xref: /openbmc/qemu/crypto/tlscredsx509.c (revision f101c9fe)
1 /*
2  * QEMU crypto TLS x509 credential support
3  *
4  * Copyright (c) 2015 Red Hat, Inc.
5  *
6  * This library is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU Lesser General Public
8  * License as published by the Free Software Foundation; either
9  * version 2.1 of the License, or (at your option) any later version.
10  *
11  * This library is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14  * Lesser General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public
17  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18  *
19  */
20 
21 #include "qemu/osdep.h"
22 #include "crypto/tlscredsx509.h"
23 #include "tlscredspriv.h"
24 #include "crypto/secret.h"
25 #include "qapi/error.h"
26 #include "qemu/module.h"
27 #include "qom/object_interfaces.h"
28 #include "trace.h"
29 
30 
31 #ifdef CONFIG_GNUTLS
32 
33 #include <gnutls/x509.h>
34 
35 
36 static int
37 qcrypto_tls_creds_check_cert_times(gnutls_x509_crt_t cert,
38                                    const char *certFile,
39                                    bool isServer,
40                                    bool isCA,
41                                    Error **errp)
42 {
43     time_t now = time(NULL);
44 
45     if (now == ((time_t)-1)) {
46         error_setg_errno(errp, errno, "cannot get current time");
47         return -1;
48     }
49 
50     if (gnutls_x509_crt_get_expiration_time(cert) < now) {
51         error_setg(errp,
52                    (isCA ?
53                     "The CA certificate %s has expired" :
54                     (isServer ?
55                      "The server certificate %s has expired" :
56                      "The client certificate %s has expired")),
57                    certFile);
58         return -1;
59     }
60 
61     if (gnutls_x509_crt_get_activation_time(cert) > now) {
62         error_setg(errp,
63                    (isCA ?
64                     "The CA certificate %s is not yet active" :
65                     (isServer ?
66                      "The server certificate %s is not yet active" :
67                      "The client certificate %s is not yet active")),
68                    certFile);
69         return -1;
70     }
71 
72     return 0;
73 }
74 
75 
76 static int
77 qcrypto_tls_creds_check_cert_basic_constraints(QCryptoTLSCredsX509 *creds,
78                                                gnutls_x509_crt_t cert,
79                                                const char *certFile,
80                                                bool isServer,
81                                                bool isCA,
82                                                Error **errp)
83 {
84     int status;
85 
86     status = gnutls_x509_crt_get_basic_constraints(cert, NULL, NULL, NULL);
87     trace_qcrypto_tls_creds_x509_check_basic_constraints(
88         creds, certFile, status);
89 
90     if (status > 0) { /* It is a CA cert */
91         if (!isCA) {
92             error_setg(errp, isServer ?
93                        "The certificate %s basic constraints show a CA, "
94                        "but we need one for a server" :
95                        "The certificate %s basic constraints show a CA, "
96                        "but we need one for a client",
97                        certFile);
98             return -1;
99         }
100     } else if (status == 0) { /* It is not a CA cert */
101         if (isCA) {
102             error_setg(errp,
103                        "The certificate %s basic constraints do not "
104                        "show a CA",
105                        certFile);
106             return -1;
107         }
108     } else if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
109         /* Missing basicConstraints */
110         if (isCA) {
111             error_setg(errp,
112                        "The certificate %s is missing basic constraints "
113                        "for a CA",
114                        certFile);
115             return -1;
116         }
117     } else { /* General error */
118         error_setg(errp,
119                    "Unable to query certificate %s basic constraints: %s",
120                    certFile, gnutls_strerror(status));
121         return -1;
122     }
123 
124     return 0;
125 }
126 
127 
128 static int
129 qcrypto_tls_creds_check_cert_key_usage(QCryptoTLSCredsX509 *creds,
130                                        gnutls_x509_crt_t cert,
131                                        const char *certFile,
132                                        bool isCA,
133                                        Error **errp)
134 {
135     int status;
136     unsigned int usage = 0;
137     unsigned int critical = 0;
138 
139     status = gnutls_x509_crt_get_key_usage(cert, &usage, &critical);
140     trace_qcrypto_tls_creds_x509_check_key_usage(
141         creds, certFile, status, usage, critical);
142 
143     if (status < 0) {
144         if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
145             usage = isCA ? GNUTLS_KEY_KEY_CERT_SIGN :
146                 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT;
147         } else {
148             error_setg(errp,
149                        "Unable to query certificate %s key usage: %s",
150                        certFile, gnutls_strerror(status));
151             return -1;
152         }
153     }
154 
155     if (isCA) {
156         if (!(usage & GNUTLS_KEY_KEY_CERT_SIGN)) {
157             if (critical) {
158                 error_setg(errp,
159                            "Certificate %s usage does not permit "
160                            "certificate signing", certFile);
161                 return -1;
162             }
163         }
164     } else {
165         if (!(usage & GNUTLS_KEY_DIGITAL_SIGNATURE)) {
166             if (critical) {
167                 error_setg(errp,
168                            "Certificate %s usage does not permit digital "
169                            "signature", certFile);
170                 return -1;
171             }
172         }
173         if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) {
174             if (critical) {
175                 error_setg(errp,
176                            "Certificate %s usage does not permit key "
177                            "encipherment", certFile);
178                 return -1;
179             }
180         }
181     }
182 
183     return 0;
184 }
185 
186 
187 static int
188 qcrypto_tls_creds_check_cert_key_purpose(QCryptoTLSCredsX509 *creds,
189                                          gnutls_x509_crt_t cert,
190                                          const char *certFile,
191                                          bool isServer,
192                                          Error **errp)
193 {
194     int status;
195     size_t i;
196     unsigned int purposeCritical;
197     unsigned int critical;
198     char *buffer = NULL;
199     size_t size;
200     bool allowClient = false, allowServer = false;
201 
202     critical = 0;
203     for (i = 0; ; i++) {
204         size = 0;
205         status = gnutls_x509_crt_get_key_purpose_oid(cert, i, buffer,
206                                                      &size, NULL);
207 
208         if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
209 
210             /* If there is no data at all, then we must allow
211                client/server to pass */
212             if (i == 0) {
213                 allowServer = allowClient = true;
214             }
215             break;
216         }
217         if (status != GNUTLS_E_SHORT_MEMORY_BUFFER) {
218             error_setg(errp,
219                        "Unable to query certificate %s key purpose: %s",
220                        certFile, gnutls_strerror(status));
221             return -1;
222         }
223 
224         buffer = g_new0(char, size);
225 
226         status = gnutls_x509_crt_get_key_purpose_oid(cert, i, buffer,
227                                                      &size, &purposeCritical);
228 
229         if (status < 0) {
230             trace_qcrypto_tls_creds_x509_check_key_purpose(
231                 creds, certFile, status, "<none>", purposeCritical);
232             g_free(buffer);
233             error_setg(errp,
234                        "Unable to query certificate %s key purpose: %s",
235                        certFile, gnutls_strerror(status));
236             return -1;
237         }
238         trace_qcrypto_tls_creds_x509_check_key_purpose(
239             creds, certFile, status, buffer, purposeCritical);
240         if (purposeCritical) {
241             critical = true;
242         }
243 
244         if (g_str_equal(buffer, GNUTLS_KP_TLS_WWW_SERVER)) {
245             allowServer = true;
246         } else if (g_str_equal(buffer, GNUTLS_KP_TLS_WWW_CLIENT)) {
247             allowClient = true;
248         } else if (g_str_equal(buffer, GNUTLS_KP_ANY)) {
249             allowServer = allowClient = true;
250         }
251 
252         g_free(buffer);
253         buffer = NULL;
254     }
255 
256     if (isServer) {
257         if (!allowServer) {
258             if (critical) {
259                 error_setg(errp,
260                            "Certificate %s purpose does not allow "
261                            "use with a TLS server", certFile);
262                 return -1;
263             }
264         }
265     } else {
266         if (!allowClient) {
267             if (critical) {
268                 error_setg(errp,
269                            "Certificate %s purpose does not allow use "
270                            "with a TLS client", certFile);
271                 return -1;
272             }
273         }
274     }
275 
276     return 0;
277 }
278 
279 
280 static int
281 qcrypto_tls_creds_check_cert(QCryptoTLSCredsX509 *creds,
282                              gnutls_x509_crt_t cert,
283                              const char *certFile,
284                              bool isServer,
285                              bool isCA,
286                              Error **errp)
287 {
288     if (qcrypto_tls_creds_check_cert_times(cert, certFile,
289                                            isServer, isCA,
290                                            errp) < 0) {
291         return -1;
292     }
293 
294     if (qcrypto_tls_creds_check_cert_basic_constraints(creds,
295                                                        cert, certFile,
296                                                        isServer, isCA,
297                                                        errp) < 0) {
298         return -1;
299     }
300 
301     if (qcrypto_tls_creds_check_cert_key_usage(creds,
302                                                cert, certFile,
303                                                isCA, errp) < 0) {
304         return -1;
305     }
306 
307     if (!isCA &&
308         qcrypto_tls_creds_check_cert_key_purpose(creds,
309                                                  cert, certFile,
310                                                  isServer, errp) < 0) {
311         return -1;
312     }
313 
314     return 0;
315 }
316 
317 
318 static int
319 qcrypto_tls_creds_check_cert_pair(gnutls_x509_crt_t cert,
320                                   const char *certFile,
321                                   gnutls_x509_crt_t *cacerts,
322                                   size_t ncacerts,
323                                   const char *cacertFile,
324                                   bool isServer,
325                                   Error **errp)
326 {
327     unsigned int status;
328 
329     if (gnutls_x509_crt_list_verify(&cert, 1,
330                                     cacerts, ncacerts,
331                                     NULL, 0,
332                                     0, &status) < 0) {
333         error_setg(errp, isServer ?
334                    "Unable to verify server certificate %s against "
335                    "CA certificate %s" :
336                    "Unable to verify client certificate %s against "
337                    "CA certificate %s",
338                    certFile, cacertFile);
339         return -1;
340     }
341 
342     if (status != 0) {
343         const char *reason = "Invalid certificate";
344 
345         if (status & GNUTLS_CERT_INVALID) {
346             reason = "The certificate is not trusted";
347         }
348 
349         if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
350             reason = "The certificate hasn't got a known issuer";
351         }
352 
353         if (status & GNUTLS_CERT_REVOKED) {
354             reason = "The certificate has been revoked";
355         }
356 
357         if (status & GNUTLS_CERT_INSECURE_ALGORITHM) {
358             reason = "The certificate uses an insecure algorithm";
359         }
360 
361         error_setg(errp,
362                    "Our own certificate %s failed validation against %s: %s",
363                    certFile, cacertFile, reason);
364         return -1;
365     }
366 
367     return 0;
368 }
369 
370 
371 static gnutls_x509_crt_t
372 qcrypto_tls_creds_load_cert(QCryptoTLSCredsX509 *creds,
373                             const char *certFile,
374                             bool isServer,
375                             Error **errp)
376 {
377     gnutls_datum_t data;
378     gnutls_x509_crt_t cert = NULL;
379     g_autofree char *buf = NULL;
380     gsize buflen;
381     GError *gerr = NULL;
382     int ret = -1;
383     int err;
384 
385     trace_qcrypto_tls_creds_x509_load_cert(creds, isServer, certFile);
386 
387     err = gnutls_x509_crt_init(&cert);
388     if (err < 0) {
389         error_setg(errp, "Unable to initialize certificate: %s",
390                    gnutls_strerror(err));
391         goto cleanup;
392     }
393 
394     if (!g_file_get_contents(certFile, &buf, &buflen, &gerr)) {
395         error_setg(errp, "Cannot load CA cert list %s: %s",
396                    certFile, gerr->message);
397         g_error_free(gerr);
398         goto cleanup;
399     }
400 
401     data.data = (unsigned char *)buf;
402     data.size = strlen(buf);
403 
404     err = gnutls_x509_crt_import(cert, &data, GNUTLS_X509_FMT_PEM);
405     if (err < 0) {
406         error_setg(errp, isServer ?
407                    "Unable to import server certificate %s: %s" :
408                    "Unable to import client certificate %s: %s",
409                    certFile,
410                    gnutls_strerror(err));
411         goto cleanup;
412     }
413 
414     ret = 0;
415 
416  cleanup:
417     if (ret != 0) {
418         gnutls_x509_crt_deinit(cert);
419         cert = NULL;
420     }
421     return cert;
422 }
423 
424 
425 static int
426 qcrypto_tls_creds_load_ca_cert_list(QCryptoTLSCredsX509 *creds,
427                                     const char *certFile,
428                                     gnutls_x509_crt_t *certs,
429                                     unsigned int certMax,
430                                     size_t *ncerts,
431                                     Error **errp)
432 {
433     gnutls_datum_t data;
434     g_autofree char *buf = NULL;
435     gsize buflen;
436     GError *gerr = NULL;
437 
438     *ncerts = 0;
439     trace_qcrypto_tls_creds_x509_load_cert_list(creds, certFile);
440 
441     if (!g_file_get_contents(certFile, &buf, &buflen, &gerr)) {
442         error_setg(errp, "Cannot load CA cert list %s: %s",
443                    certFile, gerr->message);
444         g_error_free(gerr);
445         return -1;
446     }
447 
448     data.data = (unsigned char *)buf;
449     data.size = strlen(buf);
450 
451     if (gnutls_x509_crt_list_import(certs, &certMax, &data,
452                                     GNUTLS_X509_FMT_PEM, 0) < 0) {
453         error_setg(errp,
454                    "Unable to import CA certificate list %s",
455                    certFile);
456         return -1;
457     }
458     *ncerts = certMax;
459 
460     return 0;
461 }
462 
463 
464 #define MAX_CERTS 16
465 static int
466 qcrypto_tls_creds_x509_sanity_check(QCryptoTLSCredsX509 *creds,
467                                     bool isServer,
468                                     const char *cacertFile,
469                                     const char *certFile,
470                                     Error **errp)
471 {
472     gnutls_x509_crt_t cert = NULL;
473     gnutls_x509_crt_t cacerts[MAX_CERTS];
474     size_t ncacerts = 0;
475     size_t i;
476     int ret = -1;
477 
478     memset(cacerts, 0, sizeof(cacerts));
479     if (certFile &&
480         access(certFile, R_OK) == 0) {
481         cert = qcrypto_tls_creds_load_cert(creds,
482                                            certFile, isServer,
483                                            errp);
484         if (!cert) {
485             goto cleanup;
486         }
487     }
488     if (access(cacertFile, R_OK) == 0) {
489         if (qcrypto_tls_creds_load_ca_cert_list(creds,
490                                                 cacertFile, cacerts,
491                                                 MAX_CERTS, &ncacerts,
492                                                 errp) < 0) {
493             goto cleanup;
494         }
495     }
496 
497     if (cert &&
498         qcrypto_tls_creds_check_cert(creds,
499                                      cert, certFile, isServer,
500                                      false, errp) < 0) {
501         goto cleanup;
502     }
503 
504     for (i = 0; i < ncacerts; i++) {
505         if (qcrypto_tls_creds_check_cert(creds,
506                                          cacerts[i], cacertFile,
507                                          isServer, true, errp) < 0) {
508             goto cleanup;
509         }
510     }
511 
512     if (cert && ncacerts &&
513         qcrypto_tls_creds_check_cert_pair(cert, certFile, cacerts,
514                                           ncacerts, cacertFile,
515                                           isServer, errp) < 0) {
516         goto cleanup;
517     }
518 
519     ret = 0;
520 
521  cleanup:
522     if (cert) {
523         gnutls_x509_crt_deinit(cert);
524     }
525     for (i = 0; i < ncacerts; i++) {
526         gnutls_x509_crt_deinit(cacerts[i]);
527     }
528     return ret;
529 }
530 
531 
532 static int
533 qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds,
534                             Error **errp)
535 {
536     char *cacert = NULL, *cacrl = NULL, *cert = NULL,
537         *key = NULL, *dhparams = NULL;
538     int ret;
539     int rv = -1;
540 
541     trace_qcrypto_tls_creds_x509_load(creds,
542             creds->parent_obj.dir ? creds->parent_obj.dir : "<nodir>");
543 
544     if (creds->parent_obj.endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
545         if (qcrypto_tls_creds_get_path(&creds->parent_obj,
546                                        QCRYPTO_TLS_CREDS_X509_CA_CERT,
547                                        true, &cacert, errp) < 0 ||
548             qcrypto_tls_creds_get_path(&creds->parent_obj,
549                                        QCRYPTO_TLS_CREDS_X509_CA_CRL,
550                                        false, &cacrl, errp) < 0 ||
551             qcrypto_tls_creds_get_path(&creds->parent_obj,
552                                        QCRYPTO_TLS_CREDS_X509_SERVER_CERT,
553                                        true, &cert, errp) < 0 ||
554             qcrypto_tls_creds_get_path(&creds->parent_obj,
555                                        QCRYPTO_TLS_CREDS_X509_SERVER_KEY,
556                                        true, &key, errp) < 0 ||
557             qcrypto_tls_creds_get_path(&creds->parent_obj,
558                                        QCRYPTO_TLS_CREDS_DH_PARAMS,
559                                        false, &dhparams, errp) < 0) {
560             goto cleanup;
561         }
562     } else {
563         if (qcrypto_tls_creds_get_path(&creds->parent_obj,
564                                        QCRYPTO_TLS_CREDS_X509_CA_CERT,
565                                        true, &cacert, errp) < 0 ||
566             qcrypto_tls_creds_get_path(&creds->parent_obj,
567                                        QCRYPTO_TLS_CREDS_X509_CLIENT_CERT,
568                                        false, &cert, errp) < 0 ||
569             qcrypto_tls_creds_get_path(&creds->parent_obj,
570                                        QCRYPTO_TLS_CREDS_X509_CLIENT_KEY,
571                                        false, &key, errp) < 0) {
572             goto cleanup;
573         }
574     }
575 
576     if (creds->sanityCheck &&
577         qcrypto_tls_creds_x509_sanity_check(creds,
578             creds->parent_obj.endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
579             cacert, cert, errp) < 0) {
580         goto cleanup;
581     }
582 
583     ret = gnutls_certificate_allocate_credentials(&creds->data);
584     if (ret < 0) {
585         error_setg(errp, "Cannot allocate credentials: '%s'",
586                    gnutls_strerror(ret));
587         goto cleanup;
588     }
589 
590     ret = gnutls_certificate_set_x509_trust_file(creds->data,
591                                                  cacert,
592                                                  GNUTLS_X509_FMT_PEM);
593     if (ret < 0) {
594         error_setg(errp, "Cannot load CA certificate '%s': %s",
595                    cacert, gnutls_strerror(ret));
596         goto cleanup;
597     }
598 
599     if (cert != NULL && key != NULL) {
600         char *password = NULL;
601         if (creds->passwordid) {
602             password = qcrypto_secret_lookup_as_utf8(creds->passwordid,
603                                                      errp);
604             if (!password) {
605                 goto cleanup;
606             }
607         }
608         ret = gnutls_certificate_set_x509_key_file2(creds->data,
609                                                     cert, key,
610                                                     GNUTLS_X509_FMT_PEM,
611                                                     password,
612                                                     0);
613         g_free(password);
614         if (ret < 0) {
615             error_setg(errp, "Cannot load certificate '%s' & key '%s': %s",
616                        cert, key, gnutls_strerror(ret));
617             goto cleanup;
618         }
619     }
620 
621     if (cacrl != NULL) {
622         ret = gnutls_certificate_set_x509_crl_file(creds->data,
623                                                    cacrl,
624                                                    GNUTLS_X509_FMT_PEM);
625         if (ret < 0) {
626             error_setg(errp, "Cannot load CRL '%s': %s",
627                        cacrl, gnutls_strerror(ret));
628             goto cleanup;
629         }
630     }
631 
632     if (creds->parent_obj.endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
633         if (qcrypto_tls_creds_get_dh_params_file(&creds->parent_obj, dhparams,
634                                                  &creds->parent_obj.dh_params,
635                                                  errp) < 0) {
636             goto cleanup;
637         }
638         gnutls_certificate_set_dh_params(creds->data,
639                                          creds->parent_obj.dh_params);
640     }
641 
642     rv = 0;
643  cleanup:
644     g_free(cacert);
645     g_free(cacrl);
646     g_free(cert);
647     g_free(key);
648     g_free(dhparams);
649     return rv;
650 }
651 
652 
653 static void
654 qcrypto_tls_creds_x509_unload(QCryptoTLSCredsX509 *creds)
655 {
656     if (creds->data) {
657         gnutls_certificate_free_credentials(creds->data);
658         creds->data = NULL;
659     }
660     if (creds->parent_obj.dh_params) {
661         gnutls_dh_params_deinit(creds->parent_obj.dh_params);
662         creds->parent_obj.dh_params = NULL;
663     }
664 }
665 
666 
667 #else /* ! CONFIG_GNUTLS */
668 
669 
670 static void
671 qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds G_GNUC_UNUSED,
672                             Error **errp)
673 {
674     error_setg(errp, "TLS credentials support requires GNUTLS");
675 }
676 
677 
678 static void
679 qcrypto_tls_creds_x509_unload(QCryptoTLSCredsX509 *creds G_GNUC_UNUSED)
680 {
681     /* nada */
682 }
683 
684 
685 #endif /* ! CONFIG_GNUTLS */
686 
687 
688 static void
689 qcrypto_tls_creds_x509_prop_set_loaded(Object *obj,
690                                        bool value,
691                                        Error **errp)
692 {
693     QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
694 
695     qcrypto_tls_creds_x509_unload(creds);
696     if (value) {
697         qcrypto_tls_creds_x509_load(creds, errp);
698     }
699 }
700 
701 
702 #ifdef CONFIG_GNUTLS
703 
704 
705 static bool
706 qcrypto_tls_creds_x509_prop_get_loaded(Object *obj,
707                                        Error **errp G_GNUC_UNUSED)
708 {
709     QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
710 
711     return creds->data != NULL;
712 }
713 
714 
715 #else /* ! CONFIG_GNUTLS */
716 
717 
718 static bool
719 qcrypto_tls_creds_x509_prop_get_loaded(Object *obj G_GNUC_UNUSED,
720                                        Error **errp G_GNUC_UNUSED)
721 {
722     return false;
723 }
724 
725 
726 #endif /* ! CONFIG_GNUTLS */
727 
728 
729 static void
730 qcrypto_tls_creds_x509_prop_set_sanity(Object *obj,
731                                        bool value,
732                                        Error **errp G_GNUC_UNUSED)
733 {
734     QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
735 
736     creds->sanityCheck = value;
737 }
738 
739 
740 static void
741 qcrypto_tls_creds_x509_prop_set_passwordid(Object *obj,
742                                            const char *value,
743                                            Error **errp G_GNUC_UNUSED)
744 {
745     QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
746 
747     creds->passwordid = g_strdup(value);
748 }
749 
750 
751 static char *
752 qcrypto_tls_creds_x509_prop_get_passwordid(Object *obj,
753                                            Error **errp G_GNUC_UNUSED)
754 {
755     QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
756 
757     return g_strdup(creds->passwordid);
758 }
759 
760 
761 static bool
762 qcrypto_tls_creds_x509_prop_get_sanity(Object *obj,
763                                        Error **errp G_GNUC_UNUSED)
764 {
765     QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
766 
767     return creds->sanityCheck;
768 }
769 
770 
771 #ifdef CONFIG_GNUTLS
772 
773 
774 static bool
775 qcrypto_tls_creds_x509_reload(QCryptoTLSCreds *creds, Error **errp)
776 {
777     QCryptoTLSCredsX509 *x509_creds = QCRYPTO_TLS_CREDS_X509(creds);
778     Error *local_err = NULL;
779     gnutls_certificate_credentials_t creds_data = x509_creds->data;
780     gnutls_dh_params_t creds_dh_params = x509_creds->parent_obj.dh_params;
781 
782     x509_creds->data = NULL;
783     x509_creds->parent_obj.dh_params = NULL;
784     qcrypto_tls_creds_x509_load(x509_creds, &local_err);
785     if (local_err) {
786         qcrypto_tls_creds_x509_unload(x509_creds);
787         x509_creds->data = creds_data;
788         x509_creds->parent_obj.dh_params = creds_dh_params;
789         error_propagate(errp, local_err);
790         return false;
791     }
792 
793     if (creds_data) {
794         gnutls_certificate_free_credentials(creds_data);
795     }
796     if (creds_dh_params) {
797         gnutls_dh_params_deinit(creds_dh_params);
798     }
799     return true;
800 }
801 
802 
803 #else /* ! CONFIG_GNUTLS */
804 
805 
806 static bool
807 qcrypto_tls_creds_x509_reload(QCryptoTLSCreds *creds, Error **errp)
808 {
809     return false;
810 }
811 
812 
813 #endif /* ! CONFIG_GNUTLS */
814 
815 
816 static void
817 qcrypto_tls_creds_x509_complete(UserCreatable *uc, Error **errp)
818 {
819     object_property_set_bool(OBJECT(uc), "loaded", true, errp);
820 }
821 
822 
823 static void
824 qcrypto_tls_creds_x509_init(Object *obj)
825 {
826     QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
827 
828     creds->sanityCheck = true;
829 }
830 
831 
832 static void
833 qcrypto_tls_creds_x509_finalize(Object *obj)
834 {
835     QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
836 
837     g_free(creds->passwordid);
838     qcrypto_tls_creds_x509_unload(creds);
839 }
840 
841 
842 static void
843 qcrypto_tls_creds_x509_class_init(ObjectClass *oc, void *data)
844 {
845     UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
846     QCryptoTLSCredsClass *ctcc = QCRYPTO_TLS_CREDS_CLASS(oc);
847 
848     ctcc->reload = qcrypto_tls_creds_x509_reload;
849 
850     ucc->complete = qcrypto_tls_creds_x509_complete;
851 
852     object_class_property_add_bool(oc, "loaded",
853                                    qcrypto_tls_creds_x509_prop_get_loaded,
854                                    qcrypto_tls_creds_x509_prop_set_loaded);
855     object_class_property_add_bool(oc, "sanity-check",
856                                    qcrypto_tls_creds_x509_prop_get_sanity,
857                                    qcrypto_tls_creds_x509_prop_set_sanity);
858     object_class_property_add_str(oc, "passwordid",
859                                   qcrypto_tls_creds_x509_prop_get_passwordid,
860                                   qcrypto_tls_creds_x509_prop_set_passwordid);
861 }
862 
863 
864 static const TypeInfo qcrypto_tls_creds_x509_info = {
865     .parent = TYPE_QCRYPTO_TLS_CREDS,
866     .name = TYPE_QCRYPTO_TLS_CREDS_X509,
867     .instance_size = sizeof(QCryptoTLSCredsX509),
868     .instance_init = qcrypto_tls_creds_x509_init,
869     .instance_finalize = qcrypto_tls_creds_x509_finalize,
870     .class_size = sizeof(QCryptoTLSCredsX509Class),
871     .class_init = qcrypto_tls_creds_x509_class_init,
872     .interfaces = (InterfaceInfo[]) {
873         { TYPE_USER_CREATABLE },
874         { }
875     }
876 };
877 
878 
879 static void
880 qcrypto_tls_creds_x509_register_types(void)
881 {
882     type_register_static(&qcrypto_tls_creds_x509_info);
883 }
884 
885 
886 type_init(qcrypto_tls_creds_x509_register_types);
887