LXR qemu/tests/unit/crypto-tls-x509-helpers.h

   1/*
   2 * Copyright (C) 2015 Red Hat, Inc.
   3 *
   4 * This library is free software; you can redistribute it and/or
   5 * modify it under the terms of the GNU Lesser General Public
   6 * License as published by the Free Software Foundation; either
   7 * version 2.1 of the License, or (at your option) any later version.
   8 *
   9 * This library is distributed in the hope that it will be useful,
  10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
  11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  12 * Lesser General Public License for more details.
  13 *
  14 * You should have received a copy of the GNU Lesser General Public
  15 * License along with this library.  If not, see
  16 * <http://www.gnu.org/licenses/>.
  17 *
  18 * Author: Daniel P. Berrange <berrange@redhat.com>
  19 */
  20
  21#ifndef TESTS_CRYPTO_TLS_X509_HELPERS_H
  22#define TESTS_CRYPTO_TLS_X509_HELPERS_H
  23
  24#include <gnutls/gnutls.h>
  25#include <gnutls/x509.h>
  26#include <libtasn1.h>
  27
  28
  29#define QCRYPTO_TLS_TEST_CLIENT_NAME "ACME QEMU Client"
  30#define QCRYPTO_TLS_TEST_CLIENT_HOSTILE_NAME "ACME Hostile Client"
  31
  32/*
  33 * This contains parameter about how to generate
  34 * certificates.
  35 */
  36typedef struct QCryptoTLSTestCertReq QCryptoTLSTestCertReq;
  37struct QCryptoTLSTestCertReq {
  38    gnutls_x509_crt_t crt;
  39
  40    const char *filename;
  41
  42    /* Identifying information */
  43    const char *country;
  44    const char *cn;
  45    const char *altname1;
  46    const char *altname2;
  47    const char *ipaddr1;
  48    const char *ipaddr2;
  49
  50    /* Basic constraints */
  51    bool basicConstraintsEnable;
  52    bool basicConstraintsCritical;
  53    bool basicConstraintsIsCA;
  54
  55    /* Key usage */
  56    bool keyUsageEnable;
  57    bool keyUsageCritical;
  58    int keyUsageValue;
  59
  60    /* Key purpose (aka Extended key usage) */
  61    bool keyPurposeEnable;
  62    bool keyPurposeCritical;
  63    const char *keyPurposeOID1;
  64    const char *keyPurposeOID2;
  65
  66    /* zero for current time, or non-zero for hours from now */
  67    int start_offset;
  68    /* zero for 24 hours from now, or non-zero for hours from now */
  69    int expire_offset;
  70};
  71
  72void test_tls_generate_cert(QCryptoTLSTestCertReq *req,
  73                            gnutls_x509_crt_t ca);
  74void test_tls_write_cert_chain(const char *filename,
  75                               gnutls_x509_crt_t *certs,
  76                               size_t ncerts);
  77void test_tls_discard_cert(QCryptoTLSTestCertReq *req);
  78
  79void test_tls_init(const char *keyfile);
  80void test_tls_cleanup(const char *keyfile);
  81
  82# define TLS_CERT_REQ(varname, cavarname,                               \
  83                      country, commonname,                              \
  84                      altname1, altname2,                               \
  85                      ipaddr1, ipaddr2,                                 \
  86                      basicconsenable, basicconscritical, basicconsca,  \
  87                      keyusageenable, keyusagecritical, keyusagevalue,  \
  88                      keypurposeenable, keypurposecritical,             \
  89                      keypurposeoid1, keypurposeoid2,                   \
  90                      startoffset, endoffset)                           \
  91    static QCryptoTLSTestCertReq varname = {                            \
  92        NULL, WORKDIR #varname "-ctx.pem",                              \
  93        country, commonname, altname1, altname2,                        \
  94        ipaddr1, ipaddr2,                                               \
  95        basicconsenable, basicconscritical, basicconsca,                \
  96        keyusageenable, keyusagecritical, keyusagevalue,                \
  97        keypurposeenable, keypurposecritical,                           \
  98        keypurposeoid1, keypurposeoid2,                                 \
  99        startoffset, endoffset                                          \
 100    };                                                                  \
 101    test_tls_generate_cert(&varname, cavarname.crt)
 102
 103# define TLS_ROOT_REQ(varname,                                          \
 104                      country, commonname,                              \
 105                      altname1, altname2,                               \
 106                      ipaddr1, ipaddr2,                                 \
 107                      basicconsenable, basicconscritical, basicconsca,  \
 108                      keyusageenable, keyusagecritical, keyusagevalue,  \
 109                      keypurposeenable, keypurposecritical,             \
 110                      keypurposeoid1, keypurposeoid2,                   \
 111                      startoffset, endoffset)                           \
 112    static QCryptoTLSTestCertReq varname = {                            \
 113        NULL, WORKDIR #varname "-ctx.pem",                              \
 114        country, commonname, altname1, altname2,                        \
 115        ipaddr1, ipaddr2,                                               \
 116        basicconsenable, basicconscritical, basicconsca,                \
 117        keyusageenable, keyusagecritical, keyusagevalue,                \
 118        keypurposeenable, keypurposecritical,                           \
 119        keypurposeoid1, keypurposeoid2,                                 \
 120        startoffset, endoffset                                          \
 121    };                                                                  \
 122    test_tls_generate_cert(&varname, NULL)
 123
 124# define TLS_ROOT_REQ_SIMPLE(varname, fname)                            \
 125    QCryptoTLSTestCertReq varname = {                                   \
 126        .filename = fname,                                              \
 127        .cn = "qemu-CA",                                                \
 128        .basicConstraintsEnable = true,                                 \
 129        .basicConstraintsCritical = true,                               \
 130        .basicConstraintsIsCA = true,                                   \
 131        .keyUsageEnable = true,                                         \
 132        .keyUsageCritical = true,                                       \
 133        .keyUsageValue = GNUTLS_KEY_KEY_CERT_SIGN,                      \
 134    };                                                                  \
 135    test_tls_generate_cert(&varname, NULL)
 136
 137# define TLS_CERT_REQ_SIMPLE_CLIENT(varname, cavarname, cname, fname)   \
 138    QCryptoTLSTestCertReq varname = {                                   \
 139        .filename = fname,                                              \
 140        .cn = cname,                                                    \
 141        .basicConstraintsEnable = true,                                 \
 142        .basicConstraintsCritical = true,                               \
 143        .basicConstraintsIsCA = false,                                  \
 144        .keyUsageEnable = true,                                         \
 145        .keyUsageCritical = true,                                       \
 146        .keyUsageValue =                                                \
 147        GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,     \
 148        .keyPurposeEnable = true,                                       \
 149        .keyPurposeCritical = true,                                     \
 150        .keyPurposeOID1 = GNUTLS_KP_TLS_WWW_CLIENT,                     \
 151    };                                                                  \
 152    test_tls_generate_cert(&varname, cavarname.crt)
 153
 154# define TLS_CERT_REQ_SIMPLE_SERVER(varname, cavarname, fname,          \
 155                                    hostname, ipaddr)                   \
 156    QCryptoTLSTestCertReq varname = {                                   \
 157        .filename = fname,                                              \
 158        .cn = hostname ? hostname : ipaddr,                             \
 159        .altname1 = hostname,                                           \
 160        .ipaddr1 = ipaddr,                                              \
 161        .basicConstraintsEnable = true,                                 \
 162        .basicConstraintsCritical = true,                               \
 163        .basicConstraintsIsCA = false,                                  \
 164        .keyUsageEnable = true,                                         \
 165        .keyUsageCritical = true,                                       \
 166        .keyUsageValue =                                                \
 167        GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,     \
 168        .keyPurposeEnable = true,                                       \
 169        .keyPurposeCritical = true,                                     \
 170        .keyPurposeOID1 = GNUTLS_KP_TLS_WWW_SERVER,                     \
 171    };                                                                  \
 172    test_tls_generate_cert(&varname, cavarname.crt)
 173
 174extern const asn1_static_node pkix_asn1_tab[];
 175
 176#endif
 177