rpc: split out helpers for TLS cert path location

We'll want to access these paths from outside the TLS context code, so split them into a standalone file. Reviewed-by: Michal Privoznik <mprivozn@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2024-12-22 05:35:25 +00:00 · 2024-06-06 15:13:44 +01:00 · 2024-06-06 15:13:44 +01:00 · e66c3bcd0c
commit e66c3bcd0c
parent a2455fd53d
4 changed files with 285 additions and 61 deletions
--- a/src/rpc/meson.build
+++ b/src/rpc/meson.build
@ -1,6 +1,10 @@
 gendispatch_prog = find_program('gendispatch.pl')

-socket_sources = [
+tlsconfig_sources = files(
+  'virnettlsconfig.c',
+)
+
+socket_sources = tlsconfig_sources + [
  'virnettlscontext.c',
  'virnetsocket.c',
 ]
--- a/src/rpc/virnettlsconfig.c
+++ b/src/rpc/virnettlsconfig.c
@ -0,0 +1,202 @@
+/*
+ * virnettlsconfig.c: TLS x509 configuration helpers
+ *
+ * Copyright (C) 2010-2024 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+
+#include "virnettlsconfig.h"
+#include "virlog.h"
+#include "virutil.h"
+
+#define VIR_FROM_THIS VIR_FROM_RPC
+
+VIR_LOG_INIT("rpc.nettlscontext");
+
+char *virNetTLSConfigUserPKIBaseDir(void)
+{
+    g_autofree char *userdir = virGetUserDirectory();
+
+    return g_strdup_printf("%s/.pki/libvirt", userdir);
+}
+
+static void virNetTLSConfigTrust(const char *cacertdir,
+                                 const char *cacrldir,
+                                 char **cacert,
+                                 char **cacrl)
+{
+    if (!*cacert)
+        *cacert = g_strdup_printf("%s/%s", cacertdir, "cacert.pem");
+    if (!*cacrl)
+        *cacrl = g_strdup_printf("%s/%s", cacrldir, "cacrl.pem");
+
+    VIR_DEBUG("TLS CA cert %s", *cacert);
+    VIR_DEBUG("TLS CA CRL %s", *cacrl);
+}
+
+static void virNetTLSConfigIdentity(int isServer,
+                                    const char *certdir,
+                                    const char *keydir,
+                                    char **cert,
+                                    char **key)
+{
+    if (!*key)
+        *key = g_strdup_printf("%s/%s", keydir,
+                               isServer ? "serverkey.pem" : "clientkey.pem");
+    if (!*cert)
+        *cert = g_strdup_printf("%s/%s", certdir,
+                                isServer ? "servercert.pem" : "clientcert.pem");
+
+    VIR_DEBUG("TLS key %s", *key);
+    VIR_DEBUG("TLS cert %s", *cert);
+}
+
+void virNetTLSConfigCustomTrust(const char *pkipath,
+                                char **cacert,
+                                char **cacrl)
+{
+    VIR_DEBUG("Locating trust chain in custom dir %s", pkipath);
+    virNetTLSConfigTrust(pkipath,
+                         pkipath,
+                         cacert,
+                         cacrl);
+}
+
+void virNetTLSConfigUserTrust(char **cacert,
+                              char **cacrl)
+{
+    g_autofree char *pkipath = virNetTLSConfigUserPKIBaseDir();
+
+    VIR_DEBUG("Locating trust chain in user dir %s", pkipath);
+
+    virNetTLSConfigTrust(pkipath,
+                         pkipath,
+                         cacert,
+                         cacrl);
+}
+
+void virNetTLSConfigSystemTrust(char **cacert,
+                                char **cacrl)
+{
+    VIR_DEBUG("Locating trust chain in system dir %s", LIBVIRT_PKI_DIR);
+
+    virNetTLSConfigTrust(LIBVIRT_CACERT_DIR,
+                         LIBVIRT_CACRL_DIR,
+                         cacert,
+                         cacrl);
+}
+
+void virNetTLSConfigCustomIdentity(const char *pkipath,
+                                   int isServer,
+                                   char **cert,
+                                   char **key)
+{
+    VIR_DEBUG("Locating creds in custom dir %s", pkipath);
+    virNetTLSConfigIdentity(isServer,
+                            pkipath,
+                            pkipath,
+                            cert,
+                            key);
+}
+
+void virNetTLSConfigUserIdentity(int isServer,
+                                 char **cert,
+                                 char **key)
+{
+    g_autofree char *pkipath = virNetTLSConfigUserPKIBaseDir();
+
+    VIR_DEBUG("Locating creds in user dir %s", pkipath);
+
+    virNetTLSConfigIdentity(isServer,
+                            pkipath,
+                            pkipath,
+                            cert,
+                            key);
+}
+
+void virNetTLSConfigSystemIdentity(int isServer,
+                                   char **cert,
+                                   char **key)
+{
+    VIR_DEBUG("Locating creds in system dir %s", LIBVIRT_PKI_DIR);
+
+    virNetTLSConfigIdentity(isServer,
+                            LIBVIRT_CERT_DIR,
+                            LIBVIRT_KEY_DIR,
+                            cert,
+                            key);
+}
+
+void virNetTLSConfigCustomCreds(const char *pkipath,
+                                int isServer,
+                                char **cacert,
+                                char **cacrl,
+                                char **cert,
+                                char **key)
+{
+    VIR_DEBUG("Locating creds in custom dir %s", pkipath);
+    virNetTLSConfigTrust(pkipath,
+                         pkipath,
+                         cacert,
+                         cacrl);
+    virNetTLSConfigIdentity(isServer,
+                            pkipath,
+                            pkipath,
+                            cert,
+                            key);
+}
+
+void virNetTLSConfigUserCreds(int isServer,
+                              char **cacert,
+                              char **cacrl,
+                              char **cert,
+                              char **key)
+{
+    g_autofree char *pkipath = virNetTLSConfigUserPKIBaseDir();
+
+    VIR_DEBUG("Locating creds in user dir %s", pkipath);
+
+    virNetTLSConfigTrust(pkipath,
+                         pkipath,
+                         cacert,
+                         cacrl);
+    virNetTLSConfigIdentity(isServer,
+                            pkipath,
+                            pkipath,
+                            cert,
+                            key);
+}
+
+void virNetTLSConfigSystemCreds(int isServer,
+                                char **cacert,
+                                char **cacrl,
+                                char **cert,
+                                char **key)
+{
+    VIR_DEBUG("Locating creds in system dir %s", LIBVIRT_PKI_DIR);
+
+    virNetTLSConfigTrust(LIBVIRT_CACERT_DIR,
+                         LIBVIRT_CACRL_DIR,
+                         cacert,
+                         cacrl);
+    virNetTLSConfigIdentity(isServer,
+                            LIBVIRT_CERT_DIR,
+                            LIBVIRT_KEY_DIR,
+                            cert,
+                            key);
+}
--- a/src/rpc/virnettlsconfig.h
+++ b/src/rpc/virnettlsconfig.h
@ -0,0 +1,68 @@
+/*
+ * virnettlsconfig.h: TLS x509 configuration helpers
+ *
+ * Copyright (C) 2010-2024 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ */
+
+#pragma once
+
+#include "configmake.h"
+
+#define LIBVIRT_PKI_DIR SYSCONFDIR "/pki"
+#define LIBVIRT_CACERT_DIR LIBVIRT_PKI_DIR "/CA"
+#define LIBVIRT_CACRL_DIR LIBVIRT_PKI_DIR "/CA"
+#define LIBVIRT_KEY_DIR LIBVIRT_PKI_DIR "/libvirt/private"
+#define LIBVIRT_CERT_DIR LIBVIRT_PKI_DIR "/libvirt"
+
+char *virNetTLSConfigUserPKIBaseDir(void);
+
+void virNetTLSConfigCustomTrust(const char *pkipath,
+                                char **cacert,
+                                char **cacrl);
+void virNetTLSConfigUserTrust(char **cacert,
+                              char **cacrl);
+void virNetTLSConfigSystemTrust(char **cacert,
+                                char **cacrl);
+
+void virNetTLSConfigCustomIdentity(const char *pkipath,
+                                   int isServer,
+                                   char **cert,
+                                   char **key);
+void virNetTLSConfigUserIdentity(int isServer,
+                                 char **cert,
+                                 char **key);
+void virNetTLSConfigSystemIdentity(int isServer,
+                                   char **cert,
+                                   char **key);
+
+
+void virNetTLSConfigCustomCreds(const char *pkipath,
+                                int isServer,
+                                char **cacert,
+                                char **cacrl,
+                                char **cert,
+                                char **key);
+void virNetTLSConfigUserCreds(int isServer,
+                              char **cacert,
+                              char **cacrl,
+                              char **cert,
+                              char **key);
+void virNetTLSConfigSystemCreds(int isServer,
+                                char **cacert,
+                                char **cacrl,
+                                char **cert,
+                                char **key);
--- a/src/rpc/virnettlscontext.c
+++ b/src/rpc/virnettlscontext.c
@ -27,6 +27,7 @@
 #include <gnutls/x509.h>

 #include "virnettlscontext.h"
+#include "virnettlsconfig.h"
 #include "virstring.h"

 #include "viralloc.h"
@ -36,15 +37,6 @@
 #include "virlog.h"
 #include "virprobe.h"
 #include "virthread.h"
-#include "configmake.h"
-
-#define LIBVIRT_PKI_DIR SYSCONFDIR "/pki"
-#define LIBVIRT_CACERT LIBVIRT_PKI_DIR "/CA/cacert.pem"
-#define LIBVIRT_CACRL LIBVIRT_PKI_DIR "/CA/cacrl.pem"
-#define LIBVIRT_CLIENTKEY LIBVIRT_PKI_DIR "/libvirt/private/clientkey.pem"
-#define LIBVIRT_CLIENTCERT LIBVIRT_PKI_DIR "/libvirt/clientcert.pem"
-#define LIBVIRT_SERVERKEY LIBVIRT_PKI_DIR "/libvirt/private/serverkey.pem"
-#define LIBVIRT_SERVERCERT LIBVIRT_PKI_DIR "/libvirt/servercert.pem"

 #define VIR_FROM_THIS VIR_FROM_RPC

@ -721,9 +713,6 @@ static int virNetTLSContextLocateCredentials(const char *pkipath,
                                             char **cert,
                                             char **key)
 {
-    char *userdir = NULL;
-    char *user_pki_path = NULL;
-
    *cacert = NULL;
    *cacrl = NULL;
    *key = NULL;
@ -736,33 +725,13 @@ static int virNetTLSContextLocateCredentials(const char *pkipath,
     * files actually exist there
     */
    if (pkipath) {
-        VIR_DEBUG("Told to use TLS credentials in %s", pkipath);
-        *cacert = g_strdup_printf("%s/%s", pkipath, "cacert.pem");
-        *cacrl = g_strdup_printf("%s/%s", pkipath, "cacrl.pem");
-        *key = g_strdup_printf("%s/%s", pkipath,
-                               isServer ? "serverkey.pem" : "clientkey.pem");
-
-        *cert = g_strdup_printf("%s/%s", pkipath,
-                                isServer ? "servercert.pem" : "clientcert.pem");
+        virNetTLSConfigCustomCreds(pkipath, isServer,
+                                   cacert, cacrl,
+                                   cert, key);
    } else if (tryUserPkiPath) {
-        /* Check to see if $HOME/.pki contains at least one of the
-         * files and if so, use that
-         */
-        userdir = virGetUserDirectory();
-
-        user_pki_path = g_strdup_printf("%s/.pki/libvirt", userdir);
-
-        VIR_DEBUG("Trying to find TLS user credentials in %s", user_pki_path);
-
-        *cacert = g_strdup_printf("%s/%s", user_pki_path, "cacert.pem");
-
-        *cacrl = g_strdup_printf("%s/%s", user_pki_path, "cacrl.pem");
-
-        *key = g_strdup_printf("%s/%s", user_pki_path,
-                               isServer ? "serverkey.pem" : "clientkey.pem");
-
-        *cert = g_strdup_printf("%s/%s", user_pki_path,
-                                isServer ? "servercert.pem" : "clientcert.pem");
+        virNetTLSConfigUserCreds(isServer,
+                                 cacert, cacrl,
+                                 cert, key);

        /*
         * If some of the files can't be found, fallback
@ -782,28 +751,9 @@ static int virNetTLSContextLocateCredentials(const char *pkipath,
        }
    }

-    /* No explicit path, or user path didn't exist, so
-     * fallback to global defaults
-     */
-    if (!*cacert) {
-        VIR_DEBUG("Using default TLS CA certificate path");
-        *cacert = g_strdup(LIBVIRT_CACERT);
-    }
-
-    if (!*cacrl) {
-        VIR_DEBUG("Using default TLS CA revocation list path");
-        *cacrl = g_strdup(LIBVIRT_CACRL);
-    }
-
-    if (!*key && !*cert) {
-        VIR_DEBUG("Using default TLS key/certificate path");
-        *key = g_strdup(isServer ? LIBVIRT_SERVERKEY : LIBVIRT_CLIENTKEY);
-
-        *cert = g_strdup(isServer ? LIBVIRT_SERVERCERT : LIBVIRT_CLIENTCERT);
-    }
-
-    VIR_FREE(user_pki_path);
-    VIR_FREE(userdir);
+    virNetTLSConfigSystemCreds(isServer,
+                               cacert, cacrl,
+                               cert, key);

    return 0;
 }