Changeset 105124 in vbox

Timestamp:

Jul 3, 2024 5:50:46 PM (8 months ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

163754

Message:

Certificate repair function added - bugref:10310

Location:

trunk

Files:

• include/iprt/crypto/x509.h (modified) (2 diffs)
• src/VBox/Main/include/VRDEServerImpl.h (modified) (1 diff)
• src/VBox/Main/src-server/VRDEServerImpl.cpp (modified) (4 diffs)
• src/VBox/Runtime/common/crypto/x509-create-sign.cpp (modified) (3 diffs)
• src/VBox/ValidationKit/tests/api/tdCloneMedium1.py (modified) (1 diff)

trunk/include/iprt/crypto/x509.h

@@ -1224 +1224 @@
  * @param   fKeyUsage           Key usage mask: RTCRX509CERT_KEY_USAGE_F_XXX.
  * @param   fExtKeyUsage        Extended key usage mask: RTCRX509CERT_EKU_F_XXX.
- * @param   pvSubjectTodo       TODO: Subject name.
+ * @param   pvSubject           Subject name.
  * @param   pszCertFile         Where to store the certificate (PEM formatting).
  * @param   pszPrivateKeyFile   Where to store the unencrypted private key (PEM
@@ -1232 +1232 @@
  */
 RTDECL(int) RTCrX509Certificate_GenerateSelfSignedRsa(RTDIGESTTYPE enmDigestType, uint32_t cBits, uint32_t cSecsValidFor,
-                                                      uint32_t fKeyUsage, uint64_t fExtKeyUsage, void *pvSubjectTodo,
+                                                      uint32_t fKeyUsage, uint64_t fExtKeyUsage, const char *pvSubject,
                                                       const char *pszCertFile, const char *pszPrivateKeyFile, PRTERRINFO pErrInfo);
 

trunk/src/VBox/Main/include/VRDEServerImpl.h

@@ -60 +60 @@
     HRESULT i_loadSettings(const settings::VRDESettings &data);
     HRESULT i_saveSettings(settings::VRDESettings &data);
+    int certificateRepair(BOOL &certificateGenerated);
     int i_generateServerCertificate();
     void i_rollback();

trunk/src/VBox/Main/src-server/VRDEServerImpl.cpp

@@ -241 +241 @@
 int VRDEServer::i_generateServerCertificate()
 {
-    Utf8Str strServerCertificate("server_cert.pem");
+    Utf8Str strServerCertificate("VRDEAutoGeneratedCert.pem");
     int vrc = mParent->i_calculateFullPath(strServerCertificate, strServerCertificate);
     AssertRCReturn(vrc, vrc);
 
-    Utf8Str strServerPrivateKey("server_key_private.pem");
+    Utf8Str strServerPrivateKey("VRDEAutoGeneratedPrivateKey.pem");
     vrc = mParent->i_calculateFullPath(strServerPrivateKey, strServerPrivateKey);
     AssertRCReturn(vrc, vrc);
 
+    AutoReadLock mlock(mParent COMMA_LOCKVAL_SRC_POS);
+    Utf8Str strVMName = mParent->i_getName();
+    mlock.release();
+
     vrc = RTCrX509Certificate_GenerateSelfSignedRsa(RTDIGESTTYPE_SHA1, 2048 /*cBits*/, 10 * 365 * RT_SEC_1DAY,
-                                                    0 /*fKeyUsage*/, 0 /*fExtKeyUsage*/, NULL /*pvSubjectTodo*/,
+                                                    0 /*fKeyUsage*/, 0 /*fExtKeyUsage*/, strVMName.c_str() /*pvSubject*/,
                                                     strServerCertificate.c_str(), strServerPrivateKey.c_str(), NULL /*pErrInfo*/);
     if (RT_SUCCESS(vrc))
@@ -281 +285 @@
 }
 
+/**
+ * Checks validity of auto-generated certificates, sets VRDE properties, and deletes files if necessary.
+ *
+ * @note Locks this object for writing.
+ */
+int VRDEServer::certificateRepair(BOOL &certificateGenerated)
+{
+    int vrc = VINF_SUCCESS;
+    if ( (mData->mapProperties["Security/Method"] != "RDP" || mData->mapProperties["Security/Method"] != "None"))
+    {
+        Utf8Str strServerCertificate("VRDEAutoGeneratedCert.pem");
+        vrc = mParent->i_calculateFullPath(strServerCertificate, strServerCertificate);
+        AssertRCReturn(vrc, vrc);
+
+        Utf8Str strServerPrivateKey("VRDEAutoGeneratedPrivateKey.pem");
+        vrc = mParent->i_calculateFullPath(strServerPrivateKey, strServerPrivateKey);
+        AssertRCReturn(vrc, vrc);
+
+        if ( RTFileExists(strServerPrivateKey.c_str()) && RTFileExists(strServerCertificate.c_str()) )
+        {
+            /* Check validity of certificate */
+            RTCRX509CERTIFICATE pCertificate;
+            BOOL validCert = false;
+            vrc = RTCrX509Certificate_ReadFromFile(&pCertificate, strServerCertificate.c_str(), RTCRX509CERT_READ_F_PEM_ONLY,
+                                                   &g_RTAsn1DefaultAllocator, NULL);
+            if(RT_FAILURE(vrc))
+            {
+                RTCrX509Certificate_Delete(&pCertificate);
+                return setError(VBOX_E_IPRT_ERROR, tr("Failed to read server certificate: (%Rrc)\n"), vrc);
+            }
+
+            RTTIMESPEC Now;
+            if ( RTCrX509Validity_IsValidAtTimeSpec(&(&pCertificate)->TbsCertificate.Validity, RTTimeNow(&Now)) )
+                validCert = true;
+
+            RTCrX509Certificate_Delete(&pCertificate);
+
+            Utf8Str strPath = mData->mapProperties["Security/ServerCertificate"];
+            if ( strPath.isEmpty() && validCert )
+            {
+                /*
+                 * Valid auto-generated certificate and private key files exist but are not assigned to vm property
+                 */
+                AutoWriteLock alock(this COMMA_LOCKVAL_SRC_POS);
+                mData.backup();
+                mData->mapProperties["Security/Method"] = Utf8Str("TLS");
+                mData->mapProperties["Security/ServerCertificate"] = strServerCertificate;
+                mData->mapProperties["Security/ServerPrivateKey"] = strServerPrivateKey;
+                /* Done with the properties access. */
+                alock.release();
+                certificateGenerated = true;
+                RTCrX509Certificate_Delete(&pCertificate);
+            }
+            else if ( (strPath.isEmpty() || strstr(strPath.c_str(),"VRDEAutoGeneratedCert.pem")) && !validCert)
+            {
+                /* Certificate is not valid so delete the files and create new ones */
+                RTFileDelete(strServerPrivateKey.c_str());
+                RTFileDelete(strServerCertificate.c_str());
+                vrc = i_generateServerCertificate();
+                if (RT_FAILURE(vrc))
+                {
+                    RTCrX509Certificate_Delete(&pCertificate);
+                    i_rollback();
+                    return setError(VBOX_E_IPRT_ERROR, tr("Failed to auto generate server key and certificate: (%Rrc)\n"), vrc);
+                }
+                certificateGenerated = true;
+            }
+        }
+        else if (RTFileExists(strServerPrivateKey.c_str())) /* If only one of cert/key pair exists */
+        {
+            RTFileDelete(strServerPrivateKey.c_str());
+            vrc = i_generateServerCertificate();
+            if (RT_FAILURE(vrc))
+            {
+                i_rollback();
+                return setError(VBOX_E_IPRT_ERROR, tr("Failed to auto generate server key and certificate: (%Rrc)\n"), vrc);
+            }
+            certificateGenerated = true;
+        }
+        else if (RTFileExists(strServerCertificate.c_str()))
+        {
+            RTFileDelete(strServerCertificate.c_str());
+            vrc = i_generateServerCertificate();
+            if (RT_FAILURE(vrc))
+            {
+                i_rollback();
+                return setError(VBOX_E_IPRT_ERROR, tr("Failed to auto generate server key and certificate: (%Rrc)\n"), vrc);
+            }
+            certificateGenerated = true;
+        }
+        else
+        {
+            /*
+             * Auto-generated certificate and key files do not exist
+             * If the server certificate property is not set
+             * or indicates an auto-generated certificate should exist, create one
+             */
+            Utf8Str strPath = mData->mapProperties["Security/ServerCertificate"];
+            if (strPath.isEmpty() || strstr(strPath.c_str(),"VRDEAutoGeneratedCert.pem"))
+            {
+                vrc = i_generateServerCertificate();
+                if (RT_FAILURE(vrc))
+                {
+                    i_rollback();
+                    return setError(VBOX_E_IPRT_ERROR, tr("Failed to auto generate server key and certificate: (%Rrc)\n"), vrc);
+                }
+                certificateGenerated = true;
+            }
+        }
+    }
+    return vrc;
+}
+
 // IVRDEServer properties
 /////////////////////////////////////////////////////////////////////////////
@@ -312 +429 @@
 
         /*
-         * If TLS is not explicitly disabled and there is not an existing certificate
+         * If enabling VRDE and TLS is not explicitly disabled
+         * and there is not an existing certificate
          * then auto-generate a self-signed certificate for this VM.
          */
-        Utf8Str strPath = mData->mapProperties["Security/ServerCertificate"];
-        if (aEnabled && strPath.isEmpty())
-        {
-            if (mData->mapProperties["Security/Method"] != "RDP")
-            {
-                int vrc = i_generateServerCertificate();
-                if (RT_FAILURE(vrc))
-                    LogRel(("Failed to auto generate server key and certificate: (%Rrc)\n", vrc));
-            }
+        if (aEnabled)
+        {
+            BOOL certificateGenerated = false;
+            int vrc = certificateRepair(certificateGenerated);
+            if (RT_FAILURE(vrc))
+                LogRel((("Failed to auto generate server key and certificate: (%Rrc)\n"), vrc));
         }
 
@@ -514 +629 @@
 HRESULT VRDEServer::getVRDEProperty(const com::Utf8Str &aKey, com::Utf8Str &aValue)
 {
+    /* Special case for the server certificate because it might be created automatically by the code below. */
+    if (   aKey == "Security/ServerCertificate"
+        || aKey == "Security/ServerPrivateKey")
+    {
+        BOOL certificateGenerated = false;
+        int vrc = certificateRepair(certificateGenerated);
+        if ( RT_FAILURE(vrc) )
+            LogRel((("Failed to auto generate server key and certificate: (%Rrc)\n"), vrc));
+        else if (certificateGenerated)
+        {
+            AutoWriteLock mlock(mParent COMMA_LOCKVAL_SRC_POS);
+            mParent->i_setModified(Machine::IsModified_VRDEServer);
+            mlock.release();
+        }
+    }
     AutoReadLock alock(this COMMA_LOCKVAL_SRC_POS);
     settings::StringsMap::const_iterator it = mData->mapProperties.find(aKey);

trunk/src/VBox/Runtime/common/crypto/x509-create-sign.cpp

@@ -62 +62 @@
 
 RTDECL(int) RTCrX509Certificate_GenerateSelfSignedRsa(RTDIGESTTYPE enmDigestType, uint32_t cBits, uint32_t cSecsValidFor,
-                                                      uint32_t fKeyUsage, uint64_t fExtKeyUsage, void *pvSubjectTodo,
+                                                      uint32_t fKeyUsage, uint64_t fExtKeyUsage, const char *pvSubject,
                                                       const char *pszCertFile, const char *pszPrivateKeyFile, PRTERRINFO pErrInfo)
 {
@@ -68 +68 @@
     AssertReturn(!fKeyUsage, VERR_NOT_IMPLEMENTED);
     AssertReturn(!fExtKeyUsage, VERR_NOT_IMPLEMENTED);
-    AssertReturn(pvSubjectTodo == NULL, VERR_NOT_IMPLEMENTED);
 
     /*
@@ -159 +158 @@
         /* Make it self signed: */
         X509_NAME *pX509Name = X509_get_subject_name(pNewCert);
+        rcOssl = X509_NAME_add_entry_by_txt(pX509Name, "CN", MBSTRING_ASC, (unsigned char *) pvSubject, -1, -1, 0);
+        AssertStmt(rcOssl > 0, rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "X509_NAME_add_entry_by_txt failed"));
         rcOssl = X509_set_issuer_name(pNewCert, pX509Name);
         AssertStmt(rcOssl > 0, rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "X509_set_issuer_name failed"));

trunk/src/VBox/ValidationKit/tests/api/tdCloneMedium1.py

@@ -214 +214 @@
         reporter.testStart("testResizeAndClone")
 
-        oVM = self.oTstDrv.createTestVM('test-medium-clone-only', 1, None, 4)
+        oVM = self.oTstDrv.createTestVM('test-medium-resize-and-clone', 1, None, 4)
 
         hd1 = self.createTestMedium(oVM, "hd1-resizeandclone", data=[self.iDataToWrite])