cockpit-tls: enable loading multiple TLS certificates (for post-quantum)

src/tls/Makefile-tls.am

@@ -12,8 +12,8 @@ libcockpit_tls_a_LIBS = \
 	$(NULL)
 
 libcockpit_tls_a_SOURCES = \
-	src/tls/certificate.c \
-	src/tls/certificate.h \
+	src/tls/credentials.c \
+	src/tls/credentials.h \
 	src/tls/client-certificate.c \
 	src/tls/client-certificate.h \
 	src/tls/connection.c \

src/tls/cockpit-certificate-ensure.c

@@ -22,7 +22,6 @@
 #include <common/cockpitwebcertificate.h>
 #include <common/cockpitmemory.h>
 
-#include "certificate.h"
 #include "utils.h"
 
 #define COCKPIT_CERTIFICATE_HELPER   LIBEXECDIR "/cockpit-certificate-helper"

src/tls/connection.c

@@ -36,7 +36,7 @@
 #include <common/cockpitmemory.h>
 #include <common/cockpitwebcertificate.h>
 
-#include "certificate.h"
+#include "credentials.h"
 #include "client-certificate.h"
 #include "httpredirect.h"
 #include "socket-io.h"
@@ -45,7 +45,7 @@
 /* cockpit-tls TCP server state (singleton) */
 static struct {
   gnutls_certificate_request_t request_mode;
-  Certificate *certificate;
+  Credentials *credentials;
   bool require_https;
   int wsinstance_sockdir;
   int cert_session_dir;
@@ -579,7 +579,7 @@ connection_handshake (Connection *self)
     {
       debug (CONNECTION, "first byte is %i, initializing TLS", (int) b);
 
-      if (parameters.certificate == NULL)
+      if (parameters.credentials == NULL)
         {
           warnx ("got TLS connection, but our server does not have a certificate/key; refusing");
           return false;
@@ -600,7 +600,7 @@ connection_handshake (Connection *self)
         }
 
       ret = gnutls_credentials_set (self->tls, GNUTLS_CRD_CERTIFICATE,
-                                    certificate_get_credentials (parameters.certificate));
+                                    credentials_get (parameters.credentials));
       if (ret != GNUTLS_E_SUCCESS)
         {
           warnx ("gnutls_credentials_set failed: %s", gnutls_strerror (ret));
@@ -844,7 +844,7 @@ connection_crypto_init (const char *certificate_filename,
                         bool allow_unencrypted,
                         gnutls_certificate_request_t request_mode)
 {
-  parameters.certificate = certificate_load (certificate_filename, key_filename);
+  parameters.credentials = credentials_load (certificate_filename, key_filename);
   parameters.request_mode = request_mode;
   /* If we aren't called, then require_https is false */
   parameters.require_https = !allow_unencrypted;
@@ -884,10 +884,10 @@ connection_cleanup (void)
   assert (parameters.wsinstance_sockdir != -1);
   assert (parameters.cert_session_dir != -1);
 
-  if (parameters.certificate)
+  if (parameters.credentials)
     {
-      certificate_unref (parameters.certificate);
-      parameters.certificate = NULL;
+      credentials_unref (parameters.credentials);
+      parameters.credentials = NULL;
     }
 
   parameters.require_https = false;

src/tls/certificate.c → src/tls/credentials.c

@@ -5,7 +5,7 @@
 
 #include "config.h"
 
-#include "certificate.h"
+#include "credentials.h"
 
 #include <assert.h>
 #include <err.h>
@@ -19,32 +19,32 @@
 
 #include "utils.h"
 
-struct _Certificate
+struct _Credentials
 {
   gnutls_certificate_credentials_t creds;
   int ref_count;
 };
 
-static Certificate *
-certificate_new (gnutls_certificate_credentials_t creds)
+static Credentials *
+credentials_new (gnutls_certificate_credentials_t creds)
 {
-  Certificate *self = mallocx (sizeof (Certificate));
+  Credentials *self = mallocx (sizeof (Credentials));
   self->creds = creds;
   self->ref_count = 1;
 
   return self;
 }
 
-Certificate *
-certificate_ref (Certificate *self)
+Credentials *
+credentials_ref (Credentials *self)
 {
   self->ref_count++;
 
   return self;
 }
 
 void
-certificate_unref (Certificate *self)
+credentials_unref (Credentials *self)
 {
   if (--self->ref_count == 0)
     {
@@ -54,13 +54,13 @@ certificate_unref (Certificate *self)
 }
 
 gnutls_certificate_credentials_t
-certificate_get_credentials (Certificate *self)
+credentials_get (Credentials *self)
 {
   return self->creds;
 }
 
-Certificate *
-certificate_load (const char *certificate_filename,
+Credentials *
+credentials_load (const char *certificate_filename,
                   const char *key_filename)
 {
   gnutls_certificate_credentials_t creds;
@@ -78,5 +78,5 @@ certificate_load (const char *certificate_filename,
   if (ret != GNUTLS_E_SUCCESS)
     errx (EXIT_FAILURE, "Failed to initialize server certificate: %s", gnutls_strerror (ret));
 
-  return certificate_new (creds);
+  return credentials_new (creds);
 }

src/tls/credentials.h

@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) 2021 Red Hat, Inc.
+ * SPDX-License-Identifier: LGPL-2.1-or-later
+ */
+
+#pragma once
+
+#include <gnutls/gnutls.h>
+
+typedef struct _Credentials Credentials;
+
+Credentials *
+credentials_ref (Credentials *self);
+
+void
+credentials_unref (Credentials *self);
+
+gnutls_certificate_credentials_t
+credentials_get (Credentials *self);
+
+Credentials *
+credentials_load (const char *certificate_filename,
+                  const char *key_filename);