1da668aa1SThomas Huth /*
2da668aa1SThomas Huth * Copyright (C) 2015 Red Hat, Inc.
3da668aa1SThomas Huth *
4da668aa1SThomas Huth * This library is free software; you can redistribute it and/or
5da668aa1SThomas Huth * modify it under the terms of the GNU Lesser General Public
6da668aa1SThomas Huth * License as published by the Free Software Foundation; either
7da668aa1SThomas Huth * version 2.1 of the License, or (at your option) any later version.
8da668aa1SThomas Huth *
9da668aa1SThomas Huth * This library is distributed in the hope that it will be useful,
10da668aa1SThomas Huth * but WITHOUT ANY WARRANTY; without even the implied warranty of
11da668aa1SThomas Huth * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12da668aa1SThomas Huth * Lesser General Public License for more details.
13da668aa1SThomas Huth *
14da668aa1SThomas Huth * You should have received a copy of the GNU Lesser General Public
15da668aa1SThomas Huth * License along with this library. If not, see
16da668aa1SThomas Huth * <http://www.gnu.org/licenses/>.
17da668aa1SThomas Huth *
18da668aa1SThomas Huth * Author: Daniel P. Berrange <berrange@redhat.com>
19da668aa1SThomas Huth */
20da668aa1SThomas Huth
21da668aa1SThomas Huth #include "qemu/osdep.h"
22da668aa1SThomas Huth
23*0e9bb8adSPhilippe Mathieu-Daudé #include <libtasn1.h>
24*0e9bb8adSPhilippe Mathieu-Daudé
25da668aa1SThomas Huth #include "crypto-tls-x509-helpers.h"
26da668aa1SThomas Huth #include "crypto/init.h"
27da668aa1SThomas Huth #include "qemu/sockets.h"
28da668aa1SThomas Huth
29*0e9bb8adSPhilippe Mathieu-Daudé #include "pkix_asn1_tab.c.inc"
30*0e9bb8adSPhilippe Mathieu-Daudé
31da668aa1SThomas Huth /*
32da668aa1SThomas Huth * This stores some static data that is needed when
33da668aa1SThomas Huth * encoding extensions in the x509 certs
34da668aa1SThomas Huth */
35*0e9bb8adSPhilippe Mathieu-Daudé static asn1_node pkix_asn1;
36da668aa1SThomas Huth
37da668aa1SThomas Huth /*
38da668aa1SThomas Huth * To avoid consuming random entropy to generate keys,
39da668aa1SThomas Huth * here's one we prepared earlier :-)
40da668aa1SThomas Huth */
41da668aa1SThomas Huth gnutls_x509_privkey_t privkey;
42da668aa1SThomas Huth # define PRIVATE_KEY \
43da668aa1SThomas Huth "-----BEGIN RSA PRIVATE KEY-----\n" \
44da668aa1SThomas Huth "MIIG5AIBAAKCAYEAyjWyLSNm5PZvYUKUcDWGqbLX10b2ood+YaFjWSnJrqx/q3qh\n" \
45da668aa1SThomas Huth "rVGBJglD25AJENJsmZF3zPP1oMhfIxsXu63Hdkb6Rdlc2RUoUP34x9VC1izH25mR\n" \
46da668aa1SThomas Huth "6c8DPDp1d6IraZ/llDMI1HsBFz0qGWtvOHgm815XG4PAr/N8rDsuqfv/cJ01KlnO\n" \
47da668aa1SThomas Huth "0OdO5QRXCJf9g/dYd41MPu7wOXk9FqjQlmRoP59HgtJ+zUpE4z+Keruw9cMT9VJj\n" \
48da668aa1SThomas Huth "0oT+pQ9ysenqeZ3gbT224T1khrEhT5kifhtFLNyDssRchUUWH0hiqoOO1vgb+850\n" \
49da668aa1SThomas Huth "W6/1VdxvuPam48py4diSPi1Vip8NITCOBaX9FIpVp4Ruw4rTPVMNMjq9Cpx/DwMP\n" \
50da668aa1SThomas Huth "9MbfXfnaVaZaMrmq67/zPhl0eVbUrecH2hQ3ZB9oIF4GkNskzlWF5+yPy6zqk304\n" \
51da668aa1SThomas Huth "AKaiFR6jRyh3YfHo2XFqV8x/hxdsIEXOtEUGhSIcpynsW+ckUCartzu7xbhXjd4b\n" \
52da668aa1SThomas Huth "kxJT89+riPFYij09AgMBAAECggGBAKyFkaZXXROeejrmHlV6JZGlp+fhgM38gkRz\n" \
53da668aa1SThomas Huth "+Jp7P7rLLAY3E7gXIPQ91WqAAmwazFNdvHPd9USfkCQYmnAi/VoZhrCPmlsQZRxt\n" \
54da668aa1SThomas Huth "A5QjjOnEvSPMa6SrXZxGWDCg6R8uMCb4P+FhrPWR1thnRDZOtRTQ+crc50p3mHgt\n" \
55da668aa1SThomas Huth "6ktXWIJRbqnag8zSfQqCYGtRmhe8sfsWT+Yl4El4+jjaAVU/B364u7+PLmaiphGp\n" \
56da668aa1SThomas Huth "BdJfTsTwEpgtGkPj+osDmhzXcZkfq3V+fz5JLkemsCiQKmn4VJRpg8c3ZmE8NPNt\n" \
57da668aa1SThomas Huth "gRtGWZ4W3WKDvhotT65WpQx4+6R8Duux/blNPBmH1Upmwd7kj7GYFBArbCjgd9PT\n" \
58da668aa1SThomas Huth "xgfCSUZpgOZHHkcgSB+022a8XncXna7WYYij28SLtwImFyu0nNtqECFQHH5u+k6C\n" \
59da668aa1SThomas Huth "LRYBSN+3t3At8dQuk01NVrJBndmjmXRfxpqUtTdeaNgVpdUYRY98s30G68NYGSra\n" \
60da668aa1SThomas Huth "aEvhhRSghkcLNetkobpY9pUgeqW/tQKBwQDZHHK9nDMt/zk1TxtILeUSitPXcv1/\n" \
61da668aa1SThomas Huth "8ufXqO0miHdH23XuXhIEA6Ef26RRVGDGgpjkveDJK/1w5feJ4H/ni4Vclil/cm38\n" \
62da668aa1SThomas Huth "OwRqjjd7ElHJX6JQbsxEx/gNTk5/QW1iAL9TXUalgepsSXYT6AJ0/CJv0jmJSJ36\n" \
63da668aa1SThomas Huth "YoKMOM8uqzb2KhN6i+RlJRi5iY53kUhWTJq5ArWvNhUzQNSYODI4bNxlsKSBL2Ik\n" \
64da668aa1SThomas Huth "LZ5QKHuaEjQet0IlPlfIb4PzMm8CHa/urOcCgcEA7m3zW/lL5bIFoKPjWig5Lbn1\n" \
65da668aa1SThomas Huth "aHfrG2ngqzWtgWtfZqMH8OkZc1Mdhhmvd46titjiLjeI+UP/uHXR0068PnrNngzl\n" \
66da668aa1SThomas Huth "tTgwlakzu+bWzqhBm1F+3/341st/FEk07r0P/3/PhezVjwfO8c8Exj7pLxH4wrH0\n" \
67da668aa1SThomas Huth "ROHgDbClmlJRu6OO78wk1+Vapf5DWa8YfA+q+fdvr7KvgGyytheKMT/b/dsqOq7y\n" \
68da668aa1SThomas Huth "qZPjmaJKWAvV3RWG8lWHFSdHx2IAHMHfGr17Y/w7AoHBALzwZeYebeekiVucGSjq\n" \
69da668aa1SThomas Huth "T8SgLhT7zCIx+JMUPjVfYzaUhP/Iu7Lkma6IzWm9nW6Drpy5pUpMzwUWDCLfzU9q\n" \
70da668aa1SThomas Huth "eseFIl337kEn9wLn+t5OpgAyCqYmlftxbqvdrrBN9uvnrJjWvqk/8wsDrw9JxAGc\n" \
71da668aa1SThomas Huth "fjeD4nBXUqvYWLXApoR9mZoGKedmoH9pFig4zlO9ig8YITnKYuQ0k6SD0b8agJHc\n" \
72da668aa1SThomas Huth "Ir0YSUDnRGgpjvFBGbeOCe+FGbohk/EpItJc3IAh5740lwKBwAdXd2DjokSmYKn7\n" \
73da668aa1SThomas Huth "oeqKxofz6+yVlLW5YuOiuX78sWlVp87xPolgi84vSEnkKM/Xsc8+goc6YstpRVa+\n" \
74da668aa1SThomas Huth "W+mImoA9YW1dF5HkLeWhTAf9AlgoAEIhbeIfTgBv6KNZSv7RDrDPBBxtXx/vAfSg\n" \
75da668aa1SThomas Huth "x0ldwk0scZsVYXLKd67yzfV7KdGUdaX4N/xYgfZm/9gCG3+q8NN2KxVHQ5F71BOE\n" \
76da668aa1SThomas Huth "JeABOaGo9WvnU+DNMIDZjHJMUWVw4MHz/a/UArDf/2CxaPVBNQKBwASg6j4ohSTk\n" \
77da668aa1SThomas Huth "J7aE6RQ3OBmmDDpixcoCJt9u9SjHVYMlbs5CEJGVSczk0SG3y8P1lOWNDSRnMksZ\n" \
78da668aa1SThomas Huth "xWnHdP/ogcuYMuvK7UACNAF0zNddtzOhzcpNmejFj+WCHYY/UmPr2/Kf6t7Cxk2K\n" \
79da668aa1SThomas Huth "3cZ4tqWsiTmBT8Bknmah7L5DrhS+ZBJliDeFAA8fZHdMH0Xjr4UBp9kF90EMTdW1\n" \
80da668aa1SThomas Huth "Xr5uz7ZrMsYpYQI7mmyqV9SSjUg4iBXwVSoag1iDJ1K8Qg/L7Semgg==\n" \
81da668aa1SThomas Huth "-----END RSA PRIVATE KEY-----\n"
82da668aa1SThomas Huth
83da668aa1SThomas Huth /*
84da668aa1SThomas Huth * This loads the private key we defined earlier
85da668aa1SThomas Huth */
test_tls_load_key(void)86da668aa1SThomas Huth static gnutls_x509_privkey_t test_tls_load_key(void)
87da668aa1SThomas Huth {
88da668aa1SThomas Huth gnutls_x509_privkey_t key;
89da668aa1SThomas Huth const gnutls_datum_t data = { (unsigned char *)PRIVATE_KEY,
90da668aa1SThomas Huth strlen(PRIVATE_KEY) };
91da668aa1SThomas Huth int err;
92da668aa1SThomas Huth
93da668aa1SThomas Huth err = gnutls_x509_privkey_init(&key);
94da668aa1SThomas Huth if (err < 0) {
95da668aa1SThomas Huth g_critical("Failed to init key %s", gnutls_strerror(err));
96da668aa1SThomas Huth abort();
97da668aa1SThomas Huth }
98da668aa1SThomas Huth
99da668aa1SThomas Huth err = gnutls_x509_privkey_import(key, &data,
100da668aa1SThomas Huth GNUTLS_X509_FMT_PEM);
101da668aa1SThomas Huth if (err < 0) {
102da668aa1SThomas Huth if (err != GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR &&
103da668aa1SThomas Huth err != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
104da668aa1SThomas Huth g_critical("Failed to import key %s", gnutls_strerror(err));
105da668aa1SThomas Huth abort();
106da668aa1SThomas Huth }
107da668aa1SThomas Huth
108da668aa1SThomas Huth err = gnutls_x509_privkey_import_pkcs8(
109da668aa1SThomas Huth key, &data, GNUTLS_X509_FMT_PEM, NULL, 0);
110da668aa1SThomas Huth if (err < 0) {
111da668aa1SThomas Huth g_critical("Failed to import PKCS8 key %s", gnutls_strerror(err));
112da668aa1SThomas Huth abort();
113da668aa1SThomas Huth }
114da668aa1SThomas Huth }
115da668aa1SThomas Huth
116da668aa1SThomas Huth return key;
117da668aa1SThomas Huth }
118da668aa1SThomas Huth
119da668aa1SThomas Huth
test_tls_init(const char * keyfile)120da668aa1SThomas Huth void test_tls_init(const char *keyfile)
121da668aa1SThomas Huth {
122da668aa1SThomas Huth qcrypto_init(&error_abort);
123da668aa1SThomas Huth
124da668aa1SThomas Huth if (asn1_array2tree(pkix_asn1_tab, &pkix_asn1, NULL) != ASN1_SUCCESS) {
125da668aa1SThomas Huth abort();
126da668aa1SThomas Huth }
127da668aa1SThomas Huth
128da668aa1SThomas Huth privkey = test_tls_load_key();
129da668aa1SThomas Huth if (!g_file_set_contents(keyfile, PRIVATE_KEY, -1, NULL)) {
130da668aa1SThomas Huth abort();
131da668aa1SThomas Huth }
132da668aa1SThomas Huth }
133da668aa1SThomas Huth
134da668aa1SThomas Huth
test_tls_cleanup(const char * keyfile)135da668aa1SThomas Huth void test_tls_cleanup(const char *keyfile)
136da668aa1SThomas Huth {
137da668aa1SThomas Huth asn1_delete_structure(&pkix_asn1);
138da668aa1SThomas Huth unlink(keyfile);
139da668aa1SThomas Huth }
140da668aa1SThomas Huth
141da668aa1SThomas Huth /*
142da668aa1SThomas Huth * Turns an ASN1 object into a DER encoded byte array
143da668aa1SThomas Huth */
test_tls_der_encode(asn1_node src,const char * src_name,gnutls_datum_t * res)144da668aa1SThomas Huth static void test_tls_der_encode(asn1_node src,
145da668aa1SThomas Huth const char *src_name,
146da668aa1SThomas Huth gnutls_datum_t *res)
147da668aa1SThomas Huth {
148da668aa1SThomas Huth int size;
149da668aa1SThomas Huth char *data = NULL;
150da668aa1SThomas Huth
151da668aa1SThomas Huth size = 0;
152da668aa1SThomas Huth asn1_der_coding(src, src_name, NULL, &size, NULL);
153da668aa1SThomas Huth
154da668aa1SThomas Huth data = g_new0(char, size);
155da668aa1SThomas Huth
156da668aa1SThomas Huth asn1_der_coding(src, src_name, data, &size, NULL);
157da668aa1SThomas Huth
158da668aa1SThomas Huth res->data = (unsigned char *)data;
159da668aa1SThomas Huth res->size = size;
160da668aa1SThomas Huth }
161da668aa1SThomas Huth
162da668aa1SThomas Huth
163da668aa1SThomas Huth static void
test_tls_get_ipaddr(const char * addrstr,char ** data,int * datalen)164da668aa1SThomas Huth test_tls_get_ipaddr(const char *addrstr,
165da668aa1SThomas Huth char **data,
166da668aa1SThomas Huth int *datalen)
167da668aa1SThomas Huth {
168da668aa1SThomas Huth struct addrinfo *res;
169da668aa1SThomas Huth struct addrinfo hints;
170da668aa1SThomas Huth
171da668aa1SThomas Huth memset(&hints, 0, sizeof(hints));
172da668aa1SThomas Huth hints.ai_flags = AI_NUMERICHOST;
173da668aa1SThomas Huth g_assert(getaddrinfo(addrstr, NULL, &hints, &res) == 0);
174da668aa1SThomas Huth
175c98ce274SDaniel P. Berrangé if (res->ai_family == AF_INET) {
176c98ce274SDaniel P. Berrangé struct sockaddr_in *in = (struct sockaddr_in *)res->ai_addr;
177c98ce274SDaniel P. Berrangé *datalen = sizeof(in->sin_addr);
178da668aa1SThomas Huth *data = g_new(char, *datalen);
179c98ce274SDaniel P. Berrangé memcpy(*data, &in->sin_addr, *datalen);
180c98ce274SDaniel P. Berrangé } else if (res->ai_family == AF_INET6) {
181c98ce274SDaniel P. Berrangé struct sockaddr_in6 *in = (struct sockaddr_in6 *)res->ai_addr;
182c98ce274SDaniel P. Berrangé *datalen = sizeof(in->sin6_addr);
183c98ce274SDaniel P. Berrangé *data = g_new(char, *datalen);
184c98ce274SDaniel P. Berrangé memcpy(*data, &in->sin6_addr, *datalen);
185c98ce274SDaniel P. Berrangé } else {
186c98ce274SDaniel P. Berrangé g_assert_not_reached();
187c98ce274SDaniel P. Berrangé }
188da668aa1SThomas Huth freeaddrinfo(res);
189da668aa1SThomas Huth }
190da668aa1SThomas Huth
191da668aa1SThomas Huth /*
192da668aa1SThomas Huth * This is a fairly lame x509 certificate generator.
193da668aa1SThomas Huth *
194da668aa1SThomas Huth * Do not copy/use this code for generating real certificates
195da668aa1SThomas Huth * since it leaves out many things that you would want in
196da668aa1SThomas Huth * certificates for real world usage.
197da668aa1SThomas Huth *
198da668aa1SThomas Huth * This is good enough only for doing tests of the QEMU
199da668aa1SThomas Huth * TLS certificate code
200da668aa1SThomas Huth */
201da668aa1SThomas Huth void
test_tls_generate_cert(QCryptoTLSTestCertReq * req,gnutls_x509_crt_t ca)202da668aa1SThomas Huth test_tls_generate_cert(QCryptoTLSTestCertReq *req,
203da668aa1SThomas Huth gnutls_x509_crt_t ca)
204da668aa1SThomas Huth {
205da668aa1SThomas Huth gnutls_x509_crt_t crt;
206da668aa1SThomas Huth int err;
207da668aa1SThomas Huth static char buffer[1024 * 1024];
208da668aa1SThomas Huth size_t size = sizeof(buffer);
209da668aa1SThomas Huth char serial[5] = { 1, 2, 3, 4, 0 };
210da668aa1SThomas Huth gnutls_datum_t der;
211da668aa1SThomas Huth time_t start = time(NULL) + (60 * 60 * req->start_offset);
212da668aa1SThomas Huth time_t expire = time(NULL) + (60 * 60 * (req->expire_offset
213da668aa1SThomas Huth ? req->expire_offset : 24));
214da668aa1SThomas Huth
215da668aa1SThomas Huth /*
216da668aa1SThomas Huth * Prepare our new certificate object
217da668aa1SThomas Huth */
218da668aa1SThomas Huth err = gnutls_x509_crt_init(&crt);
219da668aa1SThomas Huth if (err < 0) {
220da668aa1SThomas Huth g_critical("Failed to initialize certificate %s", gnutls_strerror(err));
221da668aa1SThomas Huth abort();
222da668aa1SThomas Huth }
223da668aa1SThomas Huth err = gnutls_x509_crt_set_key(crt, privkey);
224da668aa1SThomas Huth if (err < 0) {
225da668aa1SThomas Huth g_critical("Failed to set certificate key %s", gnutls_strerror(err));
226da668aa1SThomas Huth abort();
227da668aa1SThomas Huth }
228da668aa1SThomas Huth
229da668aa1SThomas Huth /*
230da668aa1SThomas Huth * A v3 certificate is required in order to be able
231da668aa1SThomas Huth * set any of the basic constraints, key purpose and
232da668aa1SThomas Huth * key usage data
233da668aa1SThomas Huth */
234da668aa1SThomas Huth gnutls_x509_crt_set_version(crt, 3);
235da668aa1SThomas Huth
236da668aa1SThomas Huth if (req->country) {
237da668aa1SThomas Huth err = gnutls_x509_crt_set_dn_by_oid(
238da668aa1SThomas Huth crt, GNUTLS_OID_X520_COUNTRY_NAME, 0,
239da668aa1SThomas Huth req->country, strlen(req->country));
240da668aa1SThomas Huth if (err < 0) {
241da668aa1SThomas Huth g_critical("Failed to set certificate country name %s",
242da668aa1SThomas Huth gnutls_strerror(err));
243da668aa1SThomas Huth abort();
244da668aa1SThomas Huth }
245da668aa1SThomas Huth }
246da668aa1SThomas Huth if (req->cn) {
247da668aa1SThomas Huth err = gnutls_x509_crt_set_dn_by_oid(
248da668aa1SThomas Huth crt, GNUTLS_OID_X520_COMMON_NAME, 0,
249da668aa1SThomas Huth req->cn, strlen(req->cn));
250da668aa1SThomas Huth if (err < 0) {
251da668aa1SThomas Huth g_critical("Failed to set certificate common name %s",
252da668aa1SThomas Huth gnutls_strerror(err));
253da668aa1SThomas Huth abort();
254da668aa1SThomas Huth }
255da668aa1SThomas Huth }
256da668aa1SThomas Huth
257da668aa1SThomas Huth /*
258da668aa1SThomas Huth * Setup the subject altnames, which are used
259da668aa1SThomas Huth * for hostname checks in live sessions
260da668aa1SThomas Huth */
261da668aa1SThomas Huth if (req->altname1) {
262da668aa1SThomas Huth err = gnutls_x509_crt_set_subject_alt_name(
263da668aa1SThomas Huth crt, GNUTLS_SAN_DNSNAME,
264da668aa1SThomas Huth req->altname1,
265da668aa1SThomas Huth strlen(req->altname1),
266da668aa1SThomas Huth GNUTLS_FSAN_APPEND);
267da668aa1SThomas Huth if (err < 0) {
268da668aa1SThomas Huth g_critical("Failed to set certificate alt name %s",
269da668aa1SThomas Huth gnutls_strerror(err));
270da668aa1SThomas Huth abort();
271da668aa1SThomas Huth }
272da668aa1SThomas Huth }
273da668aa1SThomas Huth if (req->altname2) {
274da668aa1SThomas Huth err = gnutls_x509_crt_set_subject_alt_name(
275da668aa1SThomas Huth crt, GNUTLS_SAN_DNSNAME,
276da668aa1SThomas Huth req->altname2,
277da668aa1SThomas Huth strlen(req->altname2),
278da668aa1SThomas Huth GNUTLS_FSAN_APPEND);
279da668aa1SThomas Huth if (err < 0) {
280da668aa1SThomas Huth g_critical("Failed to set certificate %s alt name",
281da668aa1SThomas Huth gnutls_strerror(err));
282da668aa1SThomas Huth abort();
283da668aa1SThomas Huth }
284da668aa1SThomas Huth }
285da668aa1SThomas Huth
286da668aa1SThomas Huth /*
287da668aa1SThomas Huth * IP address need to be put into the cert in their
288da668aa1SThomas Huth * raw byte form, not strings, hence this is a little
289da668aa1SThomas Huth * more complicated
290da668aa1SThomas Huth */
291da668aa1SThomas Huth if (req->ipaddr1) {
292da668aa1SThomas Huth char *data;
293da668aa1SThomas Huth int len;
294da668aa1SThomas Huth
295da668aa1SThomas Huth test_tls_get_ipaddr(req->ipaddr1, &data, &len);
296da668aa1SThomas Huth
297da668aa1SThomas Huth err = gnutls_x509_crt_set_subject_alt_name(
298da668aa1SThomas Huth crt, GNUTLS_SAN_IPADDRESS,
299da668aa1SThomas Huth data, len, GNUTLS_FSAN_APPEND);
300da668aa1SThomas Huth if (err < 0) {
301da668aa1SThomas Huth g_critical("Failed to set certificate alt name %s",
302da668aa1SThomas Huth gnutls_strerror(err));
303da668aa1SThomas Huth abort();
304da668aa1SThomas Huth }
305da668aa1SThomas Huth g_free(data);
306da668aa1SThomas Huth }
307da668aa1SThomas Huth if (req->ipaddr2) {
308da668aa1SThomas Huth char *data;
309da668aa1SThomas Huth int len;
310da668aa1SThomas Huth
311da668aa1SThomas Huth test_tls_get_ipaddr(req->ipaddr2, &data, &len);
312da668aa1SThomas Huth
313da668aa1SThomas Huth err = gnutls_x509_crt_set_subject_alt_name(
314da668aa1SThomas Huth crt, GNUTLS_SAN_IPADDRESS,
315da668aa1SThomas Huth data, len, GNUTLS_FSAN_APPEND);
316da668aa1SThomas Huth if (err < 0) {
317da668aa1SThomas Huth g_critical("Failed to set certificate alt name %s",
318da668aa1SThomas Huth gnutls_strerror(err));
319da668aa1SThomas Huth abort();
320da668aa1SThomas Huth }
321da668aa1SThomas Huth g_free(data);
322da668aa1SThomas Huth }
323da668aa1SThomas Huth
324da668aa1SThomas Huth
325da668aa1SThomas Huth /*
326da668aa1SThomas Huth * Basic constraints are used to decide if the cert
327da668aa1SThomas Huth * is for a CA or not. We can't use the convenient
328da668aa1SThomas Huth * gnutls API for setting this, since it hardcodes
329da668aa1SThomas Huth * the 'critical' field which we want control over
330da668aa1SThomas Huth */
331da668aa1SThomas Huth if (req->basicConstraintsEnable) {
332da668aa1SThomas Huth asn1_node ext = NULL;
333da668aa1SThomas Huth
334da668aa1SThomas Huth asn1_create_element(pkix_asn1, "PKIX1.BasicConstraints", &ext);
335da668aa1SThomas Huth asn1_write_value(ext, "cA",
336da668aa1SThomas Huth req->basicConstraintsIsCA ? "TRUE" : "FALSE", 1);
337da668aa1SThomas Huth asn1_write_value(ext, "pathLenConstraint", NULL, 0);
338da668aa1SThomas Huth test_tls_der_encode(ext, "", &der);
339da668aa1SThomas Huth err = gnutls_x509_crt_set_extension_by_oid(
340da668aa1SThomas Huth crt, "2.5.29.19",
341da668aa1SThomas Huth der.data, der.size,
342da668aa1SThomas Huth req->basicConstraintsCritical);
343da668aa1SThomas Huth if (err < 0) {
344da668aa1SThomas Huth g_critical("Failed to set certificate basic constraints %s",
345da668aa1SThomas Huth gnutls_strerror(err));
346da668aa1SThomas Huth g_free(der.data);
347da668aa1SThomas Huth abort();
348da668aa1SThomas Huth }
349da668aa1SThomas Huth asn1_delete_structure(&ext);
350da668aa1SThomas Huth g_free(der.data);
351da668aa1SThomas Huth }
352da668aa1SThomas Huth
353da668aa1SThomas Huth /*
354da668aa1SThomas Huth * Next up the key usage extension. Again we can't
355da668aa1SThomas Huth * use the gnutls API since it hardcodes the extension
356da668aa1SThomas Huth * to be 'critical'
357da668aa1SThomas Huth */
358da668aa1SThomas Huth if (req->keyUsageEnable) {
359da668aa1SThomas Huth asn1_node ext = NULL;
360da668aa1SThomas Huth char str[2];
361da668aa1SThomas Huth
362da668aa1SThomas Huth str[0] = req->keyUsageValue & 0xff;
363da668aa1SThomas Huth str[1] = (req->keyUsageValue >> 8) & 0xff;
364da668aa1SThomas Huth
365da668aa1SThomas Huth asn1_create_element(pkix_asn1, "PKIX1.KeyUsage", &ext);
366da668aa1SThomas Huth asn1_write_value(ext, "", str, 9);
367da668aa1SThomas Huth test_tls_der_encode(ext, "", &der);
368da668aa1SThomas Huth err = gnutls_x509_crt_set_extension_by_oid(
369da668aa1SThomas Huth crt, "2.5.29.15",
370da668aa1SThomas Huth der.data, der.size,
371da668aa1SThomas Huth req->keyUsageCritical);
372da668aa1SThomas Huth if (err < 0) {
373da668aa1SThomas Huth g_critical("Failed to set certificate key usage %s",
374da668aa1SThomas Huth gnutls_strerror(err));
375da668aa1SThomas Huth g_free(der.data);
376da668aa1SThomas Huth abort();
377da668aa1SThomas Huth }
378da668aa1SThomas Huth asn1_delete_structure(&ext);
379da668aa1SThomas Huth g_free(der.data);
380da668aa1SThomas Huth }
381da668aa1SThomas Huth
382da668aa1SThomas Huth /*
383da668aa1SThomas Huth * Finally the key purpose extension. This time
384da668aa1SThomas Huth * gnutls has the opposite problem, always hardcoding
385da668aa1SThomas Huth * it to be non-critical. So once again we have to
386da668aa1SThomas Huth * set this the hard way building up ASN1 data ourselves
387da668aa1SThomas Huth */
388da668aa1SThomas Huth if (req->keyPurposeEnable) {
389da668aa1SThomas Huth asn1_node ext = NULL;
390da668aa1SThomas Huth
391da668aa1SThomas Huth asn1_create_element(pkix_asn1, "PKIX1.ExtKeyUsageSyntax", &ext);
392da668aa1SThomas Huth if (req->keyPurposeOID1) {
393da668aa1SThomas Huth asn1_write_value(ext, "", "NEW", 1);
394da668aa1SThomas Huth asn1_write_value(ext, "?LAST", req->keyPurposeOID1, 1);
395da668aa1SThomas Huth }
396da668aa1SThomas Huth if (req->keyPurposeOID2) {
397da668aa1SThomas Huth asn1_write_value(ext, "", "NEW", 1);
398da668aa1SThomas Huth asn1_write_value(ext, "?LAST", req->keyPurposeOID2, 1);
399da668aa1SThomas Huth }
400da668aa1SThomas Huth test_tls_der_encode(ext, "", &der);
401da668aa1SThomas Huth err = gnutls_x509_crt_set_extension_by_oid(
402da668aa1SThomas Huth crt, "2.5.29.37",
403da668aa1SThomas Huth der.data, der.size,
404da668aa1SThomas Huth req->keyPurposeCritical);
405da668aa1SThomas Huth if (err < 0) {
406da668aa1SThomas Huth g_critical("Failed to set certificate key purpose %s",
407da668aa1SThomas Huth gnutls_strerror(err));
408da668aa1SThomas Huth g_free(der.data);
409da668aa1SThomas Huth abort();
410da668aa1SThomas Huth }
411da668aa1SThomas Huth asn1_delete_structure(&ext);
412da668aa1SThomas Huth g_free(der.data);
413da668aa1SThomas Huth }
414da668aa1SThomas Huth
415da668aa1SThomas Huth /*
416da668aa1SThomas Huth * Any old serial number will do, so lets pick 5
417da668aa1SThomas Huth */
418da668aa1SThomas Huth err = gnutls_x509_crt_set_serial(crt, serial, 5);
419da668aa1SThomas Huth if (err < 0) {
420da668aa1SThomas Huth g_critical("Failed to set certificate serial %s",
421da668aa1SThomas Huth gnutls_strerror(err));
422da668aa1SThomas Huth abort();
423da668aa1SThomas Huth }
424da668aa1SThomas Huth
425da668aa1SThomas Huth err = gnutls_x509_crt_set_activation_time(crt, start);
426da668aa1SThomas Huth if (err < 0) {
427da668aa1SThomas Huth g_critical("Failed to set certificate activation %s",
428da668aa1SThomas Huth gnutls_strerror(err));
429da668aa1SThomas Huth abort();
430da668aa1SThomas Huth }
431da668aa1SThomas Huth err = gnutls_x509_crt_set_expiration_time(crt, expire);
432da668aa1SThomas Huth if (err < 0) {
433da668aa1SThomas Huth g_critical("Failed to set certificate expiration %s",
434da668aa1SThomas Huth gnutls_strerror(err));
435da668aa1SThomas Huth abort();
436da668aa1SThomas Huth }
437da668aa1SThomas Huth
438da668aa1SThomas Huth
439da668aa1SThomas Huth /*
440da668aa1SThomas Huth * If no 'ca' is set then we are self signing
441da668aa1SThomas Huth * the cert. This is done for the root CA certs
442da668aa1SThomas Huth */
443da668aa1SThomas Huth err = gnutls_x509_crt_sign2(crt, ca ? ca : crt, privkey,
444da668aa1SThomas Huth GNUTLS_DIG_SHA256, 0);
445da668aa1SThomas Huth if (err < 0) {
446da668aa1SThomas Huth g_critical("Failed to sign certificate %s",
447da668aa1SThomas Huth gnutls_strerror(err));
448da668aa1SThomas Huth abort();
449da668aa1SThomas Huth }
450da668aa1SThomas Huth
451da668aa1SThomas Huth /*
452da668aa1SThomas Huth * Finally write the new cert out to disk
453da668aa1SThomas Huth */
454da668aa1SThomas Huth err = gnutls_x509_crt_export(
455da668aa1SThomas Huth crt, GNUTLS_X509_FMT_PEM, buffer, &size);
456da668aa1SThomas Huth if (err < 0) {
457da668aa1SThomas Huth g_critical("Failed to export certificate %s: %d",
458da668aa1SThomas Huth gnutls_strerror(err), err);
459da668aa1SThomas Huth abort();
460da668aa1SThomas Huth }
461da668aa1SThomas Huth
462da668aa1SThomas Huth if (!g_file_set_contents(req->filename, buffer, -1, NULL)) {
463da668aa1SThomas Huth g_critical("Failed to write certificate %s",
464da668aa1SThomas Huth req->filename);
465da668aa1SThomas Huth abort();
466da668aa1SThomas Huth }
467da668aa1SThomas Huth
468da668aa1SThomas Huth req->crt = crt;
469da668aa1SThomas Huth }
470da668aa1SThomas Huth
471da668aa1SThomas Huth
test_tls_write_cert_chain(const char * filename,gnutls_x509_crt_t * certs,size_t ncerts)472da668aa1SThomas Huth void test_tls_write_cert_chain(const char *filename,
473da668aa1SThomas Huth gnutls_x509_crt_t *certs,
474da668aa1SThomas Huth size_t ncerts)
475da668aa1SThomas Huth {
476da668aa1SThomas Huth size_t i;
477da668aa1SThomas Huth size_t capacity = 1024, offset = 0;
478da668aa1SThomas Huth char *buffer = g_new0(char, capacity);
479da668aa1SThomas Huth int err;
480da668aa1SThomas Huth
481da668aa1SThomas Huth for (i = 0; i < ncerts; i++) {
482da668aa1SThomas Huth size_t len = capacity - offset;
483da668aa1SThomas Huth retry:
484da668aa1SThomas Huth err = gnutls_x509_crt_export(certs[i], GNUTLS_X509_FMT_PEM,
485da668aa1SThomas Huth buffer + offset, &len);
486da668aa1SThomas Huth if (err < 0) {
487da668aa1SThomas Huth if (err == GNUTLS_E_SHORT_MEMORY_BUFFER) {
488da668aa1SThomas Huth buffer = g_renew(char, buffer, offset + len);
489da668aa1SThomas Huth capacity = offset + len;
490da668aa1SThomas Huth goto retry;
491da668aa1SThomas Huth }
492da668aa1SThomas Huth g_critical("Failed to export certificate chain %s: %d",
493da668aa1SThomas Huth gnutls_strerror(err), err);
494da668aa1SThomas Huth abort();
495da668aa1SThomas Huth }
496da668aa1SThomas Huth offset += len;
497da668aa1SThomas Huth }
498da668aa1SThomas Huth
499da668aa1SThomas Huth if (!g_file_set_contents(filename, buffer, offset, NULL)) {
500da668aa1SThomas Huth abort();
501da668aa1SThomas Huth }
502da668aa1SThomas Huth g_free(buffer);
503da668aa1SThomas Huth }
504da668aa1SThomas Huth
505da668aa1SThomas Huth
test_tls_discard_cert(QCryptoTLSTestCertReq * req)506da668aa1SThomas Huth void test_tls_discard_cert(QCryptoTLSTestCertReq *req)
507da668aa1SThomas Huth {
508da668aa1SThomas Huth if (!req->crt) {
509da668aa1SThomas Huth return;
510da668aa1SThomas Huth }
511da668aa1SThomas Huth
512da668aa1SThomas Huth gnutls_x509_crt_deinit(req->crt);
513da668aa1SThomas Huth req->crt = NULL;
514da668aa1SThomas Huth
515da668aa1SThomas Huth if (getenv("QEMU_TEST_DEBUG_CERTS") == NULL) {
516da668aa1SThomas Huth unlink(req->filename);
517da668aa1SThomas Huth }
518da668aa1SThomas Huth }
519