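/*
 * Copyright (C) 2015 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library.  If not, see
 * <http://www.gnu.org/licenses/>.
 *
 * Author: Daniel P. Berrange <berrange@redhat.com>
 */

#ifndef TESTS_CRYPTO_TLS_X509_HELPERS_H
#define TESTS_CRYPTO_TLS_X509_HELPERS_H

#include <gnutls/gnutls.h>
#include <gnutls/x509.h>

/*
 * Subject common names used for the client certificates in the
 * TLS tests.  NOTE(review): the "hostile" name is presumably the
 * one the verification tests expect to be rejected - confirm
 * against the callers.
 */
#define QCRYPTO_TLS_TEST_CLIENT_NAME "ACME QEMU Client"
#define QCRYPTO_TLS_TEST_CLIENT_HOSTILE_NAME "ACME Hostile Client"

/*
 * QCryptoTLSTestCertReq: parameters describing how one test
 * certificate is to be generated.
 *
 * Fill in the fields and hand the struct to test_tls_generate_cert(),
 * which stores the resulting certificate in @crt.  Pointer fields
 * left NULL mean "not set".  This header relies on the including
 * file having `bool` and `size_t` in scope; it does not include
 * <stdbool.h> or <stddef.h> itself.
 */
typedef struct QCryptoTLSTestCertReq QCryptoTLSTestCertReq;
struct QCryptoTLSTestCertReq {
    /* Output: the generated certificate, set by test_tls_generate_cert() */
    gnutls_x509_crt_t crt;

    /* Path the generated certificate is associated with (PEM, see macros) */
    const char *filename;

    /* Identifying information */
    const char *country;    /* subject country code */
    const char *cn;         /* subject common name */
    const char *altname1;   /* subjectAltName DNS entries */
    const char *altname2;
    const char *ipaddr1;    /* subjectAltName IP address entries */
    const char *ipaddr2;

    /* Basic constraints */
    bool basicConstraintsEnable;    /* emit the extension at all */
    bool basicConstraintsCritical;  /* mark the extension critical */
    bool basicConstraintsIsCA;      /* assert CA:TRUE */

    /* Key usage */
    bool keyUsageEnable;
    bool keyUsageCritical;
    int keyUsageValue;              /* bitmask of GNUTLS_KEY_* flags */

    /* Key purpose (aka Extended key usage) */
    bool keyPurposeEnable;
    bool keyPurposeCritical;
    const char *keyPurposeOID1;     /* GNUTLS_KP_* OID strings */
    const char *keyPurposeOID2;

    /* zero for current time, or non-zero for hours from now */
    int start_offset;
    /* zero for 24 hours from now, or non-zero for hours from now */
    int expire_offset;
};

/*
 * test_tls_generate_cert:
 * @req: description of the certificate to create; @req->crt receives it
 * @ca: the issuing certificate, or NULL (as the TLS_ROOT_REQ* macros
 *      pass) for a root certificate - presumably self-signed
 */
void test_tls_generate_cert(QCryptoTLSTestCertReq *req,
                            gnutls_x509_crt_t ca);

/*
 * test_tls_write_cert_chain:
 * @filename: file to write
 * @certs: array of @ncerts certificates, written out as one chain
 * @ncerts: number of entries in @certs
 */
void test_tls_write_cert_chain(const char *filename,
                               gnutls_x509_crt_t *certs,
                               size_t ncerts);

/*
 * test_tls_discard_cert:
 * @req: request whose generated state (presumably @req->crt and the
 *       file named by @req->filename) is released
 */
void test_tls_discard_cert(QCryptoTLSTestCertReq *req);

/*
 * test_tls_init / test_tls_cleanup: per-test-program setup and
 * teardown.  @keyfile names the private key file the helpers use.
 */
void test_tls_init(const char *keyfile);
void test_tls_cleanup(const char *keyfile);

/*
 * TLS_CERT_REQ: define a static QCryptoTLSTestCertReq named @varname
 * and generate it, signed by the certificate held in @cavarname.crt.
 * The certificate file is WORKDIR "<varname>-ctx.pem"; WORKDIR is not
 * defined here and must be provided by the including file.
 *
 * Designated initializers are used so the macro stays correct if the
 * struct fields are reordered; the parameter names deliberately differ
 * from the field names so the `.field =` designators are not rewritten
 * by macro argument substitution.
 */
# define TLS_CERT_REQ(varname, cavarname,                               \
                      countrycode, commonname,                          \
                      sanname1, sanname2,                               \
                      sanip1, sanip2,                                   \
                      basicconsenable, basicconscritical, basicconsca,  \
                      keyusageenable, keyusagecritical, keyusagevalue,  \
                      keypurposeenable, keypurposecritical,             \
                      keypurposeoid1, keypurposeoid2,                   \
                      startoffset, endoffset)                           \
    static QCryptoTLSTestCertReq varname = {                            \
        .crt = NULL,                                                    \
        .filename = WORKDIR #varname "-ctx.pem",                        \
        .country = countrycode,                                         \
        .cn = commonname,                                               \
        .altname1 = sanname1,                                           \
        .altname2 = sanname2,                                           \
        .ipaddr1 = sanip1,                                              \
        .ipaddr2 = sanip2,                                              \
        .basicConstraintsEnable = basicconsenable,                      \
        .basicConstraintsCritical = basicconscritical,                  \
        .basicConstraintsIsCA = basicconsca,                            \
        .keyUsageEnable = keyusageenable,                               \
        .keyUsageCritical = keyusagecritical,                           \
        .keyUsageValue = keyusagevalue,                                 \
        .keyPurposeEnable = keypurposeenable,                           \
        .keyPurposeCritical = keypurposecritical,                       \
        .keyPurposeOID1 = keypurposeoid1,                               \
        .keyPurposeOID2 = keypurposeoid2,                               \
        .start_offset = startoffset,                                    \
        .expire_offset = endoffset,                                     \
    };                                                                  \
    test_tls_generate_cert(&varname, cavarname.crt)

/*
 * TLS_ROOT_REQ: as TLS_CERT_REQ, but with no issuing certificate
 * (NULL is passed as the CA), i.e. a root certificate.
 */
# define TLS_ROOT_REQ(varname,                                          \
                      countrycode, commonname,                          \
                      sanname1, sanname2,                               \
                      sanip1, sanip2,                                   \
                      basicconsenable, basicconscritical, basicconsca,  \
                      keyusageenable, keyusagecritical, keyusagevalue,  \
                      keypurposeenable, keypurposecritical,             \
                      keypurposeoid1, keypurposeoid2,                   \
                      startoffset, endoffset)                           \
    static QCryptoTLSTestCertReq varname = {                            \
        .crt = NULL,                                                    \
        .filename = WORKDIR #varname "-ctx.pem",                        \
        .country = countrycode,                                         \
        .cn = commonname,                                               \
        .altname1 = sanname1,                                           \
        .altname2 = sanname2,                                           \
        .ipaddr1 = sanip1,                                              \
        .ipaddr2 = sanip2,                                              \
        .basicConstraintsEnable = basicconsenable,                      \
        .basicConstraintsCritical = basicconscritical,                  \
        .basicConstraintsIsCA = basicconsca,                            \
        .keyUsageEnable = keyusageenable,                               \
        .keyUsageCritical = keyusagecritical,                           \
        .keyUsageValue = keyusagevalue,                                 \
        .keyPurposeEnable = keypurposeenable,                           \
        .keyPurposeCritical = keypurposecritical,                       \
        .keyPurposeOID1 = keypurposeoid1,                               \
        .keyPurposeOID2 = keypurposeoid2,                               \
        .start_offset = startoffset,                                    \
        .expire_offset = endoffset,                                     \
    };                                                                  \
    test_tls_generate_cert(&varname, NULL)

/*
 * TLS_ROOT_REQ_SIMPLE: a root CA with fixed name "qemu-CA", critical
 * basicConstraints CA:TRUE and key usage limited to certificate
 * signing.  Unlike TLS_ROOT_REQ the variable is not static, so this
 * is meant for use inside a function body.
 */
# define TLS_ROOT_REQ_SIMPLE(varname, fname)                            \
    QCryptoTLSTestCertReq varname = {                                   \
        .filename = fname,                                              \
        .cn = "qemu-CA",                                                \
        .basicConstraintsEnable = true,                                 \
        .basicConstraintsCritical = true,                               \
        .basicConstraintsIsCA = true,                                   \
        .keyUsageEnable = true,                                         \
        .keyUsageCritical = true,                                       \
        .keyUsageValue = GNUTLS_KEY_KEY_CERT_SIGN,                      \
    };                                                                  \
    test_tls_generate_cert(&varname, NULL)

/*
 * TLS_CERT_REQ_SIMPLE_CLIENT: an end-entity client certificate with
 * common name @cname, signed by @cavarname.crt, with critical
 * CA:FALSE, critical digitalSignature|keyEncipherment key usage and
 * a critical TLS WWW client extended key usage.
 */
# define TLS_CERT_REQ_SIMPLE_CLIENT(varname, cavarname, cname, fname)   \
    QCryptoTLSTestCertReq varname = {                                   \
        .filename = fname,                                              \
        .cn = cname,                                                    \
        .basicConstraintsEnable = true,                                 \
        .basicConstraintsCritical = true,                               \
        .basicConstraintsIsCA = false,                                  \
        .keyUsageEnable = true,                                         \
        .keyUsageCritical = true,                                       \
        .keyUsageValue =                                                \
        GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,     \
        .keyPurposeEnable = true,                                       \
        .keyPurposeCritical = true,                                     \
        .keyPurposeOID1 = GNUTLS_KP_TLS_WWW_CLIENT,                     \
    };                                                                  \
    test_tls_generate_cert(&varname, cavarname.crt)

/*
 * TLS_CERT_REQ_SIMPLE_SERVER: an end-entity server certificate signed
 * by @cavarname.crt.  @hostname goes into the DNS subjectAltName and
 * @ipaddr into the IP subjectAltName; the common name is @hostname
 * when given, otherwise @ipaddr, so at least one identity is present.
 * Extensions mirror TLS_CERT_REQ_SIMPLE_CLIENT with a TLS WWW server
 * extended key usage.
 */
# define TLS_CERT_REQ_SIMPLE_SERVER(varname, cavarname, fname,          \
                                    hostname, ipaddr)                   \
    QCryptoTLSTestCertReq varname = {                                   \
        .filename = fname,                                              \
        .cn = hostname ? hostname : ipaddr,                             \
        .altname1 = hostname,                                           \
        .ipaddr1 = ipaddr,                                              \
        .basicConstraintsEnable = true,                                 \
        .basicConstraintsCritical = true,                               \
        .basicConstraintsIsCA = false,                                  \
        .keyUsageEnable = true,                                         \
        .keyUsageCritical = true,                                       \
        .keyUsageValue =                                                \
        GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,     \
        .keyPurposeEnable = true,                                       \
        .keyPurposeCritical = true,                                     \
        .keyPurposeOID1 = GNUTLS_KP_TLS_WWW_SERVER,                     \
    };                                                                  \
    test_tls_generate_cert(&varname, cavarname.crt)

#endif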