From nobody Thu Sep 19 01:09:40 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1717770855563767.3912273404773; Fri, 7 Jun 2024 07:34:15 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id F3D3F2577; Fri, 7 Jun 2024 10:34:13 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id F25F82471; Fri, 7 Jun 2024 10:26:42 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 7009523C0; Fri, 7 Jun 2024 10:26:33 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id D10212372 for ; Fri, 7 Jun 2024 10:26:27 -0400 (EDT) Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-122-Bvj3hau7MJurXfFx9sFXTA-1; Fri, 07 Jun 2024 10:26:24 -0400 Received: from smtp.corp.redhat.com (int-mx09.intmail.prod.int.rdu2.redhat.com [10.11.54.9]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 8DC6785A5B5 for ; Fri, 7 Jun 2024 14:26:24 +0000 (UTC) Received: from toolbox.redhat.com (unknown [10.39.193.232]) by smtp.corp.redhat.com (Postfix) with ESMTP id E43EA492BC6; Fri, 7 Jun 2024 14:26:23 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: * X-Spam-Status: No, score=1.9 required=5.0 tests=DKIM_INVALID,DKIM_SIGNED, HEADER_FROM_DIFFERENT_DOMAINS,LOTS_OF_MONEY,MAILING_LIST_MULTI, MONEY_NOHTML,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL, SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.4 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1717770386; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=b5xzPIC+AW6BNH8u9iSBQO5BcDrA8i4lrrNp8bsl2TM=; b=BKlLmH/mveOzX55VjrzTeQircE044oL2kgZjSL1dd3JV7Jtij/7HY3dpC13l+ZjFwJoFTV l5jFc47BaTQ1TnpjUNai7OfXWMn1zAPj+X+6x1C8O0SERPKKmxcA/GxPBEdx0l8jDERPA1 UuW8ew/fVrzyVEyG0pB7yaSB54fcE6Y= X-MC-Unique: Bvj3hau7MJurXfFx9sFXTA-1 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: devel@lists.libvirt.org Cc: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Subject: [PATCH 8/9] tools: reimplement virt-pki-validate in C Date: Fri, 7 Jun 2024 15:26:15 +0100 Message-ID: <20240607142616.749339-9-berrange@redhat.com> In-Reply-To: <20240607142616.749339-1-berrange@redhat.com> References: <20240607142616.749339-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.9 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable Message-ID-Hash: YLIATJK75IXY57QIJXPR5SWT4BICOSM4 X-Message-ID-Hash: YLIATJK75IXY57QIJXPR5SWT4BICOSM4 X-MailFrom: berrange@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZM-MESSAGEID: 1717770857477100001 Content-Type: text/plain; charset="utf-8" The virt-pki-validate tool is currently a shell script. We have a general goal of eliminating use of shell in the project. By doing a new implementation in C, we can also make use of our more thorough sanity checking code to validate the certificate setup. This new implementation the same output format as the host validation tool for a more consistent user experiance. It also eliminates the requirement to have certtool installed on libvirt hosts, which has been an issue for Fedora flatpak packages since certtool isn't in the default platform runtime. Signed-off-by: Daniel P. Berrang=C3=A9 --- docs/manpages/virt-pki-validate.rst | 4 +- libvirt.spec.in | 2 - po/POTFILES | 1 + tools/meson.build | 30 ++- tools/virt-pki-validate.c | 309 ++++++++++++++++++++++++++++ tools/virt-pki-validate.in | 295 -------------------------- 6 files changed, 337 insertions(+), 304 deletions(-) create mode 100644 tools/virt-pki-validate.c delete mode 100644 tools/virt-pki-validate.in diff --git a/docs/manpages/virt-pki-validate.rst b/docs/manpages/virt-pki-v= alidate.rst index 53d5fbe269..cf17bad790 100644 --- a/docs/manpages/virt-pki-validate.rst +++ b/docs/manpages/virt-pki-validate.rst @@ -48,7 +48,7 @@ failure a non-zero status will be set. AUTHOR =3D=3D=3D=3D=3D=3D =20 -Daniel Veillard +Daniel Veillard, Daniel P. Berrang=C3=A9 =20 =20 BUGS @@ -70,7 +70,7 @@ Alternatively, you may report bugs to your software distr= ibutor / vendor. COPYRIGHT =3D=3D=3D=3D=3D=3D=3D=3D=3D =20 -Copyright (C) 2006-2012 by Red Hat, Inc. +Copyright (C) 2006-2024 by Red Hat, Inc. =20 =20 LICENSE diff --git a/libvirt.spec.in b/libvirt.spec.in index 244e5e824c..2570c2458a 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -1032,8 +1032,6 @@ capabilities of VirtualBox %package client Summary: Client side utilities of the libvirt library Requires: libvirt-libs =3D %{version}-%{release} -# Needed by virt-pki-validate script. -Requires: gnutls-utils =20 # Ensure smooth upgrades Obsoletes: libvirt-bash-completion < 7.3.0 diff --git a/po/POTFILES b/po/POTFILES index cb73d07904..4bfbb91164 100644 --- a/po/POTFILES +++ b/po/POTFILES @@ -391,6 +391,7 @@ tools/virt-host-validate-qemu.c tools/virt-host-validate.c tools/virt-login-shell-helper.c tools/virt-pki-query-dn.c +tools/virt-pki-validate.c tools/virt-validate-common.c tools/vsh-table.c tools/vsh.c diff --git a/tools/meson.build b/tools/meson.build index feb6b7c3ad..a58f5d4175 100644 --- a/tools/meson.build +++ b/tools/meson.build @@ -255,13 +255,33 @@ configure_file( install_mode: 'rwxr-xr-x', ) =20 -configure_file( - input: 'virt-pki-validate.in', - output: '@BASENAME@', - configuration: tools_conf, +executable( + 'virt-pki-validate', + tlsconfig_sources + [ + 'virt-validate-common.c', + 'virt-pki-validate.c', + ], + dependencies: [ + glib_dep, + gnutls_dep, + ], + include_directories: [ + libvirt_inc, + src_inc_dir, + top_inc_dir, + util_inc_dir, + rpc_inc_dir, + ], + link_args: ( + libvirt_relro + + libvirt_no_indirect + + libvirt_no_undefined + ), + link_with: [ + libvirt_lib + ], install: true, install_dir: bindir, - install_mode: 'rwxr-xr-x', ) =20 executable( diff --git a/tools/virt-pki-validate.c b/tools/virt-pki-validate.c new file mode 100644 index 0000000000..556664dd29 --- /dev/null +++ b/tools/virt-pki-validate.c @@ -0,0 +1,309 @@ +/* + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include +#include "internal.h" + +#include +#include +#include + +#include +#include + +#include "virgettext.h" +#include "virfile.h" +#include "virnettlsconfig.h" +#include "virnettlscert.h" +#include "virutil.h" +#include "virt-validate-common.h" + +static bool +virPKIValidateFile(const char *file, + uid_t owner, + gid_t group, + mode_t mode) +{ + struct stat sb; + if (stat(file, &sb) < 0) + return false; + + if (sb.st_uid !=3D owner || + sb.st_gid !=3D group) + return false; + + return (sb.st_mode & 0777) =3D=3D mode; +} + +#define FILE_REQUIRE_EXISTS(scope, path, message, hint, ...) \ + do { \ + virValidateCheck(scope, "%s", message); \ + if (!virFileExists(path)) { \ + virValidateFail(VIR_VALIDATE_FAIL, hint, __VA_ARGS__); \ + ok =3D false; \ + goto done; \ + } else { \ + virValidatePass(); \ + } \ + } while (0) + +#define FILE_REQUIRE_ACCESS(scope, path, message, uid, gid, mode, hint, ..= .) \ + do { \ + virValidateCheck(scope, "%s", message); \ + if (!virPKIValidateFile(path, uid, gid, mode)) { \ + virValidateFail(VIR_VALIDATE_FAIL, hint, __VA_ARGS__); \ + ok =3D false; \ + } else { \ + virValidatePass(); \ + } \ + } while (0) + +static bool +virPKIValidateTrust(void) +{ + g_autofree char *cacert =3D NULL, *cacrl =3D NULL; + bool ok =3D true; + + virNetTLSConfigSystemTrust(&cacert, + &cacrl); + + FILE_REQUIRE_EXISTS("TRUST", + LIBVIRT_PKI_DIR, + _("Checking if system PKI dir exists"), + _("The system PKI dir %1$s is usually installed as= part of the base filesystem or openssl packages"), + LIBVIRT_PKI_DIR); + + FILE_REQUIRE_ACCESS("TRUST", + LIBVIRT_PKI_DIR, + _("Checking system PKI dir access"), + 0, 0, 0755, + _("The system PKI dir %1$s must be accessible to a= ll users. As root, run: chown root.root; chmod 0755 %2$s"), + LIBVIRT_PKI_DIR, LIBVIRT_PKI_DIR); + + + FILE_REQUIRE_EXISTS("TRUST", + LIBVIRT_CACERT_DIR, + _("Checking if system CA dir exists"), + _("The system CA dir %1$s is usually installed as = part of the base filesystem or openssl packages"), + LIBVIRT_CACERT_DIR); + + FILE_REQUIRE_ACCESS("TRUST", + LIBVIRT_CACERT_DIR, + _("Checking system CA dir access"), + 0, 0, 0755, + _("The system CA dir %1$s must be accessible to al= l users. As root, run: chown root.root; chmod 0755 %2$s"), + LIBVIRT_CACERT_DIR, LIBVIRT_CACERT_DIR); + + FILE_REQUIRE_EXISTS("TRUST", + cacert, + _("Checking if CA cert exists"), + _("The machine cannot act as a client or server. S= ee https://libvirt.org/kbase/tlscerts.html#setting-up-a-certificate-authori= ty-ca on how to install %1$s"), + cacert); + + FILE_REQUIRE_ACCESS("TRUST", + cacert, + _("Checking CA cert access"), + 0, 0, 0644, + _("The CA certificate %1$s must be accessible to a= ll users. As root run: chown root.root %2$s; chmod 0644 %3$s"), + cacert, cacert, cacert); + + done: + return ok; +} + +static bool +virPKIValidateIdentity(bool isServer) +{ + g_autofree char *cacert =3D NULL, *cacrl =3D NULL; + g_autofree char *cert =3D NULL, *key =3D NULL; + bool ok =3D true; + const char *scope =3D isServer ? "SERVER" : "CLIENT"; + + virNetTLSConfigSystemTrust(&cacert, + &cacrl); + virNetTLSConfigSystemIdentity(isServer, + &cert, + &key); + + FILE_REQUIRE_EXISTS(scope, + LIBVIRT_CERT_DIR, + _("Checking if system cert dir exists"), + _("The system cert dir %1$s is usually installed a= s part of the libvirt package"), + LIBVIRT_CERT_DIR); + + FILE_REQUIRE_ACCESS(scope, + LIBVIRT_CERT_DIR, + _("Checking system cert dir access"), + 0, 0, 0755, + _("The system cert dir %1$s must be accessible to = all users. As root, run: chown root.root; chmod 0755 %2$s"), + LIBVIRT_PKI_DIR, LIBVIRT_PKI_DIR); + + FILE_REQUIRE_EXISTS(scope, + LIBVIRT_KEY_DIR, + _("Checking if system key dir exists"), + _("The system key dir %1$s is usually installed as= part of the libvirt package"), + LIBVIRT_KEY_DIR); + + FILE_REQUIRE_ACCESS(scope, + LIBVIRT_KEY_DIR, + _("Checking system key dir access"), + 0, 0, 0755, + _("The system key dir %1$s must be accessible to a= ll users. As root, run: chown root.root; chmod 0755 %2$s"), + LIBVIRT_KEY_DIR, LIBVIRT_PKI_DIR); + + FILE_REQUIRE_EXISTS(scope, + key, + _("Checking if key exists"), + isServer ? + _("The machine cannot act as a server. See https:/= /libvirt.org/kbase/tlscerts.html#issuing-server-certificates on how to rege= nerate %1$s") : + _("The machine cannot act as a client. See https:/= /libvirt.org/kbase/tlscerts.html#issuing-client-certificates on how to rege= nerate %1$s"), + key); + + FILE_REQUIRE_ACCESS(scope, + key, + _("Checking key access"), + 0, 0, isServer ? 0600 : 0644, + isServer ? + _("The server key %1$s must not be accessible to u= nprivileged users. As root run: chown root.root %2$s; chmod 0600 %3$s") : + _("The client key %1$s must be accessible to all u= sers. As root run: chown root.root %2$s; chmod 0644 %3$s"), + key, key, key); + + FILE_REQUIRE_EXISTS(scope, + cert, + _("Checking if cert exists"), + isServer ? + _("The machine cannot act as a server. See https:/= /libvirt.org/kbase/tlscerts.html#issuing-server-certificates on how to rege= nerate %1$s") : + _("The machine cannot act as a client. See https:/= /libvirt.org/kbase/tlscerts.html#issuing-client-certificates on how to rege= nerate %1$s"), + cert); + + FILE_REQUIRE_ACCESS(scope, + cert, + _("Checking cert access"), + 0, 0, 0644, + isServer ? + _("The server cert %1$s must be accessible to all = users. As root run: chown root.root %2$s; chmod 0644 %3$s") : + _("The client cert %1$s must be accessible to all = users. As root run: chown root.root %2$s; chmod 0644 %3$s"), + cert, cert, cert); + + virValidateCheck(scope, "%s", _("Checking cert properties")); + + if (virNetTLSCertSanityCheck(isServer, + cacert, + cert) < 0) { + virValidateFail(VIR_VALIDATE_FAIL, "%s", + virGetLastErrorMessage()); + ok =3D false; + } else { + virValidatePass(); + } + + if (isServer) { + gnutls_x509_crt_t crt; + + virValidateCheck(scope, "%s", _("Checking cert hostname match")); + + if (!(crt =3D virNetTLSCertLoadFromFile(cert, true))) { + virValidateFail(VIR_VALIDATE_FAIL, + _("Unable to load %1$s: %2$s"), + cert, virGetLastErrorMessage()); + } else { + g_autofree char *hostname =3D virGetHostname(); + int ret =3D gnutls_x509_crt_check_hostname(crt, hostname); + gnutls_x509_crt_deinit(crt); + if (!ret) { + /* Only warning, since there can be valid reasons for mis-= match */ + virValidateFail(VIR_VALIDATE_WARN, + _("Certificate %1$s owner does not match t= he hostname %2$s"), + cert, hostname); + ok =3D false; + } else { + virValidatePass(); + } + } + } + + done: + return ok; +} + + +static void +print_usage(const char *progname, + FILE *out) +{ + fprintf(out, + _("Usage:\n" + " %1$s { -v | -h } [TRUST|SERVER|CLIENT]\n" + "\n" + "Validate TLS certificate configuration\n" + "\n" + "options:\n" + " -h | --help display this help and exit\n" + " -v | --version output version information and exit\n"), + progname); +} + +int main(int argc, char **argv) +{ + const char *scope =3D NULL; + bool quiet =3D false; + int arg =3D 0; + bool ok =3D true; + const char *progname =3D argv[0]; + struct option opt[] =3D { + { "help", no_argument, NULL, 'h' }, + { "version", no_argument, NULL, 'v' }, + { NULL, 0, NULL, 0 }, + }; + + if (virGettextInitialize() < 0) + return EXIT_FAILURE; + + while ((arg =3D getopt_long(argc, argv, "hvsup:", opt, NULL)) !=3D -1)= { + switch (arg) { + case 'v': + printf("%s\n", PACKAGE_VERSION); + return EXIT_SUCCESS; + + case 'h': + print_usage(progname, stdout); + return EXIT_SUCCESS; + + case 'q': + quiet =3D true; + break; + + case '?': + default: + print_usage(progname, stderr); + return EXIT_FAILURE; + } + } + + if ((argc - optind) > 2) { + fprintf(stderr, _("%1$s: too many command line arguments\n"), argv= [0]); + print_usage(progname, stderr); + return EXIT_FAILURE; + } + + if (argc > 1) + scope =3D argv[optind]; + + virValidateSetQuiet(quiet); + + if ((!scope || g_str_equal(scope, "trust")) && + !virPKIValidateTrust()) + ok =3D false; + if ((!scope || g_str_equal(scope, "server")) && + !virPKIValidateIdentity(true)) + ok =3D false; + if ((!scope || g_str_equal(scope, "client")) && + !virPKIValidateIdentity(false)) + ok =3D false; + + if (!ok) + return EXIT_FAILURE; + + return EXIT_SUCCESS; +} diff --git a/tools/virt-pki-validate.in b/tools/virt-pki-validate.in deleted file mode 100644 index c77daa9862..0000000000 --- a/tools/virt-pki-validate.in +++ /dev/null @@ -1,295 +0,0 @@ -#!/bin/sh -# -# This shell script checks the TLS certificates and options needed -# for the secure client/server support of libvirt as documented at -# https://libvirt.org/kbase/tlscerts.html -# -# Copyright (C) 2009-2013 Red Hat, Inc. -# -# This library is free software; you can redistribute it and/or -# modify it under the terms of the GNU Lesser General Public -# License as published by the Free Software Foundation; either -# version 2.1 of the License, or (at your option) any later version. -# -# This library is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public -# License along with this library. If not, see -# . -# -# Daniel Veillard -# - -case $1 in - -h | --h | --he | --hel | --help) - cat <&2 - exit 1 ;; -esac - -if test $# !=3D 0; then - echo "$0: unrecognized argument '$1'" >&2 - exit 1 -fi - -USER=3D`who am i | awk '{ print $1 }'` -SERVER=3D1 -CLIENT=3D1 -PORT=3D16514 -# -# First get certtool -# -CERTOOL=3D`which certtool 2>/dev/null` -if [ ! -x "$CERTOOL" ] -then - echo "Could not locate the certtool program" - echo "make sure the gnutls-utils (or gnutls-bin) package is installed" - exit 1 -fi -echo Found "$CERTOOL" - -# -# Check the directory structure -# -SYSCONFDIR=3D"@sysconfdir@" -PKI=3D"$SYSCONFDIR/pki" -if [ ! -d "$PKI" ] -then - echo the $PKI directory is missing, it is usually - echo installed as part of the filesystem or openssl packages - exit 1 -fi - -if [ ! -r "$PKI" ] -then - echo the $PKI directory is not readable by $USER - echo "as root do: chmod a+rx $PKI" - exit 1 -fi -if [ ! -x "$PKI" ] -then - echo the $PKI directory is not listable by $USER - echo "as root do: chmod a+rx $PKI" - exit 1 -fi - -CA=3D"$PKI/CA" -if [ ! -d "$CA" ] -then - echo the $CA directory is missing, it is usually - echo installed as part of the or openssl package - exit 1 -fi - -if [ ! -r "$CA" ] -then - echo the $CA directory is not readable by $USER - echo "as root do: chmod a+rx $CA" - exit 1 -fi -if [ ! -x "$CA" ] -then - echo the $CA directory is not listable by $USER - echo "as root do: chmod a+rx $CA" - exit 1 -fi - -LIBVIRT=3D"$PKI/libvirt" -if [ ! -d "$LIBVIRT" ] -then - echo the $LIBVIRT directory is missing, it is usually - echo installed by the libvirt package - echo "as root do: mkdir -m 755 $LIBVIRT ; chown root:root $LIBVIRT" - exit 1 -fi - -if [ ! -r "$LIBVIRT" ] -then - echo the $LIBVIRT directory is not readable by $USER - echo "as root do: chown root:root $LIBVIRT ; chmod 755 $LIBVIRT" - exit 1 -fi -if [ ! -x "$LIBVIRT" ] -then - echo the $LIBVIRT directory is not listable by $USER - echo "as root do: chown root:root $LIBVIRT ; chmod 755 $LIBVIRT" - exit 1 -fi - -LIBVIRTP=3D"$LIBVIRT/private" -if [ ! -d "$LIBVIRTP" ] -then - echo the $LIBVIRTP directory is missing, it is usually - echo installed by the libvirt package - echo "as root do: mkdir -m 755 $LIBVIRTP ; chown root:root $LIBVIRTP" - exit 1 -fi - -if [ ! -r "$LIBVIRTP" ] -then - echo the $LIBVIRTP directory is not readable by $USER - echo "as root do: chown root:root $LIBVIRTP ; chmod 755 $LIBVIRTP" - exit 1 -fi -if [ ! -x "$LIBVIRTP" ] -then - echo the $LIBVIRTP directory is not listable by $USER - echo "as root do: chown root:root $LIBVIRTP ; chmod 755 $LIBVIRTP" - exit 1 -fi - -# -# Now check the certificates -# First the CA certificate -# -if [ ! -f "$CA/cacert.pem" ] -then - echo the CA certificate $CA/cacert.pem is missing while it - echo should be installed on both client and servers - echo "see https://libvirt.org/kbase/tlscerts.html#setting-up-a-certifi= cate-authority-ca" - echo on how to install it - exit 1 -fi -if [ ! -r "$CA/cacert.pem" ] -then - echo the CA certificate $CA/cacert.pem is not readable by $USER - echo "as root do: chmod 644 $CA/cacert.pem" - exit 1 -fi -sed_get_org=3D'/Issuer:/ { - s/.*Issuer:.*CN=3D// - s/,.*// - p -}' -ORG=3D`"$CERTOOL" -i --infile "$CA/cacert.pem" | sed -n "$sed_get_org"` -if [ "$ORG" =3D "" ] -then - echo the CA certificate $CA/cacert.pem does not define the organization - echo it should probably regenerated - echo "see https://libvirt.org/kbase/tlscerts.html#setting-up-a-certifi= cate-authority-ca" - echo on how to regenerate it - exit 1 -fi -echo Found CA certificate $CA/cacert.pem for $ORG - -# Second the client certificates - -if [ -f "$LIBVIRT/clientcert.pem" ] -then - if [ ! -r "$LIBVIRT/clientcert.pem" ] - then - echo Client certificate $LIBVIRT/clientcert.pem should be world re= adable - echo "as root do: chown root:root $LIBVIRT/clientcert.pem ; chmod = 644 $LIBVIRT/clientcert.pem" - else - C_ORG=3D`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep S= ubject: | sed 's+.*O=3D\([^,]*\).*+\1+'` - if [ "$ORG" !=3D "$C_ORG" ] - then - echo The CA certificate and the client certificate do not match - echo CA organization: $ORG - echo Client organization: $C_ORG - fi - CLIENT=3D`"$CERTOOL" -i --infile "$LIBVIRT/clientcert.pem" | grep = Subject: | sed 's+.*CN=3D\(.[^,]*\).*+\1+'` - echo Found client certificate $LIBVIRT/clientcert.pem for $CLIENT - if [ ! -e "$LIBVIRTP/clientkey.pem" ] - then - echo Missing client private key $LIBVIRTP/clientkey.pem - else - echo Found client private key $LIBVIRTP/clientkey.pem - OWN=3D`ls -l "$LIBVIRTP/clientkey.pem" | awk '{ print $3 }'` - # The substr($1, 1, 10) gets rid of acl and xattr markers - MOD=3D`ls -l "$LIBVIRTP/clientkey.pem" | awk '{ print substr($= 1, 1, 10) }'` - if [ "$OWN" !=3D "root" ] - then - echo The client private key should be owned by root - echo "as root do: chown root $LIBVIRTP/clientkey.pem" - fi - if [ "$MOD" !=3D "-rw-r--r--" ] - then - echo The client private key need to be read by client tools - echo "as root do: chmod 644 $LIBVIRTP/clientkey.pem" - fi - fi - - fi -else - echo Did not find "$LIBVIRT/clientcert.pem" client certificate - echo The machine cannot act as a client - echo "see https://libvirt.org/kbase/tlscerts.html#issuing-client-certi= ficates" - echo on how to regenerate it - CLIENT=3D0 -fi - -# Third the server certificates - -if [ -f "$LIBVIRT/servercert.pem" ] -then - if [ ! -r "$LIBVIRT/servercert.pem" ] - then - echo Server certificate $LIBVIRT/servercert.pem should be world re= adable - echo "as root do: chown root:root $LIBVIRT/servercert.pem ; chmod = 644 $LIBVIRT/servercert.pem" - else - S_ORG=3D`"$CERTOOL" -i --infile "$LIBVIRT/servercert.pem" | grep S= ubject: | sed 's+.*O=3D\([^,]*\).*+\1+'` - if [ "$ORG" !=3D "$S_ORG" ] - then - echo The CA certificate and the server certificate do not match - echo CA organization: $ORG - echo Server organization: $S_ORG - fi - S_HOST=3D`"$CERTOOL" -i --infile "$LIBVIRT/servercert.pem" | grep = Subject: | sed 's+.*CN=3D\([^,]*\).*+\1+'` - if test "$S_HOST" !=3D "`hostname -s`" && test "$S_HOST" !=3D "`ho= stname`" - then - echo The server certificate does not seem to match the host na= me - echo hostname: '"'`hostname`'"' - echo Server certificate CN: '"'$S_HOST'"' - fi - echo Found server certificate $LIBVIRT/servercert.pem for $S_HOST - if [ ! -e "$LIBVIRTP/serverkey.pem" ] - then - echo Missing server private key $LIBVIRTP/serverkey.pem - else - echo Found server private key $LIBVIRTP/serverkey.pem - OWN=3D`ls -l "$LIBVIRTP/serverkey.pem" | awk '{ print $3 }'` - # The substr($1, 1, 10) gets rid of acl and xattr markers - MOD=3D`ls -l "$LIBVIRTP/serverkey.pem" | awk '{ print substr($= 1, 1, 10) }'` - if [ "$OWN" !=3D "root" ] - then - echo The server private key should be owned by root - echo "as root do: chown root $LIBVIRTP/serverkey.pem" - fi - if [ "$MOD" !=3D "-rw-------" ] - then - echo The server private key need to be read only by root - echo "as root do: chmod 600 $LIBVIRTP/serverkey.pem" - fi - fi - - fi -else - echo Did not find $LIBVIRT/servercert.pem server certificate - echo The machine cannot act as a server - echo "see https://libvirt.org/kbase/tlscerts.html#issuing-server-certi= ficates" - echo on how to regenerate it - SERVER=3D0 -fi - -exit 0 --=20 2.43.0