From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <f.gruenbichler@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id B72D99549A
 for <pve-devel@lists.proxmox.com>; Wed,  1 Mar 2023 11:17:38 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id 94EFE1855A
 for <pve-devel@lists.proxmox.com>; Wed,  1 Mar 2023 11:17:08 +0100 (CET)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [94.136.29.106])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS
 for <pve-devel@lists.proxmox.com>; Wed,  1 Mar 2023 11:17:07 +0100 (CET)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 54D8248C48
 for <pve-devel@lists.proxmox.com>; Wed,  1 Mar 2023 11:17:07 +0100 (CET)
Date: Wed, 01 Mar 2023 11:17:00 +0100
From: Fabian =?iso-8859-1?q?Gr=FCnbichler?= <f.gruenbichler@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
References: <20230228163634.299137-1-m.carrara@proxmox.com>
 <20230228163634.299137-2-m.carrara@proxmox.com>
In-Reply-To: <20230228163634.299137-2-m.carrara@proxmox.com>
MIME-Version: 1.0
User-Agent: astroid/0.16.0 (https://github.com/astroidmail/astroid)
Message-Id: <1677663701.adsuda5fsu.astroid@yuna.none>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.125 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
 URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See
 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more
 information. [proxmox.com, certificate.pm]
Subject: Re: [pve-devel] [PATCH common 1/2] certificate: add subroutine that
 checks if cert and key match
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Wed, 01 Mar 2023 10:17:38 -0000

On February 28, 2023 5:36 pm, Max Carrara wrote:
> This is done here in order to allow other packages to make use of
> this subroutine.
>=20
> Signed-off-by: Max Carrara <m.carrara@proxmox.com>
> ---
>  src/PVE/Certificate.pm | 26 ++++++++++++++++++++++++++
>  1 file changed, 26 insertions(+)
>=20
> diff --git a/src/PVE/Certificate.pm b/src/PVE/Certificate.pm
> index 31a7722..5ec1c6b 100644
> --- a/src/PVE/Certificate.pm
> +++ b/src/PVE/Certificate.pm
> @@ -228,6 +228,32 @@ sub get_certificate_fingerprint {
>      return $fp;
>  }
> =20
> +sub certificate_matches_key {
> +    my ($cert_path, $key_path) =3D @_;
> +
> +    die "No certificate path given!\n" if !$cert_path;
> +    die "No certificate key path given!\n" if !$key_path;
> +
> +    die "Certificate at '$cert_path' does not exist!\n" if ! -e $cert_pa=
th;
> +    die "Certificate key '$key_path' does not exist!\n" if ! -e $key_pat=
h;
> +
> +    my $ctx =3D Net::SSLeay::CTX_new()
> +	or $ssl_die->(
> +	    "failed to create SSL context in order to verify private key\n"
> +	);

probably everything after this point [continued at [0]]

> +
> +    Net::SSLeay::set_cert_and_key($ctx, $cert_path, $key_path);

this can also fail, so should get "or $ssl_die->(..)"

> +
> +    my $result =3D Net::SSLeay::CTX_check_private_key($ctx);
> +
> +    $ssl_warn->("Failed to validate private key and certificate\n")
> +	if !$result;

this could simply be CTX_check_private_key($ctx) or $ssl_die->(..);

> +

[0]: until this should go into an eval block, so that we can capture $@

> +    Net::SSLeay::CTX_free($ctx);

then always run this, and then re-die if we had an error

> +
> +    return $result;

this could then return 1;, since all errors above would already be handled.=
. or
return nothing at all since it would just die in case of an error anyway..

so basically

...
..setup ctx or ssl_die..
eval {
    all the stuff that could fail with or ssl_die
}
my $err =3D $@;
..destroy ctx..
die "... $err" if $err;

> +}
> +
>  sub get_certificate_info {
>      my ($cert_path) =3D @_;
> =20
> --=20
> 2.30.2
>=20
>=20
>=20
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>=20
>=20
>=20