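/*
 * Copyright (C) 2015 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library.  If not, see
 * <http://www.gnu.org/licenses/>.
 *
 * Author: Daniel P. Berrange <berrange@redhat.com>
 */

#ifndef TESTS_CRYPTO_TLS_X509_HELPERS_H
#define TESTS_CRYPTO_TLS_X509_HELPERS_H

#include <gnutls/gnutls.h>
#include <gnutls/x509.h>


/* Subject names used by the test suite for the "good" and "bad" client */
#define QCRYPTO_TLS_TEST_CLIENT_NAME "ACME QEMU Client"
#define QCRYPTO_TLS_TEST_CLIENT_HOSTILE_NAME "ACME Hostile Client"

/*
 * This contains parameters about how to generate
 * certificates.  Each field maps to one piece of subject
 * information or one X.509 extension of the generated cert,
 * so tests can deliberately build certs that are valid,
 * expired, mis-purposed, etc. to exercise verification.
 */
typedef struct QCryptoTLSTestCertReq QCryptoTLSTestCertReq;
struct QCryptoTLSTestCertReq {
    /*
     * The generated certificate.  The TLS_*_REQ macros start this
     * at NULL; it is expected to be populated by
     * test_tls_generate_cert() (TLS_CERT_REQ passes cavarname.crt
     * as the issuing CA).
     */
    gnutls_x509_crt_t crt;

    /* Path the PEM encoded certificate is written to */
    const char *filename;

    /* Identifying information */
    const char *country;
    const char *cn;
    const char *altname1;
    const char *altname2;
    const char *ipaddr1;
    const char *ipaddr2;

    /* Basic constraints */
    bool basicConstraintsEnable;
    bool basicConstraintsCritical;
    bool basicConstraintsIsCA;

    /* Key usage */
    bool keyUsageEnable;
    bool keyUsageCritical;
    int keyUsageValue;   /* bitmask of GNUTLS_KEY_* flags */

    /* Key purpose (aka Extended key usage) */
    bool keyPurposeEnable;
    bool keyPurposeCritical;
    const char *keyPurposeOID1;   /* e.g. GNUTLS_KP_TLS_WWW_SERVER */
    const char *keyPurposeOID2;

    /* zero for current time, or non-zero for hours from now */
    int start_offset;
    /* zero for 24 hours from now, or non-zero for hours from now */
    int expire_offset;
};

/*
 * Generate the certificate described by 'req', writing it to
 * req->filename.  'ca' is the issuing CA certificate, or NULL
 * for a self-signed (root) certificate.
 */
void test_tls_generate_cert(QCryptoTLSTestCertReq *req,
                            gnutls_x509_crt_t ca);

/* Write the 'ncerts' certificates in 'certs' to 'filename' as one PEM chain */
void test_tls_write_cert_chain(const char *filename,
                               gnutls_x509_crt_t *certs,
                               size_t ncerts);

/*
 * Deinitialize the QCryptoTLSTestCertReq, but don't delete the certificate
 * file on disk. (The caller is then responsible for doing that themselves.)
 */
void test_tls_deinit_cert(QCryptoTLSTestCertReq *req);

/* Deinit the QCryptoTLSTestCertReq, and delete the certificate file */
void test_tls_discard_cert(QCryptoTLSTestCertReq *req);

/*
 * One-time setup / teardown of the shared test key material.
 * 'keyfile' is the path handed to both; see the implementation
 * for exactly what is created and removed there.
 */
void test_tls_init(const char *keyfile);
void test_tls_cleanup(const char *keyfile);

/*
 * Declare a file-scope QCryptoTLSTestCertReq named 'varname' whose
 * certificate is written to WORKDIR "<varname>-ctx.pem", and
 * immediately generate it, signed by the CA held in 'cavarname.crt'.
 * WORKDIR is not defined in this header; the including file must
 * define it as a string literal.
 *
 * Designated initializers are used so the macro does not silently
 * break if the struct's field order ever changes.  Parameters that
 * share a name with a struct field carry a trailing underscore:
 * a bare 'country' parameter would be macro-substituted inside the
 * '.country =' designator as well as in its value.
 */
# define TLS_CERT_REQ(varname, cavarname,                               \
                      country_, commonname,                             \
                      altname1_, altname2_,                             \
                      ipaddr1_, ipaddr2_,                               \
                      basicconsenable, basicconscritical, basicconsca,  \
                      keyusageenable, keyusagecritical, keyusagevalue,  \
                      keypurposeenable, keypurposecritical,             \
                      keypurposeoid1, keypurposeoid2,                   \
                      startoffset, endoffset)                           \
    static QCryptoTLSTestCertReq varname = {                            \
        .crt = NULL,                                                    \
        .filename = WORKDIR #varname "-ctx.pem",                        \
        .country = country_,                                            \
        .cn = commonname,                                               \
        .altname1 = altname1_,                                          \
        .altname2 = altname2_,                                          \
        .ipaddr1 = ipaddr1_,                                            \
        .ipaddr2 = ipaddr2_,                                            \
        .basicConstraintsEnable = basicconsenable,                      \
        .basicConstraintsCritical = basicconscritical,                  \
        .basicConstraintsIsCA = basicconsca,                            \
        .keyUsageEnable = keyusageenable,                               \
        .keyUsageCritical = keyusagecritical,                           \
        .keyUsageValue = keyusagevalue,                                 \
        .keyPurposeEnable = keypurposeenable,                           \
        .keyPurposeCritical = keypurposecritical,                       \
        .keyPurposeOID1 = keypurposeoid1,                               \
        .keyPurposeOID2 = keypurposeoid2,                               \
        .start_offset = startoffset,                                    \
        .expire_offset = endoffset,                                     \
    };                                                                  \
    test_tls_generate_cert(&varname, cavarname.crt)

/*
 * Same as TLS_CERT_REQ, but the certificate is self-signed (no CA),
 * i.e. it is a root certificate.  See TLS_CERT_REQ for the naming
 * of the parameters.
 */
# define TLS_ROOT_REQ(varname,                                          \
                      country_, commonname,                             \
                      altname1_, altname2_,                             \
                      ipaddr1_, ipaddr2_,                               \
                      basicconsenable, basicconscritical, basicconsca,  \
                      keyusageenable, keyusagecritical, keyusagevalue,  \
                      keypurposeenable, keypurposecritical,             \
                      keypurposeoid1, keypurposeoid2,                   \
                      startoffset, endoffset)                           \
    static QCryptoTLSTestCertReq varname = {                            \
        .crt = NULL,                                                    \
        .filename = WORKDIR #varname "-ctx.pem",                        \
        .country = country_,                                            \
        .cn = commonname,                                               \
        .altname1 = altname1_,                                          \
        .altname2 = altname2_,                                          \
        .ipaddr1 = ipaddr1_,                                            \
        .ipaddr2 = ipaddr2_,                                            \
        .basicConstraintsEnable = basicconsenable,                      \
        .basicConstraintsCritical = basicconscritical,                  \
        .basicConstraintsIsCA = basicconsca,                            \
        .keyUsageEnable = keyusageenable,                               \
        .keyUsageCritical = keyusagecritical,                           \
        .keyUsageValue = keyusagevalue,                                 \
        .keyPurposeEnable = keypurposeenable,                           \
        .keyPurposeCritical = keypurposecritical,                       \
        .keyPurposeOID1 = keypurposeoid1,                               \
        .keyPurposeOID2 = keypurposeoid2,                               \
        .start_offset = startoffset,                                    \
        .expire_offset = endoffset,                                     \
    };                                                                  \
    test_tls_generate_cert(&varname, NULL)

/*
 * Convenience form of TLS_ROOT_REQ: a self-signed CA certificate
 * ("qemu-CA") written to 'fname', with critical basicConstraints
 * (CA=true) and a critical keyUsage of keyCertSign only.
 * Unlike TLS_ROOT_REQ the object is not 'static', so this is
 * presumably intended for use inside a test function body.
 */
# define TLS_ROOT_REQ_SIMPLE(varname, fname)                            \
    QCryptoTLSTestCertReq varname = {                                   \
        .filename = fname,                                              \
        .cn = "qemu-CA",                                                \
        .basicConstraintsEnable = true,                                 \
        .basicConstraintsCritical = true,                               \
        .basicConstraintsIsCA = true,                                   \
        .keyUsageEnable = true,                                         \
        .keyUsageCritical = true,                                       \
        .keyUsageValue = GNUTLS_KEY_KEY_CERT_SIGN,                      \
    };                                                                  \
    test_tls_generate_cert(&varname, NULL)

/*
 * Convenience form of TLS_CERT_REQ for a client certificate with
 * CN 'cname', signed by 'cavarname.crt' and written to 'fname':
 * critical basicConstraints (CA=false), critical keyUsage of
 * digitalSignature|keyEncipherment, and a critical extended key
 * usage of TLS WWW client only.  Not 'static' (see TLS_ROOT_REQ_SIMPLE).
 */
# define TLS_CERT_REQ_SIMPLE_CLIENT(varname, cavarname, cname, fname)   \
    QCryptoTLSTestCertReq varname = {                                   \
        .filename = fname,                                              \
        .cn = cname,                                                    \
        .basicConstraintsEnable = true,                                 \
        .basicConstraintsCritical = true,                               \
        .basicConstraintsIsCA = false,                                  \
        .keyUsageEnable = true,                                         \
        .keyUsageCritical = true,                                       \
        .keyUsageValue =                                                \
        GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,     \
        .keyPurposeEnable = true,                                       \
        .keyPurposeCritical = true,                                     \
        .keyPurposeOID1 = GNUTLS_KP_TLS_WWW_CLIENT,                     \
    };                                                                  \
    test_tls_generate_cert(&varname, cavarname.crt)

/*
 * Convenience form of TLS_CERT_REQ for a server certificate signed
 * by 'cavarname.crt' and written to 'fname'.  'hostname' becomes
 * the first DNS subjectAltName and 'ipaddr' the first IP
 * subjectAltName; the CN is the hostname when one is given, else
 * the IP address.  Extensions are as for TLS_CERT_REQ_SIMPLE_CLIENT
 * but with an extended key usage of TLS WWW server.
 * Not 'static' (see TLS_ROOT_REQ_SIMPLE).
 */
# define TLS_CERT_REQ_SIMPLE_SERVER(varname, cavarname, fname,          \
                                    hostname, ipaddr)                   \
    QCryptoTLSTestCertReq varname = {                                   \
        .filename = fname,                                              \
        .cn = hostname ? hostname : ipaddr,                             \
        .altname1 = hostname,                                           \
        .ipaddr1 = ipaddr,                                              \
        .basicConstraintsEnable = true,                                 \
        .basicConstraintsCritical = true,                               \
        .basicConstraintsIsCA = false,                                  \
        .keyUsageEnable = true,                                         \
        .keyUsageCritical = true,                                       \
        .keyUsageValue =                                                \
        GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,     \
        .keyPurposeEnable = true,                                       \
        .keyPurposeCritical = true,                                     \
        .keyPurposeOID1 = GNUTLS_KP_TLS_WWW_SERVER,                     \
    };                                                                  \
    test_tls_generate_cert(&varname, cavarname.crt)

#endif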