search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
backup: Wire up qemu full pull backup commands over QMP
[libvirt/ericb.git] / tests / virnettlscontexttest.c
blob07910c27497e20d3085777ee9721262d8d877289
1 /*
2 * Copyright (C) 2011-2014 Red Hat, Inc.
3 *
4 * This library is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU Lesser General Public
6 * License as published by the Free Software Foundation; either
7 * version 2.1 of the License, or (at your option) any later version.
8 *
9 * This library is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * Lesser General Public License for more details.
13 *
14 * You should have received a copy of the GNU Lesser General Public
15 * License along with this library. If not, see
16 * <http://www.gnu.org/licenses/>.
17 */
18
19 #include <config.h>
20
21 #include <fcntl.h>
22 #include <sys/socket.h>
23
24 #include "testutils.h"
25 #include "virnettlshelpers.h"
26 #include "virutil.h"
27 #include "virerror.h"
28 #include "viralloc.h"
29 #include "virlog.h"
30 #include "virfile.h"
31 #include "vircommand.h"
32 #include "virsocketaddr.h"
33
34 #if !defined WIN32 && HAVE_LIBTASN1_H && LIBGNUTLS_VERSION_NUMBER >= 0x020600
35
36 # include "rpc/virnettlscontext.h"
37
38 # define VIR_FROM_THIS VIR_FROM_RPC
39
40 VIR_LOG_INIT("tests.nettlscontexttest");
41
42 # define KEYFILE "key-ctx.pem"
43
44 struct testTLSContextData {
45 bool isServer;
46 const char *cacrt;
47 const char *crt;
48 bool expectFail;
49 };
50
51
52 /*
53 * This tests sanity checking of our own certificates
54 *
55 * This code is done when libvirtd starts up, or before
56 * a libvirt client connects. The test is ensuring that
57 * the creation of virNetTLSContextPtr fails if we
58 * give bogus certs, or succeeds for good certs
59 */
60 static int testTLSContextInit(const void *opaque)
61 {
62 struct testTLSContextData *data = (struct testTLSContextData *)opaque;
63 virNetTLSContextPtr ctxt = NULL;
64 int ret = -1;
65
66 if (data->isServer) {
67 ctxt = virNetTLSContextNewServer(data->cacrt,
68 NULL,
69 data->crt,
70 KEYFILE,
71 NULL,
72 "NORMAL",
73 true,
74 true);
75 } else {
76 ctxt = virNetTLSContextNewClient(data->cacrt,
77 NULL,
78 data->crt,
79 KEYFILE,
80 "NORMAL",
81 true,
82 true);
83 }
84
85 if (ctxt) {
86 if (data->expectFail) {
87 VIR_WARN("Expected failure %s against %s",
88 data->cacrt, data->crt);
89 goto cleanup;
90 }
91 } else {
92 if (!data->expectFail) {
93 VIR_WARN("Unexpected failure %s against %s",
94 data->cacrt, data->crt);
95 goto cleanup;
96 }
97 VIR_DEBUG("Got error %s", virGetLastErrorMessage());
98 }
99
100 ret = 0;
101
102 cleanup:
103 virObjectUnref(ctxt);
104 return ret;
105 }
106
107
108
109 static int
110 mymain(void)
111 {
112 int ret = 0;
113
114 setenv("GNUTLS_FORCE_FIPS_MODE", "2", 1);
115
116 testTLSInit(KEYFILE);
117
118 # define DO_CTX_TEST(_isServer, _caCrt, _crt, _expectFail) \
119 do { \
120 static struct testTLSContextData data; \
121 data.isServer = _isServer; \
122 data.cacrt = _caCrt; \
123 data.crt = _crt; \
124 data.expectFail = _expectFail; \
125 if (virTestRun("TLS Context " #_caCrt " + " #_crt, \
126 testTLSContextInit, &data) < 0) \
127 ret = -1; \
128 } while (0)
129
130 # define TLS_CERT_REQ(varname, cavarname, \
131 co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
132 kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo) \
133 static struct testTLSCertReq varname = { \
134 NULL, #varname "-ctx.pem", \
135 co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
136 kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo \
137 }; \
138 testTLSGenerateCert(&varname, cavarname.crt)
139
140 # define TLS_ROOT_REQ(varname, \
141 co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
142 kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo) \
143 static struct testTLSCertReq varname = { \
144 NULL, #varname "-ctx.pem", \
145 co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
146 kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo \
147 }; \
148 testTLSGenerateCert(&varname, NULL)
149
150
151 /* A perfect CA, perfect client & perfect server */
152
153 /* Basic:CA:critical */
154 TLS_ROOT_REQ(cacertreq,
155 "UK", "libvirt CA", NULL, NULL, NULL, NULL,
156 true, true, true,
157 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
158 false, false, NULL, NULL,
159 0, 0);
160
161 TLS_CERT_REQ(servercertreq, cacertreq,
162 "UK", "libvirt.org", NULL, NULL, NULL, NULL,
163 true, true, false,
164 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
165 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
166 0, 0);
167 TLS_CERT_REQ(clientcertreq, cacertreq,
168 "UK", "libvirt", NULL, NULL, NULL, NULL,
169 true, true, false,
170 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
171 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
172 0, 0);
173
174 DO_CTX_TEST(true, cacertreq.filename, servercertreq.filename, false);
175 DO_CTX_TEST(false, cacertreq.filename, clientcertreq.filename, false);
176
177
178 /* Some other CAs which are good */
179
180 /* Basic:CA:critical */
181 TLS_ROOT_REQ(cacert1req,
182 "UK", "libvirt CA 1", NULL, NULL, NULL, NULL,
183 true, true, true,
184 false, false, 0,
185 false, false, NULL, NULL,
186 0, 0);
187 TLS_CERT_REQ(servercert1req, cacert1req,
188 "UK", "libvirt.org", NULL, NULL, NULL, NULL,
189 true, true, false,
190 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
191 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
192 0, 0);
193
194 /* Basic:CA:not-critical */
195 TLS_ROOT_REQ(cacert2req,
196 "UK", "libvirt CA 2", NULL, NULL, NULL, NULL,
197 true, false, true,
198 false, false, 0,
199 false, false, NULL, NULL,
200 0, 0);
201 TLS_CERT_REQ(servercert2req, cacert2req,
202 "UK", "libvirt.org", NULL, NULL, NULL, NULL,
203 true, true, false,
204 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
205 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
206 0, 0);
207
208 /* Key usage:cert-sign:critical */
209 TLS_ROOT_REQ(cacert3req,
210 "UK", "libvirt CA 3", NULL, NULL, NULL, NULL,
211 true, true, true,
212 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
213 false, false, NULL, NULL,
214 0, 0);
215 TLS_CERT_REQ(servercert3req, cacert3req,
216 "UK", "libvirt.org", NULL, NULL, NULL, NULL,
217 true, true, false,
218 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
219 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
220 0, 0);
221
222 DO_CTX_TEST(true, cacert1req.filename, servercert1req.filename, false);
223 DO_CTX_TEST(true, cacert2req.filename, servercert2req.filename, false);
224 DO_CTX_TEST(true, cacert3req.filename, servercert3req.filename, false);
225
226 /* Now some bad certs */
227
228 /* Key usage:dig-sig:not-critical */
229 TLS_ROOT_REQ(cacert4req,
230 "UK", "libvirt CA 4", NULL, NULL, NULL, NULL,
231 true, true, true,
232 true, false, GNUTLS_KEY_DIGITAL_SIGNATURE,
233 false, false, NULL, NULL,
234 0, 0);
235 TLS_CERT_REQ(servercert4req, cacert4req,
236 "UK", "libvirt.org", NULL, NULL, NULL, NULL,
237 true, true, false,
238 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
239 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
240 0, 0);
241 /* no-basic */
242 TLS_ROOT_REQ(cacert5req,
243 "UK", "libvirt CA 5", NULL, NULL, NULL, NULL,
244 false, false, false,
245 false, false, 0,
246 false, false, NULL, NULL,
247 0, 0);
248 TLS_CERT_REQ(servercert5req, cacert5req,
249 "UK", "libvirt.org", NULL, NULL, NULL, NULL,
250 true, true, false,
251 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
252 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
253 0, 0);
254 /* Key usage:dig-sig:critical */
255 TLS_ROOT_REQ(cacert6req,
256 "UK", "libvirt CA 6", NULL, NULL, NULL, NULL,
257 true, true, true,
258 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
259 false, false, NULL, NULL,
260 0, 0);
261 TLS_CERT_REQ(servercert6req, cacert6req,
262 "UK", "libvirt.org", NULL, NULL, NULL, NULL,
263 true, true, false,
264 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
265 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
266 0, 0);
267
268 /* Technically a CA cert with basic constraints
269 * key purpose == key signing + non-critical should
270 * be rejected. GNUTLS < 3.1 does not reject it and
271 * we don't anticipate them changing this behaviour
272 */
273 DO_CTX_TEST(true, cacert4req.filename, servercert4req.filename,
274 (GNUTLS_VERSION_MAJOR == 3 && GNUTLS_VERSION_MINOR >= 1) ||
275 GNUTLS_VERSION_MAJOR > 3);
276 DO_CTX_TEST(true, cacert5req.filename, servercert5req.filename, true);
277 DO_CTX_TEST(true, cacert6req.filename, servercert6req.filename, true);
278
279
280 /* Various good servers */
281 /* no usage or purpose */
282 TLS_CERT_REQ(servercert7req, cacertreq,
283 "UK", "libvirt", NULL, NULL, NULL, NULL,
284 true, true, false,
285 false, false, 0,
286 false, false, NULL, NULL,
287 0, 0);
288 /* usage:cert-sign+dig-sig+encipher:critical */
289 TLS_CERT_REQ(servercert8req, cacertreq,
290 "UK", "libvirt", NULL, NULL, NULL, NULL,
291 true, true, false,
292 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_KEY_CERT_SIGN,
293 false, false, NULL, NULL,
294 0, 0);
295 /* usage:cert-sign:not-critical */
296 TLS_CERT_REQ(servercert9req, cacertreq,
297 "UK", "libvirt", NULL, NULL, NULL, NULL,
298 true, true, false,
299 true, false, GNUTLS_KEY_KEY_CERT_SIGN,
300 false, false, NULL, NULL,
301 0, 0);
302 /* purpose:server:critical */
303 TLS_CERT_REQ(servercert10req, cacertreq,
304 "UK", "libvirt", NULL, NULL, NULL, NULL,
305 true, true, false,
306 false, false, 0,
307 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
308 0, 0);
309 /* purpose:server:not-critical */
310 TLS_CERT_REQ(servercert11req, cacertreq,
311 "UK", "libvirt", NULL, NULL, NULL, NULL,
312 true, true, false,
313 false, false, 0,
314 true, false, GNUTLS_KP_TLS_WWW_SERVER, NULL,
315 0, 0);
316 /* purpose:client+server:critical */
317 TLS_CERT_REQ(servercert12req, cacertreq,
318 "UK", "libvirt", NULL, NULL, NULL, NULL,
319 true, true, false,
320 false, false, 0,
321 true, true, GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
322 0, 0);
323 /* purpose:client+server:not-critical */
324 TLS_CERT_REQ(servercert13req, cacertreq,
325 "UK", "libvirt", NULL, NULL, NULL, NULL,
326 true, true, false,
327 false, false, 0,
328 true, false, GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
329 0, 0);
330
331 DO_CTX_TEST(true, cacertreq.filename, servercert7req.filename, false);
332 DO_CTX_TEST(true, cacertreq.filename, servercert8req.filename, false);
333 DO_CTX_TEST(true, cacertreq.filename, servercert9req.filename, false);
334 DO_CTX_TEST(true, cacertreq.filename, servercert10req.filename, false);
335 DO_CTX_TEST(true, cacertreq.filename, servercert11req.filename, false);
336 DO_CTX_TEST(true, cacertreq.filename, servercert12req.filename, false);
337 DO_CTX_TEST(true, cacertreq.filename, servercert13req.filename, false);
338 /* Bad servers */
339
340 /* usage:cert-sign:critical */
341 TLS_CERT_REQ(servercert14req, cacertreq,
342 "UK", "libvirt", NULL, NULL, NULL, NULL,
343 true, true, false,
344 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
345 false, false, NULL, NULL,
346 0, 0);
347 /* purpose:client:critical */
348 TLS_CERT_REQ(servercert15req, cacertreq,
349 "UK", "libvirt", NULL, NULL, NULL, NULL,
350 true, true, false,
351 false, false, 0,
352 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
353 0, 0);
354 /* usage: none:critical */
355 TLS_CERT_REQ(servercert16req, cacertreq,
356 "UK", "libvirt", NULL, NULL, NULL, NULL,
357 true, true, false,
358 true, true, 0,
359 false, false, NULL, NULL,
360 0, 0);
361
362 DO_CTX_TEST(true, cacertreq.filename, servercert14req.filename, true);
363 DO_CTX_TEST(true, cacertreq.filename, servercert15req.filename, true);
364 DO_CTX_TEST(true, cacertreq.filename, servercert16req.filename, true);
365
366
367
368 /* Various good clients */
369 /* no usage or purpose */
370 TLS_CERT_REQ(clientcert1req, cacertreq,
371 "UK", "libvirt", NULL, NULL, NULL, NULL,
372 true, true, false,
373 false, false, 0,
374 false, false, NULL, NULL,
375 0, 0);
376 /* usage:cert-sign+dig-sig+encipher:critical */
377 TLS_CERT_REQ(clientcert2req, cacertreq,
378 "UK", "libvirt", NULL, NULL, NULL, NULL,
379 true, true, false,
380 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_KEY_CERT_SIGN,
381 false, false, NULL, NULL,
382 0, 0);
383 /* usage:cert-sign:not-critical */
384 TLS_CERT_REQ(clientcert3req, cacertreq,
385 "UK", "libvirt", NULL, NULL, NULL, NULL,
386 true, true, false,
387 true, false, GNUTLS_KEY_KEY_CERT_SIGN,
388 false, false, NULL, NULL,
389 0, 0);
390 /* purpose:client:critical */
391 TLS_CERT_REQ(clientcert4req, cacertreq,
392 "UK", "libvirt", NULL, NULL, NULL, NULL,
393 true, true, false,
394 false, false, 0,
395 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
396 0, 0);
397 /* purpose:client:not-critical */
398 TLS_CERT_REQ(clientcert5req, cacertreq,
399 "UK", "libvirt", NULL, NULL, NULL, NULL,
400 true, true, false,
401 false, false, 0,
402 true, false, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
403 0, 0);
404 /* purpose:client+client:critical */
405 TLS_CERT_REQ(clientcert6req, cacertreq,
406 "UK", "libvirt", NULL, NULL, NULL, NULL,
407 true, true, false,
408 false, false, 0,
409 true, true, GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
410 0, 0);
411 /* purpose:client+client:not-critical */
412 TLS_CERT_REQ(clientcert7req, cacertreq,
413 "UK", "libvirt", NULL, NULL, NULL, NULL,
414 true, true, false,
415 false, false, 0,
416 true, false, GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
417 0, 0);
418
419 DO_CTX_TEST(false, cacertreq.filename, clientcert1req.filename, false);
420 DO_CTX_TEST(false, cacertreq.filename, clientcert2req.filename, false);
421 DO_CTX_TEST(false, cacertreq.filename, clientcert3req.filename, false);
422 DO_CTX_TEST(false, cacertreq.filename, clientcert4req.filename, false);
423 DO_CTX_TEST(false, cacertreq.filename, clientcert5req.filename, false);
424 DO_CTX_TEST(false, cacertreq.filename, clientcert6req.filename, false);
425 DO_CTX_TEST(false, cacertreq.filename, clientcert7req.filename, false);
426 /* Bad clients */
427
428 /* usage:cert-sign:critical */
429 TLS_CERT_REQ(clientcert8req, cacertreq,
430 "UK", "libvirt", NULL, NULL, NULL, NULL,
431 true, true, false,
432 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
433 false, false, NULL, NULL,
434 0, 0);
435 /* purpose:client:critical */
436 TLS_CERT_REQ(clientcert9req, cacertreq,
437 "UK", "libvirt", NULL, NULL, NULL, NULL,
438 true, true, false,
439 false, false, 0,
440 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
441 0, 0);
442 /* usage: none:critical */
443 TLS_CERT_REQ(clientcert10req, cacertreq,
444 "UK", "libvirt", NULL, NULL, NULL, NULL,
445 true, true, false,
446 true, true, 0,
447 false, false, NULL, NULL,
448 0, 0);
449
450 DO_CTX_TEST(false, cacertreq.filename, clientcert8req.filename, true);
451 DO_CTX_TEST(false, cacertreq.filename, clientcert9req.filename, true);
452 DO_CTX_TEST(false, cacertreq.filename, clientcert10req.filename, true);
453
454
455
456 /* Expired stuff */
457
458 TLS_ROOT_REQ(cacertexpreq,
459 "UK", "libvirt", NULL, NULL, NULL, NULL,
460 true, true, true,
461 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
462 false, false, NULL, NULL,
463 0, -1);
464 TLS_CERT_REQ(servercertexpreq, cacertexpreq,
465 "UK", "libvirt.org", NULL, NULL, NULL, NULL,
466 true, true, false,
467 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
468 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
469 0, 0);
470 TLS_CERT_REQ(servercertexp1req, cacertreq,
471 "UK", "libvirt", NULL, NULL, NULL, NULL,
472 true, true, false,
473 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
474 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
475 0, -1);
476 TLS_CERT_REQ(clientcertexp1req, cacertreq,
477 "UK", "libvirt", NULL, NULL, NULL, NULL,
478 true, true, false,
479 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
480 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
481 0, -1);
482
483 DO_CTX_TEST(true, cacertexpreq.filename, servercertexpreq.filename, true);
484 DO_CTX_TEST(true, cacertreq.filename, servercertexp1req.filename, true);
485 DO_CTX_TEST(false, cacertreq.filename, clientcertexp1req.filename, true);
486
487
488 /* Not activated stuff */
489
490 TLS_ROOT_REQ(cacertnewreq,
491 "UK", "libvirt", NULL, NULL, NULL, NULL,
492 true, true, true,
493 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
494 false, false, NULL, NULL,
495 1, 2);
496 TLS_CERT_REQ(servercertnewreq, cacertnewreq,
497 "UK", "libvirt", NULL, NULL, NULL, NULL,
498 true, true, false,
499 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
500 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
501 0, 0);
502 TLS_CERT_REQ(servercertnew1req, cacertreq,
503 "UK", "libvirt", NULL, NULL, NULL, NULL,
504 true, true, false,
505 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
506 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
507 1, 2);
508 TLS_CERT_REQ(clientcertnew1req, cacertreq,
509 "UK", "libvirt", NULL, NULL, NULL, NULL,
510 true, true, false,
511 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
512 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
513 1, 2);
514
515 DO_CTX_TEST(true, cacertnewreq.filename, servercertnewreq.filename, true);
516 DO_CTX_TEST(true, cacertreq.filename, servercertnew1req.filename, true);
517 DO_CTX_TEST(false, cacertreq.filename, clientcertnew1req.filename, true);
518
519 TLS_ROOT_REQ(cacertrootreq,
520 "UK", "libvirt root", NULL, NULL, NULL, NULL,
521 true, true, true,
522 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
523 false, false, NULL, NULL,
524 0, 0);
525 TLS_CERT_REQ(cacertlevel1areq, cacertrootreq,
526 "UK", "libvirt level 1a", NULL, NULL, NULL, NULL,
527 true, true, true,
528 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
529 false, false, NULL, NULL,
530 0, 0);
531 TLS_CERT_REQ(cacertlevel1breq, cacertrootreq,
532 "UK", "libvirt level 1b", NULL, NULL, NULL, NULL,
533 true, true, true,
534 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
535 false, false, NULL, NULL,
536 0, 0);
537 TLS_CERT_REQ(cacertlevel2areq, cacertlevel1areq,
538 "UK", "libvirt level 2a", NULL, NULL, NULL, NULL,
539 true, true, true,
540 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
541 false, false, NULL, NULL,
542 0, 0);
543 TLS_CERT_REQ(servercertlevel3areq, cacertlevel2areq,
544 "UK", "libvirt.org", NULL, NULL, NULL, NULL,
545 true, true, false,
546 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
547 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
548 0, 0);
549 TLS_CERT_REQ(clientcertlevel2breq, cacertlevel1breq,
550 "UK", "libvirt client level 2b", NULL, NULL, NULL, NULL,
551 true, true, false,
552 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
553 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
554 0, 0);
555
556 gnutls_x509_crt_t certchain[] = {
557 cacertrootreq.crt,
558 cacertlevel1areq.crt,
559 cacertlevel1breq.crt,
560 cacertlevel2areq.crt,
561 };
562
563 testTLSWriteCertChain("cacertchain-ctx.pem",
564 certchain,
565 ARRAY_CARDINALITY(certchain));
566
567 DO_CTX_TEST(true, "cacertchain-ctx.pem", servercertlevel3areq.filename, false);
568 DO_CTX_TEST(false, "cacertchain-ctx.pem", clientcertlevel2breq.filename, false);
569
570 DO_CTX_TEST(false, "cacertdoesnotexist.pem", "servercertdoesnotexist.pem", true);
571
572 testTLSDiscardCert(&cacertreq);
573 testTLSDiscardCert(&cacert1req);
574 testTLSDiscardCert(&cacert2req);
575 testTLSDiscardCert(&cacert3req);
576 testTLSDiscardCert(&cacert4req);
577 testTLSDiscardCert(&cacert5req);
578 testTLSDiscardCert(&cacert6req);
579
580 testTLSDiscardCert(&servercertreq);
581 testTLSDiscardCert(&servercert1req);
582 testTLSDiscardCert(&servercert2req);
583 testTLSDiscardCert(&servercert3req);
584 testTLSDiscardCert(&servercert4req);
585 testTLSDiscardCert(&servercert5req);
586 testTLSDiscardCert(&servercert6req);
587 testTLSDiscardCert(&servercert7req);
588 testTLSDiscardCert(&servercert8req);
589 testTLSDiscardCert(&servercert9req);
590 testTLSDiscardCert(&servercert10req);
591 testTLSDiscardCert(&servercert11req);
592 testTLSDiscardCert(&servercert12req);
593 testTLSDiscardCert(&servercert13req);
594 testTLSDiscardCert(&servercert14req);
595 testTLSDiscardCert(&servercert15req);
596 testTLSDiscardCert(&servercert16req);
597
598 testTLSDiscardCert(&clientcertreq);
599 testTLSDiscardCert(&clientcert1req);
600 testTLSDiscardCert(&clientcert2req);
601 testTLSDiscardCert(&clientcert3req);
602 testTLSDiscardCert(&clientcert4req);
603 testTLSDiscardCert(&clientcert5req);
604 testTLSDiscardCert(&clientcert6req);
605 testTLSDiscardCert(&clientcert7req);
606 testTLSDiscardCert(&clientcert8req);
607 testTLSDiscardCert(&clientcert9req);
608 testTLSDiscardCert(&clientcert10req);
609
610 testTLSDiscardCert(&cacertexpreq);
611 testTLSDiscardCert(&servercertexpreq);
612 testTLSDiscardCert(&servercertexp1req);
613 testTLSDiscardCert(&clientcertexp1req);
614
615 testTLSDiscardCert(&cacertnewreq);
616 testTLSDiscardCert(&servercertnewreq);
617 testTLSDiscardCert(&servercertnew1req);
618 testTLSDiscardCert(&clientcertnew1req);
619
620 testTLSDiscardCert(&cacertrootreq);
621 testTLSDiscardCert(&cacertlevel1areq);
622 testTLSDiscardCert(&cacertlevel1breq);
623 testTLSDiscardCert(&cacertlevel2areq);
624 testTLSDiscardCert(&servercertlevel3areq);
625 testTLSDiscardCert(&clientcertlevel2breq);
626 unlink("cacertchain-ctx.pem");
627
628 testTLSCleanup(KEYFILE);
629
630 return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
631 }
632
633 VIR_TEST_MAIN_PRELOAD(mymain, abs_builddir "/.libs/virrandommock.so")
634
635 #else
636
637 int
638 main(void)
639 {
640 return EXIT_AM_SKIP;
641 }
642
643 #endif
A toolkit to interact with the virtualization capabilities of recent versions of Linux (and other OSes).