qemu/tests/test-crypto-tlscredsx509.c
   1/*
   2 * Copyright (C) 2015 Red Hat, Inc.
   3 *
   4 * This library is free software; you can redistribute it and/or
   5 * modify it under the terms of the GNU Lesser General Public
   6 * License as published by the Free Software Foundation; either
   7 * version 2.1 of the License, or (at your option) any later version.
   8 *
   9 * This library is distributed in the hope that it will be useful,
  10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
  11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  12 * Lesser General Public License for more details.
  13 *
  14 * You should have received a copy of the GNU Lesser General Public
  15 * License along with this library.  If not, see
  16 * <http://www.gnu.org/licenses/>.
  17 *
  18 * Author: Daniel P. Berrange <berrange@redhat.com>
  19 */
  20
  21#include "qemu/osdep.h"
  22
  23#include "crypto-tls-x509-helpers.h"
  24#include "crypto/tlscredsx509.h"
  25#include "qapi/error.h"
  26
  27#ifdef QCRYPTO_HAVE_TLS_TEST_SUPPORT
  28
  29#define WORKDIR "tests/test-crypto-tlscredsx509-work/"
  30#define KEYFILE WORKDIR "key-ctx.pem"
  31
/*
 * One sanity-check test case: which certificate files to install into
 * the per-test cert directory and whether creating the TLS creds
 * object from them is expected to fail.
 */
struct QCryptoTLSCredsTestData {
    bool isServer;      /* install the server cert/key, else the client ones */
    const char *cacrt;  /* path of the CA cert to link in; may not exist */
    const char *crt;    /* path of the server/client cert to link in; may not exist */
    bool expectFail;    /* true if creds creation must fail for this case */
};
  38
  39
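/*
 * Instantiate a TLS x509 credentials object for one test case.
 *
 * @endpoint: the endpoint role ("server" or "client") to give the creds
 * @certdir: directory holding the ca-cert / cert / key PEM files
 * @errp: receives the error when creation fails
 *
 * The object is created as a child of the QOM root under the name
 * "testtlscreds" with peer verification and the certificate sanity
 * checks turned on, since the sanity checks are what this test exercises.
 *
 * Returns: the new creds object, or NULL on failure. The caller owns
 * the object and releases it with object_unparent().
 */
static QCryptoTLSCreds *test_tls_creds_create(QCryptoTLSCredsEndpoint endpoint,
                                              const char *certdir,
                                              Error **errp)
{
    Object *parent = object_get_objects_root();
    Object *creds = object_new_with_props(
        TYPE_QCRYPTO_TLS_CREDS_X509,
        parent,
        "testtlscreds",
        errp,
        "endpoint", (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
                     "server" : "client"),
        "dir", certdir,
        "verify-peer", "yes",
        "sanity-check", "yes",
        NULL);

    /*
     * Use the NULL return to detect failure rather than reading *errp:
     * object_new_with_props() returns NULL on error, and this way the
     * function stays correct if a caller passes a NULL errp, which
     * dereferencing *errp would crash on.
     */
    if (!creds) {
        return NULL;
    }
    return QCRYPTO_TLS_CREDS(creds);
}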
  62
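/* Per-test directory the creds object is pointed at via its "dir" property */
#define CERT_DIR "tests/test-crypto-tlscredsx509-certs/"

/*
 * Remove the CA cert and the server or client cert/key links from
 * CERT_DIR. Missing files are not an error: this runs both before a
 * test, to clear leftovers from an earlier aborted run, and after it.
 *
 * @isServer: true to remove the server cert/key, false for the client ones
 */
static void test_tls_creds_remove_files(bool isServer)
{
    unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
    if (isServer) {
        unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
        unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);
    } else {
        unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
        unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);
    }
}

/*
 * This tests sanity checking of our own certificates
 *
 * The code being tested is used when TLS creds are created,
 * and aims to ensure QEMU has been configured with sane
 * certificates. This allows us to give much much much
 * clearer error messages to the admin when they misconfigure
 * things.
 *
 * @opaque: a struct QCryptoTLSCredsTestData naming the CA cert and the
 *          server/client cert to install, and whether creation must fail
 *
 * The certs named by the test data are hard-linked into CERT_DIR under
 * the fixed file names the creds object looks for, a creds object is
 * created with sanity checking enabled, and the outcome is compared
 * with data->expectFail. CERT_DIR is emptied and removed afterwards.
 */
static void test_tls_creds(const void *opaque)
{
    /* The test data is only read, so keep the const instead of casting it away */
    const struct QCryptoTLSCredsTestData *data = opaque;
    QCryptoTLSCreds *creds;
    Error *err = NULL;
    const char *crtdst;
    const char *keydst;

    /*
     * The directory may survive an earlier aborted run, so a failure
     * here is not fatal by itself; if it really is missing, the link()
     * calls below fail and their asserts fire.
     */
    mkdir(CERT_DIR, 0700);
    test_tls_creds_remove_files(data->isServer);

    /* Destination names depend on which endpoint role is under test */
    if (data->isServer) {
        crtdst = CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT;
        keydst = CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY;
    } else {
        crtdst = CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT;
        keydst = CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY;
    }

    /*
     * A CA cert or endpoint cert that does not exist is deliberately
     * left out, so the "missing*" cases can check how the creds object
     * reacts to absent files. The private key at KEYFILE is always
     * linked in and must exist.
     */
    if (access(data->cacrt, R_OK) == 0) {
        g_assert(link(data->cacrt,
                      CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
    }
    if (access(data->crt, R_OK) == 0) {
        g_assert(link(data->crt, crtdst) == 0);
    }
    g_assert(link(KEYFILE, keydst) == 0);

    creds = test_tls_creds_create(
        (data->isServer ?
         QCRYPTO_TLS_CREDS_ENDPOINT_SERVER :
         QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT),
        CERT_DIR,
        &err);

    if (data->expectFail) {
        /* error_free() accepts NULL, so no check is needed first */
        error_free(err);
        g_assert(creds == NULL);
    } else {
        /* Print the reason before asserting so a failure is diagnosable */
        if (err) {
            g_printerr("Failed to generate creds: %s\n",
                       error_get_pretty(err));
            error_free(err);
        }
        g_assert(creds != NULL);
    }

    test_tls_creds_remove_files(data->isServer);
    rmdir(CERT_DIR);
    if (creds) {
        object_unparent(OBJECT(creds));
    }
}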
 143
/*
 * Test driver: bring up QOM and the GLib test framework, create the
 * work directory and the private key at KEYFILE (via test_tls_init),
 * build a set of CA / server / client certs with the TLS_ROOT_REQ and
 * TLS_CERT_REQ helpers, register one test_tls_creds case per
 * interesting combination, run them, then discard the certs and the
 * work directory.
 */
int main(int argc, char **argv)
{
    int ret;

    module_call_init(MODULE_INIT_QOM);
    g_test_init(&argc, &argv, NULL);
    /*
     * Select a GNUTLS FIPS operating mode for the whole run.
     * NOTE(review): the meaning of the value "2" is defined by GNUTLS;
     * confirm against its documentation before changing it.
     */
    setenv("GNUTLS_FORCE_FIPS_MODE", "2", 1);

    /* Return value ignored: the directory may be left over from an aborted run */
    mkdir(WORKDIR, 0700);

    test_tls_init(KEYFILE);

    /*
     * Declare a test-data struct local to main() named `name` and
     * register test_tls_creds with it under "/qcrypto/tlscredsx509/<name>".
     * The struct lives until main() returns, i.e. past g_test_run(),
     * which is what lets the framework hold a pointer to it.
     */
# define TLS_TEST_REG(name, isServer, caCrt, crt, expectFail)           \
    struct QCryptoTLSCredsTestData name = {                             \
        isServer, caCrt, crt, expectFail                                \
    };                                                                  \
    g_test_add_data_func("/qcrypto/tlscredsx509/" # name,               \
                         &name, test_tls_creds);                        \

    /*
     * NOTE(review): read from the cases below and their labels, the helper
     * argument groups appear to be: subject fields; basic constraints
     * (present, critical, is-CA); key usage (present, critical, bits);
     * key purpose (present, critical, up to two purposes); and finally
     * activation/expiry offsets (0,0 = valid now; 0,-1 = expired;
     * 1,2 = not yet active) -- confirm against crypto-tls-x509-helpers.h.
     */

    /* A perfect CA, perfect client & perfect server */

    /* Basic:CA:critical */
    TLS_ROOT_REQ(cacertreq,
                 "UK", "qemu CA", NULL, NULL, NULL, NULL,
                 true, true, true,
                 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
                 false, false, NULL, NULL,
                 0, 0);

    TLS_CERT_REQ(servercertreq, cacertreq,
                 "UK", "qemu.org", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true,
                 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
                 0, 0);
    TLS_CERT_REQ(clientcertreq, cacertreq,
                 "UK", "qemu", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true,
                 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
                 0, 0);

    TLS_TEST_REG(perfectserver, true,
                 cacertreq.filename, servercertreq.filename, false);
    TLS_TEST_REG(perfectclient, false,
                 cacertreq.filename, clientcertreq.filename, false);


    /* Some other CAs which are good */

    /* Basic:CA:critical */
    TLS_ROOT_REQ(cacert1req,
                 "UK", "qemu CA 1", NULL, NULL, NULL, NULL,
                 true, true, true,
                 false, false, 0,
                 false, false, NULL, NULL,
                 0, 0);
    TLS_CERT_REQ(servercert1req, cacert1req,
                 "UK", "qemu.org", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true,
                 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
                 0, 0);

    /* Basic:CA:not-critical */
    TLS_ROOT_REQ(cacert2req,
                 "UK", "qemu CA 2", NULL, NULL, NULL, NULL,
                 true, false, true,
                 false, false, 0,
                 false, false, NULL, NULL,
                 0, 0);
    TLS_CERT_REQ(servercert2req, cacert2req,
                 "UK", "qemu.org", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true,
                 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
                 0, 0);

    /* Key usage:cert-sign:critical */
    TLS_ROOT_REQ(cacert3req,
                 "UK", "qemu CA 3", NULL, NULL, NULL, NULL,
                 true, true, true,
                 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
                 false, false, NULL, NULL,
                 0, 0);
    TLS_CERT_REQ(servercert3req, cacert3req,
                 "UK", "qemu.org", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true,
                 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
                 0, 0);

    TLS_TEST_REG(goodca1, true,
                 cacert1req.filename, servercert1req.filename, false);
    TLS_TEST_REG(goodca2, true,
                 cacert2req.filename, servercert2req.filename, false);
    TLS_TEST_REG(goodca3, true,
                 cacert3req.filename, servercert3req.filename, false);

    /* Now some bad certs */

    /* Key usage:dig-sig:not-critical */
    TLS_ROOT_REQ(cacert4req,
                 "UK", "qemu CA 4", NULL, NULL, NULL, NULL,
                 true, true, true,
                 true, false, GNUTLS_KEY_DIGITAL_SIGNATURE,
                 false, false, NULL, NULL,
                 0, 0);
    TLS_CERT_REQ(servercert4req, cacert4req,
                 "UK", "qemu.org", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true,
                 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
                 0, 0);
    /* no-basic */
    TLS_ROOT_REQ(cacert5req,
                 "UK", "qemu CA 5", NULL, NULL, NULL, NULL,
                 false, false, false,
                 false, false, 0,
                 false, false, NULL, NULL,
                 0, 0);
    TLS_CERT_REQ(servercert5req, cacert5req,
                 "UK", "qemu.org", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true,
                 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
                 0, 0);
    /* Key usage:dig-sig:critical */
    TLS_ROOT_REQ(cacert6req,
                 "UK", "qemu CA 6", NULL, NULL, NULL, NULL,
                 true, true, true,
                 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
                 false, false, NULL, NULL,
                 0, 0);
    TLS_CERT_REQ(servercert6req, cacert6req,
                 "UK", "qemu.org", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true,
                 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
                 0, 0);

    /* Technically a CA cert with basic constraints
     * key purpose == key signing + non-critical should
     * be rejected. GNUTLS < 3.1 does not reject it and
     * we don't anticipate them changing this behaviour
     */
    /* expectFail is therefore only true on GNUTLS >= 3.1 */
    TLS_TEST_REG(badca1, true, cacert4req.filename, servercert4req.filename,
                (GNUTLS_VERSION_MAJOR == 3 && GNUTLS_VERSION_MINOR >= 1) ||
                GNUTLS_VERSION_MAJOR > 3);
    TLS_TEST_REG(badca2, true,
                 cacert5req.filename, servercert5req.filename, true);
    TLS_TEST_REG(badca3, true,
                 cacert6req.filename, servercert6req.filename, true);


    /* Various good servers */
    /* no usage or purpose */
    TLS_CERT_REQ(servercert7req, cacertreq,
                 "UK", "qemu", NULL, NULL, NULL, NULL,
                 true, true, false,
                 false, false, 0,
                 false, false, NULL, NULL,
                 0, 0);
    /* usage:cert-sign+dig-sig+encipher:critical */
    TLS_CERT_REQ(servercert8req, cacertreq,
                 "UK", "qemu", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true,
                 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT |
                 GNUTLS_KEY_KEY_CERT_SIGN,
                 false, false, NULL, NULL,
                 0, 0);
    /* usage:cert-sign:not-critical */
    TLS_CERT_REQ(servercert9req, cacertreq,
                 "UK", "qemu", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, false, GNUTLS_KEY_KEY_CERT_SIGN,
                 false, false, NULL, NULL,
                 0, 0);
    /* purpose:server:critical */
    TLS_CERT_REQ(servercert10req, cacertreq,
                 "UK", "qemu", NULL, NULL, NULL, NULL,
                 true, true, false,
                 false, false, 0,
                 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
                 0, 0);
    /* purpose:server:not-critical */
    TLS_CERT_REQ(servercert11req, cacertreq,
                 "UK", "qemu", NULL, NULL, NULL, NULL,
                 true, true, false,
                 false, false, 0,
                 true, false, GNUTLS_KP_TLS_WWW_SERVER, NULL,
                 0, 0);
    /* purpose:client+server:critical */
    TLS_CERT_REQ(servercert12req, cacertreq,
                 "UK", "qemu", NULL, NULL, NULL, NULL,
                 true, true, false,
                 false, false, 0,
                 true, true,
                 GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
                 0, 0);
    /* purpose:client+server:not-critical */
    TLS_CERT_REQ(servercert13req, cacertreq,
                 "UK", "qemu", NULL, NULL, NULL, NULL,
                 true, true, false,
                 false, false, 0,
                 true, false,
                 GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
                 0, 0);

    TLS_TEST_REG(goodserver1, true,
                 cacertreq.filename, servercert7req.filename, false);
    TLS_TEST_REG(goodserver2, true,
                 cacertreq.filename, servercert8req.filename, false);
    TLS_TEST_REG(goodserver3, true,
                 cacertreq.filename, servercert9req.filename, false);
    TLS_TEST_REG(goodserver4, true,
                 cacertreq.filename, servercert10req.filename, false);
    TLS_TEST_REG(goodserver5, true,
                 cacertreq.filename, servercert11req.filename, false);
    TLS_TEST_REG(goodserver6, true,
                 cacertreq.filename, servercert12req.filename, false);
    TLS_TEST_REG(goodserver7, true,
                 cacertreq.filename, servercert13req.filename, false);

    /* Bad servers */

    /* usage:cert-sign:critical */
    TLS_CERT_REQ(servercert14req, cacertreq,
                 "UK", "qemu", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
                 false, false, NULL, NULL,
                 0, 0);
    /* purpose:client:critical (wrong role for a server cert) */
    TLS_CERT_REQ(servercert15req, cacertreq,
                 "UK", "qemu", NULL, NULL, NULL, NULL,
                 true, true, false,
                 false, false, 0,
                 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
                 0, 0);
    /* usage: none:critical */
    TLS_CERT_REQ(servercert16req, cacertreq,
                 "UK", "qemu", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true, 0,
                 false, false, NULL, NULL,
                 0, 0);

    TLS_TEST_REG(badserver1, true,
                 cacertreq.filename, servercert14req.filename, true);
    TLS_TEST_REG(badserver2, true,
                 cacertreq.filename, servercert15req.filename, true);
    TLS_TEST_REG(badserver3, true,
                 cacertreq.filename, servercert16req.filename, true);



    /* Various good clients */
    /* no usage or purpose */
    TLS_CERT_REQ(clientcert1req, cacertreq,
                 "UK", "qemu", NULL, NULL, NULL, NULL,
                 true, true, false,
                 false, false, 0,
                 false, false, NULL, NULL,
                 0, 0);
    /* usage:cert-sign+dig-sig+encipher:critical */
    TLS_CERT_REQ(clientcert2req, cacertreq,
                 "UK", "qemu", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true,
                 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT |
                 GNUTLS_KEY_KEY_CERT_SIGN,
                 false, false, NULL, NULL,
                 0, 0);
    /* usage:cert-sign:not-critical */
    TLS_CERT_REQ(clientcert3req, cacertreq,
                 "UK", "qemu", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, false, GNUTLS_KEY_KEY_CERT_SIGN,
                 false, false, NULL, NULL,
                 0, 0);
    /* purpose:client:critical */
    TLS_CERT_REQ(clientcert4req, cacertreq,
                 "UK", "qemu", NULL, NULL, NULL, NULL,
                 true, true, false,
                 false, false, 0,
                 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
                 0, 0);
    /* purpose:client:not-critical */
    TLS_CERT_REQ(clientcert5req, cacertreq,
                 "UK", "qemu", NULL, NULL, NULL, NULL,
                 true, true, false,
                 false, false, 0,
                 true, false, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
                 0, 0);
    /* purpose:client+server:critical */
    TLS_CERT_REQ(clientcert6req, cacertreq,
                 "UK", "qemu", NULL, NULL, NULL, NULL,
                 true, true, false,
                 false, false, 0,
                 true, true,
                 GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
                 0, 0);
    /* purpose:client+server:not-critical */
    TLS_CERT_REQ(clientcert7req, cacertreq,
                 "UK", "qemu", NULL, NULL, NULL, NULL,
                 true, true, false,
                 false, false, 0,
                 true, false,
                 GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
                 0, 0);

    TLS_TEST_REG(goodclient1, false,
                 cacertreq.filename, clientcert1req.filename, false);
    TLS_TEST_REG(goodclient2, false,
                 cacertreq.filename, clientcert2req.filename, false);
    TLS_TEST_REG(goodclient3, false,
                 cacertreq.filename, clientcert3req.filename, false);
    TLS_TEST_REG(goodclient4, false,
                 cacertreq.filename, clientcert4req.filename, false);
    TLS_TEST_REG(goodclient5, false,
                 cacertreq.filename, clientcert5req.filename, false);
    TLS_TEST_REG(goodclient6, false,
                 cacertreq.filename, clientcert6req.filename, false);
    TLS_TEST_REG(goodclient7, false,
                 cacertreq.filename, clientcert7req.filename, false);

    /* Bad clients */

    /* usage:cert-sign:critical */
    TLS_CERT_REQ(clientcert8req, cacertreq,
                 "UK", "qemu", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
                 false, false, NULL, NULL,
                 0, 0);
    /* purpose:server:critical (wrong role for a client cert) */
    TLS_CERT_REQ(clientcert9req, cacertreq,
                 "UK", "qemu", NULL, NULL, NULL, NULL,
                 true, true, false,
                 false, false, 0,
                 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
                 0, 0);
    /* usage: none:critical */
    TLS_CERT_REQ(clientcert10req, cacertreq,
                 "UK", "qemu", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true, 0,
                 false, false, NULL, NULL,
                 0, 0);

    TLS_TEST_REG(badclient1, false,
                 cacertreq.filename, clientcert8req.filename, true);
    TLS_TEST_REG(badclient2, false,
                 cacertreq.filename, clientcert9req.filename, true);
    TLS_TEST_REG(badclient3, false,
                 cacertreq.filename, clientcert10req.filename, true);



    /* Expired stuff */

    /* An expired CA, then an expired server/client cert under a good CA */
    TLS_ROOT_REQ(cacertexpreq,
                 "UK", "qemu", NULL, NULL, NULL, NULL,
                 true, true, true,
                 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
                 false, false, NULL, NULL,
                 0, -1);
    TLS_CERT_REQ(servercertexpreq, cacertexpreq,
                 "UK", "qemu.org", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true,
                 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
                 0, 0);
    TLS_CERT_REQ(servercertexp1req, cacertreq,
                 "UK", "qemu", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true,
                 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
                 0, -1);
    TLS_CERT_REQ(clientcertexp1req, cacertreq,
                 "UK", "qemu", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true,
                 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
                 0, -1);

    TLS_TEST_REG(expired1, true,
                 cacertexpreq.filename, servercertexpreq.filename, true);
    TLS_TEST_REG(expired2, true,
                 cacertreq.filename, servercertexp1req.filename, true);
    TLS_TEST_REG(expired3, false,
                 cacertreq.filename, clientcertexp1req.filename, true);


    /* Not activated stuff */

    /* Same shape as the expired cases, but with a validity window in the future */
    TLS_ROOT_REQ(cacertnewreq,
                 "UK", "qemu", NULL, NULL, NULL, NULL,
                 true, true, true,
                 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
                 false, false, NULL, NULL,
                 1, 2);
    TLS_CERT_REQ(servercertnewreq, cacertnewreq,
                 "UK", "qemu", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true,
                 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
                 0, 0);
    TLS_CERT_REQ(servercertnew1req, cacertreq,
                 "UK", "qemu", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true,
                 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
                 1, 2);
    TLS_CERT_REQ(clientcertnew1req, cacertreq,
                 "UK", "qemu", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true,
                 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
                 1, 2);

    TLS_TEST_REG(inactive1, true,
                 cacertnewreq.filename, servercertnewreq.filename, true);
    TLS_TEST_REG(inactive2, true,
                 cacertreq.filename, servercertnew1req.filename, true);
    TLS_TEST_REG(inactive3, false,
                 cacertreq.filename, clientcertnew1req.filename, true);

    /*
     * Intermediate CA chain: root -> level 1a -> level 2a signs the
     * server cert, root -> level 1b signs the client cert. The whole
     * CA chain is written to one file that the chain1/chain2 cases
     * then use as their CA cert.
     */
    TLS_ROOT_REQ(cacertrootreq,
                 "UK", "qemu root", NULL, NULL, NULL, NULL,
                 true, true, true,
                 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
                 false, false, NULL, NULL,
                 0, 0);
    TLS_CERT_REQ(cacertlevel1areq, cacertrootreq,
                 "UK", "qemu level 1a", NULL, NULL, NULL, NULL,
                 true, true, true,
                 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
                 false, false, NULL, NULL,
                 0, 0);
    TLS_CERT_REQ(cacertlevel1breq, cacertrootreq,
                 "UK", "qemu level 1b", NULL, NULL, NULL, NULL,
                 true, true, true,
                 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
                 false, false, NULL, NULL,
                 0, 0);
    TLS_CERT_REQ(cacertlevel2areq, cacertlevel1areq,
                 "UK", "qemu level 2a", NULL, NULL, NULL, NULL,
                 true, true, true,
                 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
                 false, false, NULL, NULL,
                 0, 0);
    TLS_CERT_REQ(servercertlevel3areq, cacertlevel2areq,
                 "UK", "qemu.org", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true,
                 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
                 0, 0);
    TLS_CERT_REQ(clientcertlevel2breq, cacertlevel1breq,
                 "UK", "qemu client level 2b", NULL, NULL, NULL, NULL,
                 true, true, false,
                 true, true,
                 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
                 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
                 0, 0);

    gnutls_x509_crt_t certchain[] = {
        cacertrootreq.crt,
        cacertlevel1areq.crt,
        cacertlevel1breq.crt,
        cacertlevel2areq.crt,
    };

    test_tls_write_cert_chain(WORKDIR "cacertchain-ctx.pem",
                              certchain,
                              G_N_ELEMENTS(certchain));

    TLS_TEST_REG(chain1, true,
                 WORKDIR "cacertchain-ctx.pem",
                 servercertlevel3areq.filename, false);
    TLS_TEST_REG(chain2, false,
                 WORKDIR "cacertchain-ctx.pem",
                 clientcertlevel2breq.filename, false);

    /* Some missing certs - first two are fatal, the last
     * is ok
     */
    /* test_tls_creds() skips linking a cert whose path does not exist */
    TLS_TEST_REG(missingca, true,
                 "cacertdoesnotexist.pem",
                 servercert1req.filename, true);
    TLS_TEST_REG(missingserver, true,
                 cacert1req.filename,
                 "servercertdoesnotexist.pem", true);
    TLS_TEST_REG(missingclient, false,
                 cacert1req.filename,
                 "clientcertdoesnotexist.pem", false);

    ret = g_test_run();

    /*
     * The certs must outlive g_test_run(), since the registered test
     * data refer to their file names; discard them only now.
     */
    test_tls_discard_cert(&cacertreq);
    test_tls_discard_cert(&cacert1req);
    test_tls_discard_cert(&cacert2req);
    test_tls_discard_cert(&cacert3req);
    test_tls_discard_cert(&cacert4req);
    test_tls_discard_cert(&cacert5req);
    test_tls_discard_cert(&cacert6req);

    test_tls_discard_cert(&servercertreq);
    test_tls_discard_cert(&servercert1req);
    test_tls_discard_cert(&servercert2req);
    test_tls_discard_cert(&servercert3req);
    test_tls_discard_cert(&servercert4req);
    test_tls_discard_cert(&servercert5req);
    test_tls_discard_cert(&servercert6req);
    test_tls_discard_cert(&servercert7req);
    test_tls_discard_cert(&servercert8req);
    test_tls_discard_cert(&servercert9req);
    test_tls_discard_cert(&servercert10req);
    test_tls_discard_cert(&servercert11req);
    test_tls_discard_cert(&servercert12req);
    test_tls_discard_cert(&servercert13req);
    test_tls_discard_cert(&servercert14req);
    test_tls_discard_cert(&servercert15req);
    test_tls_discard_cert(&servercert16req);

    test_tls_discard_cert(&clientcertreq);
    test_tls_discard_cert(&clientcert1req);
    test_tls_discard_cert(&clientcert2req);
    test_tls_discard_cert(&clientcert3req);
    test_tls_discard_cert(&clientcert4req);
    test_tls_discard_cert(&clientcert5req);
    test_tls_discard_cert(&clientcert6req);
    test_tls_discard_cert(&clientcert7req);
    test_tls_discard_cert(&clientcert8req);
    test_tls_discard_cert(&clientcert9req);
    test_tls_discard_cert(&clientcert10req);

    test_tls_discard_cert(&cacertexpreq);
    test_tls_discard_cert(&servercertexpreq);
    test_tls_discard_cert(&servercertexp1req);
    test_tls_discard_cert(&clientcertexp1req);

    test_tls_discard_cert(&cacertnewreq);
    test_tls_discard_cert(&servercertnewreq);
    test_tls_discard_cert(&servercertnew1req);
    test_tls_discard_cert(&clientcertnew1req);

    test_tls_discard_cert(&cacertrootreq);
    test_tls_discard_cert(&cacertlevel1areq);
    test_tls_discard_cert(&cacertlevel1breq);
    test_tls_discard_cert(&cacertlevel2areq);
    test_tls_discard_cert(&servercertlevel3areq);
    test_tls_discard_cert(&clientcertlevel2breq);
    /* The chain file is written by hand above, so it is removed by hand too */
    unlink(WORKDIR "cacertchain-ctx.pem");

    test_tls_cleanup(KEYFILE);
    rmdir(WORKDIR);

    /* Map the GLib test result onto the conventional process exit codes */
    return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
 721
 722#else /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */
 723
/* Built without TLS test support: there is nothing to run, so report success. */
int main(void)
{
    return EXIT_SUCCESS;
}
 729
 730#endif /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */
 731