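/*
 * Copyright (C) 2015 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library.  If not, see
 * <http://www.gnu.org/licenses/>.
 *
 * Author: Daniel P. Berrange <berrange@redhat.com>
 */

#ifndef TESTS_CRYPTO_TLS_X509_HELPERS_H
#define TESTS_CRYPTO_TLS_X509_HELPERS_H

#include <gnutls/gnutls.h>
#include <gnutls/x509.h>

/*
 * NOTE: 'bool' and 'size_t' are used below but not pulled in here; the
 * including .c file must already have <stdbool.h>/<stddef.h> in scope
 * (in QEMU that normally comes from qemu/osdep.h, included first).
 */

/* Subject CN used for the well-behaved test client certificate. */
#define QCRYPTO_TLS_TEST_CLIENT_NAME "ACME QEMU Client"
/*
 * Subject CN for a client certificate the tests treat as not
 * legitimate (presumably one the verifying side is expected to
 * reject; check the callers for the exact expectation).
 */
#define QCRYPTO_TLS_TEST_CLIENT_HOSTILE_NAME "ACME Hostile Client"

/*
 * Parameters describing one X.509 certificate to generate for a test,
 * plus the generated certificate object.
 *
 * The TLS_CERT_REQ / TLS_ROOT_REQ macros below initialize every member
 * by name, so the member order here is not load-bearing for them.
 */
typedef struct QCryptoTLSTestCertReq QCryptoTLSTestCertReq;
struct QCryptoTLSTestCertReq {
    /* Populated by test_tls_generate_cert(); NULL before generation. */
    gnutls_x509_crt_t crt;

    /* Path the certificate file is written to on disk. */
    const char *filename;

    /* Identifying information */
    const char *country;
    const char *cn;
    /*
     * Alternative names: altname* hold hostnames, ipaddr* hold IP
     * address strings (see TLS_CERT_REQ_SIMPLE_SERVER); NULL = unused.
     * Presumably emitted as subjectAltName entries -- confirm in
     * test_tls_generate_cert().
     */
    const char *altname1;
    const char *altname2;
    const char *ipaddr1;
    const char *ipaddr2;

    /*
     * Basic constraints.  The *Enable / *Critical pairs below look like
     * "emit the extension at all" / "mark it critical" -- verify against
     * test_tls_generate_cert().  IsCA is what lets a test build a CA
     * versus a leaf certificate.
     */
    bool basicConstraintsEnable;
    bool basicConstraintsCritical;
    bool basicConstraintsIsCA;

    /* Key usage: bitmask of GNUTLS_KEY_* flags (e.g. GNUTLS_KEY_KEY_CERT_SIGN) */
    bool keyUsageEnable;
    bool keyUsageCritical;
    int keyUsageValue;

    /* Key purpose (aka Extended key usage): GNUTLS_KP_* OID strings, NULL = unused */
    bool keyPurposeEnable;
    bool keyPurposeCritical;
    const char *keyPurposeOID1;
    const char *keyPurposeOID2;

    /* zero for current time, or non-zero for hours from now */
    int start_offset;
    /*
     * zero for 24 hours from now, or non-zero for hours from now
     * (a negative value presumably yields an already-expired
     * certificate -- confirm in test_tls_generate_cert()).
     */
    int expire_offset;
};

/*
 * Generate the certificate described by 'req', signed by 'ca', or
 * self-signed when 'ca' is NULL (that is how TLS_ROOT_REQ* use it).
 * Fills in req->crt and writes the certificate to req->filename.
 */
void test_tls_generate_cert(QCryptoTLSTestCertReq *req,
                            gnutls_x509_crt_t ca);
/* Write the 'ncerts' certificates in 'certs' to a single file 'filename'. */
void test_tls_write_cert_chain(const char *filename,
                               gnutls_x509_crt_t *certs,
                               size_t ncerts);
/*
 * Deinitialize the QCryptoTLSTestCertReq, but don't delete the certificate
 * file on disk. (The caller is then responsible for doing that themselves.)
 */
void test_tls_deinit_cert(QCryptoTLSTestCertReq *req);
/* Deinit the QCryptoTLSTestCertReq, and delete the certificate file */
void test_tls_discard_cert(QCryptoTLSTestCertReq *req);

/*
 * Per-test setup/teardown around the shared key file 'keyfile';
 * presumably test_tls_init creates it and test_tls_cleanup removes it.
 */
void test_tls_init(const char *keyfile);
void test_tls_cleanup(const char *keyfile);

/*
 * Define a file-scope QCryptoTLSTestCertReq 'varname' and generate its
 * certificate, signed by the already-generated CA request 'cavarname'.
 * The certificate is written to WORKDIR "<varname>-ctx.pem"; WORKDIR must
 * be a string literal defined by the including file.
 *
 * Members are initialized by name so the macro does not depend on the
 * struct's member order.  The parameter names are deliberately different
 * from the member names: a macro parameter is substituted everywhere in
 * the replacement list, including the identifier after the '.' of a
 * designated initializer, so e.g. a parameter called 'country' would
 * also clobber '.country'.
 */
# define TLS_CERT_REQ(varname, cavarname,                               \
                      countrycode, commonname,                          \
                      altname_a, altname_b,                             \
                      ipaddr_a, ipaddr_b,                               \
                      basicconsenable, basicconscritical, basicconsca,  \
                      keyusageenable, keyusagecritical, keyusagevalue,  \
                      keypurposeenable, keypurposecritical,             \
                      keypurposeoid1, keypurposeoid2,                   \
                      startoffset, endoffset)                           \
    static QCryptoTLSTestCertReq varname = {                            \
        .crt = NULL,                                                    \
        .filename = WORKDIR #varname "-ctx.pem",                        \
        .country = countrycode,                                         \
        .cn = commonname,                                               \
        .altname1 = altname_a,                                          \
        .altname2 = altname_b,                                          \
        .ipaddr1 = ipaddr_a,                                            \
        .ipaddr2 = ipaddr_b,                                            \
        .basicConstraintsEnable = basicconsenable,                      \
        .basicConstraintsCritical = basicconscritical,                  \
        .basicConstraintsIsCA = basicconsca,                            \
        .keyUsageEnable = keyusageenable,                               \
        .keyUsageCritical = keyusagecritical,                           \
        .keyUsageValue = keyusagevalue,                                 \
        .keyPurposeEnable = keypurposeenable,                           \
        .keyPurposeCritical = keypurposecritical,                       \
        .keyPurposeOID1 = keypurposeoid1,                               \
        .keyPurposeOID2 = keypurposeoid2,                               \
        .start_offset = startoffset,                                    \
        .expire_offset = endoffset,                                     \
    };                                                                  \
    test_tls_generate_cert(&varname, cavarname.crt)

/*
 * Same as TLS_CERT_REQ but the certificate is self-signed (NULL CA), i.e.
 * this is how a test defines its root CA.  Same parameter-naming caveat.
 */
# define TLS_ROOT_REQ(varname,                                          \
                      countrycode, commonname,                          \
                      altname_a, altname_b,                             \
                      ipaddr_a, ipaddr_b,                               \
                      basicconsenable, basicconscritical, basicconsca,  \
                      keyusageenable, keyusagecritical, keyusagevalue,  \
                      keypurposeenable, keypurposecritical,             \
                      keypurposeoid1, keypurposeoid2,                   \
                      startoffset, endoffset)                           \
    static QCryptoTLSTestCertReq varname = {                            \
        .crt = NULL,                                                    \
        .filename = WORKDIR #varname "-ctx.pem",                        \
        .country = countrycode,                                         \
        .cn = commonname,                                               \
        .altname1 = altname_a,                                          \
        .altname2 = altname_b,                                          \
        .ipaddr1 = ipaddr_a,                                            \
        .ipaddr2 = ipaddr_b,                                            \
        .basicConstraintsEnable = basicconsenable,                      \
        .basicConstraintsCritical = basicconscritical,                  \
        .basicConstraintsIsCA = basicconsca,                            \
        .keyUsageEnable = keyusageenable,                               \
        .keyUsageCritical = keyusagecritical,                           \
        .keyUsageValue = keyusagevalue,                                 \
        .keyPurposeEnable = keypurposeenable,                           \
        .keyPurposeCritical = keypurposecritical,                       \
        .keyPurposeOID1 = keypurposeoid1,                               \
        .keyPurposeOID2 = keypurposeoid2,                               \
        .start_offset = startoffset,                                    \
        .expire_offset = endoffset,                                     \
    };                                                                  \
    test_tls_generate_cert(&varname, NULL)

/*
 * Convenience forms used by tests that only need a plain CA plus
 * ordinary client/server leaf certificates.  Unlike the macros above
 * these define a non-static 'varname' (block-scope use) and take the
 * output file name explicitly; unset members are zero/NULL.
 *
 * Self-signed CA: critical basicConstraints (CA:TRUE) and critical
 * keyUsage restricted to certificate signing.
 */
# define TLS_ROOT_REQ_SIMPLE(varname, fname)                            \
    QCryptoTLSTestCertReq varname = {                                   \
        .filename = fname,                                              \
        .cn = "qemu-CA",                                                \
        .basicConstraintsEnable = true,                                 \
        .basicConstraintsCritical = true,                               \
        .basicConstraintsIsCA = true,                                   \
        .keyUsageEnable = true,                                         \
        .keyUsageCritical = true,                                       \
        .keyUsageValue = GNUTLS_KEY_KEY_CERT_SIGN,                      \
    };                                                                  \
    test_tls_generate_cert(&varname, NULL)

/*
 * Client leaf certificate with CN 'cname' (e.g. one of the
 * QCRYPTO_TLS_TEST_CLIENT_* names), CA:FALSE, and an extended key usage
 * of TLS WWW client, signed by 'cavarname'.
 */
# define TLS_CERT_REQ_SIMPLE_CLIENT(varname, cavarname, cname, fname)   \
    QCryptoTLSTestCertReq varname = {                                   \
        .filename = fname,                                              \
        .cn = cname,                                                    \
        .basicConstraintsEnable = true,                                 \
        .basicConstraintsCritical = true,                               \
        .basicConstraintsIsCA = false,                                  \
        .keyUsageEnable = true,                                         \
        .keyUsageCritical = true,                                       \
        .keyUsageValue =                                                \
        GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,     \
        .keyPurposeEnable = true,                                       \
        .keyPurposeCritical = true,                                     \
        .keyPurposeOID1 = GNUTLS_KP_TLS_WWW_CLIENT,                     \
    };                                                                  \
    test_tls_generate_cert(&varname, cavarname.crt)

/*
 * Server leaf certificate for 'hostname' and/or 'ipaddr' (either may be
 * NULL; the CN falls back to the IP address when there is no hostname),
 * CA:FALSE, extended key usage TLS WWW server, signed by 'cavarname'.
 */
# define TLS_CERT_REQ_SIMPLE_SERVER(varname, cavarname, fname,          \
                                    hostname, ipaddr)                   \
    QCryptoTLSTestCertReq varname = {                                   \
        .filename = fname,                                              \
        .cn = hostname ? hostname : ipaddr,                             \
        .altname1 = hostname,                                           \
        .ipaddr1 = ipaddr,                                              \
        .basicConstraintsEnable = true,                                 \
        .basicConstraintsCritical = true,                               \
        .basicConstraintsIsCA = false,                                  \
        .keyUsageEnable = true,                                         \
        .keyUsageCritical = true,                                       \
        .keyUsageValue =                                                \
        GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,     \
        .keyPurposeEnable = true,                                       \
        .keyPurposeCritical = true,                                     \
        .keyPurposeOID1 = GNUTLS_KP_TLS_WWW_SERVER,                     \
    };                                                                  \
    test_tls_generate_cert(&varname, cavarname.crt)

#endif /* TESTS_CRYPTO_TLS_X509_HELPERS_H */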