From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 0A7EE8222 for ; Thu, 2 Mar 2023 14:14:33 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id DFABA3ED2 for ; Thu, 2 Mar 2023 14:14:32 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Thu, 2 Mar 2023 14:14:31 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id E07EC48D9D for ; Thu, 2 Mar 2023 14:14:30 +0100 (CET) Message-ID: <4b6744ae-8a54-d596-11da-e8aa3aa09a86@proxmox.com> Date: Thu, 2 Mar 2023 14:14:29 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.8.0 Content-Language: en-US To: Proxmox VE development discussion , =?UTF-8?Q?Fabian_Gr=c3=bcnbichler?= References: <20230228163634.299137-1-m.carrara@proxmox.com> <20230228163634.299137-2-m.carrara@proxmox.com> <1677663701.adsuda5fsu.astroid@yuna.none> From: Max Carrara In-Reply-To: <1677663701.adsuda5fsu.astroid@yuna.none> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.351 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_ASCII_DIVIDERS 0.8 Email that uses ascii formatting dividers and possible spam tricks KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment NICE_REPLY_A -0.09 Looks like a legit reply (A) SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [certificate.pm, proxmox.com] Subject: Re: [pve-devel] [PATCH common 1/2] certificate: add subroutine that checks if cert and key match X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Mar 2023 13:14:33 -0000 On 3/1/23 11:17, Fabian Grünbichler wrote: > On February 28, 2023 5:36 pm, Max Carrara wrote: >> This is done here in order to allow other packages to make use of >> this subroutine. >> >> Signed-off-by: Max Carrara >> --- >> src/PVE/Certificate.pm | 26 ++++++++++++++++++++++++++ >> 1 file changed, 26 insertions(+) >> >> diff --git a/src/PVE/Certificate.pm b/src/PVE/Certificate.pm >> index 31a7722..5ec1c6b 100644 >> --- a/src/PVE/Certificate.pm >> +++ b/src/PVE/Certificate.pm >> @@ -228,6 +228,32 @@ sub get_certificate_fingerprint { >> return $fp; >> } >> >> +sub certificate_matches_key { >> + my ($cert_path, $key_path) = @_; >> + >> + die "No certificate path given!\n" if !$cert_path; >> + die "No certificate key path given!\n" if !$key_path; >> + >> + die "Certificate at '$cert_path' does not exist!\n" if ! -e $cert_path; >> + die "Certificate key '$key_path' does not exist!\n" if ! -e $key_path; >> + >> + my $ctx = Net::SSLeay::CTX_new() >> + or $ssl_die->( >> + "failed to create SSL context in order to verify private key\n" >> + ); > > probably everything after this point [continued at [0]] > >> + >> + Net::SSLeay::set_cert_and_key($ctx, $cert_path, $key_path); > > this can also fail, so should get "or $ssl_die->(..)" > >> + >> + my $result = Net::SSLeay::CTX_check_private_key($ctx); >> + >> + $ssl_warn->("Failed to validate private key and certificate\n") >> + if !$result; > > this could simply be CTX_check_private_key($ctx) or $ssl_die->(..); > >> + > > [0]: until this should go into an eval block, so that we can capture $@ > >> + Net::SSLeay::CTX_free($ctx); > > then always run this, and then re-die if we had an error > >> + >> + return $result; > > this could then return 1;, since all errors above would already be handled.. or > return nothing at all since it would just die in case of an error anyway.. > > so basically > > ... > ..setup ctx or ssl_die.. > eval { > all the stuff that could fail with or ssl_die > } > my $err = $@; > ..destroy ctx.. > die "... $err" if $err; > >> +} >> + >> sub get_certificate_info { >> my ($cert_path) = @_; >> >> -- >> 2.30.2 >> >> >> >> _______________________________________________ >> pve-devel mailing list >> pve-devel@lists.proxmox.com >> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel >> >> >> > > > _______________________________________________ > pve-devel mailing list > pve-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel > > As we had discussed in person, I'll add the eval block and necessary error handling in v2. Also, I just had an idea: What do you think about collecting error messages in an array (where applicable) before letting the sub die? For example: > my ($cert_path, $key_path) = @_; > > my @errs; > > push(@errs, 'No certificate path given!') > if !$cert_path; > push(@errs, 'No certificate key path given!') > if !$key_path; > > die join("\n", @errs) . "\n" if @errs; Would maybe make it a little more "ergonomic" when debugging, but I'm not entirely sure if that's actually necessary.