From 1d7b5b4afdcd76e24ec3678d5418b29d4ff06ad9 Mon Sep 17 00:00:00 2001 From: Daniel P. Berrange Date: Thu, 15 Oct 2015 16:14:42 +0100 Subject: crypto: add support for loading encrypted x509 keys Make use of the QCryptoSecret object to support loading of encrypted x509 keys. The optional 'passwordid' parameter to the tls-creds-x509 object type, provides the ID of a secret object instance that holds the decryption password for the PEM file. # printf "123456" > mypasswd.txt # $QEMU \ -object secret,id=sec0,filename=mypasswd.txt \ -object tls-creds-x509,passwordid=sec0,id=creds0,\ dir=/home/berrange/.pki/qemu,endpoint=server \ -vnc :1,tls-creds=creds0 This requires QEMU to be linked to GNUTLS >= 3.1.11. If GNUTLS is too old an error will be reported if an attempt is made to pass a decryption password. Reviewed-by: Eric Blake Signed-off-by: Daniel P. Berrange
---
include/crypto/tlscredsx509.h | 1 + 1 file changed, 1 insertion(+) (limited to 'include')
diff --git a/include/crypto/tlscredsx509.h b/include/crypto/tlscredsx509.h
index b9785fddcf..25796d7de4 100644
--- a/include/crypto/tlscredsx509.h
+++ b/include/crypto/tlscredsx509.h
@@ -101,6 +101,7 @@ struct QCryptoTLSCredsX509 {
 gnutls_certificate_credentials_t data;
 #endif
 bool sanityCheck;
+ char *passwordid;
 };
-- cgit v1.2.3-55-g7522
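Review bot: The new `passwordid` member of `struct QCryptoTLSCredsX509` has no comment saying what it stores or who owns it, and a bare `char *` next to the word "password" is easy to misread as the secret itself. I would document it at the declaration, for example `char *passwordid; /* ID of the secret object holding the PEM key password; owned string, freed on finalize */`. The struct starts outside this hunk and the view is limited to 'include', so the finalizer and property setter are not visible here. It is worth confirming that the setter frees any previous value before storing a new one, and that the finalizer releases the string. Presumably the password resolved through this ID is a short-lived copy, so the loading code should free it as soon as the key has been imported rather than caching it on the object.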