tests/qemu-iotests/common.tls

   1 #!/bin/bash
   2 #
   3 # Helpers for TLS related config
   4 #
   5 # Copyright (C) 2018 Red Hat, Inc.
   6 #
   7 # This program is free software; you can redistribute it and/or modify
   8 # it under the terms of the GNU General Public License as published by
   9 # the Free Software Foundation; either version 2 of the License, or
  10 # (at your option) any later version.
  11 #
  12 # This program is distributed in the hope that it will be useful,
  13 # but WITHOUT ANY WARRANTY; without even the implied warranty of
  14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15 # GNU General Public License for more details.
  16 #
  17 # You should have received a copy of the GNU General Public License
  18 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
  19 #
  20
  21 tls_dir="${TEST_DIR}/tls"
  22
  23 tls_x509_cleanup()
  24 {
  25     rm -f "${tls_dir}"/*.pem
  26     rm -f "${tls_dir}"/*/*.pem
  27     rmdir "${tls_dir}"/*
  28     rmdir "${tls_dir}"
  29 }
  30
  31
  32 tls_certtool()
  33 {
  34     certtool "$@" 1>"${tls_dir}"/certtool.log 2>&1
  35     if test "$?" = 0; then
  36       head -1 "${tls_dir}"/certtool.log
  37     else
  38       cat "${tls_dir}"/certtool.log
  39     fi
  40     rm -f "${tls_dir}"/certtool.log
  41 }
  42
  43 tls_x509_init()
  44 {
  45     (certtool --help) >/dev/null 2>&1 || \
  46         _notrun "certtool utility not found, skipping test"
  47
  48     mkdir -p "${tls_dir}"
  49
  50     # use a fixed key so we don't waste system entropy on
  51     # each test run
  52     cat > "${tls_dir}/key.pem" <<EOF
  53 -----BEGIN PRIVATE KEY-----
  54 MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBALVcr
  55 BL40Tm6yq88FBhJNw1aaoCjmtg0l4dWQZ/e9Fimx4ARxFpT+ji4FE
  56 Cgl9s/SGqC+1nvlkm9ViSo0j7MKDbnDB+VRHDvMAzQhA2X7e8M0n9
  57 rPolUY2lIVC83q0BBaOBkCj2RSmT2xTEbbC2xLukSrg2WP/ihVOxc
  58 kXRuyFtzAgMBAAECgYB7slBexDwXrtItAMIH6m/U+LUpNe0Xx48OL
  59 IOn4a4whNgO/o84uIwygUK27ZGFZT0kAGAk8CdF9hA6ArcbQ62s1H
  60 myxrUbF9/mrLsQw1NEqpuUk9Ay2Tx5U/wPx35S3W/X2AvR/ZpTnCn
  61 2q/7ym9fyiSoj86drD7BTvmKXlOnOwQJBAPOFMp4mMa9NGpGuEssO
  62 m3Uwbp6lhcP0cA9MK+iOmeANpoKWfBdk5O34VbmeXnGYWEkrnX+9J
  63 bM4wVhnnBWtgBMCQQC+qAEmvwcfhauERKYznMVUVksyeuhxhCe7EK
  64 mPh+U2+g0WwdKvGDgO0PPt1gq0ILEjspMDeMHVdTwkaVBo/uMhAkA
  65 Z5SsZyCP2aTOPFDypXRdI4eqRcjaEPOUBq27r3uYb/jeboVb2weLa
  66 L1MmVuHiIHoa5clswPdWVI2y0em2IGoDAkBPSp/v9VKJEZabk9Frd
  67 a+7u4fanrM9QrEjY3KhduslSilXZZSxrWjjAJPyPiqFb3M8XXA26W
  68 nz1KYGnqYKhLcBAkB7dt57n9xfrhDpuyVEv+Uv1D3VVAhZlsaZ5Pp
  69 dcrhrkJn2sa/+O8OKvdrPSeeu/N5WwYhJf61+CPoenMp7IFci
  70 -----END PRIVATE KEY-----
  71 EOF
  72 }
  73
  74
  75 tls_x509_create_root_ca()
  76 {
  77     name=${1:-ca-cert}
  78
  79     cat > "${tls_dir}/ca.info" <<EOF
  80 cn = Cthulhu Dark Lord Enterprises $name
  81 ca
  82 cert_signing_key
  83 EOF
  84
  85     tls_certtool \
  86         --generate-self-signed \
  87         --load-privkey "${tls_dir}/key.pem" \
  88         --template "${tls_dir}/ca.info" \
  89         --outfile "${tls_dir}/$name-cert.pem"
  90
  91     rm -f "${tls_dir}/ca.info"
  92 }
  93
  94
  95 tls_x509_create_server()
  96 {
  97     caname=$1
  98     name=$2
  99
 100     mkdir -p "${tls_dir}/$name"
 101     cat > "${tls_dir}/cert.info" <<EOF
 102 organization = Cthulhu Dark Lord Enterprises $name
 103 cn = localhost
 104 dns_name = localhost
 105 dns_name = localhost.localdomain
 106 ip_address = 127.0.0.1
 107 ip_address = ::1
 108 tls_www_server
 109 encryption_key
 110 signing_key
 111 EOF
 112
 113     tls_certtool \
 114         --generate-certificate \
 115         --load-ca-privkey "${tls_dir}/key.pem" \
 116         --load-ca-certificate "${tls_dir}/$caname-cert.pem" \
 117         --load-privkey "${tls_dir}/key.pem" \
 118         --template "${tls_dir}/cert.info" \
 119         --outfile "${tls_dir}/$name/server-cert.pem"
 120
 121     ln -s "${tls_dir}/$caname-cert.pem" "${tls_dir}/$name/ca-cert.pem"
 122     ln -s "${tls_dir}/key.pem" "${tls_dir}/$name/server-key.pem"
 123
 124     rm -f "${tls_dir}/cert.info"
 125 }
 126
 127
 128 tls_x509_create_client()
 129 {
 130     caname=$1
 131     name=$2
 132
 133     mkdir -p "${tls_dir}/$name"
 134     cat > "${tls_dir}/cert.info" <<EOF
 135 country = South Pacific
 136 locality =  R'lyeh
 137 organization = Cthulhu Dark Lord Enterprises $name
 138 cn = localhost
 139 tls_www_client
 140 encryption_key
 141 signing_key
 142 EOF
 143
 144     tls_certtool \
 145         --generate-certificate \
 146         --load-ca-privkey "${tls_dir}/key.pem" \
 147         --load-ca-certificate "${tls_dir}/$caname-cert.pem" \
 148         --load-privkey "${tls_dir}/key.pem" \
 149         --template "${tls_dir}/cert.info" \
 150         --outfile "${tls_dir}/$name/client-cert.pem"
 151
 152     ln -s "${tls_dir}/$caname-cert.pem" "${tls_dir}/$name/ca-cert.pem"
 153     ln -s "${tls_dir}/key.pem" "${tls_dir}/$name/client-key.pem"
 154
 155     rm -f "${tls_dir}/cert.info"
 156 }