From: "Daniel P. Berrange" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: qemu-block@nongnu.org
Subject: [Qemu-devel] [PATCH WIP 02/30] crypto: add support for loading encrypted x509 keys
Date: Fri, 20 Nov 2015 18:04:02 +0000 [thread overview]
Message-ID: <1448042670-17433-3-git-send-email-berrange@redhat.com> (raw)
In-Reply-To: <1448042670-17433-1-git-send-email-berrange@redhat.com>
Make use of the QCryptoSecret object to support loading of
encrypted x509 keys. The optional 'passwordid' parameter
to the tls-creds-x509 object type, provides the ID of a
secret object instance that holds the decryption password
for the PEM file.
# echo "123456" > mypasswd.txt
# $QEMU \
-object secret,id=sec0,filename=mypasswd.txt \
-object tls-creds-x509,passwordid=sec0,id=creds0,\
dir=/home/berrange/.pki/qemu,endpoint=server \
-vnc :1,tls-creds=creds0
This requires QEMU to be linked to GNUTLS >= 3.1.11. If
GNUTLS is too old an error will be reported if an attempt
is made to pass a decryption password.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
crypto/tlscredsx509.c | 47 +++++++++++++++++++++++++++++++++++++++++++
include/crypto/tlscredsx509.h | 1 +
qemu-options.hx | 8 +++++++-
3 files changed, 55 insertions(+), 1 deletion(-)
diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c
index d080deb..00bb299 100644
--- a/crypto/tlscredsx509.c
+++ b/crypto/tlscredsx509.c
@@ -20,6 +20,7 @@
#include "crypto/tlscredsx509.h"
#include "crypto/tlscredspriv.h"
+#include "crypto/secret.h"
#include "qom/object_interfaces.h"
#include "trace.h"
@@ -606,9 +607,29 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds,
}
if (cert != NULL && key != NULL) {
+#if GNUTLS_VERSION_NUMBER >= 0x030111
+ char *password = NULL;
+ if (creds->passwordid) {
+ password = qcrypto_secret_lookup_as_utf8(creds->passwordid,
+ errp);
+ if (!password) {
+ goto cleanup;
+ }
+ }
+ ret = gnutls_certificate_set_x509_key_file2(creds->data,
+ cert, key,
+ GNUTLS_X509_FMT_PEM,
+ password,
+ 0);
+#else /* GNUTLS_VERSION_NUMBER < 0x030111 */
+ if (creds->passwordid) {
+ error_setg(errp, "PKCS8 decryption requires GNUTLS >= 3.1.11");
+ goto cleanup;
+ }
ret = gnutls_certificate_set_x509_key_file(creds->data,
cert, key,
GNUTLS_X509_FMT_PEM);
+#endif /* GNUTLS_VERSION_NUMBER < 0x030111 */
if (ret < 0) {
error_setg(errp, "Cannot load certificate '%s' & key '%s': %s",
cert, key, gnutls_strerror(ret));
@@ -736,6 +757,27 @@ qcrypto_tls_creds_x509_prop_set_sanity(Object *obj,
}
+static void
+qcrypto_tls_creds_x509_prop_set_passwordid(Object *obj,
+ const char *value,
+ Error **errp G_GNUC_UNUSED)
+{
+ QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
+
+ creds->passwordid = g_strdup(value);
+}
+
+
+static char *
+qcrypto_tls_creds_x509_prop_get_passwordid(Object *obj,
+ Error **errp G_GNUC_UNUSED)
+{
+ QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
+
+ return g_strdup(creds->passwordid);
+}
+
+
static bool
qcrypto_tls_creds_x509_prop_get_sanity(Object *obj,
Error **errp G_GNUC_UNUSED)
@@ -768,6 +810,10 @@ qcrypto_tls_creds_x509_init(Object *obj)
qcrypto_tls_creds_x509_prop_get_sanity,
qcrypto_tls_creds_x509_prop_set_sanity,
NULL);
+ object_property_add_str(obj, "passwordid",
+ qcrypto_tls_creds_x509_prop_get_passwordid,
+ qcrypto_tls_creds_x509_prop_set_passwordid,
+ NULL);
}
@@ -776,6 +822,7 @@ qcrypto_tls_creds_x509_finalize(Object *obj)
{
QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
+ g_free(creds->passwordid);
qcrypto_tls_creds_x509_unload(creds);
}
diff --git a/include/crypto/tlscredsx509.h b/include/crypto/tlscredsx509.h
index b9785fd..25796d7 100644
--- a/include/crypto/tlscredsx509.h
+++ b/include/crypto/tlscredsx509.h
@@ -101,6 +101,7 @@ struct QCryptoTLSCredsX509 {
gnutls_certificate_credentials_t data;
#endif
bool sanityCheck;
+ char *passwordid;
};
diff --git a/qemu-options.hx b/qemu-options.hx
index dd3f7f8..bbf0c13 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -3626,7 +3626,7 @@ expensive operation that consumes random pool entropy, so it is
recommended that a persistent set of parameters be generated
upfront and saved.
-@item -object tls-creds-x509,id=@var{id},endpoint=@var{endpoint},dir=@var{/path/to/cred/dir},verify-peer=@var{on|off}
+@item -object tls-creds-x509,id=@var{id},endpoint=@var{endpoint},dir=@var{/path/to/cred/dir},verify-peer=@var{on|off},passwordid=@var{id}
Creates a TLS anonymous credentials object, which can be used to provide
TLS support on network backends. The @option{id} parameter is a unique
@@ -3653,6 +3653,12 @@ in PEM format, in filenames @var{ca-cert.pem}, @var{ca-crl.pem} (optional),
@var{server-cert.pem} (only servers), @var{server-key.pem} (only servers),
@var{client-cert.pem} (only clients), and @var{client-key.pem} (only clients).
+For the @var{server-key.pem} and @var{client-key.pem} files which
+contain sensitive private keys, it is possible to use an encrypted
+version by providing the @var{passwordid} parameter. This provides
+the ID of a previously created @code{secret} object containing the
+password for decryption.
+
@item -object filter-buffer,id=@var{id},netdev=@var{netdevid},interval=@var{t}[,queue=@var{all|rx|tx}]
Interval @var{t} can't be 0, this filter batches the packet delivery: all
--
2.5.0
next prev parent reply other threads:[~2015-11-20 18:04 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-20 18:04 [Qemu-devel] [PATCH WIP 00/30] Support for full disk encryption Daniel P. Berrange
2015-11-20 18:04 ` [Qemu-devel] [PATCH WIP 01/30] crypto: add QCryptoSecret object class for password/key handling Daniel P. Berrange
2015-11-20 22:09 ` Eric Blake
2015-11-23 12:33 ` Daniel P. Berrange
2015-11-23 13:39 ` Markus Armbruster
2015-11-23 14:43 ` Daniel P. Berrange
2015-11-20 18:04 ` Daniel P. Berrange [this message]
2015-11-20 18:04 ` [Qemu-devel] [PATCH WIP 03/30] qcow: add a 'keyid' parameter to qcow options Daniel P. Berrange
2015-11-20 18:04 ` [Qemu-devel] [PATCH WIP 04/30] qcow2: add a 'keyid' parameter to qcow2 options Daniel P. Berrange
2015-11-20 22:15 ` Eric Blake
2015-11-23 12:40 ` Daniel P. Berrange
2015-11-20 18:04 ` [Qemu-devel] [PATCH WIP 05/30] qom: add user_creatable_add & user_creatable_del methods Daniel P. Berrange
2015-11-20 18:04 ` [Qemu-devel] [PATCH WIP 06/30] qemu-img: add support for --object command line arg Daniel P. Berrange
2015-11-20 18:04 ` [Qemu-devel] [PATCH WIP 07/30] qemu-nbd: " Daniel P. Berrange
2015-11-20 18:04 ` [Qemu-devel] [PATCH WIP 08/30] qemu-io: " Daniel P. Berrange
2015-11-20 18:04 ` [Qemu-devel] [PATCH WIP 09/30] qemu-io: allow specifying image as a set of options args Daniel P. Berrange
2015-11-20 18:04 ` [Qemu-devel] [PATCH WIP 10/30] qemu-nbd: " Daniel P. Berrange
2015-11-20 18:04 ` [Qemu-devel] [PATCH WIP 11/30] qemu-img: " Daniel P. Berrange
2015-11-20 18:04 ` [Qemu-devel] [PATCH WIP 12/30] block: rip out all traces of password prompting Daniel P. Berrange
2015-11-20 18:04 ` [Qemu-devel] [PATCH WIP 13/30] block: remove all encryption handling APIs Daniel P. Berrange
2015-11-20 18:04 ` [Qemu-devel] [PATCH WIP 14/30] block: remove support for writing to qcow/qcow2 encrypted images Daniel P. Berrange
2015-11-20 18:04 ` [Qemu-devel] [PATCH WIP 15/30] qcow2: make qcow2_encrypt_sectors encrypt in place Daniel P. Berrange
2015-11-20 18:04 ` [Qemu-devel] [PATCH WIP 16/30] crypto: add ability to query the cipher key, block & IV lens Daniel P. Berrange
2015-11-20 18:04 ` [Qemu-devel] [PATCH WIP 17/30] crypto: add method for querying hash digest size Daniel P. Berrange
2015-11-20 18:04 ` [Qemu-devel] [PATCH WIP 18/30] crypto: move QCryptoHashAlgorithm enum definition into QAPI Daniel P. Berrange
2015-11-20 18:04 ` [Qemu-devel] [PATCH WIP 19/30] crypto: move QCryptoCipherAlgorithm/Mode enum definitions " Daniel P. Berrange
2015-11-20 18:04 ` [Qemu-devel] [PATCH WIP 20/30] crypto: ensure qapi/crypto.json is listed in qapi-modules Daniel P. Berrange
2015-11-20 18:04 ` [Qemu-devel] [PATCH WIP 21/30] crypto: add cryptographic random byte source Daniel P. Berrange
2015-11-20 18:04 ` [Qemu-devel] [PATCH WIP 22/30] crypto: add support for PBKDF2 algorithm Daniel P. Berrange
2015-11-20 18:04 ` [Qemu-devel] [PATCH WIP 23/30] crypto: add support for generating initialization vectors Daniel P. Berrange
2015-11-20 18:04 ` [Qemu-devel] [PATCH WIP 24/30] crypto: add support for anti-forensic split algorithm Daniel P. Berrange
2015-11-20 18:04 ` [Qemu-devel] [PATCH WIP 25/30] crypto: fix transposed arguments in cipher error message Daniel P. Berrange
2015-11-20 18:04 ` [Qemu-devel] [PATCH WIP 26/30] crypto: add block encryption framework Daniel P. Berrange
2015-11-20 18:04 ` [Qemu-devel] [PATCH WIP 27/30] crypto: implement the LUKS block encryption format Daniel P. Berrange
2015-11-20 18:04 ` [Qemu-devel] [PATCH WIP 28/30] block: add generic full disk encryption driver Daniel P. Berrange
2015-11-20 18:04 ` [Qemu-devel] [PATCH WIP 29/30] qcow2: convert QCow2 to use QCryptoBlock for encryption Daniel P. Berrange
2015-11-20 18:04 ` [Qemu-devel] [PATCH WIP 30/30] qcow2: add LUKS full disk encryption support Daniel P. Berrange
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1448042670-17433-3-git-send-email-berrange@redhat.com \
--to=berrange@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.