External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-03-07 17:28:15 +00:00
Code

Refactor the certification validation code

Browse Source 
There is some commonality between the code for sanity checking
certs when initializing libvirt and the code for validating
certs during a live TLS session handshake. This patchset splits
up the sanity checking function into several smaller functions
each doing a specific type of check. The cert validation code
is then updated to also call into these functions

* src/rpc/virnettlscontext.c: Refactor cert validation code
This commit is contained in:
Daniel P. Berrange 2011-07-20 15:18:51 +01:00
parent 3b8061c759
commit 637711cbdf
1 changed files with 414 additions and 314 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

728
src/rpc/virnettlscontext.c
View File

@ -97,32 +97,392 @@ static void virNetTLSLog(int level, const char *str) {
} }
static gnutls_x509_crt_t virNetTLSContextSanityCheckCert(bool isServer, static int virNetTLSContextCheckCertTimes(gnutls_x509_crt_t cert,
bool isCA, const char *certFile,
const char *certFile) bool isServer,
bool isCA)
{
time_t now;
if ((now = time(NULL)) == ((time_t)-1)) {
virReportSystemError(errno, "%s",
_("cannot get current time"));
return -1;
}
if (gnutls_x509_crt_get_expiration_time(cert) < now) {
virNetError(VIR_ERR_SYSTEM_ERROR,
(isCA ?
_("The CA certificate %s has expired") :
(isServer ?
_("The server certificate %s has expired") :
_("The client certificate %s has expired"))),
certFile);
return -1;
}
if (gnutls_x509_crt_get_activation_time(cert) > now) {
virNetError(VIR_ERR_SYSTEM_ERROR,
(isCA ?
_("The CA certificate %s is not yet active") :
(isServer ?
_("The server certificate %s is not yet active") :
_("The client certificate %s is not yet active"))),
certFile);
return -1;
}
return 0;
}
static int virNetTLSContextCheckCertBasicConstraints(gnutls_x509_crt_t cert,
const char *certFile,
bool isServer,
bool isCA)
{
int status;
status = gnutls_x509_crt_get_basic_constraints(cert, NULL, NULL, NULL);
VIR_DEBUG("Cert %s basic constraints %d", certFile, status);
if (status > 0) { /* It is a CA cert */
if (!isCA) {
virNetError(VIR_ERR_SYSTEM_ERROR, isServer ?
_("The certificate %s basic constraints show a CA, but we need one for a server") :
_("The certificate %s basic constraints show a CA, but we need one for a client"),
certFile);
return -1;
}
} else if (status == 0) { /* It is not a CA cert */
if (isCA) {
virNetError(VIR_ERR_SYSTEM_ERROR,
_("The certificate %s basic constraints do not show a CA"),
certFile);
return -1;
}
} else if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { /* Missing basicConstraints */
if (isCA) {
virNetError(VIR_ERR_SYSTEM_ERROR,
_("The certificate %s is missing basic constraints for a CA"),
certFile);
return -1;
}
} else { /* General error */
virNetError(VIR_ERR_SYSTEM_ERROR,
_("Unable to query certificate %s basic constraints %s"),
certFile, gnutls_strerror(status));
return -1;
}
return 0;
}
static int virNetTLSContextCheckCertKeyUsage(gnutls_x509_crt_t cert,
const char *certFile,
bool isCA)
{
int status;
unsigned int usage;
unsigned int critical;
status = gnutls_x509_crt_get_key_usage(cert, &usage, &critical);
VIR_DEBUG("Cert %s key usage status %d usage %d critical %u", certFile, status, usage, critical);
if (status < 0) {
if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
usage = isCA ? GNUTLS_KEY_KEY_CERT_SIGN :
GNUTLS_KEY_DIGITAL_SIGNATURE|GNUTLS_KEY_KEY_ENCIPHERMENT;
} else {
virNetError(VIR_ERR_SYSTEM_ERROR,
_("Unable to query certificate %s key usage %s"),
certFile, gnutls_strerror(status));
return -1;
}
}
if (isCA) {
if (!(usage & GNUTLS_KEY_KEY_CERT_SIGN)) {
if (critical) {
virNetError(VIR_ERR_SYSTEM_ERROR,
_("Certificate %s usage does not permit certificate signing"),
certFile);
return -1;
} else {
VIR_WARN("Certificate %s usage does not permit certificate signing",
certFile);
}
}
} else {
if (!(usage & GNUTLS_KEY_DIGITAL_SIGNATURE)) {
if (critical) {
virNetError(VIR_ERR_SYSTEM_ERROR,
_("Certificate %s usage does not permit digital signature"),
certFile);
return -1;
} else {
VIR_WARN("Certificate %s usage does not permit digital signature",
certFile);
}
}
if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) {
if (critical) {
virNetError(VIR_ERR_SYSTEM_ERROR,
_("Certificate %s usage does not permit key encipherment"),
certFile);
return -1;
} else {
VIR_WARN("Certificate %s usage does not permit key encipherment",
certFile);
}
}
}
return 0;
}
static int virNetTLSContextCheckCertKeyPurpose(gnutls_x509_crt_t cert,
const char *certFile,
bool isServer)
{
int status;
int i;
unsigned int purposeCritical;
unsigned int critical;
char *buffer;
size_t size;
bool allowClient = false, allowServer = false;
critical = 0;
for (i = 0 ; ; i++) {
size = 0;
status = gnutls_x509_crt_get_key_purpose_oid(cert, i, buffer, &size, NULL);
if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
VIR_DEBUG("No key purpose data available at slot %d", i);
/* If there is no data at all, then we must allow client/server to pass */
if (i == 0)
allowServer = allowClient = true;
break;
}
if (status != GNUTLS_E_SHORT_MEMORY_BUFFER) {
virNetError(VIR_ERR_SYSTEM_ERROR,
_("Unable to query certificate %s key purpose %s"),
certFile, gnutls_strerror(status));
return -1;
}
if (VIR_ALLOC_N(buffer, size) < 0) {
virReportOOMError();
return -1;
}
status = gnutls_x509_crt_get_key_purpose_oid(cert, i, buffer, &size, &purposeCritical);
if (status < 0) {
VIR_FREE(buffer);
virNetError(VIR_ERR_SYSTEM_ERROR,
_("Unable to query certificate %s key purpose %s"),
certFile, gnutls_strerror(status));
return -1;
}
if (purposeCritical)
critical = true;
VIR_DEBUG("Key purpose %d %s critical %u", status, buffer, purposeCritical);
if (STREQ(buffer, GNUTLS_KP_TLS_WWW_SERVER)) {
allowServer = true;
} else if (STREQ(buffer, GNUTLS_KP_TLS_WWW_CLIENT)) {
allowClient = true;
} else if (STRNEQ(buffer, GNUTLS_KP_ANY)) {
allowServer = allowClient = true;
}
VIR_FREE(buffer);
}
if (isServer) {
if (!allowServer) {
if (critical) {
virNetError(VIR_ERR_SYSTEM_ERROR,
_("Certificate %s purpose does not allow use for with a TLS server"),
certFile);
return -1;
} else {
VIR_WARN("Certificate %s purpose does not allow use for with a TLS server",
certFile);
}
}
} else {
if (!allowClient) {
if (critical) {
virNetError(VIR_ERR_SYSTEM_ERROR,
_("Certificate %s purpose does not allow use for with a TLS client"),
certFile);
return -1;
} else {
VIR_WARN("Certificate %s purpose does not allow use for with a TLS client",
certFile);
}
}
}
return 0;
}
/* Check DN is on tls_allowed_dn_list. */
static int
virNetTLSContextCheckCertDNWhitelist(const char *dname,
const char *const*wildcards)
{
while (*wildcards) {
int ret = fnmatch (*wildcards, dname, 0);
if (ret == 0) /* Succesful match */
return 1;
if (ret != FNM_NOMATCH) {
virNetError(VIR_ERR_INTERNAL_ERROR,
_("Malformed TLS whitelist regular expression '%s'"),
*wildcards);
return -1;
}
wildcards++;
}
/* Log the client's DN for debugging */
VIR_DEBUG("Failed whitelist check for client DN '%s'", dname);
/* This is the most common error: make it informative. */
virNetError(VIR_ERR_SYSTEM_ERROR, "%s",
_("Client's Distinguished Name is not on the list "
"of allowed clients (tls_allowed_dn_list). Use "
"'certtool -i --infile clientcert.pem' to view the"
"Distinguished Name field in the client certificate,"
"or run this daemon with --verbose option."));
return 0;
}
static int
virNetTLSContextCheckCertDN(gnutls_x509_crt_t cert,
const char *certFile,
const char *hostname,
const char *const* whitelist)
{
int ret;
char name[256];
size_t namesize = sizeof name;
memset(name, 0, namesize);
ret = gnutls_x509_crt_get_dn(cert, name, &namesize);
if (ret != 0) {
virNetError(VIR_ERR_SYSTEM_ERROR,
_("Failed to get certificate %s distinguished name: %s"),
certFile, gnutls_strerror(ret));
return -1;
}
if (whitelist &&
virNetTLSContextCheckCertDNWhitelist(name, whitelist) <= 0)
return -1;
if (hostname &&
!gnutls_x509_crt_check_hostname(cert, hostname)) {
virNetError(VIR_ERR_RPC,
_("Certificate %s owner does not match the hostname %s"),
certFile, hostname);
return -1;
}
return 0;
}
static int virNetTLSContextCheckCert(gnutls_x509_crt_t cert,
const char *certFile,
bool isServer,
bool isCA)
{
if (virNetTLSContextCheckCertTimes(cert, certFile,
isServer, isCA) < 0)
return -1;
if (virNetTLSContextCheckCertBasicConstraints(cert, certFile,
isServer, isCA) < 0)
return -1;
if (virNetTLSContextCheckCertKeyUsage(cert, certFile,
isCA) < 0)
return -1;
if (!isCA &&
virNetTLSContextCheckCertKeyPurpose(cert, certFile,
isServer) < 0)
return -1;
return 0;
}
static int virNetTLSContextCheckCertPair(gnutls_x509_crt_t cert,
const char *certFile,
gnutls_x509_crt_t cacert,
const char *cacertFile,
bool isServer)
{
unsigned int status;
if (gnutls_x509_crt_list_verify(&cert, 1,
&cacert, 1,
NULL, 0,
0, &status) < 0) {
virNetError(VIR_ERR_SYSTEM_ERROR, isServer ?
_("Unable to verify server certificate %s against CA certificate %s") :
_("Unable to verify client certificate %s against CA certificate %s"),
certFile, cacertFile);
return -1;
}
if (status != 0) {
const char *reason = _("Invalid certificate");
if (status & GNUTLS_CERT_INVALID)
reason = _("The certificate is not trusted.");
if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
reason = _("The certificate hasn't got a known issuer.");
if (status & GNUTLS_CERT_REVOKED)
reason = _("The certificate has been revoked.");
#ifndef GNUTLS_1_0_COMPAT
if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
reason = _("The certificate uses an insecure algorithm");
#endif
virNetError(VIR_ERR_SYSTEM_ERROR,
_("Our own certificate %s failed validation against %s: %s"),
certFile, cacertFile, reason);
return -1;
}
return 0;
}
static gnutls_x509_crt_t virNetTLSContextLoadCertFromFile(const char *certFile,
bool isServer,
bool isCA)
{ {
gnutls_datum_t data; gnutls_datum_t data;
gnutls_x509_crt_t cert = NULL; gnutls_x509_crt_t cert = NULL;
char *buf = NULL; char *buf = NULL;
int ret = -1; int ret = -1;
time_t now;
int status;
int i;
char *buffer = NULL;
size_t size;
unsigned int usage;
unsigned int critical;
bool allowClient = false, allowServer = false;
VIR_DEBUG("isServer %d isCA %d certFile %s", VIR_DEBUG("isServer %d isCA %d certFile %s",
isServer, isCA, certFile); isServer, isCA, certFile);
if ((now = time(NULL)) == ((time_t)-1)) {
virReportSystemError(errno, "%s",
_("cannot get current time"));
goto cleanup;
}
if (gnutls_x509_crt_init(&cert) < 0) { if (gnutls_x509_crt_init(&cert) < 0) {
virNetError(VIR_ERR_SYSTEM_ERROR, "%s", virNetError(VIR_ERR_SYSTEM_ERROR, "%s",
_("Unable to initialize certificate")); _("Unable to initialize certificate"));
@ -143,180 +503,6 @@ static gnutls_x509_crt_t virNetTLSContextSanityCheckCert(bool isServer,
goto cleanup; goto cleanup;
} }
if (gnutls_x509_crt_get_expiration_time(cert) < now) {
virNetError(VIR_ERR_SYSTEM_ERROR, isServer ?
_("The server certificate %s has expired") :
_("The client certificate %s has expired"),
certFile);
goto cleanup;
}
if (gnutls_x509_crt_get_activation_time(cert) > now) {
virNetError(VIR_ERR_SYSTEM_ERROR, isServer ?
_("The server certificate %s is not yet active") :
_("The client certificate %s is not yet active"),
certFile);
goto cleanup;
}
status = gnutls_x509_crt_get_basic_constraints(cert, NULL, NULL, NULL);
VIR_DEBUG("Cert %s basic constraints %d", certFile, status);
if (status > 0) { /* It is a CA cert */
if (!isCA) {
virNetError(VIR_ERR_SYSTEM_ERROR, isServer ?
_("The certificate %s basic constraints show a CA, but we need one for a server") :
_("The certificate %s basic constraints show a CA, but we need one for a client"),
certFile);
goto cleanup;
}
} else if (status == 0) { /* It is not a CA cert */
if (isCA) {
virNetError(VIR_ERR_SYSTEM_ERROR,
_("The certificate %s basic constraints do not show a CA"),
certFile);
goto cleanup;
}
} else if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { /* Missing basicConstraints */
if (isCA) {
virNetError(VIR_ERR_SYSTEM_ERROR,
_("The certificate %s is missing basic constraints for a CA"),
certFile);
goto cleanup;
}
} else { /* General error */
virNetError(VIR_ERR_SYSTEM_ERROR,
_("Unable to query certificate %s basic constraints %s"),
certFile, gnutls_strerror(status));
goto cleanup;
}
status = gnutls_x509_crt_get_key_usage(cert, &usage, &critical);
VIR_DEBUG("Cert %s key usage status %d usage %d critical %u", certFile, status, usage, critical);
if (status < 0) {
if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
usage = isCA ? GNUTLS_KEY_KEY_CERT_SIGN :
GNUTLS_KEY_DIGITAL_SIGNATURE|GNUTLS_KEY_KEY_ENCIPHERMENT;
} else {
virNetError(VIR_ERR_SYSTEM_ERROR,
_("Unable to query certificate %s key usage %s"),
certFile, gnutls_strerror(status));
goto cleanup;
}
}
if (isCA) {
if (!(usage & GNUTLS_KEY_KEY_CERT_SIGN)) {
if (critical) {
virNetError(VIR_ERR_SYSTEM_ERROR,
_("Certificate %s usage does not permit certificate signing"),
certFile);
goto cleanup;
} else {
VIR_WARN("Certificate %s usage does not permit certificate signing",
certFile);
}
}
} else {
if (!(usage & GNUTLS_KEY_DIGITAL_SIGNATURE)) {
if (critical) {
virNetError(VIR_ERR_SYSTEM_ERROR,
_("Certificate %s usage does not permit digital signature"),
certFile);
goto cleanup;
} else {
VIR_WARN("Certificate %s usage does not permit digital signature",
certFile);
}
}
if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) {
if (critical) {
virNetError(VIR_ERR_SYSTEM_ERROR,
_("Certificate %s usage does not permit key encipherment"),
certFile);
goto cleanup;
} else {
VIR_WARN("Certificate %s usage does not permit key encipherment",
certFile);
}
}
}
critical = 0;
for (i = 0 ; ; i++) {
size = 0;
unsigned int purposeCritical;
status = gnutls_x509_crt_get_key_purpose_oid(cert, i, buffer, &size, NULL);
if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
VIR_DEBUG("No key purpose data available at slot %d", i);
/* If there is no data at all, then we must allow client/server to pass */
if (i == 0)
allowServer = allowClient = true;
break;
}
if (status != GNUTLS_E_SHORT_MEMORY_BUFFER) {
virNetError(VIR_ERR_SYSTEM_ERROR,
_("Unable to query certificate %s key purpose %s"),
certFile, gnutls_strerror(status));
goto cleanup;
}
if (VIR_ALLOC_N(buffer, size) < 0) {
virReportOOMError();
goto cleanup;
}
status = gnutls_x509_crt_get_key_purpose_oid(cert, i, buffer, &size, &purposeCritical);
if (status < 0) {
virNetError(VIR_ERR_SYSTEM_ERROR,
_("Unable to query certificate %s key purpose %s"),
certFile, gnutls_strerror(status));
goto cleanup;
}
if (purposeCritical)
critical = true;
VIR_DEBUG("Key purpose %d %s critical %u", status, buffer, purposeCritical);
if (STREQ(buffer, GNUTLS_KP_TLS_WWW_SERVER)) {
allowServer = true;
} else if (STREQ(buffer, GNUTLS_KP_TLS_WWW_CLIENT)) {
allowClient = true;
} else if (STRNEQ(buffer, GNUTLS_KP_ANY)) {
allowServer = allowClient = true;
}
VIR_FREE(buffer);
}
if (!isCA) { /* No purpose checks required for CA certs */
if (isServer && !allowServer) {
if (critical) {
virNetError(VIR_ERR_SYSTEM_ERROR,
_("Certificate %s purpose does not allow use for with a TLS server"),
certFile);
goto cleanup;
} else {
VIR_WARN("Certificate %s purpose does not allow use for with a TLS server",
certFile);
}
}
if (!isServer && !allowClient) {
if (critical) {
virNetError(VIR_ERR_SYSTEM_ERROR,
_("Certificate %s purpose does not allow use for with a TLS client"),
certFile);
goto cleanup;
} else {
VIR_WARN("Certificate %s purpose does not allow use for with a TLS client",
certFile);
}
}
}
ret = 0; ret = 0;
cleanup: cleanup:
@ -324,7 +510,6 @@ cleanup:
gnutls_x509_crt_deinit(cert); gnutls_x509_crt_deinit(cert);
cert = NULL; cert = NULL;
} }
VIR_FREE(buffer);
VIR_FREE(buf); VIR_FREE(buf);
return cert; return cert;
} }
@ -337,51 +522,25 @@ static int virNetTLSContextSanityCheckCredentials(bool isServer,
gnutls_x509_crt_t cert = NULL; gnutls_x509_crt_t cert = NULL;
gnutls_x509_crt_t cacert = NULL; gnutls_x509_crt_t cacert = NULL;
int ret = -1; int ret = -1;
unsigned int status;
if (access(certFile, R_OK) == 0) { if ((access(certFile, R_OK) == 0) &&
if (!(cert = virNetTLSContextSanityCheckCert(isServer, false, certFile))) !(cert = virNetTLSContextLoadCertFromFile(certFile, isServer, false)))
goto cleanup; goto cleanup;
} if ((access(cacertFile, R_OK) == 0) &&
if (access(cacertFile, R_OK) == 0) { !(cacert = virNetTLSContextLoadCertFromFile(cacertFile, isServer, false)))
if (!(cacert = virNetTLSContextSanityCheckCert(isServer, true, cacertFile))) goto cleanup;
goto cleanup;
}
if (cert && cacert) { if (cert &&
if (gnutls_x509_crt_list_verify(&cert, 1, virNetTLSContextCheckCert(cert, certFile, isServer, false) < 0)
&cacert, 1, goto cleanup;
NULL, 0,
0, &status) < 0) {
virNetError(VIR_ERR_SYSTEM_ERROR, "%s", isServer ?
_("Unable to verify server certificate against CA certificate") :
_("Unable to verify client certificate against CA certificate"));
goto cleanup;
}
if (status != 0) { if (cacert &&
const char *reason = _("Invalid certificate"); virNetTLSContextCheckCert(cacert, cacertFile, isServer, true) < 0)
goto cleanup;
if (status & GNUTLS_CERT_INVALID) if (cert && cacert &&
reason = _("The certificate is not trusted."); virNetTLSContextCheckCertPair(cert, certFile, cacert, cacertFile, isServer) < 0)
goto cleanup;
if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
reason = _("The certificate hasn't got a known issuer.");
if (status & GNUTLS_CERT_REVOKED)
reason = _("The certificate has been revoked.");
#ifndef GNUTLS_1_0_COMPAT
if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
reason = _("The certificate uses an insecure algorithm");
#endif
virNetError(VIR_ERR_SYSTEM_ERROR,
_("Our own certificate %s failed validation against %s: %s"),
certFile, cacertFile, reason);
goto cleanup;
}
}
ret = 0; ret = 0;
@ -760,45 +919,6 @@ void virNetTLSContextRef(virNetTLSContextPtr ctxt)
} }
/* Check DN is on tls_allowed_dn_list. */
static int
virNetTLSContextCheckDN(virNetTLSContextPtr ctxt,
const char *dname)
{
const char *const*wildcards;
/* If the list is not set, allow any DN. */
wildcards = ctxt->x509dnWhitelist;
if (!wildcards)
return 1;
while (*wildcards) {
int ret = fnmatch (*wildcards, dname, 0);
if (ret == 0) /* Succesful match */
return 1;
if (ret != FNM_NOMATCH) {
virNetError(VIR_ERR_INTERNAL_ERROR,
_("Malformed TLS whitelist regular expression '%s'"),
*wildcards);
return -1;
}
wildcards++;
}
/* Log the client's DN for debugging */
VIR_DEBUG("Failed whitelist check for client DN '%s'", dname);
/* This is the most common error: make it informative. */
virNetError(VIR_ERR_SYSTEM_ERROR, "%s",
_("Client's Distinguished Name is not on the list "
"of allowed clients (tls_allowed_dn_list). Use "
"'certtool -i --infile clientcert.pem' to view the"
"Distinguished Name field in the client certificate,"
"or run this daemon with --verbose option."));
return 0;
}
static int virNetTLSContextValidCertificate(virNetTLSContextPtr ctxt, static int virNetTLSContextValidCertificate(virNetTLSContextPtr ctxt,
virNetTLSSessionPtr sess) virNetTLSSessionPtr sess)
{ {
@ -806,11 +926,6 @@ static int virNetTLSContextValidCertificate(virNetTLSContextPtr ctxt,
unsigned int status; unsigned int status;
const gnutls_datum_t *certs; const gnutls_datum_t *certs;
unsigned int nCerts, i; unsigned int nCerts, i;
time_t now;
char name[256];
size_t namesize = sizeof name;
memset(name, 0, namesize);
if ((ret = gnutls_certificate_verify_peers2(sess->session, &status)) < 0){ if ((ret = gnutls_certificate_verify_peers2(sess->session, &status)) < 0){
virNetError(VIR_ERR_SYSTEM_ERROR, virNetError(VIR_ERR_SYSTEM_ERROR,
@ -819,12 +934,6 @@ static int virNetTLSContextValidCertificate(virNetTLSContextPtr ctxt,
goto authdeny; goto authdeny;
} }
if ((now = time(NULL)) == ((time_t)-1)) {
virReportSystemError(errno, "%s",
_("cannot get current time"));
goto authfail;
}
if (status != 0) { if (status != 0) {
const char *reason = _("Invalid certificate"); const char *reason = _("Invalid certificate");
@ -876,46 +985,37 @@ static int virNetTLSContextValidCertificate(virNetTLSContextPtr ctxt,
goto authfail; goto authfail;
} }
if (gnutls_x509_crt_get_expiration_time(cert) < now) { if (virNetTLSContextCheckCertTimes(cert, "[session]",
/* Warning is reversed from what you expect, since with sess->isServer, i > 0) < 0) {
* this code it is the Server checking the client and
* vica-versa */
virNetError(VIR_ERR_SYSTEM_ERROR, "%s", sess->isServer ?
_("The client certificate has expired") :
_("The server certificate has expired"));
gnutls_x509_crt_deinit(cert);
goto authdeny;
}
if (gnutls_x509_crt_get_activation_time(cert) > now) {
/* client/server order reversed. see above */
virNetError(VIR_ERR_SYSTEM_ERROR, "%s", sess->isServer ?
_("The client certificate is not yet active") :
_("The server certificate is not yet active"));
gnutls_x509_crt_deinit(cert); gnutls_x509_crt_deinit(cert);
goto authdeny; goto authdeny;
} }
if (i == 0) { if (i == 0) {
ret = gnutls_x509_crt_get_dn(cert, name, &namesize); if (virNetTLSContextCheckCertDN(cert, "[session]", sess->hostname,
if (ret != 0) { ctxt->x509dnWhitelist) < 0) {
virNetError(VIR_ERR_SYSTEM_ERROR,
_("Failed to get certificate distinguished name: %s"),
gnutls_strerror(ret));
gnutls_x509_crt_deinit(cert);
goto authfail;
}
if (virNetTLSContextCheckDN(ctxt, name) <= 0) {
gnutls_x509_crt_deinit(cert); gnutls_x509_crt_deinit(cert);
goto authdeny; goto authdeny;
} }
if (sess->hostname && /* !sess->isServer, since on the client, we're validating the
!gnutls_x509_crt_check_hostname(cert, sess->hostname)) { * server's cert, and on the server, the client's cert
virNetError(VIR_ERR_RPC, */
_("Certificate's owner does not match the hostname (%s)"), if (virNetTLSContextCheckCertBasicConstraints(cert, "[session]",
sess->hostname); !sess->isServer, false) < 0) {
gnutls_x509_crt_deinit(cert);
goto authdeny;
}
if (virNetTLSContextCheckCertKeyUsage(cert, "[session]",
false) < 0) {
gnutls_x509_crt_deinit(cert);
goto authdeny;
}
/* !sess->isServer - as above */
if (virNetTLSContextCheckCertKeyPurpose(cert, "[session]",
!sess->isServer) < 0) {
gnutls_x509_crt_deinit(cert); gnutls_x509_crt_deinit(cert);
goto authdeny; goto authdeny;
} }