xref: /openbmc/qemu/tests/qemu-iotests/common.tls (revision 10cc95c3)

#!/usr/bin/env bash
#
# Helpers for TLS related config
#
# Copyright (C) 2018 Red Hat, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

tls_dir="${TEST_DIR}/tls"

tls_x509_cleanup()
{
    rm -f "${tls_dir}"/*.pem
    rm -f "${tls_dir}"/*/*.pem
    rm -f "${tls_dir}"/*/*.psk
    rmdir "${tls_dir}"/*
    rmdir "${tls_dir}"
}


tls_certtool()
{
    certtool "$@" 1>"${tls_dir}"/certtool.log 2>&1
    if test "$?" = 0; then
      head -1 "${tls_dir}"/certtool.log
    else
      cat "${tls_dir}"/certtool.log
    fi
    rm -f "${tls_dir}"/certtool.log
}

tls_psktool()
{
    psktool "$@" 1>"${tls_dir}"/psktool.log 2>&1
    if test "$?" = 0; then
      head -1 "${tls_dir}"/psktool.log
    else
      cat "${tls_dir}"/psktool.log
    fi
    rm -f "${tls_dir}"/psktool.log
}


tls_x509_init()
{
    (certtool --help) >/dev/null 2>&1 || \
	_notrun "certtool utility not found, skipping test"

    mkdir -p "${tls_dir}"

    # use a fixed key so we don't waste system entropy on
    # each test run
    cat > "${tls_dir}/key.pem" <<EOF
-----BEGIN RSA PRIVATE KEY-----
MIIG5AIBAAKCAYEAyjWyLSNm5PZvYUKUcDWGqbLX10b2ood+YaFjWSnJrqx/q3qh
rVGBJglD25AJENJsmZF3zPP1oMhfIxsXu63Hdkb6Rdlc2RUoUP34x9VC1izH25mR
6c8DPDp1d6IraZ/llDMI1HsBFz0qGWtvOHgm815XG4PAr/N8rDsuqfv/cJ01KlnO
0OdO5QRXCJf9g/dYd41MPu7wOXk9FqjQlmRoP59HgtJ+zUpE4z+Keruw9cMT9VJj
0oT+pQ9ysenqeZ3gbT224T1khrEhT5kifhtFLNyDssRchUUWH0hiqoOO1vgb+850
W6/1VdxvuPam48py4diSPi1Vip8NITCOBaX9FIpVp4Ruw4rTPVMNMjq9Cpx/DwMP
9MbfXfnaVaZaMrmq67/zPhl0eVbUrecH2hQ3ZB9oIF4GkNskzlWF5+yPy6zqk304
AKaiFR6jRyh3YfHo2XFqV8x/hxdsIEXOtEUGhSIcpynsW+ckUCartzu7xbhXjd4b
kxJT89+riPFYij09AgMBAAECggGBAKyFkaZXXROeejrmHlV6JZGlp+fhgM38gkRz
+Jp7P7rLLAY3E7gXIPQ91WqAAmwazFNdvHPd9USfkCQYmnAi/VoZhrCPmlsQZRxt
A5QjjOnEvSPMa6SrXZxGWDCg6R8uMCb4P+FhrPWR1thnRDZOtRTQ+crc50p3mHgt
6ktXWIJRbqnag8zSfQqCYGtRmhe8sfsWT+Yl4El4+jjaAVU/B364u7+PLmaiphGp
BdJfTsTwEpgtGkPj+osDmhzXcZkfq3V+fz5JLkemsCiQKmn4VJRpg8c3ZmE8NPNt
gRtGWZ4W3WKDvhotT65WpQx4+6R8Duux/blNPBmH1Upmwd7kj7GYFBArbCjgd9PT
xgfCSUZpgOZHHkcgSB+022a8XncXna7WYYij28SLtwImFyu0nNtqECFQHH5u+k6C
LRYBSN+3t3At8dQuk01NVrJBndmjmXRfxpqUtTdeaNgVpdUYRY98s30G68NYGSra
aEvhhRSghkcLNetkobpY9pUgeqW/tQKBwQDZHHK9nDMt/zk1TxtILeUSitPXcv1/
8ufXqO0miHdH23XuXhIEA6Ef26RRVGDGgpjkveDJK/1w5feJ4H/ni4Vclil/cm38
OwRqjjd7ElHJX6JQbsxEx/gNTk5/QW1iAL9TXUalgepsSXYT6AJ0/CJv0jmJSJ36
YoKMOM8uqzb2KhN6i+RlJRi5iY53kUhWTJq5ArWvNhUzQNSYODI4bNxlsKSBL2Ik
LZ5QKHuaEjQet0IlPlfIb4PzMm8CHa/urOcCgcEA7m3zW/lL5bIFoKPjWig5Lbn1
aHfrG2ngqzWtgWtfZqMH8OkZc1Mdhhmvd46titjiLjeI+UP/uHXR0068PnrNngzl
tTgwlakzu+bWzqhBm1F+3/341st/FEk07r0P/3/PhezVjwfO8c8Exj7pLxH4wrH0
ROHgDbClmlJRu6OO78wk1+Vapf5DWa8YfA+q+fdvr7KvgGyytheKMT/b/dsqOq7y
qZPjmaJKWAvV3RWG8lWHFSdHx2IAHMHfGr17Y/w7AoHBALzwZeYebeekiVucGSjq
T8SgLhT7zCIx+JMUPjVfYzaUhP/Iu7Lkma6IzWm9nW6Drpy5pUpMzwUWDCLfzU9q
eseFIl337kEn9wLn+t5OpgAyCqYmlftxbqvdrrBN9uvnrJjWvqk/8wsDrw9JxAGc
fjeD4nBXUqvYWLXApoR9mZoGKedmoH9pFig4zlO9ig8YITnKYuQ0k6SD0b8agJHc
Ir0YSUDnRGgpjvFBGbeOCe+FGbohk/EpItJc3IAh5740lwKBwAdXd2DjokSmYKn7
oeqKxofz6+yVlLW5YuOiuX78sWlVp87xPolgi84vSEnkKM/Xsc8+goc6YstpRVa+
W+mImoA9YW1dF5HkLeWhTAf9AlgoAEIhbeIfTgBv6KNZSv7RDrDPBBxtXx/vAfSg
x0ldwk0scZsVYXLKd67yzfV7KdGUdaX4N/xYgfZm/9gCG3+q8NN2KxVHQ5F71BOE
JeABOaGo9WvnU+DNMIDZjHJMUWVw4MHz/a/UArDf/2CxaPVBNQKBwASg6j4ohSTk
J7aE6RQ3OBmmDDpixcoCJt9u9SjHVYMlbs5CEJGVSczk0SG3y8P1lOWNDSRnMksZ
xWnHdP/ogcuYMuvK7UACNAF0zNddtzOhzcpNmejFj+WCHYY/UmPr2/Kf6t7Cxk2K
3cZ4tqWsiTmBT8Bknmah7L5DrhS+ZBJliDeFAA8fZHdMH0Xjr4UBp9kF90EMTdW1
Xr5uz7ZrMsYpYQI7mmyqV9SSjUg4iBXwVSoag1iDJ1K8Qg/L7Semgg==
-----END RSA PRIVATE KEY-----
EOF
}


tls_x509_create_root_ca()
{
    name=${1:-ca-cert}

    cat > "${tls_dir}/ca.info" <<EOF
cn = Cthulhu Dark Lord Enterprises $name
ca
cert_signing_key
EOF

    tls_certtool \
        --generate-self-signed \
        --load-privkey "${tls_dir}/key.pem" \
        --template "${tls_dir}/ca.info" \
        --outfile "${tls_dir}/$name-cert.pem"

    rm -f "${tls_dir}/ca.info"
}


tls_x509_create_server()
{
    caname=$1
    name=$2

    # We don't include 'localhost' in the cert, as
    # we want to keep it unlisted to let tests
    # validate hostname override
    mkdir -p "${tls_dir}/$name"
    cat > "${tls_dir}/cert.info" <<EOF
organization = Cthulhu Dark Lord Enterprises $name
cn = iotests.qemu.org
ip_address = 127.0.0.1
ip_address = ::1
tls_www_server
encryption_key
signing_key
EOF

    tls_certtool \
        --generate-certificate \
        --load-ca-privkey "${tls_dir}/key.pem" \
        --load-ca-certificate "${tls_dir}/$caname-cert.pem" \
        --load-privkey "${tls_dir}/key.pem" \
        --template "${tls_dir}/cert.info" \
        --outfile "${tls_dir}/$name/server-cert.pem"

    ln -s "${tls_dir}/$caname-cert.pem" "${tls_dir}/$name/ca-cert.pem"
    ln -s "${tls_dir}/key.pem" "${tls_dir}/$name/server-key.pem"

    rm -f "${tls_dir}/cert.info"
}


tls_x509_create_client()
{
    caname=$1
    name=$2

    mkdir -p "${tls_dir}/$name"
    cat > "${tls_dir}/cert.info" <<EOF
country = South Pacific
locality =  R'lyeh
organization = Cthulhu Dark Lord Enterprises $name
cn = localhost
tls_www_client
encryption_key
signing_key
EOF

    tls_certtool \
        --generate-certificate \
        --load-ca-privkey "${tls_dir}/key.pem" \
        --load-ca-certificate "${tls_dir}/$caname-cert.pem" \
        --load-privkey "${tls_dir}/key.pem" \
        --template "${tls_dir}/cert.info" \
        --outfile "${tls_dir}/$name/client-cert.pem"

    ln -s "${tls_dir}/$caname-cert.pem" "${tls_dir}/$name/ca-cert.pem"
    ln -s "${tls_dir}/key.pem" "${tls_dir}/$name/client-key.pem"

    rm -f "${tls_dir}/cert.info"
}

tls_psk_create_creds()
{
    name=$1

    mkdir -p "${tls_dir}/$name"

    tls_psktool \
	--pskfile "${tls_dir}/$name/keys.psk" \
	--username "$name"
}