1 /* 2 * Copyright (C) 2015 Red Hat, Inc. 3 * 4 * This library is free software; you can redistribute it and/or 5 * modify it under the terms of the GNU Lesser General Public 6 * License as published by the Free Software Foundation; either 7 * version 2.1 of the License, or (at your option) any later version. 8 * 9 * This library is distributed in the hope that it will be useful, 10 * but WITHOUT ANY WARRANTY; without even the implied warranty of 11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 12 * Lesser General Public License for more details. 13 * 14 * You should have received a copy of the GNU Lesser General Public 15 * License along with this library. If not, see 16 * <http://www.gnu.org/licenses/>. 17 * 18 * Author: Daniel P. Berrange <berrange@redhat.com> 19 */ 20 21 #ifndef TESTS_CRYPTO_TLS_X509_HELPERS_H 22 #define TESTS_CRYPTO_TLS_X509_HELPERS_H 23 24 #include <gnutls/gnutls.h> 25 #include <gnutls/x509.h> 26 27 28 #define QCRYPTO_TLS_TEST_CLIENT_NAME "ACME QEMU Client" 29 #define QCRYPTO_TLS_TEST_CLIENT_HOSTILE_NAME "ACME Hostile Client" 30 31 /* 32 * This contains parameter about how to generate 33 * certificates. 34 */ 35 typedef struct QCryptoTLSTestCertReq QCryptoTLSTestCertReq; 36 struct QCryptoTLSTestCertReq { 37 gnutls_x509_crt_t crt; 38 39 const char *filename; 40 41 /* Identifying information */ 42 const char *country; 43 const char *cn; 44 const char *altname1; 45 const char *altname2; 46 const char *ipaddr1; 47 const char *ipaddr2; 48 49 /* Basic constraints */ 50 bool basicConstraintsEnable; 51 bool basicConstraintsCritical; 52 bool basicConstraintsIsCA; 53 54 /* Key usage */ 55 bool keyUsageEnable; 56 bool keyUsageCritical; 57 int keyUsageValue; 58 59 /* Key purpose (aka Extended key usage) */ 60 bool keyPurposeEnable; 61 bool keyPurposeCritical; 62 const char *keyPurposeOID1; 63 const char *keyPurposeOID2; 64 65 /* zero for current time, or non-zero for hours from now */ 66 int start_offset; 67 /* zero for 24 hours from now, or non-zero for hours from now */ 68 int expire_offset; 69 }; 70 71 void test_tls_generate_cert(QCryptoTLSTestCertReq *req, 72 gnutls_x509_crt_t ca); 73 void test_tls_write_cert_chain(const char *filename, 74 gnutls_x509_crt_t *certs, 75 size_t ncerts); 76 /* 77 * Deinitialize the QCryptoTLSTestCertReq, but don't delete the certificate 78 * file on disk. (The caller is then responsible for doing that themselves. 79 */ 80 void test_tls_deinit_cert(QCryptoTLSTestCertReq *req); 81 /* Deinit the QCryptoTLSTestCertReq, and delete the certificate file */ 82 void test_tls_discard_cert(QCryptoTLSTestCertReq *req); 83 84 void test_tls_init(const char *keyfile); 85 void test_tls_cleanup(const char *keyfile); 86 87 # define TLS_CERT_REQ(varname, cavarname, \ 88 country, commonname, \ 89 altname1, altname2, \ 90 ipaddr1, ipaddr2, \ 91 basicconsenable, basicconscritical, basicconsca, \ 92 keyusageenable, keyusagecritical, keyusagevalue, \ 93 keypurposeenable, keypurposecritical, \ 94 keypurposeoid1, keypurposeoid2, \ 95 startoffset, endoffset) \ 96 static QCryptoTLSTestCertReq varname = { \ 97 NULL, WORKDIR #varname "-ctx.pem", \ 98 country, commonname, altname1, altname2, \ 99 ipaddr1, ipaddr2, \ 100 basicconsenable, basicconscritical, basicconsca, \ 101 keyusageenable, keyusagecritical, keyusagevalue, \ 102 keypurposeenable, keypurposecritical, \ 103 keypurposeoid1, keypurposeoid2, \ 104 startoffset, endoffset \ 105 }; \ 106 test_tls_generate_cert(&varname, cavarname.crt) 107 108 # define TLS_ROOT_REQ(varname, \ 109 country, commonname, \ 110 altname1, altname2, \ 111 ipaddr1, ipaddr2, \ 112 basicconsenable, basicconscritical, basicconsca, \ 113 keyusageenable, keyusagecritical, keyusagevalue, \ 114 keypurposeenable, keypurposecritical, \ 115 keypurposeoid1, keypurposeoid2, \ 116 startoffset, endoffset) \ 117 static QCryptoTLSTestCertReq varname = { \ 118 NULL, WORKDIR #varname "-ctx.pem", \ 119 country, commonname, altname1, altname2, \ 120 ipaddr1, ipaddr2, \ 121 basicconsenable, basicconscritical, basicconsca, \ 122 keyusageenable, keyusagecritical, keyusagevalue, \ 123 keypurposeenable, keypurposecritical, \ 124 keypurposeoid1, keypurposeoid2, \ 125 startoffset, endoffset \ 126 }; \ 127 test_tls_generate_cert(&varname, NULL) 128 129 # define TLS_ROOT_REQ_SIMPLE(varname, fname) \ 130 QCryptoTLSTestCertReq varname = { \ 131 .filename = fname, \ 132 .cn = "qemu-CA", \ 133 .basicConstraintsEnable = true, \ 134 .basicConstraintsCritical = true, \ 135 .basicConstraintsIsCA = true, \ 136 .keyUsageEnable = true, \ 137 .keyUsageCritical = true, \ 138 .keyUsageValue = GNUTLS_KEY_KEY_CERT_SIGN, \ 139 }; \ 140 test_tls_generate_cert(&varname, NULL) 141 142 # define TLS_CERT_REQ_SIMPLE_CLIENT(varname, cavarname, cname, fname) \ 143 QCryptoTLSTestCertReq varname = { \ 144 .filename = fname, \ 145 .cn = cname, \ 146 .basicConstraintsEnable = true, \ 147 .basicConstraintsCritical = true, \ 148 .basicConstraintsIsCA = false, \ 149 .keyUsageEnable = true, \ 150 .keyUsageCritical = true, \ 151 .keyUsageValue = \ 152 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, \ 153 .keyPurposeEnable = true, \ 154 .keyPurposeCritical = true, \ 155 .keyPurposeOID1 = GNUTLS_KP_TLS_WWW_CLIENT, \ 156 }; \ 157 test_tls_generate_cert(&varname, cavarname.crt) 158 159 # define TLS_CERT_REQ_SIMPLE_SERVER(varname, cavarname, fname, \ 160 hostname, ipaddr) \ 161 QCryptoTLSTestCertReq varname = { \ 162 .filename = fname, \ 163 .cn = hostname ? hostname : ipaddr, \ 164 .altname1 = hostname, \ 165 .ipaddr1 = ipaddr, \ 166 .basicConstraintsEnable = true, \ 167 .basicConstraintsCritical = true, \ 168 .basicConstraintsIsCA = false, \ 169 .keyUsageEnable = true, \ 170 .keyUsageCritical = true, \ 171 .keyUsageValue = \ 172 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, \ 173 .keyPurposeEnable = true, \ 174 .keyPurposeCritical = true, \ 175 .keyPurposeOID1 = GNUTLS_KP_TLS_WWW_SERVER, \ 176 }; \ 177 test_tls_generate_cert(&varname, cavarname.crt) 178 179 #endif 180