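#!/usr/bin/env bash
#
# Helpers for TLS related config
#
# Copyright (C) 2018 Red Hat, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#
# Usage: source this file after TEST_DIR has been set; it is read once,
# right below.  The helpers shell out to the GnuTLS command line tools
# (certtool, psktool) and put everything they generate under
# ${TEST_DIR}/tls.  tls_x509_cleanup removes all of it again.
#
# Everything created here is throwaway test material.  The RSA key
# embedded in tls_x509_init is committed to the source tree and therefore
# public, and it is shared by the CA, the server and the client.  None of
# these files provide any real security and must never be used outside
# the test suite.
#

tls_dir="${TEST_DIR}/tls"

# Remove the certificates, keys and PSK files created by the helpers in
# this file, then the per-role subdirectories and ${tls_dir} itself.
tls_x509_cleanup()
{
    # With TEST_DIR unset tls_dir would be "/tls"; refuse to run rather
    # than let the globs below remove anything outside the test tree.
    if test -z "${TEST_DIR}"; then
        echo "tls_x509_cleanup: TEST_DIR is not set, not removing ${tls_dir}" >&2
        return 1
    fi

    rm -f "${tls_dir}"/*.pem
    rm -f "${tls_dir}"/*/*.pem
    rm -f "${tls_dir}"/*/*.psk
    rmdir "${tls_dir}"/*
    rmdir "${tls_dir}"
}


# Run a GnuTLS command line tool with stdout+stderr captured in
# ${tls_dir}/<tool>.log.  On success only the first line of the log is
# echoed, which keeps the reference output of the tests stable; on
# failure the whole log is echoed so the error is visible in the test
# output.  The log file is removed either way.
#
# $1   - tool to run (certtool, psktool, ...)
# $2.. - arguments passed through unchanged
# Returns the exit status of the tool.
tls_run_logged()
{
    local tool="$1"
    local log="${tls_dir}/${tool}.log"
    local rc
    shift

    "${tool}" "$@" 1>"${log}" 2>&1
    rc=$?
    if test "${rc}" = 0; then
        head -n 1 "${log}"
    else
        cat "${log}"
    fi
    rm -f "${log}"
    return "${rc}"
}

# certtool wrapper, output captured in ${tls_dir}/certtool.log
tls_certtool()
{
    tls_run_logged certtool "$@"
}

# psktool wrapper, output captured in ${tls_dir}/psktool.log
tls_psktool()
{
    tls_run_logged psktool "$@"
}


# Skip the test when certtool is unavailable, create ${tls_dir} and write
# the fixed RSA private key (${tls_dir}/key.pem) used by every
# certificate the other helpers create.
tls_x509_init()
{
    (certtool --help) >/dev/null 2>&1 || \
        _notrun "certtool utility not found, skipping test"

    mkdir -p "${tls_dir}"

    # use a fixed key so we don't waste system entropy on
    # each test run
    #
    # NOTE: this key is public (it lives in the source tree) and is
    # shared by the CA, server and client certificates, so the
    # credentials built from it are only ever fit for these tests.
    cat > "${tls_dir}/key.pem" <<EOF
-----BEGIN RSA PRIVATE KEY-----
MIIG5AIBAAKCAYEAyjWyLSNm5PZvYUKUcDWGqbLX10b2ood+YaFjWSnJrqx/q3qh
rVGBJglD25AJENJsmZF3zPP1oMhfIxsXu63Hdkb6Rdlc2RUoUP34x9VC1izH25mR
6c8DPDp1d6IraZ/llDMI1HsBFz0qGWtvOHgm815XG4PAr/N8rDsuqfv/cJ01KlnO
0OdO5QRXCJf9g/dYd41MPu7wOXk9FqjQlmRoP59HgtJ+zUpE4z+Keruw9cMT9VJj
0oT+pQ9ysenqeZ3gbT224T1khrEhT5kifhtFLNyDssRchUUWH0hiqoOO1vgb+850
W6/1VdxvuPam48py4diSPi1Vip8NITCOBaX9FIpVp4Ruw4rTPVMNMjq9Cpx/DwMP
9MbfXfnaVaZaMrmq67/zPhl0eVbUrecH2hQ3ZB9oIF4GkNskzlWF5+yPy6zqk304
AKaiFR6jRyh3YfHo2XFqV8x/hxdsIEXOtEUGhSIcpynsW+ckUCartzu7xbhXjd4b
kxJT89+riPFYij09AgMBAAECggGBAKyFkaZXXROeejrmHlV6JZGlp+fhgM38gkRz
+Jp7P7rLLAY3E7gXIPQ91WqAAmwazFNdvHPd9USfkCQYmnAi/VoZhrCPmlsQZRxt
A5QjjOnEvSPMa6SrXZxGWDCg6R8uMCb4P+FhrPWR1thnRDZOtRTQ+crc50p3mHgt
6ktXWIJRbqnag8zSfQqCYGtRmhe8sfsWT+Yl4El4+jjaAVU/B364u7+PLmaiphGp
BdJfTsTwEpgtGkPj+osDmhzXcZkfq3V+fz5JLkemsCiQKmn4VJRpg8c3ZmE8NPNt
gRtGWZ4W3WKDvhotT65WpQx4+6R8Duux/blNPBmH1Upmwd7kj7GYFBArbCjgd9PT
xgfCSUZpgOZHHkcgSB+022a8XncXna7WYYij28SLtwImFyu0nNtqECFQHH5u+k6C
LRYBSN+3t3At8dQuk01NVrJBndmjmXRfxpqUtTdeaNgVpdUYRY98s30G68NYGSra
aEvhhRSghkcLNetkobpY9pUgeqW/tQKBwQDZHHK9nDMt/zk1TxtILeUSitPXcv1/
8ufXqO0miHdH23XuXhIEA6Ef26RRVGDGgpjkveDJK/1w5feJ4H/ni4Vclil/cm38
OwRqjjd7ElHJX6JQbsxEx/gNTk5/QW1iAL9TXUalgepsSXYT6AJ0/CJv0jmJSJ36
YoKMOM8uqzb2KhN6i+RlJRi5iY53kUhWTJq5ArWvNhUzQNSYODI4bNxlsKSBL2Ik
LZ5QKHuaEjQet0IlPlfIb4PzMm8CHa/urOcCgcEA7m3zW/lL5bIFoKPjWig5Lbn1
aHfrG2ngqzWtgWtfZqMH8OkZc1Mdhhmvd46titjiLjeI+UP/uHXR0068PnrNngzl
tTgwlakzu+bWzqhBm1F+3/341st/FEk07r0P/3/PhezVjwfO8c8Exj7pLxH4wrH0
ROHgDbClmlJRu6OO78wk1+Vapf5DWa8YfA+q+fdvr7KvgGyytheKMT/b/dsqOq7y
qZPjmaJKWAvV3RWG8lWHFSdHx2IAHMHfGr17Y/w7AoHBALzwZeYebeekiVucGSjq
T8SgLhT7zCIx+JMUPjVfYzaUhP/Iu7Lkma6IzWm9nW6Drpy5pUpMzwUWDCLfzU9q
eseFIl337kEn9wLn+t5OpgAyCqYmlftxbqvdrrBN9uvnrJjWvqk/8wsDrw9JxAGc
fjeD4nBXUqvYWLXApoR9mZoGKedmoH9pFig4zlO9ig8YITnKYuQ0k6SD0b8agJHc
Ir0YSUDnRGgpjvFBGbeOCe+FGbohk/EpItJc3IAh5740lwKBwAdXd2DjokSmYKn7
oeqKxofz6+yVlLW5YuOiuX78sWlVp87xPolgi84vSEnkKM/Xsc8+goc6YstpRVa+
W+mImoA9YW1dF5HkLeWhTAf9AlgoAEIhbeIfTgBv6KNZSv7RDrDPBBxtXx/vAfSg
x0ldwk0scZsVYXLKd67yzfV7KdGUdaX4N/xYgfZm/9gCG3+q8NN2KxVHQ5F71BOE
JeABOaGo9WvnU+DNMIDZjHJMUWVw4MHz/a/UArDf/2CxaPVBNQKBwASg6j4ohSTk
J7aE6RQ3OBmmDDpixcoCJt9u9SjHVYMlbs5CEJGVSczk0SG3y8P1lOWNDSRnMksZ
xWnHdP/ogcuYMuvK7UACNAF0zNddtzOhzcpNmejFj+WCHYY/UmPr2/Kf6t7Cxk2K
3cZ4tqWsiTmBT8Bknmah7L5DrhS+ZBJliDeFAA8fZHdMH0Xjr4UBp9kF90EMTdW1
Xr5uz7ZrMsYpYQI7mmyqV9SSjUg4iBXwVSoag1iDJ1K8Qg/L7Semgg==
-----END RSA PRIVATE KEY-----
EOF
}


# Create a self-signed CA certificate ${tls_dir}/<name>-cert.pem, using
# the shared key written by tls_x509_init.  The certtool template is
# written to ${tls_dir}/ca.info and removed afterwards.
#
# $1 - base name of the CA certificate (default: ca-cert)
tls_x509_create_root_ca()
{
    local name=${1:-ca-cert}

    cat > "${tls_dir}/ca.info" <<EOF
cn = Cthulhu Dark Lord Enterprises $name
ca
cert_signing_key
EOF

    tls_certtool \
        --generate-self-signed \
        --load-privkey "${tls_dir}/key.pem" \
        --template "${tls_dir}/ca.info" \
        --outfile "${tls_dir}/$name-cert.pem"

    rm -f "${tls_dir}/ca.info"
}


# Create a server certificate signed by the CA <caname> and lay out a
# complete server credential directory ${tls_dir}/<name>/ containing
# server-cert.pem plus ca-cert.pem and server-key.pem as symlinks to the
# shared CA cert and key.
#
# $1 - base name of the CA created by tls_x509_create_root_ca
# $2 - name of the server credential directory
tls_x509_create_server()
{
    local caname=$1
    local name=$2

    # We don't include 'localhost' in the cert, as
    # we want to keep it unlisted to let tests
    # validate hostname override
    mkdir -p "${tls_dir}/$name"
    cat > "${tls_dir}/cert.info" <<EOF
organization = Cthulhu Dark Lord Enterprises $name
cn = iotests.qemu.org
ip_address = 127.0.0.1
ip_address = ::1
tls_www_server
encryption_key
signing_key
EOF

    tls_certtool \
        --generate-certificate \
        --load-ca-privkey "${tls_dir}/key.pem" \
        --load-ca-certificate "${tls_dir}/$caname-cert.pem" \
        --load-privkey "${tls_dir}/key.pem" \
        --template "${tls_dir}/cert.info" \
        --outfile "${tls_dir}/$name/server-cert.pem"

    ln -s "${tls_dir}/$caname-cert.pem" "${tls_dir}/$name/ca-cert.pem"
    ln -s "${tls_dir}/key.pem" "${tls_dir}/$name/server-key.pem"

    rm -f "${tls_dir}/cert.info"
}


# Create a client certificate signed by the CA <caname> and lay out a
# complete client credential directory ${tls_dir}/<name>/ containing
# client-cert.pem plus ca-cert.pem and client-key.pem as symlinks to the
# shared CA cert and key.
#
# $1 - base name of the CA created by tls_x509_create_root_ca
# $2 - name of the client credential directory
tls_x509_create_client()
{
    local caname=$1
    local name=$2

    mkdir -p "${tls_dir}/$name"
    cat > "${tls_dir}/cert.info" <<EOF
country = South Pacific
locality = R'lyeh
organization = Cthulhu Dark Lord Enterprises $name
cn = localhost
tls_www_client
encryption_key
signing_key
EOF

    tls_certtool \
        --generate-certificate \
        --load-ca-privkey "${tls_dir}/key.pem" \
        --load-ca-certificate "${tls_dir}/$caname-cert.pem" \
        --load-privkey "${tls_dir}/key.pem" \
        --template "${tls_dir}/cert.info" \
        --outfile "${tls_dir}/$name/client-cert.pem"

    ln -s "${tls_dir}/$caname-cert.pem" "${tls_dir}/$name/ca-cert.pem"
    ln -s "${tls_dir}/key.pem" "${tls_dir}/$name/client-key.pem"

    rm -f "${tls_dir}/cert.info"
}


# Generate a pre-shared key for user <name> into
# ${tls_dir}/<name>/keys.psk with psktool.  Unlike key.pem the PSK is
# freshly generated on every run, so the file does hold a secret, albeit
# a throwaway one.  Skips the test when psktool is unavailable, mirroring
# the certtool check in tls_x509_init.
#
# $1 - username, also used as the credential directory name
tls_psk_create_creds()
{
    local name=$1

    (psktool --help) >/dev/null 2>&1 || \
        _notrun "psktool utility not found, skipping test"

    mkdir -p "${tls_dir}/$name"

    tls_psktool \
        --pskfile "${tls_dir}/$name/keys.psk" \
        --username "$name"
}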