#!/usr/bin/env bash
#
# Helpers for TLS related config
#
# Copyright (C) 2018 Red Hat, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

# Per-test scratch directory for everything the helpers below generate
# (private key, CA/server/client certificates, PSK files).  It is created
# by tls_x509_init and torn down by tls_x509_cleanup.
tls_dir="$TEST_DIR/tls"

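tls_x509_cleanup()
{
    # Remove the key/certificate/PSK files produced by tls_x509_init and
    # the tls_*_create_* helpers, then the per-name subdirectories and
    # the TLS directory itself.
    #
    # ${tls_dir:?} aborts the shell with a message instead of letting an
    # unset or empty tls_dir expand the globs below to "/*.pem" and
    # "rmdir /*"; the original had no such guard.
    : "${tls_dir:?tls_dir must be set before tls_x509_cleanup}"

    rm -f "${tls_dir}"/*.pem
    rm -f "${tls_dir}"/*/*.pem
    rm -f "${tls_dir}"/*/*.psk
    # rmdir (not rm -rf) is deliberate: anything unexpected left behind
    # is reported as an error rather than silently destroyed.
    rmdir "${tls_dir}"/*
    rmdir "${tls_dir}"
}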


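tls_certtool()
{
    # Run certtool with the given arguments, collecting its stdout and
    # stderr in a scratch log under tls_dir.  On success only the first
    # log line is echoed (keeps the reference output stable); on failure
    # the whole log is echoed so the diagnostics reach the test output.
    #
    # Unlike the original, certtool's own exit status is propagated
    # instead of being replaced by that of the final 'rm -f', so a caller
    # can notice a failed generation rather than proceed without a cert.
    local log="${tls_dir}/certtool.log"
    local rc=0

    certtool "$@" 1>"$log" 2>&1 || rc=$?
    if [ "$rc" -eq 0 ]; then
        head -1 "$log"
    else
        cat "$log"
    fi
    rm -f "$log"
    return "$rc"
}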

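tls_psktool()
{
    # Run psktool with the given arguments, collecting its stdout and
    # stderr in a scratch log under tls_dir.  On success only the first
    # log line is echoed; on failure the whole log is echoed.
    #
    # Unlike the original, psktool's exit status is propagated instead of
    # being replaced by that of the final 'rm -f', matching tls_certtool.
    local log="${tls_dir}/psktool.log"
    local rc=0

    psktool "$@" 1>"$log" 2>&1 || rc=$?
    if [ "$rc" -eq 0 ]; then
        head -1 "$log"
    else
        cat "$log"
    fi
    rm -f "$log"
    return "$rc"
}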


tls_x509_init()
{
    # Prepare the per-test TLS directory: skip the test (via _notrun,
    # provided by the test harness) when certtool is not available, then
    # write the one RSA private key that tls_x509_create_root_ca,
    # tls_x509_create_server and tls_x509_create_client all load for the
    # CA, server and client certificates alike.
    (certtool --help) >/dev/null 2>&1 || \
	_notrun "certtool utility not found, skipping test"

    mkdir -p "${tls_dir}"

    # use a fixed key so we don't waste system entropy on
    # each test run
    #
    # Being hard-coded in the test suite, this key is public knowledge:
    # it only ever backs throw-away test certificates and must not be
    # reused for anything else.
    cat > "${tls_dir}/key.pem" <<EOF
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
EOF
}


tls_x509_create_root_ca()
{
    # Generate a self-signed CA certificate "${tls_dir}/<name>-cert.pem"
    # from the shared key written by tls_x509_init.
    #
    # $1 - CA name, default "ca-cert" (which yields "ca-cert-cert.pem").
    # 'name' is deliberately left global, exactly as before.
    name=${1:-ca-cert}

    local template="${tls_dir}/ca.info"
    local cacert="${tls_dir}/$name-cert.pem"

    # Template for certtool: CN plus the CA / cert-signing usage flags.
    printf 'cn = Cthulhu Dark Lord Enterprises %s\nca\ncert_signing_key\n' \
        "$name" > "$template"

    local args=(
        --generate-self-signed
        --load-privkey "${tls_dir}/key.pem"
        --template "$template"
        --outfile "$cacert"
    )
    tls_certtool "${args[@]}"

    rm -f "$template"
}


tls_x509_create_server()
{
    # Issue a server certificate for "$2" signed by the CA "$1", into
    # "${tls_dir}/$2/server-cert.pem", with symlinks to the CA cert and
    # to the private key next to it.
    #
    # The CA and the server are both backed by the single key from
    # tls_x509_init (--load-ca-privkey and --load-privkey point at the
    # same file); that is acceptable only because these are throw-away
    # test credentials.
    # 'caname' and 'name' stay global, exactly as before.
    caname=$1
    name=$2

    local certdir="${tls_dir}/$name"
    local template="${tls_dir}/cert.info"
    local key="${tls_dir}/key.pem"
    local cacert="${tls_dir}/$caname-cert.pem"

    # We don't include 'localhost' in the cert, as
    # we want to keep it unlisted to let tests
    # validate hostname override
    mkdir -p "$certdir"
    printf '%s\n' \
        "organization = Cthulhu Dark Lord Enterprises $name" \
        'cn = iotests.qemu.org' \
        'ip_address = 127.0.0.1' \
        'ip_address = ::1' \
        'tls_www_server' \
        'encryption_key' \
        'signing_key' > "$template"

    tls_certtool \
        --generate-certificate \
        --load-ca-privkey "$key" \
        --load-ca-certificate "$cacert" \
        --load-privkey "$key" \
        --template "$template" \
        --outfile "$certdir/server-cert.pem"

    ln -s "$cacert" "$certdir/ca-cert.pem"
    ln -s "$key" "$certdir/server-key.pem"

    rm -f "$template"
}


tls_x509_create_client()
{
    # Issue a client certificate for "$2" signed by the CA "$1", into
    # "${tls_dir}/$2/client-cert.pem", with symlinks to the CA cert and
    # to the private key next to it.
    #
    # As with the server, CA and client share the single test key from
    # tls_x509_init.  'caname' and 'name' stay global, exactly as before.
    caname=$1
    name=$2

    local certdir="${tls_dir}/$name"
    local template="${tls_dir}/cert.info"
    local key="${tls_dir}/key.pem"
    local cacert="${tls_dir}/$caname-cert.pem"

    mkdir -p "$certdir"
    # Client template; unlike the server cert its CN is 'localhost'.
    printf '%s\n' \
        'country = South Pacific' \
        "locality =  R'lyeh" \
        "organization = Cthulhu Dark Lord Enterprises $name" \
        'cn = localhost' \
        'tls_www_client' \
        'encryption_key' \
        'signing_key' > "$template"

    tls_certtool \
        --generate-certificate \
        --load-ca-privkey "$key" \
        --load-ca-certificate "$cacert" \
        --load-privkey "$key" \
        --template "$template" \
        --outfile "$certdir/client-cert.pem"

    ln -s "$cacert" "$certdir/ca-cert.pem"
    ln -s "$key" "$certdir/client-key.pem"

    rm -f "$template"
}

tls_psk_create_creds()
{
    # Create PSK credentials for user "$1" in "${tls_dir}/$1/keys.psk"
    # via psktool.  Returns psktool's status as relayed by tls_psktool.
    # 'name' stays global, exactly as before.
    name=$1

    local credsdir="${tls_dir}/$name"
    mkdir -p "$credsdir"

    local args=(--pskfile "$credsdir/keys.psk" --username "$name")
    tls_psktool "${args[@]}"
}