From: Peter Krempa <pkre...@redhat.com> Since gnutls, and by extension libvirt, allows multiple certificates to be concatenated in one file, virt-pki-validate ought to validate the hostname of all of them instead of only the first one, so that a file in which the wrong certificates were concatenated is caught rather than silently accepted.
Signed-off-by: Peter Krempa <pkre...@redhat.com>
---
 tools/virt-pki-validate.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/tools/virt-pki-validate.c b/tools/virt-pki-validate.c
index e693ffaed6..a8ea396550 100644
--- a/tools/virt-pki-validate.c
+++ b/tools/virt-pki-validate.c
@@ -283,19 +283,29 @@ virPKIValidateIdentity(bool isServer, bool system, const char *path)
 }
 if (isServer) {
- gnutls_x509_crt_t crt;
+ gnutls_x509_crt_t crts[16] = { 0 };
+ size_t ncrts = 0;
 virValidateCheck(scope, "%s", _("Checking cert hostname match"));
- if (!(crt = virNetTLSCertLoadFromFile(cert, true))) {
+ if (virNetTLSCertLoadListFromFile(cert, crts, 16, &ncrts) < 0) {
 virValidateFail(VIR_VALIDATE_FAIL, _("Unable to load %1$s: %2$s"), cert, virGetLastErrorMessage());
+ ok = false;
 } else {
 g_autofree char *hostname = virGetHostname();
- int ret = gnutls_x509_crt_check_hostname(crt, hostname);
- gnutls_x509_crt_deinit(crt);
- if (!ret) {
+ bool mismatch = false;
+ size_t i;
+
+ for (i = 0; i < ncrts; i++) {
+ if (gnutls_x509_crt_check_hostname(crts[i], hostname) == 0)
+ mismatch = true;
+
+ gnutls_x509_crt_deinit(crts[i]);
+ }
+
+ if (mismatch) {
 /* Only warning, since there can be valid reasons for mis-match */
 virValidateFail(VIR_VALIDATE_WARN, _("Certificate %1$s owner does not match the hostname %2$s"),
--
2.50.0
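Review bot: A file that yields zero certificates now passes the hostname check vacuously, because `mismatch` can only become true inside `for (i = 0; i < ncrts; i++)` and nothing in the success branch tests `ncrts`; unless virNetTLSCertLoadListFromFile is guaranteed to fail on an empty list (its contract is not visible here), add `if (ncrts == 0) { virValidateFail(VIR_VALIDATE_FAIL, _("No certificate found in %1$s"), cert); ok = false; }` ahead of the loop so a validator never reports success with nothing validated. The capacity `16` is hard-coded both in the array declaration and in the loader call; passing `G_N_ELEMENTS(crts)` keeps the two in step, and if the loader silently stops at the cap instead of erroring, certificates beyond the sixteenth are never hostname-checked, which deserves a comment next to the array or an explicit check that the file was fully consumed. If the intended use is a leaf certificate followed by its issuing chain, the intermediate/CA certificates will never carry the server hostname and this loop will warn on every such file; reporting the offending index `i` in the warning, or skipping entries for which gnutls_x509_crt_get_ca_status() is non-zero, would keep the warning actionable. It is also not visible whether `crts[]` entries filled before a failed load are released by the loader, so either confirm that or deinit the populated entries in the failure branch. virPKIValidateIdentity begins before and continues past this hunk.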