/* * Copyright (C) 2015 Red Hat, Inc. * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public * License as published by the Free Software Foundation; either * version 2.1 of the License, or (at your option) any later version. * * This library is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public * License along with this library. If not, see * . * * Author: Daniel P. Berrange */ #ifndef TESTS_CRYPTO_TLS_X509_HELPERS_H #define TESTS_CRYPTO_TLS_X509_HELPERS_H #include #include #define QCRYPTO_TLS_TEST_CLIENT_NAME "ACME QEMU Client" #define QCRYPTO_TLS_TEST_CLIENT_HOSTILE_NAME "ACME Hostile Client" /* * This contains parameter about how to generate * certificates. */ typedef struct QCryptoTLSTestCertReq QCryptoTLSTestCertReq; struct QCryptoTLSTestCertReq { gnutls_x509_crt_t crt; const char *filename; /* Identifying information */ const char *country; const char *cn; const char *altname1; const char *altname2; const char *ipaddr1; const char *ipaddr2; /* Basic constraints */ bool basicConstraintsEnable; bool basicConstraintsCritical; bool basicConstraintsIsCA; /* Key usage */ bool keyUsageEnable; bool keyUsageCritical; int keyUsageValue; /* Key purpose (aka Extended key usage) */ bool keyPurposeEnable; bool keyPurposeCritical; const char *keyPurposeOID1; const char *keyPurposeOID2; /* zero for current time, or non-zero for hours from now */ int start_offset; /* zero for 24 hours from now, or non-zero for hours from now */ int expire_offset; }; void test_tls_generate_cert(QCryptoTLSTestCertReq *req, gnutls_x509_crt_t ca); void test_tls_write_cert_chain(const char *filename, gnutls_x509_crt_t *certs, size_t ncerts); /* * Deinitialize the QCryptoTLSTestCertReq, but don't delete the certificate * file on disk. (The caller is then responsible for doing that themselves. */ void test_tls_deinit_cert(QCryptoTLSTestCertReq *req); /* Deinit the QCryptoTLSTestCertReq, and delete the certificate file */ void test_tls_discard_cert(QCryptoTLSTestCertReq *req); void test_tls_init(const char *keyfile); void test_tls_cleanup(const char *keyfile); # define TLS_CERT_REQ(varname, cavarname, \ country, commonname, \ altname1, altname2, \ ipaddr1, ipaddr2, \ basicconsenable, basicconscritical, basicconsca, \ keyusageenable, keyusagecritical, keyusagevalue, \ keypurposeenable, keypurposecritical, \ keypurposeoid1, keypurposeoid2, \ startoffset, endoffset) \ static QCryptoTLSTestCertReq varname = { \ NULL, WORKDIR #varname "-ctx.pem", \ country, commonname, altname1, altname2, \ ipaddr1, ipaddr2, \ basicconsenable, basicconscritical, basicconsca, \ keyusageenable, keyusagecritical, keyusagevalue, \ keypurposeenable, keypurposecritical, \ keypurposeoid1, keypurposeoid2, \ startoffset, endoffset \ }; \ test_tls_generate_cert(&varname, cavarname.crt) # define TLS_ROOT_REQ(varname, \ country, commonname, \ altname1, altname2, \ ipaddr1, ipaddr2, \ basicconsenable, basicconscritical, basicconsca, \ keyusageenable, keyusagecritical, keyusagevalue, \ keypurposeenable, keypurposecritical, \ keypurposeoid1, keypurposeoid2, \ startoffset, endoffset) \ static QCryptoTLSTestCertReq varname = { \ NULL, WORKDIR #varname "-ctx.pem", \ country, commonname, altname1, altname2, \ ipaddr1, ipaddr2, \ basicconsenable, basicconscritical, basicconsca, \ keyusageenable, keyusagecritical, keyusagevalue, \ keypurposeenable, keypurposecritical, \ keypurposeoid1, keypurposeoid2, \ startoffset, endoffset \ }; \ test_tls_generate_cert(&varname, NULL) # define TLS_ROOT_REQ_SIMPLE(varname, fname) \ QCryptoTLSTestCertReq varname = { \ .filename = fname, \ .cn = "qemu-CA", \ .basicConstraintsEnable = true, \ .basicConstraintsCritical = true, \ .basicConstraintsIsCA = true, \ .keyUsageEnable = true, \ .keyUsageCritical = true, \ .keyUsageValue = GNUTLS_KEY_KEY_CERT_SIGN, \ }; \ test_tls_generate_cert(&varname, NULL) # define TLS_CERT_REQ_SIMPLE_CLIENT(varname, cavarname, cname, fname) \ QCryptoTLSTestCertReq varname = { \ .filename = fname, \ .cn = cname, \ .basicConstraintsEnable = true, \ .basicConstraintsCritical = true, \ .basicConstraintsIsCA = false, \ .keyUsageEnable = true, \ .keyUsageCritical = true, \ .keyUsageValue = \ GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, \ .keyPurposeEnable = true, \ .keyPurposeCritical = true, \ .keyPurposeOID1 = GNUTLS_KP_TLS_WWW_CLIENT, \ }; \ test_tls_generate_cert(&varname, cavarname.crt) # define TLS_CERT_REQ_SIMPLE_SERVER(varname, cavarname, fname, \ hostname, ipaddr) \ QCryptoTLSTestCertReq varname = { \ .filename = fname, \ .cn = hostname ? hostname : ipaddr, \ .altname1 = hostname, \ .ipaddr1 = ipaddr, \ .basicConstraintsEnable = true, \ .basicConstraintsCritical = true, \ .basicConstraintsIsCA = false, \ .keyUsageEnable = true, \ .keyUsageCritical = true, \ .keyUsageValue = \ GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, \ .keyPurposeEnable = true, \ .keyPurposeCritical = true, \ .keyPurposeOID1 = GNUTLS_KP_TLS_WWW_SERVER, \ }; \ test_tls_generate_cert(&varname, cavarname.crt) #endif