diff options
author | Daniel P. Berrangé <berrange@redhat.com> | 2018-11-16 15:53:24 +0000 |
---|---|---|
committer | Eric Blake <eblake@redhat.com> | 2018-11-19 11:16:46 -0600 |
commit | a46b68410669fa14c4a85d9284953fc0d42392d0 (patch) | |
tree | 68234d9e85651d5890c8fdb489e04268999d5c9a /tests/qemu-iotests/common.tls | |
parent | b39b58d5d0da3e7057d7d636641018b0fc25139b (diff) |
tests: add iotests helpers for dealing with TLS certificates
Add helpers to common.tls for creating TLS certificates for a CA,
server and client.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20181116155325.22428-6-berrange@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
[eblake: spelling and quoting touchups]
Signed-off-by: Eric Blake <eblake@redhat.com>
Diffstat (limited to 'tests/qemu-iotests/common.tls')
-rw-r--r-- | tests/qemu-iotests/common.tls | 137 |
1 files changed, 137 insertions, 0 deletions
diff --git a/tests/qemu-iotests/common.tls b/tests/qemu-iotests/common.tls new file mode 100644 index 0000000000..cecab269ec --- /dev/null +++ b/tests/qemu-iotests/common.tls @@ -0,0 +1,137 @@ +#!/bin/bash +# +# Helpers for TLS related config +# +# Copyright (C) 2018 Red Hat, Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +tls_dir="${TEST_DIR}/tls" + +function tls_x509_cleanup() +{ + rm -f "${tls_dir}"/*.pem + rm -f "${tls_dir}"/*/*.pem + rmdir "${tls_dir}"/* + rmdir "${tls_dir}" +} + + +function tls_x509_init() +{ + mkdir -p "${tls_dir}" + + # use a fixed key so we don't waste system entropy on + # each test run + cat > "${tls_dir}/key.pem" <<EOF +-----BEGIN PRIVATE KEY----- +MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBALVcr +BL40Tm6yq88FBhJNw1aaoCjmtg0l4dWQZ/e9Fimx4ARxFpT+ji4FE +Cgl9s/SGqC+1nvlkm9ViSo0j7MKDbnDB+VRHDvMAzQhA2X7e8M0n9 +rPolUY2lIVC83q0BBaOBkCj2RSmT2xTEbbC2xLukSrg2WP/ihVOxc +kXRuyFtzAgMBAAECgYB7slBexDwXrtItAMIH6m/U+LUpNe0Xx48OL +IOn4a4whNgO/o84uIwygUK27ZGFZT0kAGAk8CdF9hA6ArcbQ62s1H +myxrUbF9/mrLsQw1NEqpuUk9Ay2Tx5U/wPx35S3W/X2AvR/ZpTnCn +2q/7ym9fyiSoj86drD7BTvmKXlOnOwQJBAPOFMp4mMa9NGpGuEssO +m3Uwbp6lhcP0cA9MK+iOmeANpoKWfBdk5O34VbmeXnGYWEkrnX+9J +bM4wVhnnBWtgBMCQQC+qAEmvwcfhauERKYznMVUVksyeuhxhCe7EK +mPh+U2+g0WwdKvGDgO0PPt1gq0ILEjspMDeMHVdTwkaVBo/uMhAkA +Z5SsZyCP2aTOPFDypXRdI4eqRcjaEPOUBq27r3uYb/jeboVb2weLa +L1MmVuHiIHoa5clswPdWVI2y0em2IGoDAkBPSp/v9VKJEZabk9Frd +a+7u4fanrM9QrEjY3KhduslSilXZZSxrWjjAJPyPiqFb3M8XXA26W +nz1KYGnqYKhLcBAkB7dt57n9xfrhDpuyVEv+Uv1D3VVAhZlsaZ5Pp +dcrhrkJn2sa/+O8OKvdrPSeeu/N5WwYhJf61+CPoenMp7IFci +-----END PRIVATE KEY----- +EOF +} + + +function tls_x509_create_root_ca() +{ + name=${1:-ca-cert} + + cat > "${tls_dir}/ca.info" <<EOF +cn = Cthulhu Dark Lord Enterprises $name +ca +cert_signing_key +EOF + + certtool --generate-self-signed \ + --load-privkey "${tls_dir}/key.pem" \ + --template "${tls_dir}/ca.info" \ + --outfile "${tls_dir}/$name-cert.pem" 2>&1 | head -1 + + rm -f "${tls_dir}/ca.info" +} + + +function tls_x509_create_server() +{ + caname=$1 + name=$2 + + mkdir -p "${tls_dir}/$name" + cat > "${tls_dir}/cert.info" <<EOF +organization = Cthulhu Dark Lord Enterprises $name +cn = localhost +dns_name = localhost +dns_name = localhost.localdomain +ip_address = 127.0.0.1 +ip_address = ::1 +tls_www_server +encryption_key +signing_key +EOF + + certtool --generate-certificate \ + --load-ca-privkey "${tls_dir}/key.pem" \ + --load-ca-certificate "${tls_dir}/$caname-cert.pem" \ + --load-privkey "${tls_dir}/key.pem" \ + --template "${tls_dir}/cert.info" \ + --outfile "${tls_dir}/$name/server-cert.pem" 2>&1 | head -1 + ln -s "${tls_dir}/$caname-cert.pem" "${tls_dir}/$name/ca-cert.pem" + ln -s "${tls_dir}/key.pem" "${tls_dir}/$name/server-key.pem" + + rm -f "${tls_dir}/cert.info" +} + + +function tls_x509_create_client() +{ + caname=$1 + name=$2 + + mkdir -p "${tls_dir}/$name" + cat > "${tls_dir}/cert.info" <<EOF +country = South Pacific +locality = R'lyeh +organization = Cthulhu Dark Lord Enterprises $name +cn = localhost +tls_www_client +encryption_key +signing_key +EOF + + certtool --generate-certificate \ + --load-ca-privkey "${tls_dir}/key.pem" \ + --load-ca-certificate "${tls_dir}/$caname-cert.pem" \ + --load-privkey "${tls_dir}/key.pem" \ + --template "${tls_dir}/cert.info" \ + --outfile "${tls_dir}/$name/client-cert.pem" 2>&1 | head -1 + ln -s "${tls_dir}/$caname-cert.pem" "${tls_dir}/$name/ca-cert.pem" + ln -s "${tls_dir}/key.pem" "${tls_dir}/$name/client-key.pem" + + rm -f "${tls_dir}/cert.info" +} |