From nobody Fri Nov 21 10:05:51 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=pass(p=reject dis=none) header.from=lists.libvirt.org ARC-Seal: i=1; a=rsa-sha256; t=1762440974; cv=none; d=zohomail.com; s=zohoarc; b=m5Aw8py1ePjxwYPu70itYzpIIDsBzPe6sQlXVneuR58Fr9GJYcBhBjj1+vc3JOpULKI8Dcg4C0++lwmHc0e9g6WBA6Cq1yTc6LcNEACkVd/2drh7DmNjvoABavdYgYB1Fp7/Njmo1fG4S78HyeNwiIUz8EDfoAm+3oBkHmFY9rA= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1762440974; h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc; bh=U6rN1M84Jv3rrVJYApPeMG1V1JqMOjq0KMYulgCd33E=; b=UMjwWBpRZxgAagu9ePIURGR7fD+1QfWd6yEgG9q2Y0gQJ8uJpSr3NqFj4UUcYyW+qrS1WYJT6hRqVby72PyeB1pYlA/mf1Gz+WsnQKZtxVIXuQPhYnm933LXs8W00MuzoADgxXAYalU/EobbmgJdyEzEIV8q83HrtRP/MlMI5lQ= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=pass header.from= (p=reject dis=none) Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1762440974603945.885815928218; Thu, 6 Nov 2025 06:56:14 -0800 (PST) Received: by lists.libvirt.org (Postfix, from userid 993) id 10DB24420D; Thu, 6 Nov 2025 09:56:14 -0500 (EST) Received: from [172.19.199.29] (lists.libvirt.org [8.43.85.245]) by lists.libvirt.org (Postfix) with ESMTP id A42DE4425B; Thu, 6 Nov 2025 09:52:03 -0500 (EST) Received: by lists.libvirt.org (Postfix, from userid 993) id E6383418F9; Thu, 6 Nov 2025 09:51:02 -0500 (EST) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest SHA256) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id A1A9941988 for ; Thu, 6 Nov 2025 09:51:01 -0500 (EST) Received: from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-370-2HmAZ2V9N7CvSljXnQljCA-1; Thu, 06 Nov 2025 09:51:00 -0500 Received: from mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.111]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 3D83D19539A7 for ; Thu, 6 Nov 2025 14:50:58 +0000 (UTC) Received: from toolbx.redhat.com (unknown [10.42.28.39]) by mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 2F2C3180049F; Thu, 6 Nov 2025 14:50:57 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-5.0 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED, RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable autolearn_force=no version=4.0.1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1762440661; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=U6rN1M84Jv3rrVJYApPeMG1V1JqMOjq0KMYulgCd33E=; b=bSeW6WWZgymMHfH4fTlebMs6JPm8eXXmftjs08wH5EGeqlFGu+g23tDD2Lz+EGiZNwd4tQ m/Ckm6LvrJTwSNoxcyRi9cpbnt7L0/UBxd7T7KE0/Bdrv1cENnXd8LUnOEehtPwBisI1Gv VuYjMrdoNWtxBjGMt0QXSU73DP6E8ZU= X-MC-Unique: 2HmAZ2V9N7CvSljXnQljCA-1 X-Mimecast-MFC-AGG-ID: 2HmAZ2V9N7CvSljXnQljCA_1762440658 To: devel@lists.libvirt.org Subject: [PATCH 04/10] rpc: add support for loading multiple certs & keys Date: Thu, 6 Nov 2025 14:50:44 +0000 Message-ID: <20251106145050.1851526-5-berrange@redhat.com> In-Reply-To: <20251106145050.1851526-1-berrange@redhat.com> References: <20251106145050.1851526-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.111 X-Mimecast-Spam-Score: 0 X-Mimecast-MFC-PROC-ID: h31e2dCFqrIRpTkKxSJkSzzWDS8yMteg2vZt8w4wop4_1762440658 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-ID-Hash: EER4EFB3Z3X67DXNWKW3U6R7B67AIJQK X-Message-ID-Hash: EER4EFB3Z3X67DXNWKW3U6R7B67AIJQK X-MailFrom: berrange@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; header-match-devel.lists.libvirt.org-0; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: From: =?utf-8?q?Daniel_P=2E_Berrang=C3=A9_via_Devel?= Reply-To: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZM-MESSAGEID: 1762440975665154100 From: Daniel P. Berrang=C3=A9 In the transition to Post-Quantum Cryptography, it will often be desirable to load multiple sets of certificates, some with RSA/ECC and some with MLDSA. This extends the TLS context code to support the loading of many certs, passed as a NULL terminated array. Signed-off-by: Daniel P. Berrang=C3=A9 --- src/libvirt_probes.d | 3 ++- src/remote/remote_daemon.c | 6 +++-- src/rpc/virnettlscontext.c | 51 ++++++++++++++++++++---------------- src/rpc/virnettlscontext.h | 26 +++++++++--------- tests/virnettlscontexttest.c | 10 ++++--- tests/virnettlssessiontest.c | 9 ++++--- 6 files changed, 58 insertions(+), 47 deletions(-) diff --git a/src/libvirt_probes.d b/src/libvirt_probes.d index 6fac10a2bf..d9e75d9797 100644 --- a/src/libvirt_probes.d +++ b/src/libvirt_probes.d @@ -54,7 +54,8 @@ provider libvirt { # file: src/rpc/virnettlscontext.c # prefix: rpc probe rpc_tls_context_new(void *ctxt, const char *cacert, const char *cac= rl, - const char *cert, const char *key, int sanityCheckCert, int requireV= alidCert, int isServer); + const char **cert, const char **keys, + int sanityCheckCert, int requireValidCert, int isServer); probe rpc_tls_context_dispose(void *ctxt); probe rpc_tls_context_session_allow(void *ctxt, void *sess, const char *d= name); probe rpc_tls_context_session_deny(void *ctxt, void *sess, const char *dn= ame); diff --git a/src/remote/remote_daemon.c b/src/remote/remote_daemon.c index 2973813548..e7c8f587c4 100644 --- a/src/remote/remote_daemon.c +++ b/src/remote/remote_daemon.c @@ -327,6 +327,9 @@ daemonSetupNetworking(virNetServer *srv, if (config->ca_file || config->cert_file || config->key_file) { + const char *certs[] =3D { config->cert_file, NULL }; + const char *keys[] =3D { config->key_file, NULL }; + if (!config->ca_file) { virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", _("No CA certificate path set to match serv= er key/cert")); @@ -346,8 +349,7 @@ daemonSetupNetworking(virNetServer *srv, config->ca_file, config->cert_file, config->key_file= ); if (!(ctxt =3D virNetTLSContextNewServer(config->ca_file, config->crl_file, - config->cert_file, - config->key_file, + certs, keys, (const char *const*)con= fig->tls_allowed_dn_list, config->tls_priority, config->tls_no_sanity_c= ertificate ? false : true, diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c index bb9db90dff..5e9c262b48 100644 --- a/src/rpc/virnettlscontext.c +++ b/src/rpc/virnettlscontext.c @@ -115,10 +115,11 @@ static int virNetTLSContextLoadCredentials(virNetTLSC= ontext *ctxt, bool isServer, const char *cacert, const char *cacrl, - const char *cert, - const char *key) + const char *const *certs, + const char *const *keys) { int err; + size_t i; =20 if (cacert && cacert[0] !=3D '\0') { if (virNetTLSContextCheckCertFile("CA certificate", cacert, false)= < 0) @@ -157,29 +158,29 @@ static int virNetTLSContextLoadCredentials(virNetTLSC= ontext *ctxt, } } =20 - if (cert && cert[0] !=3D '\0' && key && key[0] !=3D '\0') { + for (i =3D 0; certs[i] !=3D NULL && keys[i] !=3D NULL; i++) { int rv; - if ((rv =3D virNetTLSContextCheckCertFile("certificate", cert, !is= Server)) < 0) + if ((rv =3D virNetTLSContextCheckCertFile("certificate", certs[i],= !isServer)) < 0) return -1; if (rv =3D=3D 0 && - (rv =3D virNetTLSContextCheckCertFile("private key", key, !isS= erver)) < 0) + (rv =3D virNetTLSContextCheckCertFile("private key", keys[i], = !isServer)) < 0) return -1; =20 if (rv =3D=3D 0) { - VIR_DEBUG("loading cert and key from %s and %s", cert, key); + VIR_DEBUG("loading cert and key from %s and %s", certs[i], key= s[i]); err =3D gnutls_certificate_set_x509_key_file(ctxt->x509cred, - cert, key, + certs[i], keys[i], GNUTLS_X509_FMT_PEM); if (err < 0) { virReportError(VIR_ERR_SYSTEM_ERROR, _("Unable to set x509 key and certificate: = %1$s, %2$s: %3$s"), - key, cert, gnutls_strerror(err)); + keys[i], certs[i], gnutls_strerror(err)); return -1; } } else { VIR_DEBUG("Skipping non-existent cert %s key %s on client", - cert, key); + certs[i], keys[i]); } } =20 @@ -189,8 +190,8 @@ static int virNetTLSContextLoadCredentials(virNetTLSCon= text *ctxt, =20 static virNetTLSContext *virNetTLSContextNew(const char *cacert, const char *cacrl, - const char *cert, - const char *key, + const char *const *certs, + const char *const *keys, const char *const *x509dnACL, const char *priority, bool sanityCheckCert, @@ -199,7 +200,6 @@ static virNetTLSContext *virNetTLSContextNew(const char= *cacert, { virNetTLSContext *ctxt; int err; - const char *certs[] =3D { cert, NULL }; =20 if (virNetTLSContextInitialize() < 0) return NULL; @@ -228,7 +228,8 @@ static virNetTLSContext *virNetTLSContextNew(const char= *cacert, virNetTLSCertSanityCheck(isServer, cacert, certs) < 0) goto error; =20 - if (virNetTLSContextLoadCredentials(ctxt, isServer, cacert, cacrl, cer= t, key) < 0) + if (virNetTLSContextLoadCredentials(ctxt, isServer, cacert, cacrl, + certs, keys) < 0) goto error; =20 ctxt->requireValidCert =3D requireValidCert; @@ -236,8 +237,8 @@ static virNetTLSContext *virNetTLSContextNew(const char= *cacert, ctxt->isServer =3D isServer; =20 PROBE(RPC_TLS_CONTEXT_NEW, - "ctxt=3D%p cacert=3D%s cacrl=3D%s cert=3D%s key=3D%s sanityCheck= Cert=3D%d requireValidCert=3D%d isServer=3D%d", - ctxt, cacert, NULLSTR(cacrl), cert, key, sanityCheckCert, requir= eValidCert, isServer); + "ctxt=3D%p cacert=3D%s cacrl=3D%s cert=3D%p key=3D%p sanityCheck= Cert=3D%d requireValidCert=3D%d isServer=3D%d", + ctxt, cacert, NULLSTR(cacrl), certs, keys, sanityCheckCert, requ= ireValidCert, isServer); =20 return ctxt; =20 @@ -313,12 +314,14 @@ static virNetTLSContext *virNetTLSContextNewPath(cons= t char *pkipath, g_autofree char *cacrl =3D NULL; g_autofree char *key =3D NULL; g_autofree char *cert =3D NULL; + const char *certs[] =3D { cert, NULL }; + const char *keys[] =3D { key, NULL }; =20 if (virNetTLSContextLocateCredentials(pkipath, tryUserPkiPath, isServe= r, &cacert, &cacrl, &cert, &key) < = 0) return NULL; =20 - return virNetTLSContextNew(cacert, cacrl, cert, key, + return virNetTLSContextNew(cacert, cacrl, certs, keys, x509dnACL, priority, sanityCheckCert, requireValidCert, isServer); } @@ -347,14 +350,14 @@ virNetTLSContext *virNetTLSContextNewClientPath(const= char *pkipath, =20 virNetTLSContext *virNetTLSContextNewServer(const char *cacert, const char *cacrl, - const char *cert, - const char *key, + const char *const *certs, + const char *const *keys, const char *const *x509dnACL, const char *priority, bool sanityCheckCert, bool requireValidCert) { - return virNetTLSContextNew(cacert, cacrl, cert, key, x509dnACL, priori= ty, + return virNetTLSContextNew(cacert, cacrl, certs, keys, x509dnACL, prio= rity, sanityCheckCert, requireValidCert, true); } =20 @@ -369,6 +372,7 @@ int virNetTLSContextReloadForServer(virNetTLSContext *c= txt, g_autofree char *cert =3D NULL; g_autofree char *key =3D NULL; const char *certs[] =3D { cert, NULL }; + const char *keys[] =3D { key, NULL }; =20 x509credBak =3D g_steal_pointer(&ctxt->x509cred); =20 @@ -387,7 +391,8 @@ int virNetTLSContextReloadForServer(virNetTLSContext *c= txt, if (virNetTLSCertSanityCheck(true, cacert, certs)) goto error; =20 - if (virNetTLSContextLoadCredentials(ctxt, true, cacert, cacrl, cert, k= ey)) + if (virNetTLSContextLoadCredentials(ctxt, true, cacert, cacrl, + certs, keys)) goto error; =20 gnutls_certificate_free_credentials(x509credBak); @@ -404,13 +409,13 @@ int virNetTLSContextReloadForServer(virNetTLSContext = *ctxt, =20 virNetTLSContext *virNetTLSContextNewClient(const char *cacert, const char *cacrl, - const char *cert, - const char *key, + const char *const *certs, + const char *const *keys, const char *priority, bool sanityCheckCert, bool requireValidCert) { - return virNetTLSContextNew(cacert, cacrl, cert, key, NULL, priority, + return virNetTLSContextNew(cacert, cacrl, certs, keys, NULL, priority, sanityCheckCert, requireValidCert, false); } =20 diff --git a/src/rpc/virnettlscontext.h b/src/rpc/virnettlscontext.h index 11c954ce4b..1e67171e3e 100644 --- a/src/rpc/virnettlscontext.h +++ b/src/rpc/virnettlscontext.h @@ -44,21 +44,21 @@ virNetTLSContext *virNetTLSContextNewClientPath(const c= har *pkipath, bool requireValidCert); =20 virNetTLSContext *virNetTLSContextNewServer(const char *cacert, - const char *cacrl, - const char *cert, - const char *key, - const char *const *x509dnACL, - const char *priority, - bool sanityCheckCert, - bool requireValidCert); + const char *cacrl, + const char *const *certs, + const char *const *keys, + const char *const *x509dnACL, + const char *priority, + bool sanityCheckCert, + bool requireValidCert); =20 virNetTLSContext *virNetTLSContextNewClient(const char *cacert, - const char *cacrl, - const char *cert, - const char *key, - const char *priority, - bool sanityCheckCert, - bool requireValidCert); + const char *cacrl, + const char *const *certs, + const char *const *keys, + const char *priority, + bool sanityCheckCert, + bool requireValidCert); =20 int virNetTLSContextReloadForServer(virNetTLSContext *ctxt, bool tryUserPkiPath); diff --git a/tests/virnettlscontexttest.c b/tests/virnettlscontexttest.c index 48bdefdd76..47675bffd0 100644 --- a/tests/virnettlscontexttest.c +++ b/tests/virnettlscontexttest.c @@ -56,12 +56,14 @@ static int testTLSContextInit(const void *opaque) struct testTLSContextData *data =3D (struct testTLSContextData *)opaqu= e; virNetTLSContext *ctxt =3D NULL; int ret =3D -1; + const char *certs[] =3D { data->crt, NULL }; + const char *keys[] =3D { KEYFILE, NULL }; =20 if (data->isServer) { ctxt =3D virNetTLSContextNewServer(data->cacrt, NULL, - data->crt, - KEYFILE, + certs, + keys, NULL, "NORMAL", true, @@ -69,8 +71,8 @@ static int testTLSContextInit(const void *opaque) } else { ctxt =3D virNetTLSContextNewClient(data->cacrt, NULL, - data->crt, - KEYFILE, + certs, + keys, "NORMAL", true, true); diff --git a/tests/virnettlssessiontest.c b/tests/virnettlssessiontest.c index 459e17c52c..e8d64c7da0 100644 --- a/tests/virnettlssessiontest.c +++ b/tests/virnettlssessiontest.c @@ -81,6 +81,9 @@ static int testTLSSessionInit(const void *opaque) int channel[2]; bool clientShake =3D false; bool serverShake =3D false; + const char *keys[] =3D { KEYFILE, NULL }; + const char *clientcerts[] =3D { data->clientcrt, NULL }; + const char *servercerts[] =3D { data->servercrt, NULL }; =20 =20 /* We'll use this for our fake client-server connection */ @@ -102,8 +105,7 @@ static int testTLSSessionInit(const void *opaque) */ serverCtxt =3D virNetTLSContextNewServer(data->servercacrt, NULL, - data->servercrt, - KEYFILE, + servercerts, keys, data->wildcards, "NORMAL", false, @@ -111,8 +113,7 @@ static int testTLSSessionInit(const void *opaque) =20 clientCtxt =3D virNetTLSContextNewClient(data->clientcacrt, NULL, - data->clientcrt, - KEYFILE, + clientcerts, keys, "NORMAL", false, true); --=20 2.51.1