2 * Copyright (C) 2015 Red Hat, Inc.
4 * This library is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU Lesser General Public
6 * License as published by the Free Software Foundation; either
7 * version 2.1 of the License, or (at your option) any later version.
9 * This library is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * Lesser General Public License for more details.
14 * You should have received a copy of the GNU Lesser General Public
15 * License along with this library. If not, see
16 * <http://www.gnu.org/licenses/>.
18 * Author: Daniel P. Berrange <berrange@redhat.com>
21 #include "qemu/osdep.h"
23 #include "crypto-tls-x509-helpers.h"
24 #include "crypto/tlscredsx509.h"
25 #include "qapi/error.h"
26 #include "qemu/module.h"
28 #ifdef QCRYPTO_HAVE_TLS_TEST_SUPPORT
30 #define WORKDIR "tests/test-crypto-tlscredsx509-work/"
31 #define KEYFILE WORKDIR "key-ctx.pem"
33 struct QCryptoTLSCredsTestData
{
41 static QCryptoTLSCreds
*test_tls_creds_create(QCryptoTLSCredsEndpoint endpoint
,
45 Object
*parent
= object_get_objects_root();
46 Object
*creds
= object_new_with_props(
47 TYPE_QCRYPTO_TLS_CREDS_X509
,
51 "endpoint", (endpoint
== QCRYPTO_TLS_CREDS_ENDPOINT_SERVER
?
55 "sanity-check", "yes",
61 return QCRYPTO_TLS_CREDS(creds
);
65 * This tests sanity checking of our own certificates
67 * The code being tested is used when TLS creds are created,
68 * and aim to ensure QMEU has been configured with sane
69 * certificates. This allows us to give much much much
70 * clearer error messages to the admin when they misconfigure
73 static void test_tls_creds(const void *opaque
)
75 struct QCryptoTLSCredsTestData
*data
=
76 (struct QCryptoTLSCredsTestData
*)opaque
;
77 QCryptoTLSCreds
*creds
;
79 #define CERT_DIR "tests/test-crypto-tlscredsx509-certs/"
80 mkdir(CERT_DIR
, 0700);
82 unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT
);
84 unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT
);
85 unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY
);
87 unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT
);
88 unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY
);
91 if (access(data
->cacrt
, R_OK
) == 0) {
92 g_assert(link(data
->cacrt
,
93 CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT
) == 0);
96 if (access(data
->crt
, R_OK
) == 0) {
97 g_assert(link(data
->crt
,
98 CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT
) == 0);
100 g_assert(link(KEYFILE
,
101 CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY
) == 0);
103 if (access(data
->crt
, R_OK
) == 0) {
104 g_assert(link(data
->crt
,
105 CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT
) == 0);
107 g_assert(link(KEYFILE
,
108 CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY
) == 0);
111 creds
= test_tls_creds_create(
113 QCRYPTO_TLS_CREDS_ENDPOINT_SERVER
:
114 QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT
),
116 data
->expectFail
? NULL
: &error_abort
);
118 if (data
->expectFail
) {
119 g_assert(creds
== NULL
);
121 g_assert(creds
!= NULL
);
124 unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT
);
125 if (data
->isServer
) {
126 unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT
);
127 unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY
);
129 unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT
);
130 unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY
);
134 object_unparent(OBJECT(creds
));
138 int main(int argc
, char **argv
)
142 module_call_init(MODULE_INIT_QOM
);
143 g_test_init(&argc
, &argv
, NULL
);
144 setenv("GNUTLS_FORCE_FIPS_MODE", "2", 1);
146 mkdir(WORKDIR
, 0700);
148 test_tls_init(KEYFILE
);
150 # define TLS_TEST_REG(name, isServer, caCrt, crt, expectFail) \
151 struct QCryptoTLSCredsTestData name = { \
152 isServer, caCrt, crt, expectFail \
154 g_test_add_data_func("/qcrypto/tlscredsx509/" # name, \
155 &name, test_tls_creds); \
157 /* A perfect CA, perfect client & perfect server */
159 /* Basic:CA:critical */
160 TLS_ROOT_REQ(cacertreq
,
161 "UK", "qemu CA", NULL
, NULL
, NULL
, NULL
,
163 true, true, GNUTLS_KEY_KEY_CERT_SIGN
,
164 false, false, NULL
, NULL
,
167 TLS_CERT_REQ(servercertreq
, cacertreq
,
168 "UK", "qemu.org", NULL
, NULL
, NULL
, NULL
,
171 GNUTLS_KEY_DIGITAL_SIGNATURE
| GNUTLS_KEY_KEY_ENCIPHERMENT
,
172 true, true, GNUTLS_KP_TLS_WWW_SERVER
, NULL
,
174 TLS_CERT_REQ(clientcertreq
, cacertreq
,
175 "UK", "qemu", NULL
, NULL
, NULL
, NULL
,
178 GNUTLS_KEY_DIGITAL_SIGNATURE
| GNUTLS_KEY_KEY_ENCIPHERMENT
,
179 true, true, GNUTLS_KP_TLS_WWW_CLIENT
, NULL
,
182 TLS_TEST_REG(perfectserver
, true,
183 cacertreq
.filename
, servercertreq
.filename
, false);
184 TLS_TEST_REG(perfectclient
, false,
185 cacertreq
.filename
, clientcertreq
.filename
, false);
188 /* Some other CAs which are good */
190 /* Basic:CA:critical */
191 TLS_ROOT_REQ(cacert1req
,
192 "UK", "qemu CA 1", NULL
, NULL
, NULL
, NULL
,
195 false, false, NULL
, NULL
,
197 TLS_CERT_REQ(servercert1req
, cacert1req
,
198 "UK", "qemu.org", NULL
, NULL
, NULL
, NULL
,
201 GNUTLS_KEY_DIGITAL_SIGNATURE
| GNUTLS_KEY_KEY_ENCIPHERMENT
,
202 true, true, GNUTLS_KP_TLS_WWW_SERVER
, NULL
,
205 /* Basic:CA:not-critical */
206 TLS_ROOT_REQ(cacert2req
,
207 "UK", "qemu CA 2", NULL
, NULL
, NULL
, NULL
,
210 false, false, NULL
, NULL
,
212 TLS_CERT_REQ(servercert2req
, cacert2req
,
213 "UK", "qemu.org", NULL
, NULL
, NULL
, NULL
,
216 GNUTLS_KEY_DIGITAL_SIGNATURE
| GNUTLS_KEY_KEY_ENCIPHERMENT
,
217 true, true, GNUTLS_KP_TLS_WWW_SERVER
, NULL
,
220 /* Key usage:cert-sign:critical */
221 TLS_ROOT_REQ(cacert3req
,
222 "UK", "qemu CA 3", NULL
, NULL
, NULL
, NULL
,
224 true, true, GNUTLS_KEY_KEY_CERT_SIGN
,
225 false, false, NULL
, NULL
,
227 TLS_CERT_REQ(servercert3req
, cacert3req
,
228 "UK", "qemu.org", NULL
, NULL
, NULL
, NULL
,
231 GNUTLS_KEY_DIGITAL_SIGNATURE
| GNUTLS_KEY_KEY_ENCIPHERMENT
,
232 true, true, GNUTLS_KP_TLS_WWW_SERVER
, NULL
,
235 TLS_TEST_REG(goodca1
, true,
236 cacert1req
.filename
, servercert1req
.filename
, false);
237 TLS_TEST_REG(goodca2
, true,
238 cacert2req
.filename
, servercert2req
.filename
, false);
239 TLS_TEST_REG(goodca3
, true,
240 cacert3req
.filename
, servercert3req
.filename
, false);
242 /* Now some bad certs */
244 /* Key usage:dig-sig:not-critical */
245 TLS_ROOT_REQ(cacert4req
,
246 "UK", "qemu CA 4", NULL
, NULL
, NULL
, NULL
,
248 true, false, GNUTLS_KEY_DIGITAL_SIGNATURE
,
249 false, false, NULL
, NULL
,
251 TLS_CERT_REQ(servercert4req
, cacert4req
,
252 "UK", "qemu.org", NULL
, NULL
, NULL
, NULL
,
255 GNUTLS_KEY_DIGITAL_SIGNATURE
| GNUTLS_KEY_KEY_ENCIPHERMENT
,
256 true, true, GNUTLS_KP_TLS_WWW_SERVER
, NULL
,
259 TLS_ROOT_REQ(cacert5req
,
260 "UK", "qemu CA 5", NULL
, NULL
, NULL
, NULL
,
263 false, false, NULL
, NULL
,
265 TLS_CERT_REQ(servercert5req
, cacert5req
,
266 "UK", "qemu.org", NULL
, NULL
, NULL
, NULL
,
269 GNUTLS_KEY_DIGITAL_SIGNATURE
| GNUTLS_KEY_KEY_ENCIPHERMENT
,
270 true, true, GNUTLS_KP_TLS_WWW_SERVER
, NULL
,
272 /* Key usage:dig-sig:critical */
273 TLS_ROOT_REQ(cacert6req
,
274 "UK", "qemu CA 6", NULL
, NULL
, NULL
, NULL
,
276 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE
,
277 false, false, NULL
, NULL
,
279 TLS_CERT_REQ(servercert6req
, cacert6req
,
280 "UK", "qemu.org", NULL
, NULL
, NULL
, NULL
,
283 GNUTLS_KEY_DIGITAL_SIGNATURE
| GNUTLS_KEY_KEY_ENCIPHERMENT
,
284 true, true, GNUTLS_KP_TLS_WWW_SERVER
, NULL
,
287 TLS_TEST_REG(badca1
, true, cacert4req
.filename
, servercert4req
.filename
,
289 TLS_TEST_REG(badca2
, true,
290 cacert5req
.filename
, servercert5req
.filename
, true);
291 TLS_TEST_REG(badca3
, true,
292 cacert6req
.filename
, servercert6req
.filename
, true);
295 /* Various good servers */
296 /* no usage or purpose */
297 TLS_CERT_REQ(servercert7req
, cacertreq
,
298 "UK", "qemu", NULL
, NULL
, NULL
, NULL
,
301 false, false, NULL
, NULL
,
303 /* usage:cert-sign+dig-sig+encipher:critical */
304 TLS_CERT_REQ(servercert8req
, cacertreq
,
305 "UK", "qemu", NULL
, NULL
, NULL
, NULL
,
308 GNUTLS_KEY_DIGITAL_SIGNATURE
| GNUTLS_KEY_KEY_ENCIPHERMENT
|
309 GNUTLS_KEY_KEY_CERT_SIGN
,
310 false, false, NULL
, NULL
,
312 /* usage:cert-sign:not-critical */
313 TLS_CERT_REQ(servercert9req
, cacertreq
,
314 "UK", "qemu", NULL
, NULL
, NULL
, NULL
,
316 true, false, GNUTLS_KEY_KEY_CERT_SIGN
,
317 false, false, NULL
, NULL
,
319 /* purpose:server:critical */
320 TLS_CERT_REQ(servercert10req
, cacertreq
,
321 "UK", "qemu", NULL
, NULL
, NULL
, NULL
,
324 true, true, GNUTLS_KP_TLS_WWW_SERVER
, NULL
,
326 /* purpose:server:not-critical */
327 TLS_CERT_REQ(servercert11req
, cacertreq
,
328 "UK", "qemu", NULL
, NULL
, NULL
, NULL
,
331 true, false, GNUTLS_KP_TLS_WWW_SERVER
, NULL
,
333 /* purpose:client+server:critical */
334 TLS_CERT_REQ(servercert12req
, cacertreq
,
335 "UK", "qemu", NULL
, NULL
, NULL
, NULL
,
339 GNUTLS_KP_TLS_WWW_CLIENT
, GNUTLS_KP_TLS_WWW_SERVER
,
341 /* purpose:client+server:not-critical */
342 TLS_CERT_REQ(servercert13req
, cacertreq
,
343 "UK", "qemu", NULL
, NULL
, NULL
, NULL
,
347 GNUTLS_KP_TLS_WWW_CLIENT
, GNUTLS_KP_TLS_WWW_SERVER
,
350 TLS_TEST_REG(goodserver1
, true,
351 cacertreq
.filename
, servercert7req
.filename
, false);
352 TLS_TEST_REG(goodserver2
, true,
353 cacertreq
.filename
, servercert8req
.filename
, false);
354 TLS_TEST_REG(goodserver3
, true,
355 cacertreq
.filename
, servercert9req
.filename
, false);
356 TLS_TEST_REG(goodserver4
, true,
357 cacertreq
.filename
, servercert10req
.filename
, false);
358 TLS_TEST_REG(goodserver5
, true,
359 cacertreq
.filename
, servercert11req
.filename
, false);
360 TLS_TEST_REG(goodserver6
, true,
361 cacertreq
.filename
, servercert12req
.filename
, false);
362 TLS_TEST_REG(goodserver7
, true,
363 cacertreq
.filename
, servercert13req
.filename
, false);
367 /* usage:cert-sign:critical */
368 TLS_CERT_REQ(servercert14req
, cacertreq
,
369 "UK", "qemu", NULL
, NULL
, NULL
, NULL
,
371 true, true, GNUTLS_KEY_KEY_CERT_SIGN
,
372 false, false, NULL
, NULL
,
374 /* purpose:client:critical */
375 TLS_CERT_REQ(servercert15req
, cacertreq
,
376 "UK", "qemu", NULL
, NULL
, NULL
, NULL
,
379 true, true, GNUTLS_KP_TLS_WWW_CLIENT
, NULL
,
381 /* usage: none:critical */
382 TLS_CERT_REQ(servercert16req
, cacertreq
,
383 "UK", "qemu", NULL
, NULL
, NULL
, NULL
,
386 false, false, NULL
, NULL
,
389 TLS_TEST_REG(badserver1
, true,
390 cacertreq
.filename
, servercert14req
.filename
, true);
391 TLS_TEST_REG(badserver2
, true,
392 cacertreq
.filename
, servercert15req
.filename
, true);
393 TLS_TEST_REG(badserver3
, true,
394 cacertreq
.filename
, servercert16req
.filename
, true);
398 /* Various good clients */
399 /* no usage or purpose */
400 TLS_CERT_REQ(clientcert1req
, cacertreq
,
401 "UK", "qemu", NULL
, NULL
, NULL
, NULL
,
404 false, false, NULL
, NULL
,
406 /* usage:cert-sign+dig-sig+encipher:critical */
407 TLS_CERT_REQ(clientcert2req
, cacertreq
,
408 "UK", "qemu", NULL
, NULL
, NULL
, NULL
,
411 GNUTLS_KEY_DIGITAL_SIGNATURE
| GNUTLS_KEY_KEY_ENCIPHERMENT
|
412 GNUTLS_KEY_KEY_CERT_SIGN
,
413 false, false, NULL
, NULL
,
415 /* usage:cert-sign:not-critical */
416 TLS_CERT_REQ(clientcert3req
, cacertreq
,
417 "UK", "qemu", NULL
, NULL
, NULL
, NULL
,
419 true, false, GNUTLS_KEY_KEY_CERT_SIGN
,
420 false, false, NULL
, NULL
,
422 /* purpose:client:critical */
423 TLS_CERT_REQ(clientcert4req
, cacertreq
,
424 "UK", "qemu", NULL
, NULL
, NULL
, NULL
,
427 true, true, GNUTLS_KP_TLS_WWW_CLIENT
, NULL
,
429 /* purpose:client:not-critical */
430 TLS_CERT_REQ(clientcert5req
, cacertreq
,
431 "UK", "qemu", NULL
, NULL
, NULL
, NULL
,
434 true, false, GNUTLS_KP_TLS_WWW_CLIENT
, NULL
,
436 /* purpose:client+client:critical */
437 TLS_CERT_REQ(clientcert6req
, cacertreq
,
438 "UK", "qemu", NULL
, NULL
, NULL
, NULL
,
442 GNUTLS_KP_TLS_WWW_CLIENT
, GNUTLS_KP_TLS_WWW_SERVER
,
444 /* purpose:client+client:not-critical */
445 TLS_CERT_REQ(clientcert7req
, cacertreq
,
446 "UK", "qemu", NULL
, NULL
, NULL
, NULL
,
450 GNUTLS_KP_TLS_WWW_CLIENT
, GNUTLS_KP_TLS_WWW_SERVER
,
453 TLS_TEST_REG(goodclient1
, false,
454 cacertreq
.filename
, clientcert1req
.filename
, false);
455 TLS_TEST_REG(goodclient2
, false,
456 cacertreq
.filename
, clientcert2req
.filename
, false);
457 TLS_TEST_REG(goodclient3
, false,
458 cacertreq
.filename
, clientcert3req
.filename
, false);
459 TLS_TEST_REG(goodclient4
, false,
460 cacertreq
.filename
, clientcert4req
.filename
, false);
461 TLS_TEST_REG(goodclient5
, false,
462 cacertreq
.filename
, clientcert5req
.filename
, false);
463 TLS_TEST_REG(goodclient6
, false,
464 cacertreq
.filename
, clientcert6req
.filename
, false);
465 TLS_TEST_REG(goodclient7
, false,
466 cacertreq
.filename
, clientcert7req
.filename
, false);
470 /* usage:cert-sign:critical */
471 TLS_CERT_REQ(clientcert8req
, cacertreq
,
472 "UK", "qemu", NULL
, NULL
, NULL
, NULL
,
474 true, true, GNUTLS_KEY_KEY_CERT_SIGN
,
475 false, false, NULL
, NULL
,
477 /* purpose:client:critical */
478 TLS_CERT_REQ(clientcert9req
, cacertreq
,
479 "UK", "qemu", NULL
, NULL
, NULL
, NULL
,
482 true, true, GNUTLS_KP_TLS_WWW_SERVER
, NULL
,
484 /* usage: none:critical */
485 TLS_CERT_REQ(clientcert10req
, cacertreq
,
486 "UK", "qemu", NULL
, NULL
, NULL
, NULL
,
489 false, false, NULL
, NULL
,
492 TLS_TEST_REG(badclient1
, false,
493 cacertreq
.filename
, clientcert8req
.filename
, true);
494 TLS_TEST_REG(badclient2
, false,
495 cacertreq
.filename
, clientcert9req
.filename
, true);
496 TLS_TEST_REG(badclient3
, false,
497 cacertreq
.filename
, clientcert10req
.filename
, true);
503 TLS_ROOT_REQ(cacertexpreq
,
504 "UK", "qemu", NULL
, NULL
, NULL
, NULL
,
506 true, true, GNUTLS_KEY_KEY_CERT_SIGN
,
507 false, false, NULL
, NULL
,
509 TLS_CERT_REQ(servercertexpreq
, cacertexpreq
,
510 "UK", "qemu.org", NULL
, NULL
, NULL
, NULL
,
513 GNUTLS_KEY_DIGITAL_SIGNATURE
| GNUTLS_KEY_KEY_ENCIPHERMENT
,
514 true, true, GNUTLS_KP_TLS_WWW_SERVER
, NULL
,
516 TLS_CERT_REQ(servercertexp1req
, cacertreq
,
517 "UK", "qemu", NULL
, NULL
, NULL
, NULL
,
520 GNUTLS_KEY_DIGITAL_SIGNATURE
| GNUTLS_KEY_KEY_ENCIPHERMENT
,
521 true, true, GNUTLS_KP_TLS_WWW_SERVER
, NULL
,
523 TLS_CERT_REQ(clientcertexp1req
, cacertreq
,
524 "UK", "qemu", NULL
, NULL
, NULL
, NULL
,
527 GNUTLS_KEY_DIGITAL_SIGNATURE
| GNUTLS_KEY_KEY_ENCIPHERMENT
,
528 true, true, GNUTLS_KP_TLS_WWW_CLIENT
, NULL
,
531 TLS_TEST_REG(expired1
, true,
532 cacertexpreq
.filename
, servercertexpreq
.filename
, true);
533 TLS_TEST_REG(expired2
, true,
534 cacertreq
.filename
, servercertexp1req
.filename
, true);
535 TLS_TEST_REG(expired3
, false,
536 cacertreq
.filename
, clientcertexp1req
.filename
, true);
539 /* Not activated stuff */
541 TLS_ROOT_REQ(cacertnewreq
,
542 "UK", "qemu", NULL
, NULL
, NULL
, NULL
,
544 true, true, GNUTLS_KEY_KEY_CERT_SIGN
,
545 false, false, NULL
, NULL
,
547 TLS_CERT_REQ(servercertnewreq
, cacertnewreq
,
548 "UK", "qemu", NULL
, NULL
, NULL
, NULL
,
551 GNUTLS_KEY_DIGITAL_SIGNATURE
| GNUTLS_KEY_KEY_ENCIPHERMENT
,
552 true, true, GNUTLS_KP_TLS_WWW_SERVER
, NULL
,
554 TLS_CERT_REQ(servercertnew1req
, cacertreq
,
555 "UK", "qemu", NULL
, NULL
, NULL
, NULL
,
558 GNUTLS_KEY_DIGITAL_SIGNATURE
| GNUTLS_KEY_KEY_ENCIPHERMENT
,
559 true, true, GNUTLS_KP_TLS_WWW_SERVER
, NULL
,
561 TLS_CERT_REQ(clientcertnew1req
, cacertreq
,
562 "UK", "qemu", NULL
, NULL
, NULL
, NULL
,
565 GNUTLS_KEY_DIGITAL_SIGNATURE
| GNUTLS_KEY_KEY_ENCIPHERMENT
,
566 true, true, GNUTLS_KP_TLS_WWW_CLIENT
, NULL
,
569 TLS_TEST_REG(inactive1
, true,
570 cacertnewreq
.filename
, servercertnewreq
.filename
, true);
571 TLS_TEST_REG(inactive2
, true,
572 cacertreq
.filename
, servercertnew1req
.filename
, true);
573 TLS_TEST_REG(inactive3
, false,
574 cacertreq
.filename
, clientcertnew1req
.filename
, true);
576 TLS_ROOT_REQ(cacertrootreq
,
577 "UK", "qemu root", NULL
, NULL
, NULL
, NULL
,
579 true, true, GNUTLS_KEY_KEY_CERT_SIGN
,
580 false, false, NULL
, NULL
,
582 TLS_CERT_REQ(cacertlevel1areq
, cacertrootreq
,
583 "UK", "qemu level 1a", NULL
, NULL
, NULL
, NULL
,
585 true, true, GNUTLS_KEY_KEY_CERT_SIGN
,
586 false, false, NULL
, NULL
,
588 TLS_CERT_REQ(cacertlevel1breq
, cacertrootreq
,
589 "UK", "qemu level 1b", NULL
, NULL
, NULL
, NULL
,
591 true, true, GNUTLS_KEY_KEY_CERT_SIGN
,
592 false, false, NULL
, NULL
,
594 TLS_CERT_REQ(cacertlevel2areq
, cacertlevel1areq
,
595 "UK", "qemu level 2a", NULL
, NULL
, NULL
, NULL
,
597 true, true, GNUTLS_KEY_KEY_CERT_SIGN
,
598 false, false, NULL
, NULL
,
600 TLS_CERT_REQ(servercertlevel3areq
, cacertlevel2areq
,
601 "UK", "qemu.org", NULL
, NULL
, NULL
, NULL
,
604 GNUTLS_KEY_DIGITAL_SIGNATURE
| GNUTLS_KEY_KEY_ENCIPHERMENT
,
605 true, true, GNUTLS_KP_TLS_WWW_SERVER
, NULL
,
607 TLS_CERT_REQ(clientcertlevel2breq
, cacertlevel1breq
,
608 "UK", "qemu client level 2b", NULL
, NULL
, NULL
, NULL
,
611 GNUTLS_KEY_DIGITAL_SIGNATURE
| GNUTLS_KEY_KEY_ENCIPHERMENT
,
612 true, true, GNUTLS_KP_TLS_WWW_CLIENT
, NULL
,
615 gnutls_x509_crt_t certchain
[] = {
617 cacertlevel1areq
.crt
,
618 cacertlevel1breq
.crt
,
619 cacertlevel2areq
.crt
,
622 test_tls_write_cert_chain(WORKDIR
"cacertchain-ctx.pem",
624 G_N_ELEMENTS(certchain
));
626 TLS_TEST_REG(chain1
, true,
627 WORKDIR
"cacertchain-ctx.pem",
628 servercertlevel3areq
.filename
, false);
629 TLS_TEST_REG(chain2
, false,
630 WORKDIR
"cacertchain-ctx.pem",
631 clientcertlevel2breq
.filename
, false);
633 /* Some missing certs - first two are fatal, the last
636 TLS_TEST_REG(missingca
, true,
637 "cacertdoesnotexist.pem",
638 servercert1req
.filename
, true);
639 TLS_TEST_REG(missingserver
, true,
641 "servercertdoesnotexist.pem", true);
642 TLS_TEST_REG(missingclient
, false,
644 "clientcertdoesnotexist.pem", false);
648 test_tls_discard_cert(&cacertreq
);
649 test_tls_discard_cert(&cacert1req
);
650 test_tls_discard_cert(&cacert2req
);
651 test_tls_discard_cert(&cacert3req
);
652 test_tls_discard_cert(&cacert4req
);
653 test_tls_discard_cert(&cacert5req
);
654 test_tls_discard_cert(&cacert6req
);
656 test_tls_discard_cert(&servercertreq
);
657 test_tls_discard_cert(&servercert1req
);
658 test_tls_discard_cert(&servercert2req
);
659 test_tls_discard_cert(&servercert3req
);
660 test_tls_discard_cert(&servercert4req
);
661 test_tls_discard_cert(&servercert5req
);
662 test_tls_discard_cert(&servercert6req
);
663 test_tls_discard_cert(&servercert7req
);
664 test_tls_discard_cert(&servercert8req
);
665 test_tls_discard_cert(&servercert9req
);
666 test_tls_discard_cert(&servercert10req
);
667 test_tls_discard_cert(&servercert11req
);
668 test_tls_discard_cert(&servercert12req
);
669 test_tls_discard_cert(&servercert13req
);
670 test_tls_discard_cert(&servercert14req
);
671 test_tls_discard_cert(&servercert15req
);
672 test_tls_discard_cert(&servercert16req
);
674 test_tls_discard_cert(&clientcertreq
);
675 test_tls_discard_cert(&clientcert1req
);
676 test_tls_discard_cert(&clientcert2req
);
677 test_tls_discard_cert(&clientcert3req
);
678 test_tls_discard_cert(&clientcert4req
);
679 test_tls_discard_cert(&clientcert5req
);
680 test_tls_discard_cert(&clientcert6req
);
681 test_tls_discard_cert(&clientcert7req
);
682 test_tls_discard_cert(&clientcert8req
);
683 test_tls_discard_cert(&clientcert9req
);
684 test_tls_discard_cert(&clientcert10req
);
686 test_tls_discard_cert(&cacertexpreq
);
687 test_tls_discard_cert(&servercertexpreq
);
688 test_tls_discard_cert(&servercertexp1req
);
689 test_tls_discard_cert(&clientcertexp1req
);
691 test_tls_discard_cert(&cacertnewreq
);
692 test_tls_discard_cert(&servercertnewreq
);
693 test_tls_discard_cert(&servercertnew1req
);
694 test_tls_discard_cert(&clientcertnew1req
);
696 test_tls_discard_cert(&cacertrootreq
);
697 test_tls_discard_cert(&cacertlevel1areq
);
698 test_tls_discard_cert(&cacertlevel1breq
);
699 test_tls_discard_cert(&cacertlevel2areq
);
700 test_tls_discard_cert(&servercertlevel3areq
);
701 test_tls_discard_cert(&clientcertlevel2breq
);
702 unlink(WORKDIR
"cacertchain-ctx.pem");
704 test_tls_cleanup(KEYFILE
);
707 return ret
== 0 ? EXIT_SUCCESS
: EXIT_FAILURE
;
710 #else /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */
718 #endif /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */