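#!/usr/bin/env bash
#
# Helpers for TLS related config
#
# Copyright (C) 2018 Red Hat, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#
# Source this file after TEST_DIR is set; every helper below works
# under "${TEST_DIR}/tls". Everything generated here is a test fixture:
# the private key is fixed (and therefore public), and the same key is
# used for the CA, the server and the client certificates. Nothing
# produced by these helpers may be trusted outside a test run.
#

tls_dir="${TEST_DIR}/tls"

# Remove the certificates, keys and per-host directories created by the
# helpers below, then the tls directory itself.
#
# Only *.pem entries are removed on purpose: a stale .info template or
# certtool.log left by an interrupted run makes the final rmdir fail
# loudly rather than being silently discarded.
tls_x509_cleanup()
{
    rm -f "${tls_dir}"/*.pem
    rm -f "${tls_dir}"/*/*.pem
    rmdir "${tls_dir}"/*
    rmdir "${tls_dir}"
}


# Run certtool with the given arguments, capturing stdout and stderr.
#
# On success only the first line of certtool's output is echoed so the
# test output stays stable; on failure the whole log is echoed so the
# error is visible. Returns certtool's exit status (previously the
# status of the trailing rm -f was returned, hiding failures).
tls_certtool()
{
    local log="${tls_dir}/certtool.log"
    local rc

    certtool "$@" 1>"${log}" 2>&1
    rc=$?
    if test "${rc}" = 0; then
        head -n 1 "${log}"
    else
        cat "${log}"
    fi
    rm -f "${log}"
    return "${rc}"
}

# Verify certtool is available (otherwise mark the test as not run),
# create the tls directory and install the fixed RSA private key that
# every certificate created by the other helpers is based on.
tls_x509_init()
{
    (certtool --help) >/dev/null 2>&1 || \
        _notrun "certtool utility not found, skipping test"

    mkdir -p "${tls_dir}"

    # use a fixed key so we don't waste system entropy on
    # each test run
    #
    # NOTE: this key is checked into the source tree and is therefore
    # compromised by definition. It doubles as the CA signing key and
    # the end-entity key below, which is acceptable for an isolated
    # test but must never be reused for anything reachable from a
    # real network.
    cat > "${tls_dir}/key.pem" <<EOF
-----BEGIN RSA PRIVATE KEY-----
MIIG5AIBAAKCAYEAyjWyLSNm5PZvYUKUcDWGqbLX10b2ood+YaFjWSnJrqx/q3qh
rVGBJglD25AJENJsmZF3zPP1oMhfIxsXu63Hdkb6Rdlc2RUoUP34x9VC1izH25mR
6c8DPDp1d6IraZ/llDMI1HsBFz0qGWtvOHgm815XG4PAr/N8rDsuqfv/cJ01KlnO
0OdO5QRXCJf9g/dYd41MPu7wOXk9FqjQlmRoP59HgtJ+zUpE4z+Keruw9cMT9VJj
0oT+pQ9ysenqeZ3gbT224T1khrEhT5kifhtFLNyDssRchUUWH0hiqoOO1vgb+850
W6/1VdxvuPam48py4diSPi1Vip8NITCOBaX9FIpVp4Ruw4rTPVMNMjq9Cpx/DwMP
9MbfXfnaVaZaMrmq67/zPhl0eVbUrecH2hQ3ZB9oIF4GkNskzlWF5+yPy6zqk304
AKaiFR6jRyh3YfHo2XFqV8x/hxdsIEXOtEUGhSIcpynsW+ckUCartzu7xbhXjd4b
kxJT89+riPFYij09AgMBAAECggGBAKyFkaZXXROeejrmHlV6JZGlp+fhgM38gkRz
+Jp7P7rLLAY3E7gXIPQ91WqAAmwazFNdvHPd9USfkCQYmnAi/VoZhrCPmlsQZRxt
A5QjjOnEvSPMa6SrXZxGWDCg6R8uMCb4P+FhrPWR1thnRDZOtRTQ+crc50p3mHgt
6ktXWIJRbqnag8zSfQqCYGtRmhe8sfsWT+Yl4El4+jjaAVU/B364u7+PLmaiphGp
BdJfTsTwEpgtGkPj+osDmhzXcZkfq3V+fz5JLkemsCiQKmn4VJRpg8c3ZmE8NPNt
gRtGWZ4W3WKDvhotT65WpQx4+6R8Duux/blNPBmH1Upmwd7kj7GYFBArbCjgd9PT
xgfCSUZpgOZHHkcgSB+022a8XncXna7WYYij28SLtwImFyu0nNtqECFQHH5u+k6C
LRYBSN+3t3At8dQuk01NVrJBndmjmXRfxpqUtTdeaNgVpdUYRY98s30G68NYGSra
aEvhhRSghkcLNetkobpY9pUgeqW/tQKBwQDZHHK9nDMt/zk1TxtILeUSitPXcv1/
8ufXqO0miHdH23XuXhIEA6Ef26RRVGDGgpjkveDJK/1w5feJ4H/ni4Vclil/cm38
OwRqjjd7ElHJX6JQbsxEx/gNTk5/QW1iAL9TXUalgepsSXYT6AJ0/CJv0jmJSJ36
YoKMOM8uqzb2KhN6i+RlJRi5iY53kUhWTJq5ArWvNhUzQNSYODI4bNxlsKSBL2Ik
LZ5QKHuaEjQet0IlPlfIb4PzMm8CHa/urOcCgcEA7m3zW/lL5bIFoKPjWig5Lbn1
aHfrG2ngqzWtgWtfZqMH8OkZc1Mdhhmvd46titjiLjeI+UP/uHXR0068PnrNngzl
tTgwlakzu+bWzqhBm1F+3/341st/FEk07r0P/3/PhezVjwfO8c8Exj7pLxH4wrH0
ROHgDbClmlJRu6OO78wk1+Vapf5DWa8YfA+q+fdvr7KvgGyytheKMT/b/dsqOq7y
qZPjmaJKWAvV3RWG8lWHFSdHx2IAHMHfGr17Y/w7AoHBALzwZeYebeekiVucGSjq
T8SgLhT7zCIx+JMUPjVfYzaUhP/Iu7Lkma6IzWm9nW6Drpy5pUpMzwUWDCLfzU9q
eseFIl337kEn9wLn+t5OpgAyCqYmlftxbqvdrrBN9uvnrJjWvqk/8wsDrw9JxAGc
fjeD4nBXUqvYWLXApoR9mZoGKedmoH9pFig4zlO9ig8YITnKYuQ0k6SD0b8agJHc
Ir0YSUDnRGgpjvFBGbeOCe+FGbohk/EpItJc3IAh5740lwKBwAdXd2DjokSmYKn7
oeqKxofz6+yVlLW5YuOiuX78sWlVp87xPolgi84vSEnkKM/Xsc8+goc6YstpRVa+
W+mImoA9YW1dF5HkLeWhTAf9AlgoAEIhbeIfTgBv6KNZSv7RDrDPBBxtXx/vAfSg
x0ldwk0scZsVYXLKd67yzfV7KdGUdaX4N/xYgfZm/9gCG3+q8NN2KxVHQ5F71BOE
JeABOaGo9WvnU+DNMIDZjHJMUWVw4MHz/a/UArDf/2CxaPVBNQKBwASg6j4ohSTk
J7aE6RQ3OBmmDDpixcoCJt9u9SjHVYMlbs5CEJGVSczk0SG3y8P1lOWNDSRnMksZ
xWnHdP/ogcuYMuvK7UACNAF0zNddtzOhzcpNmejFj+WCHYY/UmPr2/Kf6t7Cxk2K
3cZ4tqWsiTmBT8Bknmah7L5DrhS+ZBJliDeFAA8fZHdMH0Xjr4UBp9kF90EMTdW1
Xr5uz7ZrMsYpYQI7mmyqV9SSjUg4iBXwVSoag1iDJ1K8Qg/L7Semgg==
-----END RSA PRIVATE KEY-----
EOF
}


# Create a self-signed CA certificate "${tls_dir}/$1-cert.pem" (default
# name "ca-cert") from the shared private key.
#
# The template grants only the "ca" and "cert_signing_key" roles, so the
# CA certificate cannot itself be presented as a TLS endpoint.
# Returns the status of tls_certtool.
tls_x509_create_root_ca()
{
    local name="${1:-ca-cert}"
    local rc

    cat > "${tls_dir}/ca.info" <<EOF
cn = Cthulhu Dark Lord Enterprises $name
ca
cert_signing_key
EOF

    tls_certtool \
        --generate-self-signed \
        --load-privkey "${tls_dir}/key.pem" \
        --template "${tls_dir}/ca.info" \
        --outfile "${tls_dir}/$name-cert.pem"
    rc=$?

    rm -f "${tls_dir}/ca.info"
    return "${rc}"
}


# Issue a server certificate for localhost signed by CA "$1", placing
# "server-cert.pem" plus "ca-cert.pem"/"server-key.pem" symlinks in
# "${tls_dir}/$2". The SAN covers localhost, localhost.localdomain,
# 127.0.0.1 and ::1 so either name or IP based verification succeeds.
# Returns the status of tls_certtool.
tls_x509_create_server()
{
    local caname="$1"
    local name="$2"
    local rc

    mkdir -p "${tls_dir}/$name"
    cat > "${tls_dir}/cert.info" <<EOF
organization = Cthulhu Dark Lord Enterprises $name
cn = localhost
dns_name = localhost
dns_name = localhost.localdomain
ip_address = 127.0.0.1
ip_address = ::1
tls_www_server
encryption_key
signing_key
EOF

    tls_certtool \
        --generate-certificate \
        --load-ca-privkey "${tls_dir}/key.pem" \
        --load-ca-certificate "${tls_dir}/$caname-cert.pem" \
        --load-privkey "${tls_dir}/key.pem" \
        --template "${tls_dir}/cert.info" \
        --outfile "${tls_dir}/$name/server-cert.pem"
    rc=$?

    ln -s "${tls_dir}/$caname-cert.pem" "${tls_dir}/$name/ca-cert.pem"
    ln -s "${tls_dir}/key.pem" "${tls_dir}/$name/server-key.pem"

    rm -f "${tls_dir}/cert.info"
    return "${rc}"
}


# Issue a client certificate signed by CA "$1", placing "client-cert.pem"
# plus "ca-cert.pem"/"client-key.pem" symlinks in "${tls_dir}/$2".
# The template carries only the tls_www_client role, so a client
# certificate cannot be replayed as a server identity.
# Returns the status of tls_certtool.
tls_x509_create_client()
{
    local caname="$1"
    local name="$2"
    local rc

    mkdir -p "${tls_dir}/$name"
    cat > "${tls_dir}/cert.info" <<EOF
country = South Pacific
locality = R'lyeh
organization = Cthulhu Dark Lord Enterprises $name
cn = localhost
tls_www_client
encryption_key
signing_key
EOF

    tls_certtool \
        --generate-certificate \
        --load-ca-privkey "${tls_dir}/key.pem" \
        --load-ca-certificate "${tls_dir}/$caname-cert.pem" \
        --load-privkey "${tls_dir}/key.pem" \
        --template "${tls_dir}/cert.info" \
        --outfile "${tls_dir}/$name/client-cert.pem"
    rc=$?

    ln -s "${tls_dir}/$caname-cert.pem" "${tls_dir}/$name/ca-cert.pem"
    ln -s "${tls_dir}/key.pem" "${tls_dir}/$name/client-key.pem"

    rm -f "${tls_dir}/cert.info"
    return "${rc}"
}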