From: "Daniel P. Berrangé" <berrange@redhat.com>
To: Eric Blake <eblake@redhat.com>
Cc: qemu-devel@nongnu.org, Henry Kleynhans <hkleynhans@fb.com>
Subject: Re: [PATCH v2 1/6] crypto: only verify CA certs in chain of trust
Date: Thu, 16 Oct 2025 15:38:50 +0100 [thread overview]
Message-ID: <aPEDeg5p3-7q5KRM@redhat.com> (raw)
In-Reply-To: <yzqgr2jqxrpt3xxw7gzuwsgwo6q6xehcadiuelkqsvzcfoisr3@isqvazofm6m5>
On Thu, Oct 16, 2025 at 09:37:51AM -0500, Eric Blake wrote:
> On Fri, Sep 19, 2025 at 11:10:17AM +0100, Daniel P. Berrangé wrote:
> > From: Henry Kleynhans <hkleynhans@fb.com>
> >
> > The CA file provided to qemu may contain CA certificates which do not
> > form part of the chain of trust for the specific certificate we are
> > sanity checking.
> >
> > This patch changes the sanity checking from validating every CA
> > certificate to only checking the CA certificates which are part of the
> > chain of trust (issuer chain). Other certificates are ignored.
>
> I agree that relaxing this will permit more certs than before (and
> possibly with less CPU cycles spent on the irrelevant portions of the
> cert), without weakening the security of the chain we are actually
> interested in.
>
> >
> > Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
> > Signed-off-by: Henry Kleynhans <hkleynhans@fb.com>
> > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> > ---
> > crypto/tlscredsx509.c | 57 ++++++++++++++++++++++++---
> > tests/unit/test-crypto-tlscredsx509.c | 25 +++++++++++-
> > 2 files changed, 75 insertions(+), 7 deletions(-)
> >
> > diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c
> > index cd1f504471..797854ac89 100644
> > --- a/crypto/tlscredsx509.c
> > +++ b/crypto/tlscredsx509.c
> > @@ -315,6 +315,51 @@ qcrypto_tls_creds_check_cert(QCryptoTLSCredsX509 *creds,
> > return 0;
> > }
> >
> > +static int
> > +qcrypto_tls_creds_check_authority_chain(QCryptoTLSCredsX509 *creds,
> > + gnutls_x509_crt_t cert,
> > + gnutls_x509_crt_t *cacerts,
> > + unsigned int ncacerts,
> > + const char *cacertFile,
> > + bool isServer,
> > + bool isCA,
> > + Error **errp)
> > +{
> > + gnutls_x509_crt_t *cert_to_check = &cert;
> > + int checking_issuer = 1;
>
> Why is this int instead of bool? It's only assigned 1 or 0, and local
> to the function.
No good reason.
>
> That's a trivial cleanup, so I'm okay if you make that change and add:
I'll change to bool.
>
> Reviewed-by: Eric Blake <eblake@redhat.com>
>
> --
> Eric Blake, Principal Software Engineer
> Red Hat, Inc.
> Virtualization: qemu.org | libguestfs.org
>
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
next prev parent reply other threads:[~2025-10-16 14:41 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-19 10:10 [PATCH v2 0/6] crypto: misc fixes and improvements to cert handling Daniel P. Berrangé
2025-09-19 10:10 ` [PATCH v2 1/6] crypto: only verify CA certs in chain of trust Daniel P. Berrangé
2025-10-16 14:37 ` Eric Blake
2025-10-16 14:38 ` Daniel P. Berrangé [this message]
2025-09-19 10:10 ` [PATCH v2 2/6] crypto: remove extraneous pointer usage in gnutls certs Daniel P. Berrangé
2025-10-16 14:52 ` Eric Blake
2025-09-19 10:10 ` [PATCH v2 3/6] crypto: allow client/server cert chains Daniel P. Berrangé
2025-10-16 15:28 ` Eric Blake
2025-10-20 11:22 ` Daniel P. Berrangé
2025-09-19 10:10 ` [PATCH v2 4/6] crypto: stop requiring "key encipherment" usage in x509 certs Daniel P. Berrangé
2025-10-16 15:41 ` Eric Blake
2025-10-20 11:27 ` Daniel P. Berrangé
2025-09-19 10:10 ` [PATCH v2 5/6] crypto: switch to newer gnutls API for distinguished name Daniel P. Berrangé
2025-10-16 15:43 ` Eric Blake
2025-09-19 10:10 ` [PATCH v2 6/6] crypto: fix error reporting in cert chain checks Daniel P. Berrangé
2025-10-16 15:50 ` Eric Blake
2025-10-20 11:47 ` Daniel P. Berrangé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aPEDeg5p3-7q5KRM@redhat.com \
--to=berrange@redhat.com \
--cc=eblake@redhat.com \
--cc=hkleynhans@fb.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).