1#!/usr/bin/env bash
2#
3# Helpers for TLS related config
4#
5# Copyright (C) 2018 Red Hat, Inc.
6#
7# This program is free software; you can redistribute it and/or modify
8# it under the terms of the GNU General Public License as published by
9# the Free Software Foundation; either version 2 of the License, or
10# (at your option) any later version.
11#
12# This program is distributed in the hope that it will be useful,
13# but WITHOUT ANY WARRANTY; without even the implied warranty of
14# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15# GNU General Public License for more details.
16#
17# You should have received a copy of the GNU General Public License
18# along with this program.  If not, see <http://www.gnu.org/licenses/>.
19#
20
# Scratch directory for every key, certificate and symlink generated by
# the helpers below (hangs off the test's TEST_DIR).
tls_dir=${TEST_DIR}/tls
22
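#######################################
# Remove everything created under ${tls_dir} and the directory itself.
# Globals:   tls_dir (read)
# Returns:   1 without touching anything when tls_dir is empty/unset,
#            otherwise the status of the final rmdir
#######################################
tls_x509_cleanup()
{
    # With an empty tls_dir the globs below would expand relative to "/";
    # refuse rather than remove files outside the test tree.
    if test -z "${tls_dir}"; then
        echo "tls_x509_cleanup: tls_dir is not set, refusing to remove files" >&2
        return 1
    fi

    # -f makes both calls a no-op when a pattern matches nothing (the
    # unmatched pattern is then passed literally).  Symlinks created by
    # tls_x509_create_server/client end in .pem too and are removed here.
    rm -f "${tls_dir}"/*.pem
    rm -f "${tls_dir}"/*/*.pem

    # An unmatched "*" would be handed to rmdir as a literal name and
    # produce an error; only remove entries that really are directories.
    local d
    for d in "${tls_dir}"/*; do
        if test -d "$d"; then
            rmdir "$d"
        fi
    done

    rmdir "${tls_dir}"
}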
30
31
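#######################################
# Run certtool with the given arguments, keeping the test output stable.
# Globals:   tls_dir (read; a temporary certtool.log is created there)
# Arguments: passed straight through to certtool
# Outputs:   on success only the first line certtool printed, on failure
#            its complete stdout+stderr
# Returns:   certtool's exit status
#######################################
tls_certtool()
{
    local rc=0
    local log="${tls_dir}/certtool.log"

    # Capture both streams so a failed run shows certtool's diagnostics.
    certtool "$@" 1>"${log}" 2>&1 || rc=$?
    if test "${rc}" = 0; then
        head -n 1 "${log}"
    else
        cat "${log}"
    fi
    rm -f "${log}"

    # Propagate certtool's status so callers can detect a failed generation
    # instead of silently continuing with a missing certificate.
    return "${rc}"
}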
42
#######################################
# Prepare ${tls_dir} and install the shared private key used by all of
# the certificate helpers.
# Globals:   tls_dir (read)
# Outputs:   ${tls_dir}/key.pem
# Side effects: calls _notrun (skips the test) when certtool is missing
#######################################
tls_x509_init()
{
    # Skip, rather than fail, the test on hosts without GnuTLS certtool.
    if ! certtool --help >/dev/null 2>&1; then
        _notrun "certtool utility not found, skipping test"
    fi

    mkdir -p "${tls_dir}"

    # A fixed RSA key that ships with the test suite, so no system entropy
    # is consumed per run.  It is not secret and is only ever meant to be
    # used by these tests.
    cat > "${tls_dir}/key.pem" <<EOF
-----BEGIN PRIVATE KEY-----
MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBALVcr
BL40Tm6yq88FBhJNw1aaoCjmtg0l4dWQZ/e9Fimx4ARxFpT+ji4FE
Cgl9s/SGqC+1nvlkm9ViSo0j7MKDbnDB+VRHDvMAzQhA2X7e8M0n9
rPolUY2lIVC83q0BBaOBkCj2RSmT2xTEbbC2xLukSrg2WP/ihVOxc
kXRuyFtzAgMBAAECgYB7slBexDwXrtItAMIH6m/U+LUpNe0Xx48OL
IOn4a4whNgO/o84uIwygUK27ZGFZT0kAGAk8CdF9hA6ArcbQ62s1H
myxrUbF9/mrLsQw1NEqpuUk9Ay2Tx5U/wPx35S3W/X2AvR/ZpTnCn
2q/7ym9fyiSoj86drD7BTvmKXlOnOwQJBAPOFMp4mMa9NGpGuEssO
m3Uwbp6lhcP0cA9MK+iOmeANpoKWfBdk5O34VbmeXnGYWEkrnX+9J
bM4wVhnnBWtgBMCQQC+qAEmvwcfhauERKYznMVUVksyeuhxhCe7EK
mPh+U2+g0WwdKvGDgO0PPt1gq0ILEjspMDeMHVdTwkaVBo/uMhAkA
Z5SsZyCP2aTOPFDypXRdI4eqRcjaEPOUBq27r3uYb/jeboVb2weLa
L1MmVuHiIHoa5clswPdWVI2y0em2IGoDAkBPSp/v9VKJEZabk9Frd
a+7u4fanrM9QrEjY3KhduslSilXZZSxrWjjAJPyPiqFb3M8XXA26W
nz1KYGnqYKhLcBAkB7dt57n9xfrhDpuyVEv+Uv1D3VVAhZlsaZ5Pp
dcrhrkJn2sa/+O8OKvdrPSeeu/N5WwYhJf61+CPoenMp7IFci
-----END PRIVATE KEY-----
EOF
}
73
74
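#######################################
# Generate a self-signed CA certificate.
# Globals:   tls_dir (read)
# Arguments: $1 - base name for the CA (default "ca-cert"); the
#                 certificate lands in ${tls_dir}/$1-cert.pem
# Outputs:   whatever tls_certtool prints
# Requires:  tls_x509_init (for ${tls_dir}/key.pem)
#######################################
tls_x509_create_root_ca()
{
    # local: keep $name from leaking into the calling test script.
    local name=${1:-ca-cert}
    local info="${tls_dir}/ca.info"

    # certtool template: a CA whose key may sign certificates.
    cat > "${info}" <<EOF
cn = Cthulhu Dark Lord Enterprises $name
ca
cert_signing_key
EOF

    # The CA uses the same fixed test key as every leaf certificate.
    tls_certtool \
        --generate-self-signed \
        --load-privkey "${tls_dir}/key.pem" \
        --template "${info}" \
        --outfile "${tls_dir}/$name-cert.pem"

    rm -f "${info}"
}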
93
94
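#######################################
# Generate a server certificate signed by a CA from tls_x509_create_root_ca.
# Globals:   tls_dir (read)
# Arguments: $1 - CA base name (reads ${tls_dir}/$1-cert.pem)
#            $2 - server name; everything goes into ${tls_dir}/$2/
# Outputs:   ${tls_dir}/$2/server-cert.pem plus ca-cert.pem and
#            server-key.pem symlinks, so the directory is self-contained
# Requires:  tls_x509_init and tls_x509_create_root_ca "$1"
#######################################
tls_x509_create_server()
{
    # local: do not clobber $caname/$name in the calling test script.
    local caname=$1
    local name=$2
    local info="${tls_dir}/cert.info"

    mkdir -p "${tls_dir}/$name"

    # Template: a TLS server certificate valid only for localhost names
    # and the loopback addresses.
    cat > "${info}" <<EOF
organization = Cthulhu Dark Lord Enterprises $name
cn = localhost
dns_name = localhost
dns_name = localhost.localdomain
ip_address = 127.0.0.1
ip_address = ::1
tls_www_server
encryption_key
signing_key
EOF

    # CA key and server key are the same fixed test key (see tls_x509_init).
    tls_certtool \
        --generate-certificate \
        --load-ca-privkey "${tls_dir}/key.pem" \
        --load-ca-certificate "${tls_dir}/$caname-cert.pem" \
        --load-privkey "${tls_dir}/key.pem" \
        --template "${info}" \
        --outfile "${tls_dir}/$name/server-cert.pem"

    ln -s "${tls_dir}/$caname-cert.pem" "${tls_dir}/$name/ca-cert.pem"
    ln -s "${tls_dir}/key.pem" "${tls_dir}/$name/server-key.pem"

    rm -f "${info}"
}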
126
127
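#######################################
# Generate a client certificate signed by a CA from tls_x509_create_root_ca.
# Globals:   tls_dir (read)
# Arguments: $1 - CA base name (reads ${tls_dir}/$1-cert.pem)
#            $2 - client name; everything goes into ${tls_dir}/$2/
# Outputs:   ${tls_dir}/$2/client-cert.pem plus ca-cert.pem and
#            client-key.pem symlinks, so the directory is self-contained
# Requires:  tls_x509_init and tls_x509_create_root_ca "$1"
#######################################
tls_x509_create_client()
{
    # local: do not clobber $caname/$name in the calling test script.
    local caname=$1
    local name=$2
    local info="${tls_dir}/cert.info"

    mkdir -p "${tls_dir}/$name"

    # Template: a TLS client certificate (no dns_name/ip_address entries,
    # unlike the server template).
    cat > "${info}" <<EOF
country = South Pacific
locality =  R'lyeh
organization = Cthulhu Dark Lord Enterprises $name
cn = localhost
tls_www_client
encryption_key
signing_key
EOF

    # CA key and client key are the same fixed test key (see tls_x509_init).
    tls_certtool \
        --generate-certificate \
        --load-ca-privkey "${tls_dir}/key.pem" \
        --load-ca-certificate "${tls_dir}/$caname-cert.pem" \
        --load-privkey "${tls_dir}/key.pem" \
        --template "${info}" \
        --outfile "${tls_dir}/$name/client-cert.pem"

    ln -s "${tls_dir}/$caname-cert.pem" "${tls_dir}/$name/ca-cert.pem"
    ln -s "${tls_dir}/key.pem" "${tls_dir}/$name/client-key.pem"

    rm -f "${info}"
}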
157