[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[Libvir] Certificate management APIs ?



I now have the QEMU backend working with full wire encryption using the
TLS protocol, and so ready to start thinking about various authentication
related issues. 

 - The client needs to have the certificate of the CA in order to
   validate the signature on the remote server's certificate
   (aka, just like web browsers need a set of CA certificates)

   Currently I just have it loading 'cert.pem' out of the current
   working directory of the app using libvirt. Obviously this is not
   a real solution.

 - The client technically should have a certificate revocation list
   too. Again I currently load this out of current working dir

 - The server end can optionally require the client to present a 
   certificate too, as its means of authenticating the client.

   This obviously requires a way of specifying the client certificate
   and secret key in libvirt when opening the connection.

 - The first time it connects to a server, the client validates the
   server's certificate against the CA certificate, and remote hostname.

   Web browsers will also typically display the certificate to the 
   user and ask them to allow one-time, allow permanently, or reject
   it.  This would require a way to pass the certificate back to the
   client app during the virConnectOpen call.

The above is all related to x509 certificates. So we basically have 5
types of file we need to store / provide to libvirt when opening a 
connection:

  - Certificate Authority's certificate
  - Certificate Authority's certificate revocation list
  - Client secret key
  - Client certificate 
  - Trusted server certificates

And some form of callback to let the client app validate the server 
certificate.

As a rough stab at an API my thoughts are:

  typedef enum {
    VIR_CERT_CA_CERT,
    VIR_CERT_CA_CRL,
    VIR_CERT_CLIENT_KEY,
    VIR_CERT_CLIENT_CERT,
  } virConnectCertDataType;

  /**
   * dataType: one of the virConnectCertDataType constants
   * data: base64, PEM encoded  certificate/key data
   */
  int virConnectAddCertData(int dataType, const char *data);

  /**
   * dataType: one of the virConnectCertDataType constants
   * dataFile: file containing base64, PEM encoded  certificate/key data
   */
  int virConnectAddCertDataFile(int dataType, const char *dataFile);

Virt-manager would use the latter API to load in its client certificate,
CA certs, etc to libvirt prior to opening a connection to a TLS enabled
server. This means libvirt doesn't have to make the policy on where to
store its client cert data. On the otherhand, we probably want the
files to be in a common location for virsh & virt-manager so both can
use the same data. On yet another hand, virt-manager will also likely
end up using TLS to connect to VNC, so needs access to the files 
independant on libvirt / virsh for that.  So we should probably have
these flexible APIs, but recommend that all apps use a pre-defined
directory unless they have a particular need not to, eg
    
    $HOME/.libvirt/tls/
      |
      +- ca
      |  |
      |  +- cert.pem
      |  +- ca-crl.pem
      |
      +- client
      |  |
      |  +- cert.pem
      |  +- key.pem
      |
      +- server
          |
          +- trusted.pem

  /**
   * hostname: canonical name of remote host providing certiifcate
   * cert: base64, PEM encoded certificate data
   *
   * Invoked to let client application decide whether to accept a
   * server certificate. The certificate wil already have been
   * validated against the CA cert, and its expiration date, etc
   * checked. This callback is intended to allow the end user to
   * accept/reject the certificate. The trusted flag indicates
   * whether the server is present in the list of known servers.
   */
   typedef int (*virConnectCertificateValidator)(const char *hostname, const char *cert); 

   int virConnectSetCertificateValidator(virConnectCertificateValidator cb)

The applications like virt-manager would probably want to present the
certificate details to the user for validation, also optionally maintaining
a list of previously trusted server certs.

Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]