On Wed, Jun 04, 2025 at 05:56:30PM -0400, Zhuoying Cai wrote:
> Add helper functions for x509 certificate which will be used in the next
> patch for the certificate store.
>
> Signed-off-by: Zhuoying Cai <zy...@linux.ibm.com>
> ---
>  crypto/meson.build          |   5 +-
>  crypto/x509-utils.c         | 166 ++++++++++++++++++++++++++++++++++++
>  include/crypto/x509-utils.h |  54 ++++++++++++
>  qapi/crypto.json            |  80 +++++++++++++++++
>  4 files changed, 301 insertions(+), 4 deletions(-)
> +int qcrypto_check_x509_cert_fmt(uint8_t *cert, size_t size, > + QCryptoCertFmt fmt, Error **errp) > +{ > + int rc; > + int ret = -1; > + gnutls_x509_crt_t crt; > + gnutls_datum_t datum = {.data = cert, .size = size}; > + > + if (fmt >= G_N_ELEMENTS(qcrypto_to_gnutls_cert_fmt_map)) { > + error_setg(errp, "Unknown certificate format"); > + return ret; > + } > + > + if (gnutls_x509_crt_init(&crt) < 0) { > + error_setg(errp, "Failed to initialize certificate"); > + return ret; > + } > + > + rc = gnutls_x509_crt_import(crt, &datum, > qcrypto_to_gnutls_cert_fmt_map[fmt]); > + if (rc == GNUTLS_E_ASN1_TAG_ERROR) { > + goto cleanup; > + } > + > + ret = 0; > + > +cleanup: > + gnutls_x509_crt_deinit(crt); > + return ret; > +} On reflection I think this method should be removed entirely. In terms of QEMU command line we should exclusively allow certs in PEM format only. If we need DER format internally, we can use gnutls to convert from PEM to DER. > + > +int qcrypto_get_x509_hash_len(QCryptoHashAlgo alg) > +{ > + if (alg >= G_N_ELEMENTS(qcrypto_to_gnutls_hash_alg_map)) { > + return 0; > + } > + > + return gnutls_hash_get_len(qcrypto_to_gnutls_hash_alg_map[alg]); > +} > + > +int qcrypto_get_x509_keyid_len(QCryptoKeyidFlags flag) > +{ > + QCryptoHashAlgo alg; > + > + if (flag >= G_N_ELEMENTS(qcrypto_to_gnutls_keyid_flags_map)) { > + return 0; > + } > + > + alg = QCRYPTO_HASH_ALGO_SHA1; > + if ((flag & > qcrypto_to_gnutls_keyid_flags_map[QCRYPTO_KEYID_FLAGS_SHA512]) || > + (flag & > qcrypto_to_gnutls_keyid_flags_map[QCRYPTO_KEYID_FLAGS_BEST_KNOWN])) { > + alg = QCRYPTO_HASH_ALGO_SHA512; > + } else if (flag & > qcrypto_to_gnutls_keyid_flags_map[QCRYPTO_KEYID_FLAGS_SHA256]) { > + alg = QCRYPTO_HASH_ALGO_SHA256; > + } > + > + return qcrypto_get_x509_hash_len(alg); > +} > + > +static int qcrypto_import_x509_cert(gnutls_x509_crt_t crt, gnutls_datum_t > *datum) > +{ > + int rc; > + > + rc = gnutls_x509_crt_import(crt, datum, GNUTLS_X509_FMT_PEM); > + if (rc) { > + rc = 
gnutls_x509_crt_import(crt, datum, GNUTLS_X509_FMT_DER); > + } > + > + return rc; > +} This method can go away too if we declare the public interface is exclusively PEM. > + > +## > +# @QCryptoCertFmt: > +# > +# The supported certificate encoding formats > +# > +# @der: DER > +# > +# @pem: PEM > +# > +# Since: 10.1 > +## > +{ 'enum': 'QCryptoCertFmt', > + 'data': ['der', 'pem']} This can go away too if we declare we only use PEM. With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
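Review bot: in qcrypto_check_x509_cert_fmt() only GNUTLS_E_ASN1_TAG_ERROR is treated as a failure, so every other negative return from gnutls_x509_crt_import() (a base64 decoding error on a damaged PEM blob, for instance) falls through to `ret = 0` and the blob is reported as a valid certificate in that format; test `rc < 0` instead. The failure path also jumps to cleanup without touching errp, so a caller that passed a non-NULL errp gets -1 with *errp left unset, which breaks the usual QEMU Error contract; add something like `error_setg(errp, "Failed to import certificate: %s", gnutls_strerror(rc));` before the goto. If the function is dropped in favour of PEM-only input, the same `rc < 0` check applies wherever the import ends up being done.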
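Review bot: qcrypto_get_x509_hash_len() returns 0 both for an out-of-range alg and for a digest gnutls does not know (gnutls_hash_get_len() returns 0 for an unknown algorithm), so a caller cannot tell "unsupported digest" from a bad enumerator; either take an Error **errp or document the 0 as "unknown" in the header. Nothing in the function is X.509-specific either, so it belongs with the QCryptoHashAlgo code rather than in x509-utils.c; check whether crypto/hash.c already exposes a digest-length helper before adding a second one.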
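Review bot: qcrypto_get_x509_keyid_len() treats `flag` inconsistently: the guard `flag >= G_N_ELEMENTS(qcrypto_to_gnutls_keyid_flags_map)` reads it as an index into the map (a QCryptoKeyidFlags enumerator), but the three tests below AND it against the map's values (gnutls GNUTLS_KEYID_USE_* bits), so a small index value only matches a gnutls bit by coincidence. Pick one representation: either translate first (`keyid = qcrypto_to_gnutls_keyid_flags_map[flag];` and then test `keyid & GNUTLS_KEYID_USE_SHA512` and so on) or accept a gnutls bitmask and drop the range check. The SHA512/BEST_KNOWN-before-SHA256 ordering also hardcodes what the linked gnutls currently selects for GNUTLS_KEYID_USE_BEST_KNOWN, which gnutls documents as version dependent; a comment saying this must track gnutls_x509_crt_get_key_id() would help the next reader.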
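Review bot: qcrypto_import_x509_cert() discards the PEM attempt's error code when it falls back to DER, so a malformed PEM file is reported to the caller as a DER ASN.1 error, which points the user at the wrong problem. If the helper survives the PEM-only decision, keep the first rc and return it when the DER attempt also fails, and document in the header which of the two formats the function tried first.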
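The split proposed in the reply above, PEM only at the command line with DER derived internally, as an added example that is not QEMU's or gnutls's code. In QEMU the conversion would be gnutls_x509_crt_import() with GNUTLS_X509_FMT_PEM followed by gnutls_x509_crt_export2() with GNUTLS_X509_FMT_DER; here the PEM armor and base64 are decoded by hand so the file builds without gnutls, and the outer SEQUENCE check stands in for the tag error the patch keys on. The function names, result codes and the sample inputs (a five-byte SEQUENCE { INTEGER 5 }, not a real certificate) are all constructed for this example.

```c
/*
 * Added example, not QEMU or gnutls code: PEM-only certificate intake that
 * hands back DER. Raw DER on input is rejected on purpose.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PEM_BEGIN "-----BEGIN CERTIFICATE-----"
#define PEM_END   "-----END CERTIFICATE-----"

enum pem_rc {
    PEM_OK = 0,
    PEM_ERR_NOT_PEM = -1,   /* no CERTIFICATE armor: raw DER or junk */
    PEM_ERR_BASE64 = -2,    /* armor present but body is not base64 */
    PEM_ERR_NOT_DER = -3,   /* body decodes but is not one ASN.1 SEQUENCE */
};

static int b64_val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode base64 in [s, s+len), ignoring line breaks. Returns the decoded
 * length, or -1 on a stray character, data after '=' or a full buffer. */
static int b64_decode(const char *s, size_t len, uint8_t *out, size_t outsz)
{
    uint32_t acc = 0;
    int bits = 0, n = 0, pad = 0;

    for (size_t i = 0; i < len; i++) {
        int c = (unsigned char)s[i];
        if (c == '\n' || c == '\r') continue;
        if (c == '=') { pad++; continue; }
        if (pad) return -1;
        int v = b64_val(c);
        if (v < 0) return -1;
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if ((size_t)n >= outsz) return -1;
            out[n++] = (uint8_t)(acc >> bits);
            acc &= (1u << bits) - 1;
        }
    }
    return pad > 2 ? -1 : n;
}

/* Outer TLV check: tag 0x30 (SEQUENCE) with a definite length that covers
 * exactly the buffer; the "is this really DER" test done without gnutls. */
static int der_seq_covers(const uint8_t *d, size_t n)
{
    size_t hdr, len;
    if (n < 2 || d[0] != 0x30) return 0;
    if (d[1] < 0x80)                 { hdr = 2; len = d[1]; }
    else if (d[1] == 0x81 && n >= 3) { hdr = 3; len = d[2]; }
    else if (d[1] == 0x82 && n >= 4) { hdr = 4; len = ((size_t)d[2] << 8) | d[3]; }
    else return 0;  /* indefinite length or > 64 KiB: not a certificate */
    return hdr + len == n;
}

/* Accept only a PEM CERTIFICATE block and write its DER bytes to out. */
static int pem_cert_to_der(const char *pem, uint8_t *out, size_t outsz,
                           size_t *outlen)
{
    const char *b = strstr(pem, PEM_BEGIN);
    if (!b) return PEM_ERR_NOT_PEM;
    b += strlen(PEM_BEGIN);
    const char *e = strstr(b, PEM_END);
    if (!e) return PEM_ERR_NOT_PEM;

    int n = b64_decode(b, (size_t)(e - b), out, outsz);
    if (n < 0) return PEM_ERR_BASE64;
    if (!der_seq_covers(out, (size_t)n)) return PEM_ERR_NOT_DER;
    if (outlen) *outlen = (size_t)n;
    return PEM_OK;
}

/* Verdict plus DER length (0 on failure), for callers without a buffer. */
static int pem_cert_check(const char *pem, size_t *derlen)
{
    uint8_t buf[4096];
    size_t n = 0;
    int rc = pem_cert_to_der(pem, buf, sizeof buf, &n);
    if (derlen) *derlen = (rc == PEM_OK) ? n : 0;
    return rc;
}

static size_t pem_cert_der_len(const char *pem)
{
    size_t n;
    pem_cert_check(pem, &n);
    return n;
}

/* Constructed inputs. "MAMCAQU=" is base64 of 30 03 02 01 05, a minimal
 * SEQUENCE { INTEGER 5 }; it is not a real certificate. */
static const char SAMPLE_PEM[] =
    "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n";
static const char SAMPLE_RAW_DER[] = "0\003\002\001\005";      /* same bytes, no armor */
static const char SAMPLE_BAD_B64[] =
    "-----BEGIN CERTIFICATE-----\n!!!!\n-----END CERTIFICATE-----\n";
static const char SAMPLE_NOT_SEQ[] =
    "-----BEGIN CERTIFICATE-----\nAgEF\n-----END CERTIFICATE-----\n";     /* 02 01 05 */
static const char SAMPLE_SHORT[] =
    "-----BEGIN CERTIFICATE-----\nMAUCAQU=\n-----END CERTIFICATE-----\n"; /* 30 05: claims 5, has 3 */

int main(void)
{
    const char *names[] = { "pem", "raw-der", "bad-base64", "not-sequence", "truncated" };
    const char *inputs[] = { SAMPLE_PEM, SAMPLE_RAW_DER, SAMPLE_BAD_B64, SAMPLE_NOT_SEQ, SAMPLE_SHORT };
    for (size_t i = 0; i < 5; i++) {
        size_t n;
        int rc = pem_cert_check(inputs[i], &n);
        printf("%-13s rc=%d der_len=%zu\n", names[i], rc, n);
    }
    return 0;
}
```

The raw-DER case is the one the reply is about: with a PEM-only interface the caller never has to guess which encoding it was handed, so the "try PEM, then DER" fallback and its masked error codes disappear, and a DER blob on the command line is a clean usage error rather than a silently accepted alternative.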