/*
 * Helpers for generating throw-away X.509 certificates (CA, client and
 * server) with gnutls, for the crypto/TLS unit tests.
 */
#ifndef TESTS_CRYPTO_TLS_X509_HELPERS_H
#define TESTS_CRYPTO_TLS_X509_HELPERS_H

#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
#include <libtasn1.h>


/*
 * Subject common names for the generated test client certificates.
 * The "hostile" name is presumably the CN of a client certificate that
 * a server under test is expected to reject (e.g. by an identity
 * allow-list) -- confirm against the test cases that use it.
 */
#define QCRYPTO_TLS_TEST_CLIENT_NAME "ACME QEMU Client"
#define QCRYPTO_TLS_TEST_CLIENT_HOSTILE_NAME "ACME Hostile Client"
31
32
33
34
35
/*
 * QCryptoTLSTestCertReq:
 *
 * Description of one X.509 certificate to generate for a test.
 * A request is filled in (normally by one of the TLS_*_REQ macros
 * below) and passed to test_tls_generate_cert(), which populates
 * @crt; the macros then pass the @crt of a CA request as the issuer
 * of further certificates.
 *
 * NOTE: member order is load-bearing. TLS_CERT_REQ and TLS_ROOT_REQ
 * initialise this struct positionally, so adding, removing or
 * reordering members must be mirrored in those macros.
 *
 * NOTE(review): bool and size_t are used in this header without
 * <stdbool.h>/<stddef.h>; the includer is assumed to provide them
 * -- confirm (the includes above do not obviously do so).
 */
typedef struct QCryptoTLSTestCertReq QCryptoTLSTestCertReq;
struct QCryptoTLSTestCertReq {
    /* The generated certificate; NULL until test_tls_generate_cert() runs */
    gnutls_x509_crt_t crt;

    /* Path the certificate is written to (the TLS_*_REQ macros derive
     * it from the variable name, or take it as an argument) */
    const char *filename;

    /* Subject name components: countryName and commonName.
     * Presumably NULL leaves the attribute out -- confirm in the generator */
    const char *country;
    const char *cn;
    /* subjectAltName entries: presumably DNS names (altname*) and
     * IP addresses (ipaddr*); NULL means not present -- confirm */
    const char *altname1;
    const char *altname2;
    const char *ipaddr1;
    const char *ipaddr2;

    /* basicConstraints extension: emit it at all, mark it critical,
     * and the value of the CA flag */
    bool basicConstraintsEnable;
    bool basicConstraintsCritical;
    bool basicConstraintsIsCA;

    /* keyUsage extension; keyUsageValue is a bitmask of GNUTLS_KEY_*
     * (see the SIMPLE macros below for the values used) */
    bool keyUsageEnable;
    bool keyUsageCritical;
    int keyUsageValue;

    /* extendedKeyUsage extension; the OIDs are GNUTLS_KP_* strings,
     * a NULL OID presumably meaning "not present" -- confirm */
    bool keyPurposeEnable;
    bool keyPurposeCritical;
    const char *keyPurposeOID1;
    const char *keyPurposeOID2;

    /* Validity window for notBefore/notAfter, as offsets presumably
     * in seconds relative to "now" -- confirm in the generator. This
     * is what lets tests build not-yet-valid and expired certificates. */
    int start_offset;

    int expire_offset;
};
71
/**
 * test_tls_generate_cert:
 * @req: the certificate request; @req->crt is filled in with the result
 * @ca: certificate of the issuing CA, or NULL for a self-signed (root)
 *      certificate, as TLS_ROOT_REQ does
 *
 * Generate the certificate described by @req. Presumably it is also
 * written to @req->filename and any failure aborts the test -- confirm
 * in the implementation.
 */
void test_tls_generate_cert(QCryptoTLSTestCertReq *req,
                            gnutls_x509_crt_t ca);
/**
 * test_tls_write_cert_chain:
 * @filename: output path
 * @certs: array of @ncerts certificates (order presumably leaf first,
 *         as in a TLS chain -- confirm)
 * @ncerts: number of entries in @certs
 *
 * Write all of @certs to @filename, presumably as concatenated PEM.
 */
void test_tls_write_cert_chain(const char *filename,
                               gnutls_x509_crt_t *certs,
                               size_t ncerts);
/**
 * test_tls_discard_cert:
 * @req: a request previously passed to test_tls_generate_cert()
 *
 * Release @req->crt once a test is done with it; presumably also
 * removes @req->filename -- confirm.
 */
void test_tls_discard_cert(QCryptoTLSTestCertReq *req);

/**
 * test_tls_init:
 * @keyfile: path of a private key file (presumably written here and
 *           shared by every generated certificate -- confirm)
 *
 * One-time set-up before any certificate is generated. Pair with
 * test_tls_cleanup() using the same @keyfile.
 */
void test_tls_init(const char *keyfile);
/**
 * test_tls_cleanup:
 * @keyfile: the path that was passed to test_tls_init()
 *
 * Undo test_tls_init(); presumably deletes @keyfile.
 */
void test_tls_cleanup(const char *keyfile);
81
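/*
 * TLS_CERT_REQ:
 * @varname: name of the static QCryptoTLSTestCertReq to define
 * @cavarname: request whose .crt signs the new certificate
 *
 * The remaining arguments map 1:1 onto the QCryptoTLSTestCertReq
 * members, in declaration order: subject (C, CN), two DNS SANs, two
 * IP SANs, basicConstraints (enable, critical, isCA), keyUsage
 * (enable, critical, GNUTLS_KEY_* bitmask), extendedKeyUsage
 * (enable, critical, two GNUTLS_KP_* OIDs) and the validity offsets.
 *
 * Defines @varname with static storage -- so every argument must be a
 * constant expression -- and generates the certificate into it; the
 * trailing call means this must expand inside a function. The output
 * path is built from WORKDIR, which the including file must define.
 *
 * Designated initialisers (the style the *_SIMPLE macros already use)
 * keep this correct if QCryptoTLSTestCertReq gains or reorders
 * members. The parameter names are deliberately distinct from the
 * member names so the designators are not macro-substituted.
 */
# define TLS_CERT_REQ(varname, cavarname, \
                      subj_country, subj_cn, \
                      san_dns1, san_dns2, \
                      san_ip1, san_ip2, \
                      bc_enable, bc_critical, bc_isca, \
                      ku_enable, ku_critical, ku_value, \
                      kp_enable, kp_critical, \
                      kp_oid1, kp_oid2, \
                      start_off, expire_off) \
    static QCryptoTLSTestCertReq varname = { \
        .crt = NULL, \
        .filename = WORKDIR #varname "-ctx.pem", \
        .country = subj_country, \
        .cn = subj_cn, \
        .altname1 = san_dns1, \
        .altname2 = san_dns2, \
        .ipaddr1 = san_ip1, \
        .ipaddr2 = san_ip2, \
        .basicConstraintsEnable = bc_enable, \
        .basicConstraintsCritical = bc_critical, \
        .basicConstraintsIsCA = bc_isca, \
        .keyUsageEnable = ku_enable, \
        .keyUsageCritical = ku_critical, \
        .keyUsageValue = ku_value, \
        .keyPurposeEnable = kp_enable, \
        .keyPurposeCritical = kp_critical, \
        .keyPurposeOID1 = kp_oid1, \
        .keyPurposeOID2 = kp_oid2, \
        .start_offset = start_off, \
        .expire_offset = expire_off \
    }; \
    test_tls_generate_cert(&varname, cavarname.crt)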
102
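/*
 * TLS_ROOT_REQ:
 * @varname: name of the static QCryptoTLSTestCertReq to define
 *
 * Same as TLS_CERT_REQ, but the certificate is self-signed (NULL
 * issuer), i.e. a root. The remaining arguments map 1:1 onto the
 * QCryptoTLSTestCertReq members in declaration order: subject
 * (C, CN), two DNS SANs, two IP SANs, basicConstraints (enable,
 * critical, isCA), keyUsage (enable, critical, GNUTLS_KEY_* bitmask),
 * extendedKeyUsage (enable, critical, two GNUTLS_KP_* OIDs) and the
 * validity offsets.
 *
 * @varname has static storage, so every argument must be a constant
 * expression; the trailing call means this must expand inside a
 * function. WORKDIR must be defined by the including file.
 *
 * Designated initialisers keep this correct if QCryptoTLSTestCertReq
 * gains or reorders members; the parameter names are distinct from the
 * member names so the designators are not macro-substituted.
 */
# define TLS_ROOT_REQ(varname, \
                      subj_country, subj_cn, \
                      san_dns1, san_dns2, \
                      san_ip1, san_ip2, \
                      bc_enable, bc_critical, bc_isca, \
                      ku_enable, ku_critical, ku_value, \
                      kp_enable, kp_critical, \
                      kp_oid1, kp_oid2, \
                      start_off, expire_off) \
    static QCryptoTLSTestCertReq varname = { \
        .crt = NULL, \
        .filename = WORKDIR #varname "-ctx.pem", \
        .country = subj_country, \
        .cn = subj_cn, \
        .altname1 = san_dns1, \
        .altname2 = san_dns2, \
        .ipaddr1 = san_ip1, \
        .ipaddr2 = san_ip2, \
        .basicConstraintsEnable = bc_enable, \
        .basicConstraintsCritical = bc_critical, \
        .basicConstraintsIsCA = bc_isca, \
        .keyUsageEnable = ku_enable, \
        .keyUsageCritical = ku_critical, \
        .keyUsageValue = ku_value, \
        .keyPurposeEnable = kp_enable, \
        .keyPurposeCritical = kp_critical, \
        .keyPurposeOID1 = kp_oid1, \
        .keyPurposeOID2 = kp_oid2, \
        .start_offset = start_off, \
        .expire_offset = expire_off \
    }; \
    test_tls_generate_cert(&varname, NULL)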
123
/*
 * TLS_ROOT_REQ_SIMPLE:
 * @varname: name of the QCryptoTLSTestCertReq to define (automatic
 *           storage; the trailing call means this expands inside a
 *           function)
 * @fname: path to write the certificate to
 *
 * Define and generate a self-signed CA certificate with CN "qemu-CA":
 * critical basicConstraints with CA:TRUE and a critical keyUsage of
 * only GNUTLS_KEY_KEY_CERT_SIGN, so the CA key is constrained to
 * signing certificates. All other members are left zero/NULL (no
 * country, no SANs, no extendedKeyUsage, zero validity offsets).
 */
# define TLS_ROOT_REQ_SIMPLE(varname, fname) \
    QCryptoTLSTestCertReq varname = { \
        .filename = fname, \
        .cn = "qemu-CA", \
        .basicConstraintsEnable = true, \
        .basicConstraintsCritical = true, \
        .basicConstraintsIsCA = true, \
        .keyUsageEnable = true, \
        .keyUsageCritical = true, \
        .keyUsageValue = GNUTLS_KEY_KEY_CERT_SIGN, \
    }; \
    test_tls_generate_cert(&varname, NULL)
136
/*
 * TLS_CERT_REQ_SIMPLE_CLIENT:
 * @varname: name of the QCryptoTLSTestCertReq to define (automatic
 *           storage, expands inside a function)
 * @cavarname: request whose .crt issues this certificate
 * @cname: subject CN, e.g. QCRYPTO_TLS_TEST_CLIENT_NAME
 * @fname: path to write the certificate to
 *
 * Define and generate an end-entity client certificate: critical
 * basicConstraints with CA:FALSE, critical keyUsage of
 * digitalSignature|keyEncipherment, and a critical extendedKeyUsage
 * of only GNUTLS_KP_TLS_WWW_CLIENT -- a verifier that enforces EKU
 * should therefore not accept it in the server role. No SANs are set.
 */
# define TLS_CERT_REQ_SIMPLE_CLIENT(varname, cavarname, cname, fname) \
    QCryptoTLSTestCertReq varname = { \
        .filename = fname, \
        .cn = cname, \
        .basicConstraintsEnable = true, \
        .basicConstraintsCritical = true, \
        .basicConstraintsIsCA = false, \
        .keyUsageEnable = true, \
        .keyUsageCritical = true, \
        .keyUsageValue = \
            GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, \
        .keyPurposeEnable = true, \
        .keyPurposeCritical = true, \
        .keyPurposeOID1 = GNUTLS_KP_TLS_WWW_CLIENT, \
    }; \
    test_tls_generate_cert(&varname, cavarname.crt)
153
/*
 * TLS_CERT_REQ_SIMPLE_SERVER:
 * @varname: name of the QCryptoTLSTestCertReq to define (automatic
 *           storage, expands inside a function)
 * @cavarname: request whose .crt issues this certificate
 * @fname: path to write the certificate to
 * @hostname: DNS name placed in .altname1 and, when non-NULL, used as
 *            the CN; may be NULL
 * @ipaddr: IP address placed in .ipaddr1, and the CN fallback when
 *          @hostname is NULL
 *
 * Define and generate an end-entity server certificate: critical
 * basicConstraints with CA:FALSE, critical keyUsage of
 * digitalSignature|keyEncipherment, and a critical extendedKeyUsage of
 * only GNUTLS_KP_TLS_WWW_SERVER. The identity is carried in the SANs;
 * the CN duplicates one of them, presumably so that verifiers which
 * still fall back to CN matching behave the same -- confirm against
 * the tests. The .cn ternary is evaluated at run time, which is fine
 * for automatic storage.
 */
# define TLS_CERT_REQ_SIMPLE_SERVER(varname, cavarname, fname, \
                                    hostname, ipaddr) \
    QCryptoTLSTestCertReq varname = { \
        .filename = fname, \
        .cn = hostname ? hostname : ipaddr, \
        .altname1 = hostname, \
        .ipaddr1 = ipaddr, \
        .basicConstraintsEnable = true, \
        .basicConstraintsCritical = true, \
        .basicConstraintsIsCA = false, \
        .keyUsageEnable = true, \
        .keyUsageCritical = true, \
        .keyUsageValue = \
            GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, \
        .keyPurposeEnable = true, \
        .keyPurposeCritical = true, \
        .keyPurposeOID1 = GNUTLS_KP_TLS_WWW_SERVER, \
    }; \
    test_tls_generate_cert(&varname, cavarname.crt)
173
/*
 * libtasn1 definition table for the PKIX (X.509) ASN.1 structures,
 * defined in a companion .c file. Presumably used by the certificate
 * generation helpers to build extension values that the gnutls API
 * does not expose directly -- confirm in the implementation.
 */
extern const asn1_static_node pkix_asn1_tab[];
175
176#endif
177