1 /*
2  * Copyright (C) 2015 Red Hat, Inc.
3  *
4  * This library is free software; you can redistribute it and/or
5  * modify it under the terms of the GNU Lesser General Public
6  * License as published by the Free Software Foundation; either
7  * version 2.1 of the License, or (at your option) any later version.
8  *
9  * This library is distributed in the hope that it will be useful,
10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
12  * Lesser General Public License for more details.
13  *
14  * You should have received a copy of the GNU Lesser General Public
15  * License along with this library.  If not, see
16  * <http://www.gnu.org/licenses/>.
17  *
18  * Author: Daniel P. Berrange <berrange@redhat.com>
19  */
20 
21 #include "qemu/osdep.h"
22 
23 #include "crypto-tls-x509-helpers.h"
24 #include "crypto/tlscredsx509.h"
25 #include "qapi/error.h"
26 #include "qemu/module.h"
27 
28 #define WORKDIR "tests/test-crypto-tlscredsx509-work/"
29 #define KEYFILE WORKDIR "key-ctx.pem"
30 
31 struct QCryptoTLSCredsTestData {
32     bool isServer;
33     const char *cacrt;
34     const char *crt;
35     bool expectFail;
36 };
37 
38 
39 static QCryptoTLSCreds *test_tls_creds_create(QCryptoTLSCredsEndpoint endpoint,
40                                               const char *certdir,
41                                               Error **errp)
42 {
43     Object *parent = object_get_objects_root();
44     Object *creds = object_new_with_props(
45         TYPE_QCRYPTO_TLS_CREDS_X509,
46         parent,
47         "testtlscreds",
48         errp,
49         "endpoint", (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
50                      "server" : "client"),
51         "dir", certdir,
52         "verify-peer", "yes",
53         "sanity-check", "yes",
54         NULL);
55 
56     if (!creds) {
57         return NULL;
58     }
59     return QCRYPTO_TLS_CREDS(creds);
60 }
61 
62 /*
63  * This tests sanity checking of our own certificates
64  *
65  * The code being tested is used when TLS creds are created,
66  * and aim to ensure QMEU has been configured with sane
67  * certificates. This allows us to give much much much
68  * clearer error messages to the admin when they misconfigure
69  * things.
70  */
71 static void test_tls_creds(const void *opaque)
72 {
73     struct QCryptoTLSCredsTestData *data =
74         (struct QCryptoTLSCredsTestData *)opaque;
75     QCryptoTLSCreds *creds;
76 
77 #define CERT_DIR "tests/test-crypto-tlscredsx509-certs/"
78     mkdir(CERT_DIR, 0700);
79 
80     unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
81     if (data->isServer) {
82         unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
83         unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);
84     } else {
85         unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
86         unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);
87     }
88 
89     if (access(data->cacrt, R_OK) == 0) {
90         g_assert(link(data->cacrt,
91                       CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
92     }
93     if (data->isServer) {
94         if (access(data->crt, R_OK) == 0) {
95             g_assert(link(data->crt,
96                           CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT) == 0);
97         }
98         g_assert(link(KEYFILE,
99                       CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY) == 0);
100     } else {
101         if (access(data->crt, R_OK) == 0) {
102             g_assert(link(data->crt,
103                           CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT) == 0);
104         }
105         g_assert(link(KEYFILE,
106                       CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY) == 0);
107     }
108 
109     creds = test_tls_creds_create(
110         (data->isServer ?
111          QCRYPTO_TLS_CREDS_ENDPOINT_SERVER :
112          QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT),
113         CERT_DIR,
114         data->expectFail ? NULL : &error_abort);
115 
116     if (data->expectFail) {
117         g_assert(creds == NULL);
118     } else {
119         g_assert(creds != NULL);
120     }
121 
122     unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
123     if (data->isServer) {
124         unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
125         unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);
126     } else {
127         unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
128         unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);
129     }
130     rmdir(CERT_DIR);
131     if (creds) {
132         object_unparent(OBJECT(creds));
133     }
134 }
135 
136 int main(int argc, char **argv)
137 {
138     int ret;
139 
140     module_call_init(MODULE_INIT_QOM);
141     g_test_init(&argc, &argv, NULL);
142     g_setenv("GNUTLS_FORCE_FIPS_MODE", "2", 1);
143 
144     mkdir(WORKDIR, 0700);
145 
146     test_tls_init(KEYFILE);
147 
148 # define TLS_TEST_REG(name, isServer, caCrt, crt, expectFail)           \
149     struct QCryptoTLSCredsTestData name = {                             \
150         isServer, caCrt, crt, expectFail                                \
151     };                                                                  \
152     g_test_add_data_func("/qcrypto/tlscredsx509/" # name,               \
153                          &name, test_tls_creds);                        \
154 
155     /* A perfect CA, perfect client & perfect server */
156 
157     /* Basic:CA:critical */
158     TLS_ROOT_REQ(cacertreq,
159                  "UK", "qemu CA", NULL, NULL, NULL, NULL,
160                  true, true, true,
161                  true, true, GNUTLS_KEY_KEY_CERT_SIGN,
162                  false, false, NULL, NULL,
163                  0, 0);
164 
165     TLS_CERT_REQ(servercertreq, cacertreq,
166                  "UK", "qemu.org", NULL, NULL, NULL, NULL,
167                  true, true, false,
168                  true, true,
169                  GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
170                  true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
171                  0, 0);
172     TLS_CERT_REQ(clientcertreq, cacertreq,
173                  "UK", "qemu", NULL, NULL, NULL, NULL,
174                  true, true, false,
175                  true, true,
176                  GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
177                  true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
178                  0, 0);
179 
180     TLS_TEST_REG(perfectserver, true,
181                  cacertreq.filename, servercertreq.filename, false);
182     TLS_TEST_REG(perfectclient, false,
183                  cacertreq.filename, clientcertreq.filename, false);
184 
185 
186     /* Some other CAs which are good */
187 
188     /* Basic:CA:critical */
189     TLS_ROOT_REQ(cacert1req,
190                  "UK", "qemu CA 1", NULL, NULL, NULL, NULL,
191                  true, true, true,
192                  false, false, 0,
193                  false, false, NULL, NULL,
194                  0, 0);
195     TLS_CERT_REQ(servercert1req, cacert1req,
196                  "UK", "qemu.org", NULL, NULL, NULL, NULL,
197                  true, true, false,
198                  true, true,
199                  GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
200                  true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
201                  0, 0);
202 
203     /* Basic:CA:not-critical */
204     TLS_ROOT_REQ(cacert2req,
205                  "UK", "qemu CA 2", NULL, NULL, NULL, NULL,
206                  true, false, true,
207                  false, false, 0,
208                  false, false, NULL, NULL,
209                  0, 0);
210     TLS_CERT_REQ(servercert2req, cacert2req,
211                  "UK", "qemu.org", NULL, NULL, NULL, NULL,
212                  true, true, false,
213                  true, true,
214                  GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
215                  true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
216                  0, 0);
217 
218     /* Key usage:cert-sign:critical */
219     TLS_ROOT_REQ(cacert3req,
220                  "UK", "qemu CA 3", NULL, NULL, NULL, NULL,
221                  true, true, true,
222                  true, true, GNUTLS_KEY_KEY_CERT_SIGN,
223                  false, false, NULL, NULL,
224                  0, 0);
225     TLS_CERT_REQ(servercert3req, cacert3req,
226                  "UK", "qemu.org", NULL, NULL, NULL, NULL,
227                  true, true, false,
228                  true, true,
229                  GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
230                  true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
231                  0, 0);
232 
233     TLS_TEST_REG(goodca1, true,
234                  cacert1req.filename, servercert1req.filename, false);
235     TLS_TEST_REG(goodca2, true,
236                  cacert2req.filename, servercert2req.filename, false);
237     TLS_TEST_REG(goodca3, true,
238                  cacert3req.filename, servercert3req.filename, false);
239 
240     /* Now some bad certs */
241 
242     /* Key usage:dig-sig:not-critical */
243     TLS_ROOT_REQ(cacert4req,
244                  "UK", "qemu CA 4", NULL, NULL, NULL, NULL,
245                  true, true, true,
246                  true, false, GNUTLS_KEY_DIGITAL_SIGNATURE,
247                  false, false, NULL, NULL,
248                  0, 0);
249     TLS_CERT_REQ(servercert4req, cacert4req,
250                  "UK", "qemu.org", NULL, NULL, NULL, NULL,
251                  true, true, false,
252                  true, true,
253                  GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
254                  true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
255                  0, 0);
256     /* no-basic */
257     TLS_ROOT_REQ(cacert5req,
258                  "UK", "qemu CA 5", NULL, NULL, NULL, NULL,
259                  false, false, false,
260                  false, false, 0,
261                  false, false, NULL, NULL,
262                  0, 0);
263     TLS_CERT_REQ(servercert5req, cacert5req,
264                  "UK", "qemu.org", NULL, NULL, NULL, NULL,
265                  true, true, false,
266                  true, true,
267                  GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
268                  true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
269                  0, 0);
270     /* Key usage:dig-sig:critical */
271     TLS_ROOT_REQ(cacert6req,
272                  "UK", "qemu CA 6", NULL, NULL, NULL, NULL,
273                  true, true, true,
274                  true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
275                  false, false, NULL, NULL,
276                  0, 0);
277     TLS_CERT_REQ(servercert6req, cacert6req,
278                  "UK", "qemu.org", NULL, NULL, NULL, NULL,
279                  true, true, false,
280                  true, true,
281                  GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
282                  true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
283                  0, 0);
284 
285     TLS_TEST_REG(badca1, true, cacert4req.filename, servercert4req.filename,
286                  true);
287     TLS_TEST_REG(badca2, true,
288                  cacert5req.filename, servercert5req.filename, true);
289     TLS_TEST_REG(badca3, true,
290                  cacert6req.filename, servercert6req.filename, true);
291 
292 
293     /* Various good servers */
294     /* no usage or purpose */
295     TLS_CERT_REQ(servercert7req, cacertreq,
296                  "UK", "qemu", NULL, NULL, NULL, NULL,
297                  true, true, false,
298                  false, false, 0,
299                  false, false, NULL, NULL,
300                  0, 0);
301     /* usage:cert-sign+dig-sig+encipher:critical */
302     TLS_CERT_REQ(servercert8req, cacertreq,
303                  "UK", "qemu", NULL, NULL, NULL, NULL,
304                  true, true, false,
305                  true, true,
306                  GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT |
307                  GNUTLS_KEY_KEY_CERT_SIGN,
308                  false, false, NULL, NULL,
309                  0, 0);
310     /* usage:cert-sign:not-critical */
311     TLS_CERT_REQ(servercert9req, cacertreq,
312                  "UK", "qemu", NULL, NULL, NULL, NULL,
313                  true, true, false,
314                  true, false, GNUTLS_KEY_KEY_CERT_SIGN,
315                  false, false, NULL, NULL,
316                  0, 0);
317     /* purpose:server:critical */
318     TLS_CERT_REQ(servercert10req, cacertreq,
319                  "UK", "qemu", NULL, NULL, NULL, NULL,
320                  true, true, false,
321                  false, false, 0,
322                  true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
323                  0, 0);
324     /* purpose:server:not-critical */
325     TLS_CERT_REQ(servercert11req, cacertreq,
326                  "UK", "qemu", NULL, NULL, NULL, NULL,
327                  true, true, false,
328                  false, false, 0,
329                  true, false, GNUTLS_KP_TLS_WWW_SERVER, NULL,
330                  0, 0);
331     /* purpose:client+server:critical */
332     TLS_CERT_REQ(servercert12req, cacertreq,
333                  "UK", "qemu", NULL, NULL, NULL, NULL,
334                  true, true, false,
335                  false, false, 0,
336                  true, true,
337                  GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
338                  0, 0);
339     /* purpose:client+server:not-critical */
340     TLS_CERT_REQ(servercert13req, cacertreq,
341                  "UK", "qemu", NULL, NULL, NULL, NULL,
342                  true, true, false,
343                  false, false, 0,
344                  true, false,
345                  GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
346                  0, 0);
347 
348     TLS_TEST_REG(goodserver1, true,
349                  cacertreq.filename, servercert7req.filename, false);
350     TLS_TEST_REG(goodserver2, true,
351                  cacertreq.filename, servercert8req.filename, false);
352     TLS_TEST_REG(goodserver3, true,
353                  cacertreq.filename, servercert9req.filename, false);
354     TLS_TEST_REG(goodserver4, true,
355                  cacertreq.filename, servercert10req.filename, false);
356     TLS_TEST_REG(goodserver5, true,
357                  cacertreq.filename, servercert11req.filename, false);
358     TLS_TEST_REG(goodserver6, true,
359                  cacertreq.filename, servercert12req.filename, false);
360     TLS_TEST_REG(goodserver7, true,
361                  cacertreq.filename, servercert13req.filename, false);
362 
363     /* Bad servers */
364 
365     /* usage:cert-sign:critical */
366     TLS_CERT_REQ(servercert14req, cacertreq,
367                  "UK", "qemu", NULL, NULL, NULL, NULL,
368                  true, true, false,
369                  true, true, GNUTLS_KEY_KEY_CERT_SIGN,
370                  false, false, NULL, NULL,
371                  0, 0);
372     /* purpose:client:critical */
373     TLS_CERT_REQ(servercert15req, cacertreq,
374                  "UK", "qemu", NULL, NULL, NULL, NULL,
375                  true, true, false,
376                  false, false, 0,
377                  true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
378                  0, 0);
379     /* usage: none:critical */
380     TLS_CERT_REQ(servercert16req, cacertreq,
381                  "UK", "qemu", NULL, NULL, NULL, NULL,
382                  true, true, false,
383                  true, true, 0,
384                  false, false, NULL, NULL,
385                  0, 0);
386 
387     TLS_TEST_REG(badserver1, true,
388                  cacertreq.filename, servercert14req.filename, true);
389     TLS_TEST_REG(badserver2, true,
390                  cacertreq.filename, servercert15req.filename, true);
391     TLS_TEST_REG(badserver3, true,
392                  cacertreq.filename, servercert16req.filename, true);
393 
394 
395 
396     /* Various good clients */
397     /* no usage or purpose */
398     TLS_CERT_REQ(clientcert1req, cacertreq,
399                  "UK", "qemu", NULL, NULL, NULL, NULL,
400                  true, true, false,
401                  false, false, 0,
402                  false, false, NULL, NULL,
403                  0, 0);
404     /* usage:cert-sign+dig-sig+encipher:critical */
405     TLS_CERT_REQ(clientcert2req, cacertreq,
406                  "UK", "qemu", NULL, NULL, NULL, NULL,
407                  true, true, false,
408                  true, true,
409                  GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT |
410                  GNUTLS_KEY_KEY_CERT_SIGN,
411                  false, false, NULL, NULL,
412                  0, 0);
413     /* usage:cert-sign:not-critical */
414     TLS_CERT_REQ(clientcert3req, cacertreq,
415                  "UK", "qemu", NULL, NULL, NULL, NULL,
416                  true, true, false,
417                  true, false, GNUTLS_KEY_KEY_CERT_SIGN,
418                  false, false, NULL, NULL,
419                  0, 0);
420     /* purpose:client:critical */
421     TLS_CERT_REQ(clientcert4req, cacertreq,
422                  "UK", "qemu", NULL, NULL, NULL, NULL,
423                  true, true, false,
424                  false, false, 0,
425                  true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
426                  0, 0);
427     /* purpose:client:not-critical */
428     TLS_CERT_REQ(clientcert5req, cacertreq,
429                  "UK", "qemu", NULL, NULL, NULL, NULL,
430                  true, true, false,
431                  false, false, 0,
432                  true, false, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
433                  0, 0);
434     /* purpose:client+client:critical */
435     TLS_CERT_REQ(clientcert6req, cacertreq,
436                  "UK", "qemu", NULL, NULL, NULL, NULL,
437                  true, true, false,
438                  false, false, 0,
439                  true, true,
440                  GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
441                  0, 0);
442     /* purpose:client+client:not-critical */
443     TLS_CERT_REQ(clientcert7req, cacertreq,
444                  "UK", "qemu", NULL, NULL, NULL, NULL,
445                  true, true, false,
446                  false, false, 0,
447                  true, false,
448                  GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
449                  0, 0);
450 
451     TLS_TEST_REG(goodclient1, false,
452                  cacertreq.filename, clientcert1req.filename, false);
453     TLS_TEST_REG(goodclient2, false,
454                  cacertreq.filename, clientcert2req.filename, false);
455     TLS_TEST_REG(goodclient3, false,
456                  cacertreq.filename, clientcert3req.filename, false);
457     TLS_TEST_REG(goodclient4, false,
458                  cacertreq.filename, clientcert4req.filename, false);
459     TLS_TEST_REG(goodclient5, false,
460                  cacertreq.filename, clientcert5req.filename, false);
461     TLS_TEST_REG(goodclient6, false,
462                  cacertreq.filename, clientcert6req.filename, false);
463     TLS_TEST_REG(goodclient7, false,
464                  cacertreq.filename, clientcert7req.filename, false);
465 
466     /* Bad clients */
467 
468     /* usage:cert-sign:critical */
469     TLS_CERT_REQ(clientcert8req, cacertreq,
470                  "UK", "qemu", NULL, NULL, NULL, NULL,
471                  true, true, false,
472                  true, true, GNUTLS_KEY_KEY_CERT_SIGN,
473                  false, false, NULL, NULL,
474                  0, 0);
475     /* purpose:client:critical */
476     TLS_CERT_REQ(clientcert9req, cacertreq,
477                  "UK", "qemu", NULL, NULL, NULL, NULL,
478                  true, true, false,
479                  false, false, 0,
480                  true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
481                  0, 0);
482     /* usage: none:critical */
483     TLS_CERT_REQ(clientcert10req, cacertreq,
484                  "UK", "qemu", NULL, NULL, NULL, NULL,
485                  true, true, false,
486                  true, true, 0,
487                  false, false, NULL, NULL,
488                  0, 0);
489 
490     TLS_TEST_REG(badclient1, false,
491                  cacertreq.filename, clientcert8req.filename, true);
492     TLS_TEST_REG(badclient2, false,
493                  cacertreq.filename, clientcert9req.filename, true);
494     TLS_TEST_REG(badclient3, false,
495                  cacertreq.filename, clientcert10req.filename, true);
496 
497 
498 
499     /* Expired stuff */
500 
501     TLS_ROOT_REQ(cacertexpreq,
502                  "UK", "qemu", NULL, NULL, NULL, NULL,
503                  true, true, true,
504                  true, true, GNUTLS_KEY_KEY_CERT_SIGN,
505                  false, false, NULL, NULL,
506                  0, -1);
507     TLS_CERT_REQ(servercertexpreq, cacertexpreq,
508                  "UK", "qemu.org", NULL, NULL, NULL, NULL,
509                  true, true, false,
510                  true, true,
511                  GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
512                  true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
513                  0, 0);
514     TLS_CERT_REQ(servercertexp1req, cacertreq,
515                  "UK", "qemu", NULL, NULL, NULL, NULL,
516                  true, true, false,
517                  true, true,
518                  GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
519                  true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
520                  0, -1);
521     TLS_CERT_REQ(clientcertexp1req, cacertreq,
522                  "UK", "qemu", NULL, NULL, NULL, NULL,
523                  true, true, false,
524                  true, true,
525                  GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
526                  true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
527                  0, -1);
528 
529     TLS_TEST_REG(expired1, true,
530                  cacertexpreq.filename, servercertexpreq.filename, true);
531     TLS_TEST_REG(expired2, true,
532                  cacertreq.filename, servercertexp1req.filename, true);
533     TLS_TEST_REG(expired3, false,
534                  cacertreq.filename, clientcertexp1req.filename, true);
535 
536 
537     /* Not activated stuff */
538 
539     TLS_ROOT_REQ(cacertnewreq,
540                  "UK", "qemu", NULL, NULL, NULL, NULL,
541                  true, true, true,
542                  true, true, GNUTLS_KEY_KEY_CERT_SIGN,
543                  false, false, NULL, NULL,
544                  1, 2);
545     TLS_CERT_REQ(servercertnewreq, cacertnewreq,
546                  "UK", "qemu", NULL, NULL, NULL, NULL,
547                  true, true, false,
548                  true, true,
549                  GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
550                  true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
551                  0, 0);
552     TLS_CERT_REQ(servercertnew1req, cacertreq,
553                  "UK", "qemu", NULL, NULL, NULL, NULL,
554                  true, true, false,
555                  true, true,
556                  GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
557                  true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
558                  1, 2);
559     TLS_CERT_REQ(clientcertnew1req, cacertreq,
560                  "UK", "qemu", NULL, NULL, NULL, NULL,
561                  true, true, false,
562                  true, true,
563                  GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
564                  true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
565                  1, 2);
566 
567     TLS_TEST_REG(inactive1, true,
568                  cacertnewreq.filename, servercertnewreq.filename, true);
569     TLS_TEST_REG(inactive2, true,
570                  cacertreq.filename, servercertnew1req.filename, true);
571     TLS_TEST_REG(inactive3, false,
572                  cacertreq.filename, clientcertnew1req.filename, true);
573 
574     TLS_ROOT_REQ(cacertrootreq,
575                  "UK", "qemu root", NULL, NULL, NULL, NULL,
576                  true, true, true,
577                  true, true, GNUTLS_KEY_KEY_CERT_SIGN,
578                  false, false, NULL, NULL,
579                  0, 0);
580     TLS_CERT_REQ(cacertlevel1areq, cacertrootreq,
581                  "UK", "qemu level 1a", NULL, NULL, NULL, NULL,
582                  true, true, true,
583                  true, true, GNUTLS_KEY_KEY_CERT_SIGN,
584                  false, false, NULL, NULL,
585                  0, 0);
586     TLS_CERT_REQ(cacertlevel1breq, cacertrootreq,
587                  "UK", "qemu level 1b", NULL, NULL, NULL, NULL,
588                  true, true, true,
589                  true, true, GNUTLS_KEY_KEY_CERT_SIGN,
590                  false, false, NULL, NULL,
591                  0, 0);
592     TLS_CERT_REQ(cacertlevel2areq, cacertlevel1areq,
593                  "UK", "qemu level 2a", NULL, NULL, NULL, NULL,
594                  true, true, true,
595                  true, true, GNUTLS_KEY_KEY_CERT_SIGN,
596                  false, false, NULL, NULL,
597                  0, 0);
598     TLS_CERT_REQ(servercertlevel3areq, cacertlevel2areq,
599                  "UK", "qemu.org", NULL, NULL, NULL, NULL,
600                  true, true, false,
601                  true, true,
602                  GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
603                  true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
604                  0, 0);
605     TLS_CERT_REQ(clientcertlevel2breq, cacertlevel1breq,
606                  "UK", "qemu client level 2b", NULL, NULL, NULL, NULL,
607                  true, true, false,
608                  true, true,
609                  GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
610                  true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
611                  0, 0);
612 
613     gnutls_x509_crt_t certchain[] = {
614         cacertrootreq.crt,
615         cacertlevel1areq.crt,
616         cacertlevel1breq.crt,
617         cacertlevel2areq.crt,
618     };
619 
620     test_tls_write_cert_chain(WORKDIR "cacertchain-ctx.pem",
621                               certchain,
622                               G_N_ELEMENTS(certchain));
623 
624     TLS_TEST_REG(chain1, true,
625                  WORKDIR "cacertchain-ctx.pem",
626                  servercertlevel3areq.filename, false);
627     TLS_TEST_REG(chain2, false,
628                  WORKDIR "cacertchain-ctx.pem",
629                  clientcertlevel2breq.filename, false);
630 
631     /* Some missing certs - first two are fatal, the last
632      * is ok
633      */
634     TLS_TEST_REG(missingca, true,
635                  "cacertdoesnotexist.pem",
636                  servercert1req.filename, true);
637     TLS_TEST_REG(missingserver, true,
638                  cacert1req.filename,
639                  "servercertdoesnotexist.pem", true);
640     TLS_TEST_REG(missingclient, false,
641                  cacert1req.filename,
642                  "clientcertdoesnotexist.pem", false);
643 
644     ret = g_test_run();
645 
646     test_tls_discard_cert(&cacertreq);
647     test_tls_discard_cert(&cacert1req);
648     test_tls_discard_cert(&cacert2req);
649     test_tls_discard_cert(&cacert3req);
650     test_tls_discard_cert(&cacert4req);
651     test_tls_discard_cert(&cacert5req);
652     test_tls_discard_cert(&cacert6req);
653 
654     test_tls_discard_cert(&servercertreq);
655     test_tls_discard_cert(&servercert1req);
656     test_tls_discard_cert(&servercert2req);
657     test_tls_discard_cert(&servercert3req);
658     test_tls_discard_cert(&servercert4req);
659     test_tls_discard_cert(&servercert5req);
660     test_tls_discard_cert(&servercert6req);
661     test_tls_discard_cert(&servercert7req);
662     test_tls_discard_cert(&servercert8req);
663     test_tls_discard_cert(&servercert9req);
664     test_tls_discard_cert(&servercert10req);
665     test_tls_discard_cert(&servercert11req);
666     test_tls_discard_cert(&servercert12req);
667     test_tls_discard_cert(&servercert13req);
668     test_tls_discard_cert(&servercert14req);
669     test_tls_discard_cert(&servercert15req);
670     test_tls_discard_cert(&servercert16req);
671 
672     test_tls_discard_cert(&clientcertreq);
673     test_tls_discard_cert(&clientcert1req);
674     test_tls_discard_cert(&clientcert2req);
675     test_tls_discard_cert(&clientcert3req);
676     test_tls_discard_cert(&clientcert4req);
677     test_tls_discard_cert(&clientcert5req);
678     test_tls_discard_cert(&clientcert6req);
679     test_tls_discard_cert(&clientcert7req);
680     test_tls_discard_cert(&clientcert8req);
681     test_tls_discard_cert(&clientcert9req);
682     test_tls_discard_cert(&clientcert10req);
683 
684     test_tls_discard_cert(&cacertexpreq);
685     test_tls_discard_cert(&servercertexpreq);
686     test_tls_discard_cert(&servercertexp1req);
687     test_tls_discard_cert(&clientcertexp1req);
688 
689     test_tls_discard_cert(&cacertnewreq);
690     test_tls_discard_cert(&servercertnewreq);
691     test_tls_discard_cert(&servercertnew1req);
692     test_tls_discard_cert(&clientcertnew1req);
693 
694     test_tls_discard_cert(&cacertrootreq);
695     test_tls_discard_cert(&cacertlevel1areq);
696     test_tls_discard_cert(&cacertlevel1breq);
697     test_tls_discard_cert(&cacertlevel2areq);
698     test_tls_discard_cert(&servercertlevel3areq);
699     test_tls_discard_cert(&clientcertlevel2breq);
700     unlink(WORKDIR "cacertchain-ctx.pem");
701 
702     test_tls_cleanup(KEYFILE);
703     rmdir(WORKDIR);
704 
705     return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
706 }
707