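/*
 * Copyright (C) 2015 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library.  If not, see
 * <http://www.gnu.org/licenses/>.
 *
 * Author: Daniel P. Berrange <berrange@redhat.com>
 */

#ifndef TESTS_CRYPTO_TLS_X509_HELPERS_H
#define TESTS_CRYPTO_TLS_X509_HELPERS_H

#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
#include <libtasn1.h>

/*
 * Helpers for generating throwaway X.509 certificates for the
 * crypto/TLS unit tests.
 *
 * NOTE(review): this header uses bool and size_t without including
 * <stdbool.h>/<stddef.h>, and the TLS_CERT_REQ/TLS_ROOT_REQ macros
 * reference a WORKDIR string macro that is not defined here. The
 * including test source is presumably expected to have pulled in the
 * project's common header and to #define WORKDIR before including
 * this file - confirm against the callers.
 */

/* Common name given to the "well behaved" test client certificate. */
#define QCRYPTO_TLS_TEST_CLIENT_NAME "ACME QEMU Client"
/*
 * Common name for a client certificate the tests are expected to treat
 * as untrusted. NOTE(review): the exact rejection rule (e.g. a name
 * allow-list) lives in the callers, not here - verify there.
 */
#define QCRYPTO_TLS_TEST_CLIENT_HOSTILE_NAME "ACME Hostile Client"

/*
 * Description of a certificate to generate for a test.
 *
 * Fill in the request and pass it to test_tls_generate_cert() (or use
 * one of the TLS_*_REQ macros below, which declare the request and
 * generate the certificate in one step). The generated certificate is
 * expected to be stored in @crt; @filename is the path the test wants
 * it saved under.
 */
typedef struct QCryptoTLSTestCertReq QCryptoTLSTestCertReq;
struct QCryptoTLSTestCertReq {
    /* Output: the generated certificate. NULL until generation runs. */
    gnutls_x509_crt_t crt;

    /* Path the certificate should be written to. */
    const char *filename;

    /* Identifying information (subject and subjectAltName contents).
     * NOTE(review): a NULL entry presumably means "omit this field" -
     * confirm against test_tls_generate_cert(). */
    const char *country;
    const char *cn;
    /* DNS-style alternative names (TLS_CERT_REQ_SIMPLE_SERVER puts the
     * hostname in altname1). */
    const char *altname1;
    const char *altname2;
    /* IP-address alternative names. */
    const char *ipaddr1;
    const char *ipaddr2;

    /* Basic constraints extension */
    bool basicConstraintsEnable;   /* add the extension at all */
    bool basicConstraintsCritical; /* mark the extension critical */
    bool basicConstraintsIsCA;     /* cA flag: may this cert sign others */

    /* Key usage extension */
    bool keyUsageEnable;
    bool keyUsageCritical;
    /* Bitmask of GNUTLS_KEY_* flags, e.g. GNUTLS_KEY_KEY_CERT_SIGN for a
     * CA or GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT
     * for a leaf (see the *_SIMPLE_* macros below). */
    int keyUsageValue;

    /* Key purpose (aka Extended key usage) extension */
    bool keyPurposeEnable;
    bool keyPurposeCritical;
    /* Purpose OID strings, e.g. GNUTLS_KP_TLS_WWW_CLIENT /
     * GNUTLS_KP_TLS_WWW_SERVER; NULL for unused slots. */
    const char *keyPurposeOID1;
    const char *keyPurposeOID2;

    /* zero for current time, or non-zero for hours from now */
    int start_offset;
    /* zero for 24 hours from now, or non-zero for hours from now */
    int expire_offset;
};

/*
 * Generate the certificate described by @req, signing it with @ca.
 * @ca is NULL for a self-signed root (as TLS_ROOT_REQ does).
 */
void test_tls_generate_cert(QCryptoTLSTestCertReq *req,
                            gnutls_x509_crt_t ca);
/* Write @ncerts certificates from @certs to @filename as a chain. */
void test_tls_write_cert_chain(const char *filename,
                               gnutls_x509_crt_t *certs,
                               size_t ncerts);
/* Release the certificate held by @req once a test is done with it. */
void test_tls_discard_cert(QCryptoTLSTestCertReq *req);

/*
 * One-time setup/teardown for the helpers, keyed on @keyfile.
 * NOTE(review): presumably the signing key used for every generated
 * certificate is created/removed here - confirm in the .c file.
 */
void test_tls_init(const char *keyfile);
void test_tls_cleanup(const char *keyfile);

/*
 * Internal: declare a static QCryptoTLSTestCertReq named @varname,
 * filled in with designated initializers so the macro does not silently
 * break if struct fields are reordered or inserted.
 *
 * The macro parameters deliberately do NOT share names with the struct
 * fields (ctry vs .country, alt1 vs .altname1, ...): a parameter named
 * like a field would be substituted into the ".field =" designator and
 * corrupt the initializer.
 *
 * The file name is derived from the variable name, under WORKDIR, which
 * the includer must #define.
 */
# define TLS_CERT_REQ_DEFINE_(varname,                                 \
                              ctry, commonname,                        \
                              alt1, alt2,                              \
                              ip1, ip2,                                \
                              basicconsenable, basicconscritical,      \
                              basicconsca,                             \
                              keyusageenable, keyusagecritical,        \
                              keyusagevalue,                           \
                              keypurposeenable, keypurposecritical,    \
                              keypurposeoid1, keypurposeoid2,          \
                              startoffset, endoffset)                  \
    static QCryptoTLSTestCertReq varname = {                           \
        .crt = NULL,                                                   \
        .filename = WORKDIR #varname "-ctx.pem",                       \
        .country = ctry,                                               \
        .cn = commonname,                                              \
        .altname1 = alt1,                                              \
        .altname2 = alt2,                                              \
        .ipaddr1 = ip1,                                                \
        .ipaddr2 = ip2,                                                \
        .basicConstraintsEnable = basicconsenable,                     \
        .basicConstraintsCritical = basicconscritical,                 \
        .basicConstraintsIsCA = basicconsca,                           \
        .keyUsageEnable = keyusageenable,                              \
        .keyUsageCritical = keyusagecritical,                          \
        .keyUsageValue = keyusagevalue,                                \
        .keyPurposeEnable = keypurposeenable,                          \
        .keyPurposeCritical = keypurposecritical,                      \
        .keyPurposeOID1 = keypurposeoid1,                              \
        .keyPurposeOID2 = keypurposeoid2,                              \
        .start_offset = startoffset,                                   \
        .expire_offset = endoffset,                                    \
    }

/*
 * Declare a static request @varname and generate a certificate signed
 * by the CA held in @cavarname (another request whose .crt is already
 * populated). Expands to a declaration plus a statement, so it must be
 * used inside a function body.
 */
# define TLS_CERT_REQ(varname, cavarname,                              \
                      ctry, commonname,                                \
                      alt1, alt2,                                      \
                      ip1, ip2,                                        \
                      basicconsenable, basicconscritical, basicconsca, \
                      keyusageenable, keyusagecritical, keyusagevalue, \
                      keypurposeenable, keypurposecritical,            \
                      keypurposeoid1, keypurposeoid2,                  \
                      startoffset, endoffset)                          \
    TLS_CERT_REQ_DEFINE_(varname,                                      \
                         ctry, commonname,                             \
                         alt1, alt2,                                   \
                         ip1, ip2,                                     \
                         basicconsenable, basicconscritical,           \
                         basicconsca,                                  \
                         keyusageenable, keyusagecritical,             \
                         keyusagevalue,                                \
                         keypurposeenable, keypurposecritical,         \
                         keypurposeoid1, keypurposeoid2,               \
                         startoffset, endoffset);                      \
    test_tls_generate_cert(&varname, cavarname.crt)

/*
 * Same as TLS_CERT_REQ but for a self-signed root: no CA is passed to
 * test_tls_generate_cert(). Must be used inside a function body.
 */
# define TLS_ROOT_REQ(varname,                                         \
                      ctry, commonname,                                \
                      alt1, alt2,                                      \
                      ip1, ip2,                                        \
                      basicconsenable, basicconscritical, basicconsca, \
                      keyusageenable, keyusagecritical, keyusagevalue, \
                      keypurposeenable, keypurposecritical,            \
                      keypurposeoid1, keypurposeoid2,                  \
                      startoffset, endoffset)                          \
    TLS_CERT_REQ_DEFINE_(varname,                                      \
                         ctry, commonname,                             \
                         alt1, alt2,                                   \
                         ip1, ip2,                                     \
                         basicconsenable, basicconscritical,           \
                         basicconsca,                                  \
                         keyusageenable, keyusagecritical,             \
                         keyusagevalue,                                \
                         keypurposeenable, keypurposecritical,         \
                         keypurposeoid1, keypurposeoid2,               \
                         startoffset, endoffset);                      \
    test_tls_generate_cert(&varname, NULL)

/*
 * Convenience root CA: a self-signed "qemu-CA" certificate with a
 * critical basicConstraints (cA=TRUE) and a critical keyUsage limited
 * to keyCertSign. Unlike TLS_ROOT_REQ the variable is not static and
 * the output path @fname is given explicitly.
 */
# define TLS_ROOT_REQ_SIMPLE(varname, fname)                           \
    QCryptoTLSTestCertReq varname = {                                  \
        .filename = fname,                                             \
        .cn = "qemu-CA",                                               \
        .basicConstraintsEnable = true,                                \
        .basicConstraintsCritical = true,                              \
        .basicConstraintsIsCA = true,                                  \
        .keyUsageEnable = true,                                        \
        .keyUsageCritical = true,                                      \
        .keyUsageValue = GNUTLS_KEY_KEY_CERT_SIGN,                     \
    };                                                                 \
    test_tls_generate_cert(&varname, NULL)

/*
 * Convenience client leaf certificate with common name @cname, signed
 * by @cavarname: non-CA, digitalSignature|keyEncipherment key usage and
 * a critical TLS WWW client key purpose.
 */
# define TLS_CERT_REQ_SIMPLE_CLIENT(varname, cavarname, cname, fname)  \
    QCryptoTLSTestCertReq varname = {                                  \
        .filename = fname,                                             \
        .cn = cname,                                                   \
        .basicConstraintsEnable = true,                                \
        .basicConstraintsCritical = true,                              \
        .basicConstraintsIsCA = false,                                 \
        .keyUsageEnable = true,                                        \
        .keyUsageCritical = true,                                      \
        .keyUsageValue =                                               \
        GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,    \
        .keyPurposeEnable = true,                                      \
        .keyPurposeCritical = true,                                    \
        .keyPurposeOID1 = GNUTLS_KP_TLS_WWW_CLIENT,                    \
    };                                                                 \
    test_tls_generate_cert(&varname, cavarname.crt)

/*
 * Convenience server leaf certificate signed by @cavarname. @hostname
 * becomes a DNS subjectAltName and @ipaddr an IP subjectAltName; the
 * common name is @hostname, falling back to @ipaddr when @hostname is
 * NULL (and is NULL if both are). Key usage and a critical TLS WWW
 * server key purpose are set as for the client variant.
 */
# define TLS_CERT_REQ_SIMPLE_SERVER(varname, cavarname, fname,         \
                                    hostname, ipaddr)                  \
    QCryptoTLSTestCertReq varname = {                                  \
        .filename = fname,                                             \
        .cn = hostname ? hostname : ipaddr,                            \
        .altname1 = hostname,                                          \
        .ipaddr1 = ipaddr,                                             \
        .basicConstraintsEnable = true,                                \
        .basicConstraintsCritical = true,                              \
        .basicConstraintsIsCA = false,                                 \
        .keyUsageEnable = true,                                        \
        .keyUsageCritical = true,                                      \
        .keyUsageValue =                                               \
        GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,    \
        .keyPurposeEnable = true,                                      \
        .keyPurposeCritical = true,                                    \
        .keyPurposeOID1 = GNUTLS_KP_TLS_WWW_SERVER,                    \
    };                                                                 \
    test_tls_generate_cert(&varname, cavarname.crt)

/* PKIX ASN.1 module table used by the certificate generator (libtasn1). */
extern const asn1_static_node pkix_asn1_tab[];

#endif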