tests/qemu-iotests/common.tls

#!/bin/bash
#
# Helpers for TLS related config
#
# Copyright (C) 2018 Red Hat, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

tls_dir="${TEST_DIR}/tls"

tls_x509_cleanup()
{
    rm -f "${tls_dir}"/*.pem
    rm -f "${tls_dir}"/*/*.pem
    rmdir "${tls_dir}"/*
    rmdir "${tls_dir}"
}


tls_x509_init()
{
    (certtool --help) >/dev/null 2>&1 || \
	_notrun "certtool utility not found, skipping test"

    mkdir -p "${tls_dir}"

    # use a fixed key so we don't waste system entropy on
    # each test run
    cat > "${tls_dir}/key.pem" <<EOF
-----BEGIN PRIVATE KEY-----
MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBALVcr
BL40Tm6yq88FBhJNw1aaoCjmtg0l4dWQZ/e9Fimx4ARxFpT+ji4FE
Cgl9s/SGqC+1nvlkm9ViSo0j7MKDbnDB+VRHDvMAzQhA2X7e8M0n9
rPolUY2lIVC83q0BBaOBkCj2RSmT2xTEbbC2xLukSrg2WP/ihVOxc
kXRuyFtzAgMBAAECgYB7slBexDwXrtItAMIH6m/U+LUpNe0Xx48OL
IOn4a4whNgO/o84uIwygUK27ZGFZT0kAGAk8CdF9hA6ArcbQ62s1H
myxrUbF9/mrLsQw1NEqpuUk9Ay2Tx5U/wPx35S3W/X2AvR/ZpTnCn
2q/7ym9fyiSoj86drD7BTvmKXlOnOwQJBAPOFMp4mMa9NGpGuEssO
m3Uwbp6lhcP0cA9MK+iOmeANpoKWfBdk5O34VbmeXnGYWEkrnX+9J
bM4wVhnnBWtgBMCQQC+qAEmvwcfhauERKYznMVUVksyeuhxhCe7EK
mPh+U2+g0WwdKvGDgO0PPt1gq0ILEjspMDeMHVdTwkaVBo/uMhAkA
Z5SsZyCP2aTOPFDypXRdI4eqRcjaEPOUBq27r3uYb/jeboVb2weLa
L1MmVuHiIHoa5clswPdWVI2y0em2IGoDAkBPSp/v9VKJEZabk9Frd
a+7u4fanrM9QrEjY3KhduslSilXZZSxrWjjAJPyPiqFb3M8XXA26W
nz1KYGnqYKhLcBAkB7dt57n9xfrhDpuyVEv+Uv1D3VVAhZlsaZ5Pp
dcrhrkJn2sa/+O8OKvdrPSeeu/N5WwYhJf61+CPoenMp7IFci
-----END PRIVATE KEY-----
EOF
}


tls_x509_create_root_ca()
{
    name=${1:-ca-cert}

    cat > "${tls_dir}/ca.info" <<EOF
cn = Cthulhu Dark Lord Enterprises $name
ca
cert_signing_key
EOF

    certtool --generate-self-signed \
             --load-privkey "${tls_dir}/key.pem" \
             --template "${tls_dir}/ca.info" \
             --outfile "${tls_dir}/$name-cert.pem" 2>&1 | head -1

    rm -f "${tls_dir}/ca.info"
}


tls_x509_create_server()
{
    caname=$1
    name=$2

    mkdir -p "${tls_dir}/$name"
    cat > "${tls_dir}/cert.info" <<EOF
organization = Cthulhu Dark Lord Enterprises $name
cn = localhost
dns_name = localhost
dns_name = localhost.localdomain
ip_address = 127.0.0.1
ip_address = ::1
tls_www_server
encryption_key
signing_key
EOF

    certtool --generate-certificate \
             --load-ca-privkey "${tls_dir}/key.pem" \
             --load-ca-certificate "${tls_dir}/$caname-cert.pem" \
             --load-privkey "${tls_dir}/key.pem" \
             --template "${tls_dir}/cert.info" \
             --outfile "${tls_dir}/$name/server-cert.pem" 2>&1 | head -1
    ln -s "${tls_dir}/$caname-cert.pem" "${tls_dir}/$name/ca-cert.pem"
    ln -s "${tls_dir}/key.pem" "${tls_dir}/$name/server-key.pem"

    rm -f "${tls_dir}/cert.info"
}


tls_x509_create_client()
{
    caname=$1
    name=$2

    mkdir -p "${tls_dir}/$name"
    cat > "${tls_dir}/cert.info" <<EOF
country = South Pacific
locality =  R'lyeh
organization = Cthulhu Dark Lord Enterprises $name
cn = localhost
tls_www_client
encryption_key
signing_key
EOF

    certtool --generate-certificate \
             --load-ca-privkey "${tls_dir}/key.pem" \
             --load-ca-certificate "${tls_dir}/$caname-cert.pem" \
             --load-privkey "${tls_dir}/key.pem" \
             --template "${tls_dir}/cert.info" \
             --outfile "${tls_dir}/$name/client-cert.pem" 2>&1 | head -1
    ln -s "${tls_dir}/$caname-cert.pem" "${tls_dir}/$name/ca-cert.pem"
    ln -s "${tls_dir}/key.pem" "${tls_dir}/$name/client-key.pem"

    rm -f "${tls_dir}/cert.info"
}