2 * Copyright (C) 2015 Red Hat, Inc.
4 * This library is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU Lesser General Public
6 * License as published by the Free Software Foundation; either
7 * version 2.1 of the License, or (at your option) any later version.
9 * This library is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * Lesser General Public License for more details.
14 * You should have received a copy of the GNU Lesser General Public
15 * License along with this library. If not, see
16 * <http://www.gnu.org/licenses/>.
18 * Author: Daniel P. Berrange <berrange@redhat.com>
21 #include "qemu/osdep.h"
23 #include "crypto-tls-x509-helpers.h"
24 #include "qemu/sockets.h"
26 #ifdef QCRYPTO_HAVE_TLS_TEST_SUPPORT
29 * This stores some static data that is needed when
30 * encoding extensions in the x509 certs
35 * To avoid consuming random entropy to generate keys,
36 * here's one we prepared earlier :-)
38 gnutls_x509_privkey_t privkey
;
39 # define PRIVATE_KEY \
40 "-----BEGIN PRIVATE KEY-----\n" \
41 "MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBALVcr\n" \
42 "BL40Tm6yq88FBhJNw1aaoCjmtg0l4dWQZ/e9Fimx4ARxFpT+ji4FE\n" \
43 "Cgl9s/SGqC+1nvlkm9ViSo0j7MKDbnDB+VRHDvMAzQhA2X7e8M0n9\n" \
44 "rPolUY2lIVC83q0BBaOBkCj2RSmT2xTEbbC2xLukSrg2WP/ihVOxc\n" \
45 "kXRuyFtzAgMBAAECgYB7slBexDwXrtItAMIH6m/U+LUpNe0Xx48OL\n" \
46 "IOn4a4whNgO/o84uIwygUK27ZGFZT0kAGAk8CdF9hA6ArcbQ62s1H\n" \
47 "myxrUbF9/mrLsQw1NEqpuUk9Ay2Tx5U/wPx35S3W/X2AvR/ZpTnCn\n" \
48 "2q/7ym9fyiSoj86drD7BTvmKXlOnOwQJBAPOFMp4mMa9NGpGuEssO\n" \
49 "m3Uwbp6lhcP0cA9MK+iOmeANpoKWfBdk5O34VbmeXnGYWEkrnX+9J\n" \
50 "bM4wVhnnBWtgBMCQQC+qAEmvwcfhauERKYznMVUVksyeuhxhCe7EK\n" \
51 "mPh+U2+g0WwdKvGDgO0PPt1gq0ILEjspMDeMHVdTwkaVBo/uMhAkA\n" \
52 "Z5SsZyCP2aTOPFDypXRdI4eqRcjaEPOUBq27r3uYb/jeboVb2weLa\n" \
53 "L1MmVuHiIHoa5clswPdWVI2y0em2IGoDAkBPSp/v9VKJEZabk9Frd\n" \
54 "a+7u4fanrM9QrEjY3KhduslSilXZZSxrWjjAJPyPiqFb3M8XXA26W\n" \
55 "nz1KYGnqYKhLcBAkB7dt57n9xfrhDpuyVEv+Uv1D3VVAhZlsaZ5Pp\n" \
56 "dcrhrkJn2sa/+O8OKvdrPSeeu/N5WwYhJf61+CPoenMp7IFci\n" \
57 "-----END PRIVATE KEY-----\n"
60 * This loads the private key we defined earlier
62 static gnutls_x509_privkey_t
test_tls_load_key(void)
64 gnutls_x509_privkey_t key
;
65 const gnutls_datum_t data
= { (unsigned char *)PRIVATE_KEY
,
66 strlen(PRIVATE_KEY
) };
69 err
= gnutls_x509_privkey_init(&key
);
71 g_critical("Failed to init key %s", gnutls_strerror(err
));
75 err
= gnutls_x509_privkey_import(key
, &data
,
78 if (err
!= GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR
&&
79 err
!= GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
) {
80 g_critical("Failed to import key %s", gnutls_strerror(err
));
84 err
= gnutls_x509_privkey_import_pkcs8(
85 key
, &data
, GNUTLS_X509_FMT_PEM
, NULL
, 0);
87 g_critical("Failed to import PKCS8 key %s", gnutls_strerror(err
));
96 void test_tls_init(const char *keyfile
)
100 if (asn1_array2tree(pkix_asn1_tab
, &pkix_asn1
, NULL
) != ASN1_SUCCESS
) {
104 privkey
= test_tls_load_key();
105 if (!g_file_set_contents(keyfile
, PRIVATE_KEY
, -1, NULL
)) {
111 void test_tls_cleanup(const char *keyfile
)
113 asn1_delete_structure(&pkix_asn1
);
118 * Turns an ASN1 object into a DER encoded byte array
120 static void test_tls_der_encode(ASN1_TYPE src
,
121 const char *src_name
,
128 asn1_der_coding(src
, src_name
, NULL
, &size
, NULL
);
130 data
= g_new0(char, size
);
132 asn1_der_coding(src
, src_name
, data
, &size
, NULL
);
134 res
->data
= (unsigned char *)data
;
140 test_tls_get_ipaddr(const char *addrstr
,
144 struct addrinfo
*res
;
145 struct addrinfo hints
;
147 memset(&hints
, 0, sizeof(hints
));
148 hints
.ai_flags
= AI_NUMERICHOST
;
149 g_assert(getaddrinfo(addrstr
, NULL
, &hints
, &res
) == 0);
151 *datalen
= res
->ai_addrlen
;
152 *data
= g_new(char, *datalen
);
153 memcpy(*data
, res
->ai_addr
, *datalen
);
158 * This is a fairly lame x509 certificate generator.
160 * Do not copy/use this code for generating real certificates
161 * since it leaves out many things that you would want in
162 * certificates for real world usage.
164 * This is good enough only for doing tests of the QEMU
165 * TLS certificate code
168 test_tls_generate_cert(QCryptoTLSTestCertReq
*req
,
169 gnutls_x509_crt_t ca
)
171 gnutls_x509_crt_t crt
;
173 static char buffer
[1024 * 1024];
174 size_t size
= sizeof(buffer
);
175 char serial
[5] = { 1, 2, 3, 4, 0 };
177 time_t start
= time(NULL
) + (60 * 60 * req
->start_offset
);
178 time_t expire
= time(NULL
) + (60 * 60 * (req
->expire_offset
179 ? req
->expire_offset
: 24));
182 * Prepare our new certificate object
184 err
= gnutls_x509_crt_init(&crt
);
186 g_critical("Failed to initialize certificate %s", gnutls_strerror(err
));
189 err
= gnutls_x509_crt_set_key(crt
, privkey
);
191 g_critical("Failed to set certificate key %s", gnutls_strerror(err
));
196 * A v3 certificate is required in order to be able
197 * set any of the basic constraints, key purpose and
200 gnutls_x509_crt_set_version(crt
, 3);
203 err
= gnutls_x509_crt_set_dn_by_oid(
204 crt
, GNUTLS_OID_X520_COUNTRY_NAME
, 0,
205 req
->country
, strlen(req
->country
));
207 g_critical("Failed to set certificate country name %s",
208 gnutls_strerror(err
));
213 err
= gnutls_x509_crt_set_dn_by_oid(
214 crt
, GNUTLS_OID_X520_COMMON_NAME
, 0,
215 req
->cn
, strlen(req
->cn
));
217 g_critical("Failed to set certificate common name %s",
218 gnutls_strerror(err
));
224 * Setup the subject altnames, which are used
225 * for hostname checks in live sessions
228 err
= gnutls_x509_crt_set_subject_alt_name(
229 crt
, GNUTLS_SAN_DNSNAME
,
231 strlen(req
->altname1
),
234 g_critical("Failed to set certificate alt name %s",
235 gnutls_strerror(err
));
240 err
= gnutls_x509_crt_set_subject_alt_name(
241 crt
, GNUTLS_SAN_DNSNAME
,
243 strlen(req
->altname2
),
246 g_critical("Failed to set certificate %s alt name",
247 gnutls_strerror(err
));
253 * IP address need to be put into the cert in their
254 * raw byte form, not strings, hence this is a little
261 test_tls_get_ipaddr(req
->ipaddr1
, &data
, &len
);
263 err
= gnutls_x509_crt_set_subject_alt_name(
264 crt
, GNUTLS_SAN_IPADDRESS
,
265 data
, len
, GNUTLS_FSAN_APPEND
);
267 g_critical("Failed to set certificate alt name %s",
268 gnutls_strerror(err
));
277 test_tls_get_ipaddr(req
->ipaddr2
, &data
, &len
);
279 err
= gnutls_x509_crt_set_subject_alt_name(
280 crt
, GNUTLS_SAN_IPADDRESS
,
281 data
, len
, GNUTLS_FSAN_APPEND
);
283 g_critical("Failed to set certificate alt name %s",
284 gnutls_strerror(err
));
292 * Basic constraints are used to decide if the cert
293 * is for a CA or not. We can't use the convenient
294 * gnutls API for setting this, since it hardcodes
295 * the 'critical' field which we want control over
297 if (req
->basicConstraintsEnable
) {
298 ASN1_TYPE ext
= ASN1_TYPE_EMPTY
;
300 asn1_create_element(pkix_asn1
, "PKIX1.BasicConstraints", &ext
);
301 asn1_write_value(ext
, "cA",
302 req
->basicConstraintsIsCA
? "TRUE" : "FALSE", 1);
303 asn1_write_value(ext
, "pathLenConstraint", NULL
, 0);
304 test_tls_der_encode(ext
, "", &der
);
305 err
= gnutls_x509_crt_set_extension_by_oid(
308 req
->basicConstraintsCritical
);
310 g_critical("Failed to set certificate basic constraints %s",
311 gnutls_strerror(err
));
315 asn1_delete_structure(&ext
);
320 * Next up the key usage extension. Again we can't
321 * use the gnutls API since it hardcodes the extension
324 if (req
->keyUsageEnable
) {
325 ASN1_TYPE ext
= ASN1_TYPE_EMPTY
;
328 str
[0] = req
->keyUsageValue
& 0xff;
329 str
[1] = (req
->keyUsageValue
>> 8) & 0xff;
331 asn1_create_element(pkix_asn1
, "PKIX1.KeyUsage", &ext
);
332 asn1_write_value(ext
, "", str
, 9);
333 test_tls_der_encode(ext
, "", &der
);
334 err
= gnutls_x509_crt_set_extension_by_oid(
337 req
->keyUsageCritical
);
339 g_critical("Failed to set certificate key usage %s",
340 gnutls_strerror(err
));
344 asn1_delete_structure(&ext
);
349 * Finally the key purpose extension. This time
350 * gnutls has the opposite problem, always hardcoding
351 * it to be non-critical. So once again we have to
352 * set this the hard way building up ASN1 data ourselves
354 if (req
->keyPurposeEnable
) {
355 ASN1_TYPE ext
= ASN1_TYPE_EMPTY
;
357 asn1_create_element(pkix_asn1
, "PKIX1.ExtKeyUsageSyntax", &ext
);
358 if (req
->keyPurposeOID1
) {
359 asn1_write_value(ext
, "", "NEW", 1);
360 asn1_write_value(ext
, "?LAST", req
->keyPurposeOID1
, 1);
362 if (req
->keyPurposeOID2
) {
363 asn1_write_value(ext
, "", "NEW", 1);
364 asn1_write_value(ext
, "?LAST", req
->keyPurposeOID2
, 1);
366 test_tls_der_encode(ext
, "", &der
);
367 err
= gnutls_x509_crt_set_extension_by_oid(
370 req
->keyPurposeCritical
);
372 g_critical("Failed to set certificate key purpose %s",
373 gnutls_strerror(err
));
377 asn1_delete_structure(&ext
);
382 * Any old serial number will do, so lets pick 5
384 err
= gnutls_x509_crt_set_serial(crt
, serial
, 5);
386 g_critical("Failed to set certificate serial %s",
387 gnutls_strerror(err
));
391 err
= gnutls_x509_crt_set_activation_time(crt
, start
);
393 g_critical("Failed to set certificate activation %s",
394 gnutls_strerror(err
));
397 err
= gnutls_x509_crt_set_expiration_time(crt
, expire
);
399 g_critical("Failed to set certificate expiration %s",
400 gnutls_strerror(err
));
406 * If no 'ca' is set then we are self signing
407 * the cert. This is done for the root CA certs
409 err
= gnutls_x509_crt_sign(crt
, ca
? ca
: crt
, privkey
);
411 g_critical("Failed to sign certificate %s",
412 gnutls_strerror(err
));
417 * Finally write the new cert out to disk
419 err
= gnutls_x509_crt_export(
420 crt
, GNUTLS_X509_FMT_PEM
, buffer
, &size
);
422 g_critical("Failed to export certificate %s: %d",
423 gnutls_strerror(err
), err
);
427 if (!g_file_set_contents(req
->filename
, buffer
, -1, NULL
)) {
428 g_critical("Failed to write certificate %s",
437 void test_tls_write_cert_chain(const char *filename
,
438 gnutls_x509_crt_t
*certs
,
442 size_t capacity
= 1024, offset
= 0;
443 char *buffer
= g_new0(char, capacity
);
446 for (i
= 0; i
< ncerts
; i
++) {
447 size_t len
= capacity
- offset
;
449 err
= gnutls_x509_crt_export(certs
[i
], GNUTLS_X509_FMT_PEM
,
450 buffer
+ offset
, &len
);
452 if (err
== GNUTLS_E_SHORT_MEMORY_BUFFER
) {
453 buffer
= g_renew(char, buffer
, offset
+ len
);
454 capacity
= offset
+ len
;
457 g_critical("Failed to export certificate chain %s: %d",
458 gnutls_strerror(err
), err
);
464 if (!g_file_set_contents(filename
, buffer
, offset
, NULL
)) {
471 void test_tls_discard_cert(QCryptoTLSTestCertReq
*req
)
477 gnutls_x509_crt_deinit(req
->crt
);
480 if (getenv("QEMU_TEST_DEBUG_CERTS") == NULL
) {
481 unlink(req
->filename
);
485 #endif /* QCRYPTO_HAVE_TLS_TEST_SUPPORT */