tls: support multiple certificates in runtime dir

Instead of having one "cert" and one "key" file in the runtime
directory, we support any number of files named like "n.crt" and "n.key"
where n is an integer starting from 0.  cockpit-tls reads files until it
sees ENOENT.

Meanwhile in cockpit-certificate-ensure, we change the names of the
files that we output to "0.crt" and "0.key".  We still don't support
multiple keys yet, but that will come next.

Author: allisonkarlitskaya

src/tls/cockpit-certificate-ensure.c

@@ -207,15 +207,15 @@ certificate_and_key_write (const CertificateKeyPair *self,
   if (fchown (fd, buf.st_uid, buf.st_gid) != 0)
     err (EXIT_FAILURE, "%s: fchown", directory);
 
-  if (symlinkat (self->certificate_filename, fd, "cert.source") != 0)
-    err (EXIT_FAILURE, "%s/%s: symlinkat", directory, "certificate.source");
+  if (symlinkat (self->certificate_filename, fd, "0.crt.source") != 0)
+    err (EXIT_FAILURE, "%s/%s: symlinkat", directory, "0.crt.source");
 
-  if (symlinkat (self->key_filename, fd, "key.source") != 0)
-    err (EXIT_FAILURE, "%s/%s: symlinkat", directory, "key.source");
+  if (symlinkat (self->key_filename, fd, "0.key.source") != 0)
+    err (EXIT_FAILURE, "%s/%s: symlinkat", directory, "0.key.source");
 
-  write_file (fd, directory, "cert", &self->certificate, buf.st_uid, buf.st_gid);
+  write_file (fd, directory, "0.crt", &self->certificate, buf.st_uid, buf.st_gid);
 
-  write_file (fd, directory, "key", &self->key, buf.st_uid, buf.st_gid);
+  write_file (fd, directory, "0.key", &self->key, buf.st_uid, buf.st_gid);
 
   close (dirfd);
   close (fd);

src/tls/connection.c

@@ -832,19 +832,23 @@ connection_thread_main (int fd)
  * support for connections. If this function is not called, the server
  * will only be able to handle http requests.
  *
- * The certificate file must either contain the key as well, or end with
- * "*.crt" or "*.cert" and have a corresponding "*.key" file.
+ * Loads all certificate/key pairs from the directory. Files ending in
+ * ".crt" or ".cert" are treated as certificates, with corresponding
+ * ".key" files for private keys.
  *
- * @certfile: Server TLS certificate file; cannot be %NULL
+ * @cert_dirfd: Directory fd containing certificate/key files
+ * @allow_unencrypted: Whether to allow plain HTTP connections
  * @request_mode: Whether to ask for client certificates
  */
 void
-connection_crypto_init (const char *certificate_filename,
-                        const char *key_filename,
+connection_crypto_init (int cert_dirfd,
                         bool allow_unencrypted,
                         gnutls_certificate_request_t request_mode)
 {
-  parameters.credentials = credentials_load (certificate_filename, key_filename);
+  parameters.credentials = credentials_load_directory (cert_dirfd);
+  if (parameters.credentials == NULL)
+    errx (EXIT_FAILURE, "Failed to load certificates from directory");
+
   parameters.request_mode = request_mode;
   /* If we aren't called, then require_https is false */
   parameters.require_https = !allow_unencrypted;

src/tls/connection.h

@@ -16,8 +16,7 @@ connection_set_directories (const char *wsinstance_sockdir,
                             const char *runtime_directory);
 
 void
-connection_crypto_init (const char *certificate_filename,
-                        const char *key_filename,
+connection_crypto_init (int cert_dirfd,
                         bool allow_unencrypted,
                         gnutls_certificate_request_t request_mode);
 

src/tls/credentials.c

@@ -9,8 +9,13 @@
 
 #include <assert.h>
 #include <err.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <sys/stat.h>
+#include <unistd.h>
 
 #include <gnutls/x509.h>
 
@@ -59,24 +64,111 @@ credentials_get (Credentials *self)
   return self->creds;
 }
 
+/* Load a file into a gnutls_datum_t.
+ *
+ * Returns true on success, false if the file doesn't exist.
+ * Exits on any other failure.
+ * On success, data->data must be freed with gnutls_free().
+ */
+static bool
+load_file (int dirfd, const char *filename, gnutls_datum_t *data)
+{
+  int fd = openat (dirfd, filename, O_RDONLY | O_CLOEXEC | O_NOCTTY);
+  if (fd < 0)
+    {
+      if (errno == ENOENT)
+        return false;
+      err (EXIT_FAILURE, "Failed to open '%s'", filename);
+    }
+
+  struct stat st;
+  if (fstat (fd, &st) < 0)
+    err (EXIT_FAILURE, "Failed to stat '%s'", filename);
+
+  if (!S_ISREG (st.st_mode))
+    errx (EXIT_FAILURE, "'%s' is not a regular file", filename);
+
+  if (st.st_size <= 0)
+    errx (EXIT_FAILURE, "'%s' is empty", filename);
+
+  if (st.st_size > 640 * 1024)  /* ought to be enough for anybody! */
+    errx (EXIT_FAILURE, "'%s' is too large", filename);
+
+  size_t file_size = (size_t) st.st_size;
+
+  unsigned char *buffer = mallocx (file_size + 1);
+  if (buffer == NULL)
+    errx (EXIT_FAILURE, "Failed to allocate memory for '%s'", filename);
+
+  ssize_t n;
+  do
+    n = read (fd, buffer, file_size);
+  while (n < 0 && errno == EINTR);
+
+  if (n < 0)
+    err (EXIT_FAILURE, "Failed to read '%s'", filename);
+
+  if (n != (ssize_t) file_size)
+    errx (EXIT_FAILURE, "Failed to read '%s': expected %zu bytes, got %zd", filename, file_size, n);
+
+  close (fd);
+
+  buffer[file_size] = '\0';
+
+  data->data = buffer;
+  data->size = (unsigned int) file_size;  /* <= 640k */
+
+  return true;
+}
+
 Credentials *
-credentials_load (const char *certificate_filename,
-                  const char *key_filename)
+credentials_load_directory (int dirfd)
 {
   gnutls_certificate_credentials_t creds;
   int ret;
 
-  debug (SERVER, "Using certificate %s", certificate_filename);
-
   ret = gnutls_certificate_allocate_credentials (&creds);
   assert (ret == GNUTLS_E_SUCCESS);
 
-  ret = gnutls_certificate_set_x509_key_file (creds,
-                                              certificate_filename, key_filename,
-                                              GNUTLS_X509_FMT_PEM);
+  Credentials *self = credentials_new(creds);
+
+  /* Load files sequentially 0.{crt,key}, 1.{crt,key}, 2.{crt,key}, etc... */
+  int i;
+  for (i = 0; ; i++)
+    {
+      char crt_name[32];
+      snprintf (crt_name, sizeof crt_name, "%d.crt", i);
+
+      gnutls_datum_t crt_data;
+      if (!load_file (dirfd, crt_name, &crt_data))
+        break;
+
+      debug (SERVER, "Adding certificate %s", cert_name);
+
+      char key_name[32];
+      snprintf (key_name, sizeof key_name, "%d.key", i);
+
+      gnutls_datum_t key_data;
+      if (!load_file (dirfd, key_name, &key_data))
+        errx (EXIT_FAILURE, "Certificate '%s' exists but key '%s' is missing",
+              crt_name, key_name);
+
+      int ret = gnutls_certificate_set_x509_key_mem2 (self->creds,
+                                                      &crt_data, &key_data,
+                                                      GNUTLS_X509_FMT_PEM,
+                                                      NULL, 0);
+      if (ret < 0)
+        errx (EXIT_FAILURE, "Failed to load keypair %s/%s: %s",
+              crt_name, key_name, gnutls_strerror (ret));
+
+      gnutls_memset (key_data.data, 0, key_data.size);
+      free (key_data.data);
+      free (crt_data.data);
+    }
 
-  if (ret != GNUTLS_E_SUCCESS)
-    errx (EXIT_FAILURE, "Failed to initialize server certificate: %s", gnutls_strerror (ret));
+  if (i == 0)
+    errx (EXIT_FAILURE, "No certificates found in directory");
 
-  return credentials_new (creds);
+  debug (SERVER, "Loaded %d certificate(s)", i);
+  return self;
 }

src/tls/credentials.h

@@ -5,6 +5,8 @@
 
 #pragma once
 
+#include <stdbool.h>
+
 #include <gnutls/gnutls.h>
 
 typedef struct _Credentials Credentials;
@@ -21,3 +23,9 @@ credentials_get (Credentials *self);
 Credentials *
 credentials_load (const char *certificate_filename,
                   const char *key_filename);
+
+Credentials *
+credentials_new_empty (void);
+
+Credentials *
+credentials_load_directory (int dirfd);

src/tls/main.c

@@ -7,7 +7,9 @@
 
 #include <argp.h>
 #include <err.h>
+#include <fcntl.h>
 #include <stddef.h>
+#include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
 
@@ -96,26 +98,32 @@ main (int argc, char **argv)
 
   if (!arguments.no_tls)
     {
-      char *error = NULL;
-
-      if (error)
-        errx (EXIT_FAILURE, "Could not locate server certificate: %s", error);
+      static const char cert_dir[] = "/run/cockpit/certs.d";
 
       if (cockpit_conf_bool ("WebService", "ClientCertAuthentication", false))
         client_cert_mode = GNUTLS_CERT_REQUEST;
 
       bool allow_unencrypted = cockpit_conf_bool ("WebService", "AllowUnencrypted", false);
 
-      connection_crypto_init ("/run/cockpit/tls/server/cert",
-                              "/run/cockpit/tls/server/key",
-                              allow_unencrypted, client_cert_mode);
+      int cert_dirfd = open (cert_dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
+      if (cert_dirfd == -1)
+        err (EXIT_FAILURE, "open: %s", cert_dir);
+
+      connection_crypto_init (cert_dirfd, allow_unencrypted, client_cert_mode);
+
+      /* Clean up certificate files after loading */
+      for (int i = 0; ; i++)
+        {
+          char cert_name[16], key_name[16];
+          snprintf (cert_name, sizeof cert_name, "%d.crt", i);
+          snprintf (key_name, sizeof key_name, "%d.key", i);
 
-      /* There's absolutely no need to keep these around */
-      if (unlink ("/run/cockpit/tls/server/cert") != 0)
-        err (EXIT_FAILURE, "unlink: /run/cockpit/tls/server/cert");
+          if (unlinkat (cert_dirfd, cert_name, 0) != 0)
+            break;
+          unlinkat (cert_dirfd, key_name, 0);
+        }
 
-      if (unlink ("/run/cockpit/tls/server/key") != 0)
-        err (EXIT_FAILURE, "unlink: /run/cockpit/tls/server/key");
+      close (cert_dirfd);
     }
 
   server_run ();

src/tls/test-cockpit-certificate-ensure.c

@@ -209,10 +209,10 @@ test_copy (Fixture *fixture,
   cockpit_assert_strmatch (stderr_str, tc->copy_stderr);
   g_assert_cmpint (g_subprocess_get_exit_status (helper), ==, tc->copy_exit);
 
-  g_autofree gchar *cert_source = areadlinkat (fixture->runtime_dir_fd, "server/cert.source");
+  g_autofree gchar *cert_source = areadlinkat (fixture->runtime_dir_fd, "server/0.crt.source");
   cockpit_assert_strmatch (cert_source, tc->cert_source);
 
-  g_autofree gchar *key_source = areadlinkat (fixture->runtime_dir_fd, "server/key.source");
+  g_autofree gchar *key_source = areadlinkat (fixture->runtime_dir_fd, "server/0.key.source");
   cockpit_assert_strmatch (key_source, tc->key_source);
 
   if (tc->copy_exit == EXIT_SUCCESS)
@@ -225,8 +225,8 @@ test_copy (Fixture *fixture,
       g_autoptr(GTlsCertificate) input = g_tls_certificate_new_from_pem (input_data->str, input_data->len, &error);
       g_assert_no_error (error);
 
-      g_autofree gchar *certfile = g_build_filename (fixture->runtime_dir, "server", "cert", NULL);
-      g_autofree gchar *keyfile = g_build_filename (fixture->runtime_dir, "server", "key", NULL);
+      g_autofree gchar *certfile = g_build_filename (fixture->runtime_dir, "server", "0.crt", NULL);
+      g_autofree gchar *keyfile = g_build_filename (fixture->runtime_dir, "server", "0.key", NULL);
       g_autoptr(GTlsCertificate) output = g_tls_certificate_new_from_files (certfile, keyfile, &error);
 #if !GLIB_CHECK_VERSION(2,58,0)
       /* Older GLib (RHEL 8) doesn't know how to find EC private keys */

src/tls/test-server.c

@@ -434,7 +434,20 @@ setup (TestCase *tc, gconstpointer data)
   server_init (tc->ws_socket_dir, tc->runtime_dir, fixture ? fixture->idle_timeout : 0, 0);
 
   if (fixture && fixture->certfile)
-    connection_crypto_init (fixture->certfile, fixture->keyfile, false, fixture->cert_request_mode);
+    {
+      /* Set up certs.d directory with 0.cert and 0.key */
+      g_autofree gchar *certs_dir = g_build_filename (tc->runtime_dir, "certs.d", NULL);
+      g_assert_cmpint (g_mkdir (certs_dir, 0700), ==, 0);
+      g_autofree gchar *cert_link = g_build_filename (certs_dir, "0.crt", NULL);
+      g_autofree gchar *key_link = g_build_filename (certs_dir, "0.key", NULL);
+      g_assert_cmpint (symlink (fixture->certfile, cert_link), ==, 0);
+      g_assert_cmpint (symlink (fixture->keyfile, key_link), ==, 0);
+
+      int cert_dirfd = open (certs_dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
+      g_assert_cmpint (cert_dirfd, >=, 0);
+      connection_crypto_init (cert_dirfd, false, fixture->cert_request_mode);
+      close (cert_dirfd);
+    }
 
   /* Figure out the socket address we ought to connect to */
   socklen_t addrlen = sizeof tc->server_addr;
@@ -481,6 +494,17 @@ teardown (TestCase *tc, gconstpointer data)
   g_assert_cmpint (g_rmdir (tc->clients_dir), ==, 0);
   g_free (tc->clients_dir);
 
+  /* Clean up certs.d if it exists */
+  g_autofree gchar *certs_dir = g_build_filename (tc->runtime_dir, "certs.d", NULL);
+  if (g_file_test (certs_dir, G_FILE_TEST_IS_DIR))
+    {
+      g_autofree gchar *cert_file = g_build_filename (certs_dir, "0.crt", NULL);
+      g_autofree gchar *key_file = g_build_filename (certs_dir, "0.key", NULL);
+      g_unlink (cert_file);
+      g_unlink (key_file);
+      g_assert_cmpint (g_rmdir (certs_dir), ==, 0);
+    }
+
   g_assert_cmpint (g_rmdir (tc->runtime_dir), ==, 0);
   g_free (tc->runtime_dir);
 

test/verify/check-connection

@@ -1451,7 +1451,7 @@ Command={self.libexecdir}/cockpit-session
         b.wait_text("#server-name", "ExDeeGee")
 
         # uses the expected certs
-        self.assertEqual(m.execute("readlink /run/cockpit/tls/server/key.source").strip(),
+        self.assertEqual(m.execute("readlink /run/cockpit/tls/server/0.key.source").strip(),
                          "/etc/test-xdg/cockpit/ws-certs.d/0-self-signed.key")
         # and did not generate new ones
         self.assertNotIn("ws-certs.d", m.execute("ls /etc/cockpit"))