rpc: split out helpers for TLS cert path location

We'll want to access these paths from outside the TLS context code,
so split them into a standalone file.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
Daniel P. Berrangé 2024-06-06 15:13:44 +01:00
parent a2455fd53d
commit e66c3bcd0c
4 changed files with 285 additions and 61 deletions

View File

@ -1,6 +1,10 @@
gendispatch_prog = find_program('gendispatch.pl') gendispatch_prog = find_program('gendispatch.pl')
socket_sources = [ tlsconfig_sources = files(
'virnettlsconfig.c',
)
socket_sources = tlsconfig_sources + [
'virnettlscontext.c', 'virnettlscontext.c',
'virnetsocket.c', 'virnetsocket.c',
] ]

202
src/rpc/virnettlsconfig.c Normal file
View File

@ -0,0 +1,202 @@
/*
* virnettlsconfig.c: TLS x509 configuration helpers
*
* Copyright (C) 2010-2024 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library. If not, see
* <http://www.gnu.org/licenses/>.
*/
#include <config.h>
#include "virnettlsconfig.h"
#include "virlog.h"
#include "virutil.h"
#define VIR_FROM_THIS VIR_FROM_RPC
VIR_LOG_INIT("rpc.nettlscontext");
char *virNetTLSConfigUserPKIBaseDir(void)
{
g_autofree char *userdir = virGetUserDirectory();
return g_strdup_printf("%s/.pki/libvirt", userdir);
}
static void virNetTLSConfigTrust(const char *cacertdir,
const char *cacrldir,
char **cacert,
char **cacrl)
{
if (!*cacert)
*cacert = g_strdup_printf("%s/%s", cacertdir, "cacert.pem");
if (!*cacrl)
*cacrl = g_strdup_printf("%s/%s", cacrldir, "cacrl.pem");
VIR_DEBUG("TLS CA cert %s", *cacert);
VIR_DEBUG("TLS CA CRL %s", *cacrl);
}
static void virNetTLSConfigIdentity(int isServer,
const char *certdir,
const char *keydir,
char **cert,
char **key)
{
if (!*key)
*key = g_strdup_printf("%s/%s", keydir,
isServer ? "serverkey.pem" : "clientkey.pem");
if (!*cert)
*cert = g_strdup_printf("%s/%s", certdir,
isServer ? "servercert.pem" : "clientcert.pem");
VIR_DEBUG("TLS key %s", *key);
VIR_DEBUG("TLS cert %s", *cert);
}
void virNetTLSConfigCustomTrust(const char *pkipath,
char **cacert,
char **cacrl)
{
VIR_DEBUG("Locating trust chain in custom dir %s", pkipath);
virNetTLSConfigTrust(pkipath,
pkipath,
cacert,
cacrl);
}
void virNetTLSConfigUserTrust(char **cacert,
char **cacrl)
{
g_autofree char *pkipath = virNetTLSConfigUserPKIBaseDir();
VIR_DEBUG("Locating trust chain in user dir %s", pkipath);
virNetTLSConfigTrust(pkipath,
pkipath,
cacert,
cacrl);
}
void virNetTLSConfigSystemTrust(char **cacert,
char **cacrl)
{
VIR_DEBUG("Locating trust chain in system dir %s", LIBVIRT_PKI_DIR);
virNetTLSConfigTrust(LIBVIRT_CACERT_DIR,
LIBVIRT_CACRL_DIR,
cacert,
cacrl);
}
void virNetTLSConfigCustomIdentity(const char *pkipath,
int isServer,
char **cert,
char **key)
{
VIR_DEBUG("Locating creds in custom dir %s", pkipath);
virNetTLSConfigIdentity(isServer,
pkipath,
pkipath,
cert,
key);
}
void virNetTLSConfigUserIdentity(int isServer,
char **cert,
char **key)
{
g_autofree char *pkipath = virNetTLSConfigUserPKIBaseDir();
VIR_DEBUG("Locating creds in user dir %s", pkipath);
virNetTLSConfigIdentity(isServer,
pkipath,
pkipath,
cert,
key);
}
void virNetTLSConfigSystemIdentity(int isServer,
char **cert,
char **key)
{
VIR_DEBUG("Locating creds in system dir %s", LIBVIRT_PKI_DIR);
virNetTLSConfigIdentity(isServer,
LIBVIRT_CERT_DIR,
LIBVIRT_KEY_DIR,
cert,
key);
}
void virNetTLSConfigCustomCreds(const char *pkipath,
int isServer,
char **cacert,
char **cacrl,
char **cert,
char **key)
{
VIR_DEBUG("Locating creds in custom dir %s", pkipath);
virNetTLSConfigTrust(pkipath,
pkipath,
cacert,
cacrl);
virNetTLSConfigIdentity(isServer,
pkipath,
pkipath,
cert,
key);
}
void virNetTLSConfigUserCreds(int isServer,
char **cacert,
char **cacrl,
char **cert,
char **key)
{
g_autofree char *pkipath = virNetTLSConfigUserPKIBaseDir();
VIR_DEBUG("Locating creds in user dir %s", pkipath);
virNetTLSConfigTrust(pkipath,
pkipath,
cacert,
cacrl);
virNetTLSConfigIdentity(isServer,
pkipath,
pkipath,
cert,
key);
}
void virNetTLSConfigSystemCreds(int isServer,
char **cacert,
char **cacrl,
char **cert,
char **key)
{
VIR_DEBUG("Locating creds in system dir %s", LIBVIRT_PKI_DIR);
virNetTLSConfigTrust(LIBVIRT_CACERT_DIR,
LIBVIRT_CACRL_DIR,
cacert,
cacrl);
virNetTLSConfigIdentity(isServer,
LIBVIRT_CERT_DIR,
LIBVIRT_KEY_DIR,
cert,
key);
}

68
src/rpc/virnettlsconfig.h Normal file
View File

@ -0,0 +1,68 @@
/*
* virnettlsconfig.h: TLS x509 configuration helpers
*
* Copyright (C) 2010-2024 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library. If not, see
* <http://www.gnu.org/licenses/>.
*/
#pragma once
#include "configmake.h"
#define LIBVIRT_PKI_DIR SYSCONFDIR "/pki"
#define LIBVIRT_CACERT_DIR LIBVIRT_PKI_DIR "/CA"
#define LIBVIRT_CACRL_DIR LIBVIRT_PKI_DIR "/CA"
#define LIBVIRT_KEY_DIR LIBVIRT_PKI_DIR "/libvirt/private"
#define LIBVIRT_CERT_DIR LIBVIRT_PKI_DIR "/libvirt"
char *virNetTLSConfigUserPKIBaseDir(void);
void virNetTLSConfigCustomTrust(const char *pkipath,
char **cacert,
char **cacrl);
void virNetTLSConfigUserTrust(char **cacert,
char **cacrl);
void virNetTLSConfigSystemTrust(char **cacert,
char **cacrl);
void virNetTLSConfigCustomIdentity(const char *pkipath,
int isServer,
char **cert,
char **key);
void virNetTLSConfigUserIdentity(int isServer,
char **cert,
char **key);
void virNetTLSConfigSystemIdentity(int isServer,
char **cert,
char **key);
void virNetTLSConfigCustomCreds(const char *pkipath,
int isServer,
char **cacert,
char **cacrl,
char **cert,
char **key);
void virNetTLSConfigUserCreds(int isServer,
char **cacert,
char **cacrl,
char **cert,
char **key);
void virNetTLSConfigSystemCreds(int isServer,
char **cacert,
char **cacrl,
char **cert,
char **key);

View File

@ -27,6 +27,7 @@
#include <gnutls/x509.h> #include <gnutls/x509.h>
#include "virnettlscontext.h" #include "virnettlscontext.h"
#include "virnettlsconfig.h"
#include "virstring.h" #include "virstring.h"
#include "viralloc.h" #include "viralloc.h"
@ -36,15 +37,6 @@
#include "virlog.h" #include "virlog.h"
#include "virprobe.h" #include "virprobe.h"
#include "virthread.h" #include "virthread.h"
#include "configmake.h"
#define LIBVIRT_PKI_DIR SYSCONFDIR "/pki"
#define LIBVIRT_CACERT LIBVIRT_PKI_DIR "/CA/cacert.pem"
#define LIBVIRT_CACRL LIBVIRT_PKI_DIR "/CA/cacrl.pem"
#define LIBVIRT_CLIENTKEY LIBVIRT_PKI_DIR "/libvirt/private/clientkey.pem"
#define LIBVIRT_CLIENTCERT LIBVIRT_PKI_DIR "/libvirt/clientcert.pem"
#define LIBVIRT_SERVERKEY LIBVIRT_PKI_DIR "/libvirt/private/serverkey.pem"
#define LIBVIRT_SERVERCERT LIBVIRT_PKI_DIR "/libvirt/servercert.pem"
#define VIR_FROM_THIS VIR_FROM_RPC #define VIR_FROM_THIS VIR_FROM_RPC
@ -721,9 +713,6 @@ static int virNetTLSContextLocateCredentials(const char *pkipath,
char **cert, char **cert,
char **key) char **key)
{ {
char *userdir = NULL;
char *user_pki_path = NULL;
*cacert = NULL; *cacert = NULL;
*cacrl = NULL; *cacrl = NULL;
*key = NULL; *key = NULL;
@ -736,33 +725,13 @@ static int virNetTLSContextLocateCredentials(const char *pkipath,
* files actually exist there * files actually exist there
*/ */
if (pkipath) { if (pkipath) {
VIR_DEBUG("Told to use TLS credentials in %s", pkipath); virNetTLSConfigCustomCreds(pkipath, isServer,
*cacert = g_strdup_printf("%s/%s", pkipath, "cacert.pem"); cacert, cacrl,
*cacrl = g_strdup_printf("%s/%s", pkipath, "cacrl.pem"); cert, key);
*key = g_strdup_printf("%s/%s", pkipath,
isServer ? "serverkey.pem" : "clientkey.pem");
*cert = g_strdup_printf("%s/%s", pkipath,
isServer ? "servercert.pem" : "clientcert.pem");
} else if (tryUserPkiPath) { } else if (tryUserPkiPath) {
/* Check to see if $HOME/.pki contains at least one of the virNetTLSConfigUserCreds(isServer,
* files and if so, use that cacert, cacrl,
*/ cert, key);
userdir = virGetUserDirectory();
user_pki_path = g_strdup_printf("%s/.pki/libvirt", userdir);
VIR_DEBUG("Trying to find TLS user credentials in %s", user_pki_path);
*cacert = g_strdup_printf("%s/%s", user_pki_path, "cacert.pem");
*cacrl = g_strdup_printf("%s/%s", user_pki_path, "cacrl.pem");
*key = g_strdup_printf("%s/%s", user_pki_path,
isServer ? "serverkey.pem" : "clientkey.pem");
*cert = g_strdup_printf("%s/%s", user_pki_path,
isServer ? "servercert.pem" : "clientcert.pem");
/* /*
* If some of the files can't be found, fallback * If some of the files can't be found, fallback
@ -782,28 +751,9 @@ static int virNetTLSContextLocateCredentials(const char *pkipath,
} }
} }
/* No explicit path, or user path didn't exist, so virNetTLSConfigSystemCreds(isServer,
* fallback to global defaults cacert, cacrl,
*/ cert, key);
if (!*cacert) {
VIR_DEBUG("Using default TLS CA certificate path");
*cacert = g_strdup(LIBVIRT_CACERT);
}
if (!*cacrl) {
VIR_DEBUG("Using default TLS CA revocation list path");
*cacrl = g_strdup(LIBVIRT_CACRL);
}
if (!*key && !*cert) {
VIR_DEBUG("Using default TLS key/certificate path");
*key = g_strdup(isServer ? LIBVIRT_SERVERKEY : LIBVIRT_CLIENTKEY);
*cert = g_strdup(isServer ? LIBVIRT_SERVERCERT : LIBVIRT_CLIENTCERT);
}
VIR_FREE(user_pki_path);
VIR_FREE(userdir);
return 0; return 0;
} }