1#!/bin/bash 2# 3# Helpers for TLS related config 4# 5# Copyright (C) 2018 Red Hat, Inc. 6# 7# This program is free software; you can redistribute it and/or modify 8# it under the terms of the GNU General Public License as published by 9# the Free Software Foundation; either version 2 of the License, or 10# (at your option) any later version. 11# 12# This program is distributed in the hope that it will be useful, 13# but WITHOUT ANY WARRANTY; without even the implied warranty of 14# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15# GNU General Public License for more details. 16# 17# You should have received a copy of the GNU General Public License 18# along with this program. If not, see <http://www.gnu.org/licenses/>. 19# 20 21tls_dir="${TEST_DIR}/tls" 22 23tls_x509_cleanup() 24{ 25 rm -f "${tls_dir}"/*.pem 26 rm -f "${tls_dir}"/*/*.pem 27 rmdir "${tls_dir}"/* 28 rmdir "${tls_dir}" 29} 30 31 32tls_certtool() 33{ 34 certtool "$@" 1>"${tls_dir}"/certtool.log 2>&1 35 if test "$?" = 0; then 36 head -1 "${tls_dir}"/certtool.log 37 else 38 cat "${tls_dir}"/certtool.log 39 fi 40 rm -f "${tls_dir}"/certtool.log 41} 42 43tls_x509_init() 44{ 45 (certtool --help) >/dev/null 2>&1 || \ 46 _notrun "certtool utility not found, skipping test" 47 48 mkdir -p "${tls_dir}" 49 50 # use a fixed key so we don't waste system entropy on 51 # each test run 52 cat > "${tls_dir}/key.pem" <<EOF 53-----BEGIN PRIVATE KEY----- 54MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBALVcr 55BL40Tm6yq88FBhJNw1aaoCjmtg0l4dWQZ/e9Fimx4ARxFpT+ji4FE 56Cgl9s/SGqC+1nvlkm9ViSo0j7MKDbnDB+VRHDvMAzQhA2X7e8M0n9 57rPolUY2lIVC83q0BBaOBkCj2RSmT2xTEbbC2xLukSrg2WP/ihVOxc 58kXRuyFtzAgMBAAECgYB7slBexDwXrtItAMIH6m/U+LUpNe0Xx48OL 59IOn4a4whNgO/o84uIwygUK27ZGFZT0kAGAk8CdF9hA6ArcbQ62s1H 60myxrUbF9/mrLsQw1NEqpuUk9Ay2Tx5U/wPx35S3W/X2AvR/ZpTnCn 612q/7ym9fyiSoj86drD7BTvmKXlOnOwQJBAPOFMp4mMa9NGpGuEssO 62m3Uwbp6lhcP0cA9MK+iOmeANpoKWfBdk5O34VbmeXnGYWEkrnX+9J 63bM4wVhnnBWtgBMCQQC+qAEmvwcfhauERKYznMVUVksyeuhxhCe7EK 64mPh+U2+g0WwdKvGDgO0PPt1gq0ILEjspMDeMHVdTwkaVBo/uMhAkA 65Z5SsZyCP2aTOPFDypXRdI4eqRcjaEPOUBq27r3uYb/jeboVb2weLa 66L1MmVuHiIHoa5clswPdWVI2y0em2IGoDAkBPSp/v9VKJEZabk9Frd 67a+7u4fanrM9QrEjY3KhduslSilXZZSxrWjjAJPyPiqFb3M8XXA26W 68nz1KYGnqYKhLcBAkB7dt57n9xfrhDpuyVEv+Uv1D3VVAhZlsaZ5Pp 69dcrhrkJn2sa/+O8OKvdrPSeeu/N5WwYhJf61+CPoenMp7IFci 70-----END PRIVATE KEY----- 71EOF 72} 73 74 75tls_x509_create_root_ca() 76{ 77 name=${1:-ca-cert} 78 79 cat > "${tls_dir}/ca.info" <<EOF 80cn = Cthulhu Dark Lord Enterprises $name 81ca 82cert_signing_key 83EOF 84 85 tls_certtool \ 86 --generate-self-signed \ 87 --load-privkey "${tls_dir}/key.pem" \ 88 --template "${tls_dir}/ca.info" \ 89 --outfile "${tls_dir}/$name-cert.pem" 90 91 rm -f "${tls_dir}/ca.info" 92} 93 94 95tls_x509_create_server() 96{ 97 caname=$1 98 name=$2 99 100 mkdir -p "${tls_dir}/$name" 101 cat > "${tls_dir}/cert.info" <<EOF 102organization = Cthulhu Dark Lord Enterprises $name 103cn = localhost 104dns_name = localhost 105dns_name = localhost.localdomain 106ip_address = 127.0.0.1 107ip_address = ::1 108tls_www_server 109encryption_key 110signing_key 111EOF 112 113 tls_certtool \ 114 --generate-certificate \ 115 --load-ca-privkey "${tls_dir}/key.pem" \ 116 --load-ca-certificate "${tls_dir}/$caname-cert.pem" \ 117 --load-privkey "${tls_dir}/key.pem" \ 118 --template "${tls_dir}/cert.info" \ 119 --outfile "${tls_dir}/$name/server-cert.pem" 120 121 ln -s "${tls_dir}/$caname-cert.pem" "${tls_dir}/$name/ca-cert.pem" 122 ln -s "${tls_dir}/key.pem" "${tls_dir}/$name/server-key.pem" 123 124 rm -f "${tls_dir}/cert.info" 125} 126 127 128tls_x509_create_client() 129{ 130 caname=$1 131 name=$2 132 133 mkdir -p "${tls_dir}/$name" 134 cat > "${tls_dir}/cert.info" <<EOF 135country = South Pacific 136locality = R'lyeh 137organization = Cthulhu Dark Lord Enterprises $name 138cn = localhost 139tls_www_client 140encryption_key 141signing_key 142EOF 143 144 tls_certtool \ 145 --generate-certificate \ 146 --load-ca-privkey "${tls_dir}/key.pem" \ 147 --load-ca-certificate "${tls_dir}/$caname-cert.pem" \ 148 --load-privkey "${tls_dir}/key.pem" \ 149 --template "${tls_dir}/cert.info" \ 150 --outfile "${tls_dir}/$name/client-cert.pem" 151 152 ln -s "${tls_dir}/$caname-cert.pem" "${tls_dir}/$name/ca-cert.pem" 153 ln -s "${tls_dir}/key.pem" "${tls_dir}/$name/client-key.pem" 154 155 rm -f "${tls_dir}/cert.info" 156} 157