[PATCH 00/21] crypto: support multiple parallel certificate identities

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: "Daniel P. Berrangé" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Daniel P. Berrangé" <berrange@redhat.com>,
	"Marc-André Lureau" <marcandre.lureau@redhat.com>,
	devel@lists.libvirt.org
Subject: [PATCH 00/21] crypto: support multiple parallel certificate identities
Date: Thu, 30 Oct 2025 14:47:44 +0000	[thread overview]
Message-ID: <20251030144805.2239954-1-berrange@redhat.com> (raw)

This series aims to improve the support for post-quantum cryptography
in TLS connections by allowing  multiple sets of certificates to be
loaded. The idea is that during a transition period servers will have
a traditional RSA based certificate in parallel with an MLDSA based
certificate for PQC, and the right one will be dynamically determined
during the TLS handshake.

The first 12 patches are trivial cleanups.

The next 3 patches fix a potential use-after-free problem

The last patches introduce support for multiple certificates.

NB, in terms of testing this will require either CentOS Stream 10,
or Fedora 43. Most other distros will not support PQC out of the
box at this time even if they have new enough gnutls, since they
don't make use of the crypto-policies package which is needed to
enable PQC by default.

Daniel P. Berrangé (21):
  crypto: remove redundant parameter checking CA certs
  crypto: add missing free of certs array
  crypto: replace stat() with access() for credential checks
  crypto: remove redundant access() checks before loading certs
  crypto: move check for TLS creds 'dir' property
  crypto: use g_autofree when loading x509 credentials
  crypto: remove needless indirection via parent_obj field
  crypto: move release of DH parameters into TLS creds parent
  crypto: shorten the endpoint == server check in TLS creds
  crypto: remove duplication loading x509 CA cert
  crypto: reduce duplication in handling TLS priority strings
  crypto: introduce method for reloading TLS creds
  crypto: introduce a wrapper around gnutls credentials
  crypto: fix lifecycle handling of gnutls credentials objects
  crypto: make TLS credentials structs private
  crypto: deprecate use of external dh-params.pem file
  crypto: avoid loading the CA certs twice
  crypto: avoid loading the identity certs twice
  crypto: expand logic to cope with multiple certificate identities
  crypto: support upto 5 parallel certificate identities
  docs: creation of x509 certs compliant with post-quantum crypto

 crypto/meson.build                    |   5 +-
 crypto/tlscreds.c                     |  77 ++--
 crypto/tlscredsanon.c                 |  62 +--
 crypto/tlscredsbox.c                  | 101 +++++
 crypto/tlscredsbox.h                  |  46 ++
 crypto/tlscredspriv.h                 |  36 +-
 crypto/tlscredspsk.c                  |  64 ++-
 crypto/tlscredsx509.c                 | 592 +++++++++++++++++---------
 crypto/tlssession.c                   | 139 ++----
 crypto/trace-events                   |   1 +
 docs/about/deprecated.rst             |   9 +
 docs/system/tls.rst                   | 134 +++++-
 include/crypto/tlscreds.h             |  26 ++
 include/crypto/tlscredsx509.h         |   6 +
 tests/unit/test-crypto-tlscredsx509.c |   8 +-
 ui/vnc.c                              |   9 +-
 16 files changed, 849 insertions(+), 466 deletions(-)
 create mode 100644 crypto/tlscredsbox.c
 create mode 100644 crypto/tlscredsbox.h

-- 
2.51.1

next             reply	other threads:[~2025-10-30 14:50 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-10-30 14:47 Daniel P. Berrangé [this message]
2025-10-30 14:47 ` [PATCH 01/21] crypto: remove redundant parameter checking CA certs Daniel P. Berrangé
2025-10-30 19:30   ` Marc-André Lureau
2025-10-30 14:47 ` [PATCH 02/21] crypto: add missing free of certs array Daniel P. Berrangé
2025-10-30 19:31   ` Marc-André Lureau
2025-10-30 14:47 ` [PATCH 03/21] crypto: replace stat() with access() for credential checks Daniel P. Berrangé
2025-10-30 19:31   ` Marc-André Lureau
2025-10-30 14:47 ` [PATCH 04/21] crypto: remove redundant access() checks before loading certs Daniel P. Berrangé
2025-10-30 19:31   ` Marc-André Lureau
2025-10-30 14:47 ` [PATCH 05/21] crypto: move check for TLS creds 'dir' property Daniel P. Berrangé
2025-10-30 19:31   ` Marc-André Lureau
2025-10-30 14:47 ` [PATCH 06/21] crypto: use g_autofree when loading x509 credentials Daniel P. Berrangé
2025-10-30 19:23   ` Marc-André Lureau
2025-10-31 15:06     ` Daniel P. Berrangé
2025-10-30 15:30 ` [PATCH 00/21] crypto: support multiple parallel certificate identities Daniel P. Berrangé
  -- strict thread matches above, loose matches on Subject: below --
2025-10-30 14:49 Daniel P. Berrangé

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20251030144805.2239954-1-berrange@redhat.com \
    --to=berrange@redhat.com \
    --cc=devel@lists.libvirt.org \
    --cc=marcandre.lureau@redhat.com \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).