From: "Daniel P. Berrangé" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Daniel P. Berrangé" <berrange@redhat.com>,
"Fabiano Rosas" <farosas@suse.de>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Philippe Mathieu-Daudé" <philmd@linaro.org>,
"Marc-André Lureau" <marcandre.lureau@redhat.com>,
devel@lists.libvirt.org, "Laurent Vivier" <lvivier@redhat.com>
Subject: [PULL 28/32] crypto: avoid loading the CA certs twice
Date: Mon, 3 Nov 2025 13:37:22 +0000 [thread overview]
Message-ID: <20251103133727.423041-29-berrange@redhat.com> (raw)
In-Reply-To: <20251103133727.423041-1-berrange@redhat.com>
The x509 TLS credentials code will load the CA certs once to perform
sanity chcking on the certs, then discard the certificate objects
and let gnutls load them a second time.
This introduces a new QCryptoTLSCredsX509Files struct which will
hold the CA certificates loaded for sanity checking and pass them on
to gnutls, avoiding the duplicated loading.
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
crypto/tlscredsx509.c | 141 ++++++++++++++++++++++++++----------------
1 file changed, 87 insertions(+), 54 deletions(-)
diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c
index e28fcdc6ff..911942a1a1 100644
--- a/crypto/tlscredsx509.c
+++ b/crypto/tlscredsx509.c
@@ -40,6 +40,35 @@ struct QCryptoTLSCredsX509 {
#include <gnutls/x509.h>
+typedef struct QCryptoTLSCredsX509Files QCryptoTLSCredsX509Files;
+struct QCryptoTLSCredsX509Files {
+ char *cacertpath;
+ gnutls_x509_crt_t *cacerts;
+ unsigned int ncacerts;
+};
+
+static QCryptoTLSCredsX509Files *
+qcrypto_tls_creds_x509_files_new(void)
+{
+ return g_new0(QCryptoTLSCredsX509Files, 1);
+}
+
+
+static void
+qcrypto_tls_creds_x509_files_free(QCryptoTLSCredsX509Files *files)
+{
+ size_t i;
+ for (i = 0; i < files->ncacerts; i++) {
+ gnutls_x509_crt_deinit(files->cacerts[i]);
+ }
+ g_free(files->cacerts);
+ g_free(files->cacertpath);
+ g_free(files);
+}
+
+G_DEFINE_AUTOPTR_CLEANUP_FUNC(QCryptoTLSCredsX509Files,
+ qcrypto_tls_creds_x509_files_free);
+
static int
qcrypto_tls_creds_check_cert_times(gnutls_x509_crt_t cert,
const char *certFile,
@@ -315,11 +344,9 @@ qcrypto_tls_creds_check_cert(QCryptoTLSCredsX509 *creds,
static int
qcrypto_tls_creds_check_authority_chain(QCryptoTLSCredsX509 *creds,
+ QCryptoTLSCredsX509Files *files,
gnutls_x509_crt_t *certs,
unsigned int ncerts,
- gnutls_x509_crt_t *cacerts,
- unsigned int ncacerts,
- const char *cacertFile,
bool isServer,
Error **errp)
{
@@ -360,13 +387,13 @@ qcrypto_tls_creds_check_authority_chain(QCryptoTLSCredsX509 *creds,
* reached the root of trust.
*/
return qcrypto_tls_creds_check_cert(
- creds, cert_to_check, cacertFile,
+ creds, cert_to_check, files->cacertpath,
isServer, true, errp);
}
- for (int i = 0; i < ncacerts; i++) {
+ for (int i = 0; i < files->ncacerts; i++) {
if (gnutls_x509_crt_check_issuer(cert_to_check,
- cacerts[i])) {
- cert_issuer = cacerts[i];
+ files->cacerts[i])) {
+ cert_issuer = files->cacerts[i];
break;
}
}
@@ -374,7 +401,7 @@ qcrypto_tls_creds_check_authority_chain(QCryptoTLSCredsX509 *creds,
break;
}
- if (qcrypto_tls_creds_check_cert(creds, cert_issuer, cacertFile,
+ if (qcrypto_tls_creds_check_cert(creds, cert_issuer, files->cacertpath,
isServer, true, errp) < 0) {
return -1;
}
@@ -394,19 +421,17 @@ qcrypto_tls_creds_check_authority_chain(QCryptoTLSCredsX509 *creds,
}
static int
-qcrypto_tls_creds_check_cert_pair(gnutls_x509_crt_t *certs,
+qcrypto_tls_creds_check_cert_pair(QCryptoTLSCredsX509Files *files,
+ gnutls_x509_crt_t *certs,
size_t ncerts,
const char *certFile,
- gnutls_x509_crt_t *cacerts,
- size_t ncacerts,
- const char *cacertFile,
bool isServer,
Error **errp)
{
unsigned int status;
if (gnutls_x509_crt_list_verify(certs, ncerts,
- cacerts, ncacerts,
+ files->cacerts, files->ncacerts,
NULL, 0,
0, &status) < 0) {
error_setg(errp, isServer ?
@@ -414,7 +439,7 @@ qcrypto_tls_creds_check_cert_pair(gnutls_x509_crt_t *certs,
"CA certificate %s" :
"Unable to verify client certificate %s against "
"CA certificate %s",
- certFile, cacertFile);
+ certFile, files->cacertpath);
return -1;
}
@@ -439,7 +464,7 @@ qcrypto_tls_creds_check_cert_pair(gnutls_x509_crt_t *certs,
error_setg(errp,
"Our own certificate %s failed validation against %s: %s",
- certFile, cacertFile, reason);
+ certFile, files->cacertpath, reason);
return -1;
}
@@ -490,15 +515,13 @@ qcrypto_tls_creds_load_cert_list(QCryptoTLSCredsX509 *creds,
static int
qcrypto_tls_creds_x509_sanity_check(QCryptoTLSCredsX509 *creds,
+ QCryptoTLSCredsX509Files *files,
bool isServer,
- const char *cacertFile,
const char *certFile,
Error **errp)
{
gnutls_x509_crt_t *certs = NULL;
unsigned int ncerts = 0;
- gnutls_x509_crt_t *cacerts = NULL;
- unsigned int ncacerts = 0;
size_t i;
int ret = -1;
@@ -514,16 +537,6 @@ qcrypto_tls_creds_x509_sanity_check(QCryptoTLSCredsX509 *creds,
}
}
- if (qcrypto_tls_creds_load_cert_list(creds,
- cacertFile,
- &cacerts,
- &ncacerts,
- isServer,
- true,
- errp) < 0) {
- goto cleanup;
- }
-
for (i = 0; i < ncerts; i++) {
if (qcrypto_tls_creds_check_cert(creds,
certs[i], certFile,
@@ -533,17 +546,14 @@ qcrypto_tls_creds_x509_sanity_check(QCryptoTLSCredsX509 *creds,
}
if (ncerts &&
- qcrypto_tls_creds_check_authority_chain(creds,
+ qcrypto_tls_creds_check_authority_chain(creds, files,
certs, ncerts,
- cacerts, ncacerts,
- cacertFile, isServer,
- errp) < 0) {
+ isServer, errp) < 0) {
goto cleanup;
}
- if (ncerts && ncacerts &&
- qcrypto_tls_creds_check_cert_pair(certs, ncerts, certFile,
- cacerts, ncacerts, cacertFile,
+ if (ncerts &&
+ qcrypto_tls_creds_check_cert_pair(files, certs, ncerts, certFile,
isServer, errp) < 0) {
goto cleanup;
}
@@ -555,21 +565,53 @@ qcrypto_tls_creds_x509_sanity_check(QCryptoTLSCredsX509 *creds,
gnutls_x509_crt_deinit(certs[i]);
}
g_free(certs);
- for (i = 0; i < ncacerts; i++) {
- gnutls_x509_crt_deinit(cacerts[i]);
- }
- g_free(cacerts);
return ret;
}
+static int
+qcrypto_tls_creds_x509_load_ca(QCryptoTLSCredsX509 *creds,
+ QCryptoTLSCredsBox *box,
+ QCryptoTLSCredsX509Files *files,
+ bool isServer,
+ Error **errp)
+{
+ int ret;
+
+ if (qcrypto_tls_creds_get_path(&creds->parent_obj,
+ QCRYPTO_TLS_CREDS_X509_CA_CERT,
+ true, &files->cacertpath, errp) < 0) {
+ return -1;
+ }
+
+ if (qcrypto_tls_creds_load_cert_list(creds,
+ files->cacertpath,
+ &files->cacerts,
+ &files->ncacerts,
+ isServer,
+ true,
+ errp) < 0) {
+ return -1;
+ }
+
+ ret = gnutls_certificate_set_x509_trust(box->data.cert,
+ files->cacerts, files->ncacerts);
+ if (ret < 0) {
+ error_setg(errp, "Cannot set CA certificate '%s': %s",
+ files->cacertpath, gnutls_strerror(ret));
+ return -1;
+ }
+
+ return 0;
+}
+
static int
qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds,
Error **errp)
{
g_autoptr(QCryptoTLSCredsBox) box = NULL;
- g_autofree char *cacert = NULL;
+ g_autoptr(QCryptoTLSCredsX509Files) files = NULL;
g_autofree char *cacrl = NULL;
g_autofree char *cert = NULL;
g_autofree char *key = NULL;
@@ -598,9 +640,9 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds,
return -1;
}
- if (qcrypto_tls_creds_get_path(&creds->parent_obj,
- QCRYPTO_TLS_CREDS_X509_CA_CERT,
- true, &cacert, errp) < 0) {
+ files = qcrypto_tls_creds_x509_files_new();
+
+ if (qcrypto_tls_creds_x509_load_ca(creds, box, files, isServer, errp) < 0) {
return -1;
}
@@ -631,17 +673,8 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds,
}
if (creds->sanityCheck &&
- qcrypto_tls_creds_x509_sanity_check(creds, isServer,
- cacert, cert, errp) < 0) {
- return -1;
- }
-
- ret = gnutls_certificate_set_x509_trust_file(box->data.cert,
- cacert,
- GNUTLS_X509_FMT_PEM);
- if (ret < 0) {
- error_setg(errp, "Cannot load CA certificate '%s': %s",
- cacert, gnutls_strerror(ret));
+ qcrypto_tls_creds_x509_sanity_check(creds, files, isServer,
+ cert, errp) < 0) {
return -1;
}
--
2.51.1
next prev parent reply other threads:[~2025-11-03 13:44 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-03 13:36 [PULL 00/32] Next pr patches Daniel P. Berrangé
2025-11-03 13:36 ` [PULL 01/32] Implement -run-with exit-with-parent=on Daniel P. Berrangé
2025-11-03 13:36 ` [PULL 02/32] tests/qtest: Use exit-with-parent=on in qtest invocations Daniel P. Berrangé
2025-11-03 13:36 ` [PULL 03/32] crypto/hash: Have hashing functions take void * buffer argument Daniel P. Berrangé
2025-11-03 13:36 ` [PULL 04/32] io/channel: Have read/write " Daniel P. Berrangé
2025-11-03 13:36 ` [PULL 05/32] io: add a "blocking" field to QIOChannelSocket Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 06/32] io: flush zerocopy socket error queue on sendmsg failure due to ENOBUF Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 07/32] crypto: bump min gnutls to 3.7.5 Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 08/32] crypto: unconditionally enable gnutls XTS support Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 09/32] crypto: bump min libgcrypt to 1.9.4 Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 10/32] crypto: bump min nettle to 3.7.3 Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 11/32] crypto: drop in-tree XTS cipher mode impl Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 12/32] crypto: remove redundant parameter checking CA certs Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 13/32] crypto: add missing free of certs array Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 14/32] crypto: replace stat() with access() for credential checks Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 15/32] crypto: remove redundant access() checks before loading certs Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 16/32] crypto: move check for TLS creds 'dir' property Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 17/32] crypto: use g_autofree when loading x509 credentials Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 18/32] crypto: remove needless indirection via parent_obj field Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 19/32] crypto: move release of DH parameters into TLS creds parent Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 20/32] crypto: shorten the endpoint == server check in TLS creds Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 21/32] crypto: remove duplication loading x509 CA cert Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 22/32] crypto: reduce duplication in handling TLS priority strings Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 23/32] crypto: introduce method for reloading TLS creds Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 24/32] crypto: introduce a wrapper around gnutls credentials Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 25/32] crypto: fix lifecycle handling of gnutls credentials objects Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 26/32] crypto: make TLS credentials structs private Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 27/32] crypto: deprecate use of external dh-params.pem file Daniel P. Berrangé
2025-11-03 13:37 ` Daniel P. Berrangé [this message]
2025-11-03 13:37 ` [PULL 29/32] crypto: avoid loading the identity certs twice Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 30/32] crypto: expand logic to cope with multiple certificate identities Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 31/32] crypto: support upto 5 parallel " Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 32/32] docs: creation of x509 certs compliant with post-quantum crypto Daniel P. Berrangé
2025-11-04 15:19 ` [PULL 00/32] Next pr patches Richard Henderson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251103133727.423041-29-berrange@redhat.com \
--to=berrange@redhat.com \
--cc=devel@lists.libvirt.org \
--cc=farosas@suse.de \
--cc=lvivier@redhat.com \
--cc=marcandre.lureau@redhat.com \
--cc=pbonzini@redhat.com \
--cc=philmd@linaro.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).