Re: [PATCH 00/21] crypto: support multiple parallel certificate identities

["Daniel P. Berrangé" <berrange@redhat.com>]

Sorry, this series aborted during mail sending so is incomplete.

See the immediately following re-post for the full set of 21 patches

On Thu, Oct 30, 2025 at 02:47:44PM +0000, Daniel P. Berrangé wrote:
> This series aims to improve the support for post-quantum cryptography
> in TLS connections by allowing  multiple sets of certificates to be
> loaded. The idea is that during a transition period servers will have
> a traditional RSA based certificate in parallel with an MLDSA based
> certificate for PQC, and the right one will be dynamically determined
> during the TLS handshake.
> 
> The first 12 patches are trivial cleanups.
> 
> The next 3 patches fix a potential use-after-free problem
> 
> The last patches introduce support for multiple certificates.
> 
> NB, in terms of testing this will require either CentOS Stream 10,
> or Fedora 43. Most other distros will not support PQC out of the
> box at this time even if they have new enough gnutls, since they
> don't make use of the crypto-policies package which is needed to
> enable PQC by default.
> 
> Daniel P. Berrangé (21):
>   crypto: remove redundant parameter checking CA certs
>   crypto: add missing free of certs array
>   crypto: replace stat() with access() for credential checks
>   crypto: remove redundant access() checks before loading certs
>   crypto: move check for TLS creds 'dir' property
>   crypto: use g_autofree when loading x509 credentials
>   crypto: remove needless indirection via parent_obj field
>   crypto: move release of DH parameters into TLS creds parent
>   crypto: shorten the endpoint == server check in TLS creds
>   crypto: remove duplication loading x509 CA cert
>   crypto: reduce duplication in handling TLS priority strings
>   crypto: introduce method for reloading TLS creds
>   crypto: introduce a wrapper around gnutls credentials
>   crypto: fix lifecycle handling of gnutls credentials objects
>   crypto: make TLS credentials structs private
>   crypto: deprecate use of external dh-params.pem file
>   crypto: avoid loading the CA certs twice
>   crypto: avoid loading the identity certs twice
>   crypto: expand logic to cope with multiple certificate identities
>   crypto: support upto 5 parallel certificate identities
>   docs: creation of x509 certs compliant with post-quantum crypto
> 
>  crypto/meson.build                    |   5 +-
>  crypto/tlscreds.c                     |  77 ++--
>  crypto/tlscredsanon.c                 |  62 +--
>  crypto/tlscredsbox.c                  | 101 +++++
>  crypto/tlscredsbox.h                  |  46 ++
>  crypto/tlscredspriv.h                 |  36 +-
>  crypto/tlscredspsk.c                  |  64 ++-
>  crypto/tlscredsx509.c                 | 592 +++++++++++++++++---------
>  crypto/tlssession.c                   | 139 ++----
>  crypto/trace-events                   |   1 +
>  docs/about/deprecated.rst             |   9 +
>  docs/system/tls.rst                   | 134 +++++-
>  include/crypto/tlscreds.h             |  26 ++
>  include/crypto/tlscredsx509.h         |   6 +
>  tests/unit/test-crypto-tlscredsx509.c |   8 +-
>  ui/vnc.c                              |   9 +-
>  16 files changed, 849 insertions(+), 466 deletions(-)
>  create mode 100644 crypto/tlscredsbox.c
>  create mode 100644 crypto/tlscredsbox.h
> 
> -- 
> 2.51.1
> 

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|