CA-269137: get_nbd_info: get subject from TLS cert

Use the x509 library to parse the certificate and read its
DNS subject names, if any.

(This replaces the stopgap of using Host.hostname for the
 value of the "subject" field of the vdi_nbd_server_info objects.)

Signed-off-by: Thomas Sanders <[email protected]>

Author: thomassa

ocaml/xapi/certificates.ml

@@ -289,3 +289,8 @@ let get_server_certificate () =
     warn "Exception reading server certificate: %s"
       (ExnHelper.string_of_exn e);
     raise_library_corrupt()
+
+let hostnames_of_pem_cert pem =
+  Cstruct.of_string pem |>
+  X509.Encoding.Pem.Certificate.of_pem_cstruct1 |>
+  X509.hostnames

ocaml/xapi/jbuild

@@ -66,6 +66,7 @@ let () = Printf.ksprintf Jbuild_plugin.V1.send {|
   (package xapi)
   (flags (:standard -bin-annot %s -warn-error +a-3-4-6-9-27-28-29-52))
   (libraries (
+   x509
    oPasswd
    pam
    pciutil

ocaml/xapi/xapi_vdi.ml

@@ -1072,8 +1072,13 @@ let _get_nbd_info ~__context ~self ~get_server_certificate =
     if ips = [] then [] else
     let cert = get_server_certificate ~host in
     let port = 10809L in
-    (* Stopgap measure: use hostname instead of reading a subject out of the cert. *)
-    let subject = Db.Host.get_hostname ~__context ~self:host in
+    let subject = match Certificates.hostnames_of_pem_cert cert with
+      | [] -> (
+          error "Found no subject DNS names in this hosts's certificate. Returning empty string as subject.";
+          ""
+        )
+      | name :: _ -> name
+    in
     let template = API.{
       vdi_nbd_server_info_exportname = exportname;
       vdi_nbd_server_info_address = "";

xapi.opam

@@ -10,6 +10,7 @@ build-test: [[ "jbuilder" "runtest" "-p" name "-j" jobs ]]
 
 depends: [
   "jbuilder" {build & >= "1.0+beta11"}
+  "x509"
   "cdrom"
   "fd-send-recv"
   "nbd"