mirror of https://gitlab.com/qemu-project/qemu
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
180 lines
8.8 KiB
C
180 lines
8.8 KiB
C
/*
|
|
* Copyright (C) 2015 Red Hat, Inc.
|
|
*
|
|
* This library is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
* License as published by the Free Software Foundation; either
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
*
|
|
* This library is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
* License along with this library. If not, see
|
|
* <http://www.gnu.org/licenses/>.
|
|
*
|
|
* Author: Daniel P. Berrange <berrange@redhat.com>
|
|
*/
|
|
|
|
#ifndef TESTS_CRYPTO_TLS_X509_HELPERS_H
|
|
#define TESTS_CRYPTO_TLS_X509_HELPERS_H
|
|
|
|
#include <gnutls/gnutls.h>
|
|
#include <gnutls/x509.h>
|
|
|
|
|
|
#define QCRYPTO_TLS_TEST_CLIENT_NAME "ACME QEMU Client"
|
|
#define QCRYPTO_TLS_TEST_CLIENT_HOSTILE_NAME "ACME Hostile Client"
|
|
|
|
/*
|
|
* This contains parameter about how to generate
|
|
* certificates.
|
|
*/
|
|
typedef struct QCryptoTLSTestCertReq QCryptoTLSTestCertReq;
|
|
struct QCryptoTLSTestCertReq {
|
|
gnutls_x509_crt_t crt;
|
|
|
|
const char *filename;
|
|
|
|
/* Identifying information */
|
|
const char *country;
|
|
const char *cn;
|
|
const char *altname1;
|
|
const char *altname2;
|
|
const char *ipaddr1;
|
|
const char *ipaddr2;
|
|
|
|
/* Basic constraints */
|
|
bool basicConstraintsEnable;
|
|
bool basicConstraintsCritical;
|
|
bool basicConstraintsIsCA;
|
|
|
|
/* Key usage */
|
|
bool keyUsageEnable;
|
|
bool keyUsageCritical;
|
|
int keyUsageValue;
|
|
|
|
/* Key purpose (aka Extended key usage) */
|
|
bool keyPurposeEnable;
|
|
bool keyPurposeCritical;
|
|
const char *keyPurposeOID1;
|
|
const char *keyPurposeOID2;
|
|
|
|
/* zero for current time, or non-zero for hours from now */
|
|
int start_offset;
|
|
/* zero for 24 hours from now, or non-zero for hours from now */
|
|
int expire_offset;
|
|
};
|
|
|
|
void test_tls_generate_cert(QCryptoTLSTestCertReq *req,
|
|
gnutls_x509_crt_t ca);
|
|
void test_tls_write_cert_chain(const char *filename,
|
|
gnutls_x509_crt_t *certs,
|
|
size_t ncerts);
|
|
/*
|
|
* Deinitialize the QCryptoTLSTestCertReq, but don't delete the certificate
|
|
* file on disk. (The caller is then responsible for doing that themselves.
|
|
*/
|
|
void test_tls_deinit_cert(QCryptoTLSTestCertReq *req);
|
|
/* Deinit the QCryptoTLSTestCertReq, and delete the certificate file */
|
|
void test_tls_discard_cert(QCryptoTLSTestCertReq *req);
|
|
|
|
void test_tls_init(const char *keyfile);
|
|
void test_tls_cleanup(const char *keyfile);
|
|
|
|
# define TLS_CERT_REQ(varname, cavarname, \
|
|
country, commonname, \
|
|
altname1, altname2, \
|
|
ipaddr1, ipaddr2, \
|
|
basicconsenable, basicconscritical, basicconsca, \
|
|
keyusageenable, keyusagecritical, keyusagevalue, \
|
|
keypurposeenable, keypurposecritical, \
|
|
keypurposeoid1, keypurposeoid2, \
|
|
startoffset, endoffset) \
|
|
static QCryptoTLSTestCertReq varname = { \
|
|
NULL, WORKDIR #varname "-ctx.pem", \
|
|
country, commonname, altname1, altname2, \
|
|
ipaddr1, ipaddr2, \
|
|
basicconsenable, basicconscritical, basicconsca, \
|
|
keyusageenable, keyusagecritical, keyusagevalue, \
|
|
keypurposeenable, keypurposecritical, \
|
|
keypurposeoid1, keypurposeoid2, \
|
|
startoffset, endoffset \
|
|
}; \
|
|
test_tls_generate_cert(&varname, cavarname.crt)
|
|
|
|
# define TLS_ROOT_REQ(varname, \
|
|
country, commonname, \
|
|
altname1, altname2, \
|
|
ipaddr1, ipaddr2, \
|
|
basicconsenable, basicconscritical, basicconsca, \
|
|
keyusageenable, keyusagecritical, keyusagevalue, \
|
|
keypurposeenable, keypurposecritical, \
|
|
keypurposeoid1, keypurposeoid2, \
|
|
startoffset, endoffset) \
|
|
static QCryptoTLSTestCertReq varname = { \
|
|
NULL, WORKDIR #varname "-ctx.pem", \
|
|
country, commonname, altname1, altname2, \
|
|
ipaddr1, ipaddr2, \
|
|
basicconsenable, basicconscritical, basicconsca, \
|
|
keyusageenable, keyusagecritical, keyusagevalue, \
|
|
keypurposeenable, keypurposecritical, \
|
|
keypurposeoid1, keypurposeoid2, \
|
|
startoffset, endoffset \
|
|
}; \
|
|
test_tls_generate_cert(&varname, NULL)
|
|
|
|
# define TLS_ROOT_REQ_SIMPLE(varname, fname) \
|
|
QCryptoTLSTestCertReq varname = { \
|
|
.filename = fname, \
|
|
.cn = "qemu-CA", \
|
|
.basicConstraintsEnable = true, \
|
|
.basicConstraintsCritical = true, \
|
|
.basicConstraintsIsCA = true, \
|
|
.keyUsageEnable = true, \
|
|
.keyUsageCritical = true, \
|
|
.keyUsageValue = GNUTLS_KEY_KEY_CERT_SIGN, \
|
|
}; \
|
|
test_tls_generate_cert(&varname, NULL)
|
|
|
|
# define TLS_CERT_REQ_SIMPLE_CLIENT(varname, cavarname, cname, fname) \
|
|
QCryptoTLSTestCertReq varname = { \
|
|
.filename = fname, \
|
|
.cn = cname, \
|
|
.basicConstraintsEnable = true, \
|
|
.basicConstraintsCritical = true, \
|
|
.basicConstraintsIsCA = false, \
|
|
.keyUsageEnable = true, \
|
|
.keyUsageCritical = true, \
|
|
.keyUsageValue = \
|
|
GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, \
|
|
.keyPurposeEnable = true, \
|
|
.keyPurposeCritical = true, \
|
|
.keyPurposeOID1 = GNUTLS_KP_TLS_WWW_CLIENT, \
|
|
}; \
|
|
test_tls_generate_cert(&varname, cavarname.crt)
|
|
|
|
# define TLS_CERT_REQ_SIMPLE_SERVER(varname, cavarname, fname, \
|
|
hostname, ipaddr) \
|
|
QCryptoTLSTestCertReq varname = { \
|
|
.filename = fname, \
|
|
.cn = hostname ? hostname : ipaddr, \
|
|
.altname1 = hostname, \
|
|
.ipaddr1 = ipaddr, \
|
|
.basicConstraintsEnable = true, \
|
|
.basicConstraintsCritical = true, \
|
|
.basicConstraintsIsCA = false, \
|
|
.keyUsageEnable = true, \
|
|
.keyUsageCritical = true, \
|
|
.keyUsageValue = \
|
|
GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, \
|
|
.keyPurposeEnable = true, \
|
|
.keyPurposeCritical = true, \
|
|
.keyPurposeOID1 = GNUTLS_KP_TLS_WWW_SERVER, \
|
|
}; \
|
|
test_tls_generate_cert(&varname, cavarname.crt)
|
|
|
|
#endif
|