From: Daniel P. Berrangé
To: devel@lists.libvirt.org
Cc: Daniel P. Berrangé
Subject: [PATCH 9/9] tools: support validating user/custom PKI certs
Date: Fri, 7 Jun 2024 15:26:16 +0100
Message-ID: <20240607142616.749339-10-berrange@redhat.com>
In-Reply-To: <20240607142616.749339-1-berrange@redhat.com>
References: <20240607142616.749339-1-berrange@redhat.com>

The virt-pki-validate command can validate the system certificate
directories. The remote driver, however, also supports a standard
per-user certs location, as well as a runtime custom path. This
extends the validation tool to be able to cope with these alternate
locations too.

Signed-off-by: Daniel P. Berrangé
---
 docs/manpages/virt-pki-validate.rst |   5 +-
 tools/virt-pki-validate.c           | 289 +++++++++++++++++++---------
 2 files changed, 206 insertions(+), 88 deletions(-)

diff --git a/docs/manpages/virt-pki-validate.rst b/docs/manpages/virt-pki-validate.rst
index cf17bad790..932c677cfc 100644
--- a/docs/manpages/virt-pki-validate.rst +++ b/docs/manpages/virt-pki-validate.rst @@ -15,7 +15,7 @@ SYNOPSIS =3D=3D=3D=3D=3D=3D=3D=3D =20 =20 -``virt-pki-validate`` [*OPTION*] +``virt-pki-validate`` [*OPTION*] [trust|server|client] =20 =20 DESCRIPTION @@ -26,6 +26,9 @@ a secure libvirt server or client using the TLS encryptio= n protocol. It will report any missing certificate or key files on the host. It should be run as root to ensure it can read all the necessary files =20 +With no arguments it will check the trusted CA config, the server +config and the client config. The optional positional argument can +be used to restrict the checks to just one of these three sets. =20 OPTIONS =3D=3D=3D=3D=3D=3D=3D diff --git a/tools/virt-pki-validate.c b/tools/virt-pki-validate.c index 556664dd29..656f29fdc5 100644 --- a/tools/virt-pki-validate.c +++ b/tools/virt-pki-validate.c 
@@ -60,40 +60,77 @@ virPKIValidateFile(const char *file, } while (0) =20 static bool -virPKIValidateTrust(void) +virPKIValidateTrust(bool system, const char *path) { g_autofree char *cacert =3D NULL, *cacrl =3D NULL; bool ok =3D true; =20 - virNetTLSConfigSystemTrust(&cacert, - &cacrl); - - FILE_REQUIRE_EXISTS("TRUST", - LIBVIRT_PKI_DIR, - _("Checking if system PKI dir exists"), - _("The system PKI dir %1$s is usually installed as= part of the base filesystem or openssl packages"), - LIBVIRT_PKI_DIR); - - FILE_REQUIRE_ACCESS("TRUST", - LIBVIRT_PKI_DIR, - _("Checking system PKI dir access"), - 0, 0, 0755, - _("The system PKI dir %1$s must be accessible to a= ll users. As root, run: chown root.root; chmod 0755 %2$s"), - LIBVIRT_PKI_DIR, LIBVIRT_PKI_DIR); - - - FILE_REQUIRE_EXISTS("TRUST", - LIBVIRT_CACERT_DIR, - _("Checking if system CA dir exists"), - _("The system CA dir %1$s is usually installed as = part of the base filesystem or openssl packages"), - LIBVIRT_CACERT_DIR); - - FILE_REQUIRE_ACCESS("TRUST", - LIBVIRT_CACERT_DIR, - _("Checking system CA dir access"), - 0, 0, 0755, - _("The system CA dir %1$s must be accessible to al= l users. As root, run: chown root.root; chmod 0755 %2$s"), - LIBVIRT_CACERT_DIR, LIBVIRT_CACERT_DIR); + if (system) { + virNetTLSConfigSystemTrust(&cacert, + &cacrl); + + FILE_REQUIRE_EXISTS("TRUST", + LIBVIRT_PKI_DIR, + _("Checking if system PKI dir exists"), + _("The system PKI dir %1$s is usually installe= d as part of the base filesystem or openssl packages"), + LIBVIRT_PKI_DIR); + + FILE_REQUIRE_ACCESS("TRUST", + LIBVIRT_PKI_DIR, + _("Checking system PKI dir access"), + 0, 0, 0755, + _("The system PKI dir %1$s must be accessible = to all users. 
As root, run: chown root.root; chmod 0755 %2$s"), + LIBVIRT_PKI_DIR, LIBVIRT_PKI_DIR); + + + FILE_REQUIRE_EXISTS("TRUST", + LIBVIRT_CACERT_DIR, + _("Checking if system CA dir exists"), + _("The system CA dir %1$s is usually installed= as part of the base filesystem or openssl packages"), + LIBVIRT_CACERT_DIR); + + FILE_REQUIRE_ACCESS("TRUST", + LIBVIRT_CACERT_DIR, + _("Checking system CA dir access"), + 0, 0, 0755, + _("The system CA dir %1$s must be accessible t= o all users. As root, run: chown root.root; chmod 0755 %2$s"), + LIBVIRT_CACERT_DIR, LIBVIRT_CACERT_DIR); + } else if (path) { + virNetTLSConfigCustomTrust(path, + &cacert, + &cacrl); + + FILE_REQUIRE_EXISTS("TRUST", + path, + _("Checking if custom PKI base dir exists"), + _("Create the dir %1$s"), + path); + + FILE_REQUIRE_ACCESS("TRUST", + path, + _("Checking custom PKI base dir access"), + getuid(), getgid(), 0700, + _("The PKI base dir %1$s must not be accessibl= e to other users. Run: chown %2$d.%3$d %4$s; chmod 0700 %5$s"), + path, getuid(), getgid(), path, path); + } else { + g_autofree char *pkipath =3D virNetTLSConfigUserPKIBaseDir(); + + virNetTLSConfigUserTrust(&cacert, + &cacrl); + + FILE_REQUIRE_EXISTS("TRUST", + pkipath, + _("Checking if user PKI base dir exists"), + _("Create the dir %1$s"), + pkipath); + + FILE_REQUIRE_ACCESS("TRUST", + pkipath, + _("Checking user PKI base dir access"), + getuid(), getgid(), 0700, + _("The PKI base dir %1$s must not be accessibl= e to other users. Run: chown %2$d.%3$d %4$s; chmod 0700 %5$s"), + pkipath, getuid(), getgid(), pkipath, pkipath); + } =20 FILE_REQUIRE_EXISTS("TRUST", cacert, 
@@ -101,56 +138,81 @@ virPKIValidateTrust(void) _("The machine cannot act as a client or server. S= ee https://libvirt.org/kbase/tlscerts.html#setting-up-a-certificate-authori= ty-ca on how to install %1$s"), cacert); =20 - FILE_REQUIRE_ACCESS("TRUST", - cacert, - _("Checking CA cert access"), - 0, 0, 0644, - _("The CA certificate %1$s must be accessible to a= ll users. As root run: chown root.root %2$s; chmod 0644 %3$s"), - cacert, cacert, cacert); + if (system) { + FILE_REQUIRE_ACCESS("TRUST", + cacert, + _("Checking CA cert access"), + 0, 0, 0644, + _("The CA certificate %1$s must be accessible = to all users. As root run: chown root.root %2$s; chmod 0644 %3$s"), + cacert, cacert, cacert); + } else { + FILE_REQUIRE_ACCESS("TRUST", + cacert, + _("Checking CA cert access"), + getuid(), getgid(), 0600, + _("The CA certificate %1$s must not be accessi= ble to other users. As this user, run: chown %2$d.%3$d %4$s; chmod 0600 %5$= s"), + cacert, getuid(), getgid(), cacert, cacert); + } =20 done: return ok; } =20 static bool -virPKIValidateIdentity(bool isServer) +virPKIValidateIdentity(bool isServer, bool system, const char *path) { g_autofree char *cacert =3D NULL, *cacrl =3D NULL; g_autofree char *cert =3D NULL, *key =3D NULL; bool ok =3D true; const char *scope =3D isServer ? "SERVER" : "CLIENT"; =20 - virNetTLSConfigSystemTrust(&cacert, - &cacrl); - virNetTLSConfigSystemIdentity(isServer, - &cert, - &key); - - FILE_REQUIRE_EXISTS(scope, - LIBVIRT_CERT_DIR, - _("Checking if system cert dir exists"), - _("The system cert dir %1$s is usually installed a= s part of the libvirt package"), - LIBVIRT_CERT_DIR); - - FILE_REQUIRE_ACCESS(scope, - LIBVIRT_CERT_DIR, - _("Checking system cert dir access"), - 0, 0, 0755, - _("The system cert dir %1$s must be accessible to = all users. 
As root, run: chown root.root; chmod 0755 %2$s"), - LIBVIRT_PKI_DIR, LIBVIRT_PKI_DIR); - - FILE_REQUIRE_EXISTS(scope, - LIBVIRT_KEY_DIR, - _("Checking if system key dir exists"), - _("The system key dir %1$s is usually installed as= part of the libvirt package"), - LIBVIRT_KEY_DIR); - - FILE_REQUIRE_ACCESS(scope, - LIBVIRT_KEY_DIR, - _("Checking system key dir access"), - 0, 0, 0755, - _("The system key dir %1$s must be accessible to a= ll users. As root, run: chown root.root; chmod 0755 %2$s"), - LIBVIRT_KEY_DIR, LIBVIRT_PKI_DIR); + if (system) { + virNetTLSConfigSystemTrust(&cacert, + &cacrl); + virNetTLSConfigSystemIdentity(isServer, + &cert, + &key); + + FILE_REQUIRE_EXISTS(scope, + LIBVIRT_CERT_DIR, + _("Checking if system cert dir exists"), + _("The system cert dir %1$s is usually install= ed as part of the libvirt package"), + LIBVIRT_CERT_DIR); + + FILE_REQUIRE_ACCESS(scope, + LIBVIRT_CERT_DIR, + _("Checking system cert dir access"), + 0, 0, 0755, + _("The system cert dir %1$s must be accessible= to all users. As root, run: chown root.root; chmod 0755 %2$s"), + LIBVIRT_PKI_DIR, LIBVIRT_PKI_DIR); + + FILE_REQUIRE_EXISTS(scope, + LIBVIRT_KEY_DIR, + _("Checking if system key dir exists"), + _("The system key dir %1$s is usually installe= d as part of the libvirt package"), + LIBVIRT_KEY_DIR); + + FILE_REQUIRE_ACCESS(scope, + LIBVIRT_KEY_DIR, + _("Checking system key dir access"), + 0, 0, 0755, + _("The system key dir %1$s must be accessible = to all users. As root, run: chown root.root; chmod 0755 %2$s"), + LIBVIRT_KEY_DIR, LIBVIRT_PKI_DIR); + } else if (path) { + virNetTLSConfigCustomTrust(path, + &cacert, + &cacrl); + virNetTLSConfigCustomIdentity(path, + isServer, + &cert, + &key); + } else { + virNetTLSConfigUserTrust(&cacert, + &cacrl); + virNetTLSConfigUserIdentity(isServer, + &cert, + &key); + } =20 FILE_REQUIRE_EXISTS(scope, key, 
@@ -160,14 +222,25 @@ virPKIValidateIdentity(bool isServer) _("The machine cannot act as a client. See https:/= /libvirt.org/kbase/tlscerts.html#issuing-client-certificates on how to rege= nerate %1$s"), key); =20 - FILE_REQUIRE_ACCESS(scope, - key, - _("Checking key access"), - 0, 0, isServer ? 0600 : 0644, - isServer ? - _("The server key %1$s must not be accessible to u= nprivileged users. As root run: chown root.root %2$s; chmod 0600 %3$s") : - _("The client key %1$s must be accessible to all u= sers. As root run: chown root.root %2$s; chmod 0644 %3$s"), - key, key, key); + if (system) { + FILE_REQUIRE_ACCESS(scope, + key, + _("Checking key access"), + 0, 0, isServer ? 0600 : 0644, + isServer ? + _("The server key %1$s must not be accessible = to unprivileged users. As root run: chown root.root %2$s; chmod 0600 %3$s")= : + _("The client key %1$s must be accessible to a= ll users. As root run: chown root.root %2$s; chmod 0644 %3$s"), + key, key, key); + } else { + FILE_REQUIRE_ACCESS(scope, + key, + _("Checking key access"), + getuid(), getgid(), 0600, + isServer ? + _("The server key %1$s must be not be accessib= le to other users. As this user, run: chown %2$d.%3$d %4$s; chmod 0600 %5$s= ") : + _("The client key %1$s must be not be accessib= le to other users. As this user, run: chown %2$d.%3$d %4$s; chmod 0600 %5$s= "), + key, getuid(), getgid(), key, key); + } =20 FILE_REQUIRE_EXISTS(scope, cert, 
@@ -177,14 +250,25 @@ virPKIValidateIdentity(bool isServer) _("The machine cannot act as a client. See https:/= /libvirt.org/kbase/tlscerts.html#issuing-client-certificates on how to rege= nerate %1$s"), cert); =20 - FILE_REQUIRE_ACCESS(scope, - cert, - _("Checking cert access"), - 0, 0, 0644, - isServer ? - _("The server cert %1$s must be accessible to all = users. As root run: chown root.root %2$s; chmod 0644 %3$s") : - _("The client cert %1$s must be accessible to all = users. As root run: chown root.root %2$s; chmod 0644 %3$s"), - cert, cert, cert); + if (system) { + FILE_REQUIRE_ACCESS(scope, + cert, + _("Checking cert access"), + 0, 0, 0644, + isServer ? + _("The server cert %1$s must be accessible to = all users. As root run: chown root.root %2$s; chmod 0644 %3$s") : + _("The client cert %1$s must be accessible to = all users. As root run: chown root.root %2$s; chmod 0644 %3$s"), + cert, cert, cert); + } else { + FILE_REQUIRE_ACCESS(scope, + cert, + _("Checking cert access"), + getuid(), getgid(), 0600, + isServer ? + _("The server cert %1$s must be restricted to = this user. As this user, run: chown %2$d.%3$d %4$s; chmod 0600 %5$s") : + _("The client cert %1$s must be restricted to = this user. As this user, run: chown %2$d.%3$d %4$s; chmod 0600 %5$s"), + cert, getuid(), getgid(), cert, cert); + } =20 virValidateCheck(scope, "%s", _("Checking cert properties")); =20 @@ -239,6 +323,9 @@ print_usage(const char *progname, "Validate TLS certificate configuration\n" "\n" "options:\n" + " -s | --system validate system certificates (default)\= n" + " -u | --user validate user certificates\n" + " -p DIR | --path DIR validate custom certificate path\n" " -h | --help display this help and exit\n" " -v | --version output version information and exit\n"), progname); 
@@ -247,6 +334,9 @@ print_usage(const char *progname, int main(int argc, char **argv) { const char *scope =3D NULL; + bool system =3D false; + bool user =3D false; + const char *path =3D NULL; bool quiet =3D false; int arg =3D 0; bool ok =3D true; @@ -254,6 +344,9 @@ int main(int argc, char **argv) struct option opt[] =3D { { "help", no_argument, NULL, 'h' }, { "version", no_argument, NULL, 'v' }, + { "system", no_argument, NULL, 's' }, + { "user", no_argument, NULL, 'u' }, + { "path", required_argument, NULL, 'p' }, { NULL, 0, NULL, 0 }, }; =20 @@ -262,6 +355,18 @@ int main(int argc, char **argv) =20 while ((arg =3D getopt_long(argc, argv, "hvsup:", opt, NULL)) !=3D -1)= { switch (arg) { + case 's': + system =3D true; + break; + + case 'u': + user =3D true; + break; + + case 'p': + path =3D optarg; + break; + case 'v': printf("%s\n", PACKAGE_VERSION); return EXIT_SUCCESS; @@ -292,14 +397,24 @@ int main(int argc, char **argv) =20 virValidateSetQuiet(quiet); =20 + if ((system && user) || + (system && path) || + (user && path)) { + g_printerr("--system, --user & --path are mutually exclusive\n"); + return EXIT_FAILURE; + } + + if (!system && !user && !path) + system =3D true; + if ((!scope || g_str_equal(scope, "trust")) && - !virPKIValidateTrust()) + !virPKIValidateTrust(system, path)) ok =3D false; if ((!scope || g_str_equal(scope, "server")) && - !virPKIValidateIdentity(true)) + !virPKIValidateIdentity(true, system, path)) ok =3D false; if ((!scope || g_str_equal(scope, "client")) && - !virPKIValidateIdentity(false)) + !virPKIValidateIdentity(false, system, path)) ok =3D false; =20 if (!ok) --=20 2.43.0
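Review bot: the manpage hunk (docs/manpages/virt-pki-validate.rst) documents the new positional argument but not the new `-s`/`--system`, `-u`/`--user` and `-p DIR`/`--path DIR` options that the print_usage() hunk advertises, so the OPTIONS section should gain an entry for each. The retained sentence "It should be run as root to ensure it can read all the necessary files" also needs qualifying: in the user and custom-path modes the expected owner is taken from getuid()/getgid(), so running those modes as root would report ownership failures for files correctly owned by the user; they have to be run as the user whose certificates are being checked.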
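Review bot: in the virPKIValidateTrust() CA-cert access hunk, the non-system branch tells the user "As this user, run: chown %2$d.%3$d %4$s", but an unprivileged user cannot chown a file they do not already own, so the hint cannot be followed in exactly the case where the ownership check fails; the same wording is used for the base-dir checks in the user and custom-path branches. Suggest advising "As root, run: chown ..." for the ownership fix, or emitting only the chmod part when ownership is already correct.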
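Review bot: in the virPKIValidateIdentity() hunk, the two system-branch FILE_REQUIRE_ACCESS calls for LIBVIRT_CERT_DIR and LIBVIRT_KEY_DIR pass LIBVIRT_PKI_DIR as the `%2$s` argument (`LIBVIRT_PKI_DIR, LIBVIRT_PKI_DIR` and `LIBVIRT_KEY_DIR, LIBVIRT_PKI_DIR`), so the suggested `chmod 0755` names the wrong directory; since these lines are being re-indented anyway, pass `LIBVIRT_CERT_DIR, LIBVIRT_CERT_DIR` and `LIBVIRT_KEY_DIR, LIBVIRT_KEY_DIR`. The new custom-path and user branches also perform no existence or permission check on the base directory, unlike the system branch; because main() skips virPKIValidateTrust() when the positional argument is `server` or `client`, those invocations never verify that the base dir exists, is 0700 and is owned by the user, so either repeat the base-dir checks here or move them into a helper that both functions call.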
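Review bot: in the key-access hunk of virPKIValidateIdentity(), both new non-system messages read "must be not be accessible to other users"; change the server and client strings to "must not be accessible to other users".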