1 /*
2  * Copyright (C) 2011-2014 Red Hat, Inc.
3  *
4  * This library is free software; you can redistribute it and/or
5  * modify it under the terms of the GNU Lesser General Public
6  * License as published by the Free Software Foundation; either
7  * version 2.1 of the License, or (at your option) any later version.
8  *
9  * This library is distributed in the hope that it will be useful,
10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
12  * Lesser General Public License for more details.
13  *
14  * You should have received a copy of the GNU Lesser General Public
15  * License along with this library.  If not, see
16  * <http://www.gnu.org/licenses/>.
17  */
18 
19 #include <config.h>
20 
21 #include <fcntl.h>
22 #include <unistd.h>
23 
24 #include "testutils.h"
25 #include "virnettlshelpers.h"
26 #include "virerror.h"
27 #include "viralloc.h"
28 #include "virlog.h"
29 #include "virfile.h"
30 #include "vircommand.h"
31 #include "virsocket.h"
32 
33 #if !defined WIN32 && WITH_LIBTASN1_H && LIBGNUTLS_VERSION_NUMBER >= 0x020600
34 
35 # include "rpc/virnettlscontext.h"
36 
37 # define VIR_FROM_THIS VIR_FROM_RPC
38 
39 VIR_LOG_INIT("tests.nettlscontexttest");
40 
41 # define KEYFILE "key-ctx.pem"
42 
/* One context-creation test case; filled in by DO_CTX_TEST() in mymain()
 * and consumed by testTLSContextInit(). */
struct testTLSContextData {
    bool isServer;      /* build a server context, else a client context */
    const char *cacrt;  /* path of the CA cert (or CA bundle) file */
    const char *crt;    /* path of the server/client cert file under test */
    bool expectFail;    /* true if context creation MUST be refused */
};
49 
50 
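/*
 * Sanity checking of our own (local) certificates.
 *
 * The same checks run in production when libvirtd starts up, or before
 * a libvirt client connects. This test ensures that constructing a
 * virNetTLSContext FAILS when given bogus certs, and SUCCEEDS for good
 * certs. Of the two possible mismatches, a context that is created from
 * a cert which should have been rejected is the security-relevant one:
 * it means a misconfigured or mis-issued identity would be accepted at
 * start-up instead of being refused.
 *
 * @opaque: a struct testTLSContextData naming the CA cert, the
 *          server/client cert, which side to build, and whether
 *          creation is expected to fail.
 *
 * Returns 0 when the outcome matches data->expectFail, -1 otherwise.
 */
static int testTLSContextInit(const void *opaque)
{
    /* 'opaque' is const and we never write through it, so take a const
     * pointer instead of casting the qualifier away. */
    const struct testTLSContextData *data = opaque;
    virNetTLSContext *ctxt = NULL;
    int ret = -1;

    /* Every generated cert is paired with the single shared key (KEYFILE),
     * so only the CA file and the cert file vary between cases. No CRL is
     * supplied (NULL) and the "NORMAL" priority string is used. The two
     * trailing 'true' flags presumably enable the local cert sanity checks
     * and require a valid cert -- confirm against rpc/virnettlscontext.h;
     * the server variant takes one extra NULL argument before the
     * priority string. */
    if (data->isServer) {
        ctxt = virNetTLSContextNewServer(data->cacrt, NULL, data->crt, KEYFILE,
                                         NULL, "NORMAL", true, true);
    } else {
        ctxt = virNetTLSContextNewClient(data->cacrt, NULL, data->crt, KEYFILE,
                                         "NORMAL", true, true);
    }

    if (ctxt && data->expectFail) {
        /* A bogus cert was accepted: this is the dangerous direction. */
        VIR_WARN("Expected failure %s against %s",
                 data->cacrt, data->crt);
        goto cleanup;
    }

    if (!ctxt) {
        if (!data->expectFail) {
            VIR_WARN("Unexpected failure %s against %s",
                     data->cacrt, data->crt);
            goto cleanup;
        }
        /* Expected rejection; record why it was refused for debugging. */
        VIR_DEBUG("Got error %s", virGetLastErrorMessage());
    }

    ret = 0;

 cleanup:
    /* ctxt may be NULL here; the original code relies on that being safe. */
    virObjectUnref(ctxt);
    return ret;
}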
105 
106 
107 
/*
 * Test driver. Generates a set of CA / server / client certificates with
 * deliberately chosen X.509 extensions and validity windows, then checks
 * via testTLSContextInit() that virNetTLSContext creation accepts the
 * good ones and rejects the bad ones. Every generated file is discarded
 * again before returning.
 */
static int
mymain(void)
{
    int ret = 0;

    /* NOTE(review): "2" is presumably GnuTLS' lax FIPS mode, so that a
     * host running in FIPS mode does not reject the generated test certs
     * for reasons unrelated to what is being tested -- confirm against
     * the GnuTLS documentation for GNUTLS_FORCE_FIPS_MODE. */
    g_setenv("GNUTLS_FORCE_FIPS_MODE", "2", TRUE);

    /* Sets up the private key file (KEYFILE) that every cert below is
     * paired with when a context is created. */
    testTLSInit(KEYFILE);

    /*
     * Run one context-creation check. The test name embeds the CA and
     * cert expressions verbatim (stringified), so the filenames appear in
     * the test output. 'data' is static; each macro expansion is its own
     * block, so every case gets its own persistent instance.
     */
# define DO_CTX_TEST(_isServer, _caCrt, _crt, _expectFail) \
    do { \
        static struct testTLSContextData data; \
        data.isServer = _isServer; \
        data.cacrt = _caCrt; \
        data.crt = _crt; \
        data.expectFail = _expectFail; \
        if (virTestRun("TLS Context " #_caCrt  " + " #_crt, \
                       testTLSContextInit, &data) < 0) \
            ret = -1; \
    } while (0)

    /*
     * Declare a cert request named 'varname' and generate a cert from it
     * signed by 'cavarname'. The on-disk filename is derived from the
     * variable name (<varname>-ctx.pem), so the names below are also
     * file names. Argument columns, as they are used in this file:
     *   co, cn                country / common name
     *   an1, an2, ia1, ia2    alternative-name fields, always NULL here
     *                         (names suggest subjectAltName DNS names and
     *                         IP addresses -- confirm in virnettlshelpers.h)
     *   bce, bcc, bci         basicConstraints: present, critical, CA:TRUE
     *   kue, kuc, kuv         keyUsage: present, critical, bits set
     *   kpe, kpc, kpo1, kpo2  extended key usage: present, critical, OIDs
     *   so, eo                validity start / expiry offsets (0, 0 is
     *                         valid now; eo = -1 is expired; so = 1, eo = 2
     *                         is not yet valid -- units per the helpers)
     */
# define TLS_CERT_REQ(varname, cavarname, \
                      co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
                      kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo) \
    static struct testTLSCertReq varname = { \
        NULL, #varname "-ctx.pem", \
        co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
        kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo \
    }; \
    testTLSGenerateCert(&varname, cavarname.crt)

    /* The macros above declare static structs after statements. */
    VIR_WARNINGS_NO_DECLARATION_AFTER_STATEMENT
    /* Same as TLS_CERT_REQ but with no issuer cert passed to the
     * generator, i.e. a root CA (presumably self-signed). */
# define TLS_ROOT_REQ(varname, \
                      co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
                      kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo) \
    static struct testTLSCertReq varname = { \
        NULL, #varname "-ctx.pem", \
        co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
        kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo \
    }; \
    testTLSGenerateCert(&varname, NULL)


    /* A perfect CA, perfect client & perfect server */

    /* Basic:CA:critical, keyUsage:cert-sign:critical */
    TLS_ROOT_REQ(cacertreq,
                 "UK", "libvirt CA", NULL, NULL, NULL, NULL,
                 true, true, true,
                 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
                 false, false, NULL, NULL,
                 0, 0);

    /* keyUsage:dig-sig+encipher:critical, purpose:server:critical */
    TLS_CERT_REQ(servercertreq, cacertreq,
                 "UK", "libvirt.org", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
                 0, 0);
    /* keyUsage:dig-sig+encipher:critical, purpose:client:critical */
    TLS_CERT_REQ(clientcertreq, cacertreq,
                 "UK", "libvirt", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
                 0, 0);

    DO_CTX_TEST(true, cacertreq.filename, servercertreq.filename, false);
    DO_CTX_TEST(false, cacertreq.filename, clientcertreq.filename, false);


    /* Some other CAs which are good */

    /* Basic:CA:critical, no keyUsage at all */
    TLS_ROOT_REQ(cacert1req,
                 "UK", "libvirt CA 1", NULL, NULL, NULL, NULL,
                 true, true, true,
                 false, false, 0,
                 false, false, NULL, NULL,
                 0, 0);
    TLS_CERT_REQ(servercert1req, cacert1req,
                 "UK", "libvirt.org", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
                 0, 0);

    /* Basic:CA:not-critical (CA:TRUE still present, so still accepted) */
    TLS_ROOT_REQ(cacert2req,
                 "UK", "libvirt CA 2", NULL, NULL, NULL, NULL,
                 true, false, true,
                 false, false, 0,
                 false, false, NULL, NULL,
                 0, 0);
    TLS_CERT_REQ(servercert2req, cacert2req,
                 "UK", "libvirt.org", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
                 0, 0);

    /* Key usage:cert-sign:critical */
    TLS_ROOT_REQ(cacert3req,
                 "UK", "libvirt CA 3", NULL, NULL, NULL, NULL,
                 true, true, true,
                 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
                 false, false, NULL, NULL,
                 0, 0);
    TLS_CERT_REQ(servercert3req, cacert3req,
                 "UK", "libvirt.org", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
                 0, 0);

    DO_CTX_TEST(true, cacert1req.filename, servercert1req.filename, false);
    DO_CTX_TEST(true, cacert2req.filename, servercert2req.filename, false);
    DO_CTX_TEST(true, cacert3req.filename, servercert3req.filename, false);

    /* Now some bad certs */

    /* Key usage:dig-sig:not-critical (no cert-sign bit on a CA) */
    TLS_ROOT_REQ(cacert4req,
                 "UK", "libvirt CA 4", NULL, NULL, NULL, NULL,
                 true, true, true,
                 true, false, GNUTLS_KEY_DIGITAL_SIGNATURE,
                 false, false, NULL, NULL,
                 0, 0);
    TLS_CERT_REQ(servercert4req, cacert4req,
                 "UK", "libvirt.org", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
                 0, 0);
    /* no-basic: a "CA" with no basicConstraints extension at all */
    TLS_ROOT_REQ(cacert5req,
                 "UK", "libvirt CA 5", NULL, NULL, NULL, NULL,
                 false, false, false,
                 false, false, 0,
                 false, false, NULL, NULL,
                 0, 0);
    TLS_CERT_REQ(servercert5req, cacert5req,
                 "UK", "libvirt.org", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
                 0, 0);
    /* Key usage:dig-sig:critical (no cert-sign bit on a CA) */
    TLS_ROOT_REQ(cacert6req,
                 "UK", "libvirt CA 6", NULL, NULL, NULL, NULL,
                 true, true, true,
                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
                 false, false, NULL, NULL,
                 0, 0);
    TLS_CERT_REQ(servercert6req, cacert6req,
                 "UK", "libvirt.org", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
                 0, 0);

    /* CA 4 carries a NON-critical keyUsage of digitalSignature only, i.e.
     * without keyCertSign. Technically a CA cert with basic constraints
     * whose keyUsage lacks cert signing should be rejected even when the
     * extension is non-critical. GNUTLS < 3.1 does not reject it and we
     * don't anticipate them changing this behaviour, hence the
     * version-dependent expectation. CA 5 (no basicConstraints) and CA 6
     * (critical keyUsage without keyCertSign) must always be rejected.
     */
    DO_CTX_TEST(true, cacert4req.filename, servercert4req.filename,
                (GNUTLS_VERSION_MAJOR == 3 && GNUTLS_VERSION_MINOR >= 1) ||
                GNUTLS_VERSION_MAJOR > 3);
    DO_CTX_TEST(true, cacert5req.filename, servercert5req.filename, true);
    DO_CTX_TEST(true, cacert6req.filename, servercert6req.filename, true);


    /* Various good servers */
    /* no usage or purpose */
    TLS_CERT_REQ(servercert7req, cacertreq,
                 "UK", "libvirt", NULL, NULL, NULL, NULL,
                 true, true, false,
                 false, false, 0,
                 false, false, NULL, NULL,
                 0, 0);
    /* usage:cert-sign+dig-sig+encipher:critical */
    TLS_CERT_REQ(servercert8req, cacertreq,
                 "UK", "libvirt", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_KEY_CERT_SIGN,
                 false, false, NULL, NULL,
                 0, 0);
    /* usage:cert-sign:not-critical (contrast with servercert14req below,
     * where the same usage marked critical must be rejected) */
    TLS_CERT_REQ(servercert9req, cacertreq,
                 "UK", "libvirt", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, false, GNUTLS_KEY_KEY_CERT_SIGN,
                 false, false, NULL, NULL,
                 0, 0);
    /* purpose:server:critical */
    TLS_CERT_REQ(servercert10req, cacertreq,
                 "UK", "libvirt", NULL, NULL, NULL, NULL,
                 true, true, false,
                 false, false, 0,
                 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
                 0, 0);
    /* purpose:server:not-critical */
    TLS_CERT_REQ(servercert11req, cacertreq,
                 "UK", "libvirt", NULL, NULL, NULL, NULL,
                 true, true, false,
                 false, false, 0,
                 true, false, GNUTLS_KP_TLS_WWW_SERVER, NULL,
                 0, 0);
    /* purpose:client+server:critical */
    TLS_CERT_REQ(servercert12req, cacertreq,
                 "UK", "libvirt", NULL, NULL, NULL, NULL,
                 true, true, false,
                 false, false, 0,
                 true, true, GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
                 0, 0);
    /* purpose:client+server:not-critical */
    TLS_CERT_REQ(servercert13req, cacertreq,
                 "UK", "libvirt", NULL, NULL, NULL, NULL,
                 true, true, false,
                 false, false, 0,
                 true, false, GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
                 0, 0);

    DO_CTX_TEST(true, cacertreq.filename, servercert7req.filename, false);
    DO_CTX_TEST(true, cacertreq.filename, servercert8req.filename, false);
    DO_CTX_TEST(true, cacertreq.filename, servercert9req.filename, false);
    DO_CTX_TEST(true, cacertreq.filename, servercert10req.filename, false);
    DO_CTX_TEST(true, cacertreq.filename, servercert11req.filename, false);
    DO_CTX_TEST(true, cacertreq.filename, servercert12req.filename, false);
    DO_CTX_TEST(true, cacertreq.filename, servercert13req.filename, false);
    /* Bad servers: each of these must be refused at context creation so a
     * misconfigured identity is caught at start-up, not at handshake time */

    /* usage:cert-sign:critical (no dig-sig/encipher bit for a server) */
    TLS_CERT_REQ(servercert14req, cacertreq,
                 "UK", "libvirt", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
                 false, false, NULL, NULL,
                 0, 0);
    /* purpose:client:critical (wrong purpose for a server) */
    TLS_CERT_REQ(servercert15req, cacertreq,
                 "UK", "libvirt", NULL, NULL, NULL, NULL,
                 true, true, false,
                 false, false, 0,
                 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
                 0, 0);
    /* usage: none:critical (critical keyUsage with no bits set) */
    TLS_CERT_REQ(servercert16req, cacertreq,
                 "UK", "libvirt", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true, 0,
                 false, false, NULL, NULL,
                 0, 0);

    DO_CTX_TEST(true, cacertreq.filename, servercert14req.filename, true);
    DO_CTX_TEST(true, cacertreq.filename, servercert15req.filename, true);
    DO_CTX_TEST(true, cacertreq.filename, servercert16req.filename, true);



    /* Various good clients (mirror of the good-server cases above) */
    /* no usage or purpose */
    TLS_CERT_REQ(clientcert1req, cacertreq,
                 "UK", "libvirt", NULL, NULL, NULL, NULL,
                 true, true, false,
                 false, false, 0,
                 false, false, NULL, NULL,
                 0, 0);
    /* usage:cert-sign+dig-sig+encipher:critical */
    TLS_CERT_REQ(clientcert2req, cacertreq,
                 "UK", "libvirt", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_KEY_CERT_SIGN,
                 false, false, NULL, NULL,
                 0, 0);
    /* usage:cert-sign:not-critical (contrast with clientcert8req below) */
    TLS_CERT_REQ(clientcert3req, cacertreq,
                 "UK", "libvirt", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, false, GNUTLS_KEY_KEY_CERT_SIGN,
                 false, false, NULL, NULL,
                 0, 0);
    /* purpose:client:critical */
    TLS_CERT_REQ(clientcert4req, cacertreq,
                 "UK", "libvirt", NULL, NULL, NULL, NULL,
                 true, true, false,
                 false, false, 0,
                 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
                 0, 0);
    /* purpose:client:not-critical */
    TLS_CERT_REQ(clientcert5req, cacertreq,
                 "UK", "libvirt", NULL, NULL, NULL, NULL,
                 true, true, false,
                 false, false, 0,
                 true, false, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
                 0, 0);
    /* purpose:client+server:critical */
    TLS_CERT_REQ(clientcert6req, cacertreq,
                 "UK", "libvirt", NULL, NULL, NULL, NULL,
                 true, true, false,
                 false, false, 0,
                 true, true, GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
                 0, 0);
    /* purpose:client+server:not-critical */
    TLS_CERT_REQ(clientcert7req, cacertreq,
                 "UK", "libvirt", NULL, NULL, NULL, NULL,
                 true, true, false,
                 false, false, 0,
                 true, false, GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
                 0, 0);

    DO_CTX_TEST(false, cacertreq.filename, clientcert1req.filename, false);
    DO_CTX_TEST(false, cacertreq.filename, clientcert2req.filename, false);
    DO_CTX_TEST(false, cacertreq.filename, clientcert3req.filename, false);
    DO_CTX_TEST(false, cacertreq.filename, clientcert4req.filename, false);
    DO_CTX_TEST(false, cacertreq.filename, clientcert5req.filename, false);
    DO_CTX_TEST(false, cacertreq.filename, clientcert6req.filename, false);
    DO_CTX_TEST(false, cacertreq.filename, clientcert7req.filename, false);
    /* Bad clients (mirror of the bad-server cases above) */

    /* usage:cert-sign:critical (no dig-sig/encipher bit for a client) */
    TLS_CERT_REQ(clientcert8req, cacertreq,
                 "UK", "libvirt", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
                 false, false, NULL, NULL,
                 0, 0);
    /* purpose:server:critical (wrong purpose for a client) */
    TLS_CERT_REQ(clientcert9req, cacertreq,
                 "UK", "libvirt", NULL, NULL, NULL, NULL,
                 true, true, false,
                 false, false, 0,
                 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
                 0, 0);
    /* usage: none:critical (critical keyUsage with no bits set) */
    TLS_CERT_REQ(clientcert10req, cacertreq,
                 "UK", "libvirt", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true, 0,
                 false, false, NULL, NULL,
                 0, 0);

    DO_CTX_TEST(false, cacertreq.filename, clientcert8req.filename, true);
    DO_CTX_TEST(false, cacertreq.filename, clientcert9req.filename, true);
    DO_CTX_TEST(false, cacertreq.filename, clientcert10req.filename, true);



    /* Expired stuff: an expiry offset of -1 puts the cert in the past.
     * An expired CA, an expired server cert and an expired client cert
     * must each be refused. */

    TLS_ROOT_REQ(cacertexpreq,
                 "UK", "libvirt", NULL, NULL, NULL, NULL,
                 true, true, true,
                 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
                 false, false, NULL, NULL,
                 0, -1);
    TLS_CERT_REQ(servercertexpreq, cacertexpreq,
                 "UK", "libvirt.org", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
                 0, 0);
    TLS_CERT_REQ(servercertexp1req, cacertreq,
                 "UK", "libvirt", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
                 0, -1);
    TLS_CERT_REQ(clientcertexp1req, cacertreq,
                 "UK", "libvirt", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
                 0, -1);

    DO_CTX_TEST(true, cacertexpreq.filename, servercertexpreq.filename, true);
    DO_CTX_TEST(true, cacertreq.filename, servercertexp1req.filename, true);
    DO_CTX_TEST(false, cacertreq.filename, clientcertexp1req.filename, true);


    /* Not activated stuff: a start offset of 1 (expiry 2) puts the whole
     * validity window in the future. Same three cases as above, and each
     * must likewise be refused. */

    TLS_ROOT_REQ(cacertnewreq,
                 "UK", "libvirt", NULL, NULL, NULL, NULL,
                 true, true, true,
                 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
                 false, false, NULL, NULL,
                 1, 2);
    TLS_CERT_REQ(servercertnewreq, cacertnewreq,
                 "UK", "libvirt", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
                 0, 0);
    TLS_CERT_REQ(servercertnew1req, cacertreq,
                 "UK", "libvirt", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
                 1, 2);
    TLS_CERT_REQ(clientcertnew1req, cacertreq,
                 "UK", "libvirt", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
                 1, 2);

    DO_CTX_TEST(true, cacertnewreq.filename, servercertnewreq.filename, true);
    DO_CTX_TEST(true, cacertreq.filename, servercertnew1req.filename, true);
    DO_CTX_TEST(false, cacertreq.filename, clientcertnew1req.filename, true);

    /* Multi-level CA hierarchy:
     *   root -> level 1a -> level 2a -> server (libvirt.org)
     *   root -> level 1b -> client
     * The CA file handed to the context is a bundle holding the root and
     * all three intermediates, so this checks that a concatenated CA
     * file is loaded and that chains deeper than one level validate. */
    TLS_ROOT_REQ(cacertrootreq,
                 "UK", "libvirt root", NULL, NULL, NULL, NULL,
                 true, true, true,
                 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
                 false, false, NULL, NULL,
                 0, 0);
    TLS_CERT_REQ(cacertlevel1areq, cacertrootreq,
                 "UK", "libvirt level 1a", NULL, NULL, NULL, NULL,
                 true, true, true,
                 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
                 false, false, NULL, NULL,
                 0, 0);
    TLS_CERT_REQ(cacertlevel1breq, cacertrootreq,
                 "UK", "libvirt level 1b", NULL, NULL, NULL, NULL,
                 true, true, true,
                 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
                 false, false, NULL, NULL,
                 0, 0);
    TLS_CERT_REQ(cacertlevel2areq, cacertlevel1areq,
                 "UK", "libvirt level 2a", NULL, NULL, NULL, NULL,
                 true, true, true,
                 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
                 false, false, NULL, NULL,
                 0, 0);
    TLS_CERT_REQ(servercertlevel3areq, cacertlevel2areq,
                 "UK", "libvirt.org", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
                 0, 0);
    TLS_CERT_REQ(clientcertlevel2breq, cacertlevel1breq,
                 "UK", "libvirt client level 2b", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
                 0, 0);

    /* Order here is root first, then the intermediates */
    gnutls_x509_crt_t certchain[] = {
        cacertrootreq.crt,
        cacertlevel1areq.crt,
        cacertlevel1breq.crt,
        cacertlevel2areq.crt,
    };

    /* This file is not tracked by a testTLSCertReq, so it is removed
     * with an explicit unlink() at the end rather than testTLSDiscardCert */
    testTLSWriteCertChain("cacertchain-ctx.pem",
                          certchain,
                          G_N_ELEMENTS(certchain));

    VIR_WARNINGS_RESET

    DO_CTX_TEST(true, "cacertchain-ctx.pem", servercertlevel3areq.filename, false);
    DO_CTX_TEST(false, "cacertchain-ctx.pem", clientcertlevel2breq.filename, false);

    /* Missing files must be an error, never a silently CA-less context */
    DO_CTX_TEST(false, "cacertdoesnotexist.pem", "servercertdoesnotexist.pem", true);

    /* Discard every generated cert (one call per TLS_ROOT_REQ/TLS_CERT_REQ
     * above) so no key material is left behind in the test directory */
    testTLSDiscardCert(&cacertreq);
    testTLSDiscardCert(&cacert1req);
    testTLSDiscardCert(&cacert2req);
    testTLSDiscardCert(&cacert3req);
    testTLSDiscardCert(&cacert4req);
    testTLSDiscardCert(&cacert5req);
    testTLSDiscardCert(&cacert6req);

    testTLSDiscardCert(&servercertreq);
    testTLSDiscardCert(&servercert1req);
    testTLSDiscardCert(&servercert2req);
    testTLSDiscardCert(&servercert3req);
    testTLSDiscardCert(&servercert4req);
    testTLSDiscardCert(&servercert5req);
    testTLSDiscardCert(&servercert6req);
    testTLSDiscardCert(&servercert7req);
    testTLSDiscardCert(&servercert8req);
    testTLSDiscardCert(&servercert9req);
    testTLSDiscardCert(&servercert10req);
    testTLSDiscardCert(&servercert11req);
    testTLSDiscardCert(&servercert12req);
    testTLSDiscardCert(&servercert13req);
    testTLSDiscardCert(&servercert14req);
    testTLSDiscardCert(&servercert15req);
    testTLSDiscardCert(&servercert16req);

    testTLSDiscardCert(&clientcertreq);
    testTLSDiscardCert(&clientcert1req);
    testTLSDiscardCert(&clientcert2req);
    testTLSDiscardCert(&clientcert3req);
    testTLSDiscardCert(&clientcert4req);
    testTLSDiscardCert(&clientcert5req);
    testTLSDiscardCert(&clientcert6req);
    testTLSDiscardCert(&clientcert7req);
    testTLSDiscardCert(&clientcert8req);
    testTLSDiscardCert(&clientcert9req);
    testTLSDiscardCert(&clientcert10req);

    testTLSDiscardCert(&cacertexpreq);
    testTLSDiscardCert(&servercertexpreq);
    testTLSDiscardCert(&servercertexp1req);
    testTLSDiscardCert(&clientcertexp1req);

    testTLSDiscardCert(&cacertnewreq);
    testTLSDiscardCert(&servercertnewreq);
    testTLSDiscardCert(&servercertnew1req);
    testTLSDiscardCert(&clientcertnew1req);

    testTLSDiscardCert(&cacertrootreq);
    testTLSDiscardCert(&cacertlevel1areq);
    testTLSDiscardCert(&cacertlevel1breq);
    testTLSDiscardCert(&cacertlevel2areq);
    testTLSDiscardCert(&servercertlevel3areq);
    testTLSDiscardCert(&clientcertlevel2breq);
    unlink("cacertchain-ctx.pem");

    /* Remove the shared private key file last */
    testTLSCleanup(KEYFILE);

    return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
634 
/* Entry point: runs mymain() with the "virrandom" mock preloaded
 * (presumably so that the randomness consumed while generating keys and
 * certs is deterministic -- confirm against the mock's source). */
VIR_TEST_MAIN_PRELOAD(mymain, VIR_TEST_MOCK("virrandom"))
636 
637 #else
638 
/* Built without the prerequisites checked at the top of this file
 * (non-Windows, libtasn1 header, GnuTLS >= 2.6): report the test as
 * skipped rather than passed, so a missing TLS build is visible. */
int
main(void)
{
    return EXIT_AM_SKIP;
}
644 
645 #endif
646