tests/qemu-iotests/common.tls - qemu - Git at Google

 #!/usr/bin/env bash
 #
 # Helpers for TLS related config
 #
 # Copyright (C) 2018 Red Hat, Inc.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation; either version 2 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #

 tls_dir="${TEST_DIR}/tls"

 tls_x509_cleanup()
 {
     rm -f "${tls_dir}"/*.pem
     rm -f "${tls_dir}"/*/*.pem
     rmdir "${tls_dir}"/*
     rmdir "${tls_dir}"
 }


 tls_certtool()
 {
     certtool "$@" 1>"${tls_dir}"/certtool.log 2>&1
     if test "$?" = 0; then
       head -1 "${tls_dir}"/certtool.log
     else
       cat "${tls_dir}"/certtool.log
     fi
     rm -f "${tls_dir}"/certtool.log
 }

 tls_x509_init()
 {
     (certtool --help) >/dev/null 2>&1 || \
 	_notrun "certtool utility not found, skipping test"

     mkdir -p "${tls_dir}"

     # use a fixed key so we don't waste system entropy on
     # each test run
     cat > "${tls_dir}/key.pem" <<EOF
 -----BEGIN PRIVATE KEY-----
 MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBALVcr
 BL40Tm6yq88FBhJNw1aaoCjmtg0l4dWQZ/e9Fimx4ARxFpT+ji4FE
 Cgl9s/SGqC+1nvlkm9ViSo0j7MKDbnDB+VRHDvMAzQhA2X7e8M0n9
 rPolUY2lIVC83q0BBaOBkCj2RSmT2xTEbbC2xLukSrg2WP/ihVOxc
 kXRuyFtzAgMBAAECgYB7slBexDwXrtItAMIH6m/U+LUpNe0Xx48OL
 IOn4a4whNgO/o84uIwygUK27ZGFZT0kAGAk8CdF9hA6ArcbQ62s1H
 myxrUbF9/mrLsQw1NEqpuUk9Ay2Tx5U/wPx35S3W/X2AvR/ZpTnCn
 2q/7ym9fyiSoj86drD7BTvmKXlOnOwQJBAPOFMp4mMa9NGpGuEssO
 m3Uwbp6lhcP0cA9MK+iOmeANpoKWfBdk5O34VbmeXnGYWEkrnX+9J
 bM4wVhnnBWtgBMCQQC+qAEmvwcfhauERKYznMVUVksyeuhxhCe7EK
 mPh+U2+g0WwdKvGDgO0PPt1gq0ILEjspMDeMHVdTwkaVBo/uMhAkA
 Z5SsZyCP2aTOPFDypXRdI4eqRcjaEPOUBq27r3uYb/jeboVb2weLa
 L1MmVuHiIHoa5clswPdWVI2y0em2IGoDAkBPSp/v9VKJEZabk9Frd
 a+7u4fanrM9QrEjY3KhduslSilXZZSxrWjjAJPyPiqFb3M8XXA26W
 nz1KYGnqYKhLcBAkB7dt57n9xfrhDpuyVEv+Uv1D3VVAhZlsaZ5Pp
 dcrhrkJn2sa/+O8OKvdrPSeeu/N5WwYhJf61+CPoenMp7IFci
 -----END PRIVATE KEY-----
 EOF
 }


 tls_x509_create_root_ca()
 {
     name=${1:-ca-cert}

     cat > "${tls_dir}/ca.info" <<EOF
 cn = Cthulhu Dark Lord Enterprises $name
 ca
 cert_signing_key
 EOF

     tls_certtool \
         --generate-self-signed \
         --load-privkey "${tls_dir}/key.pem" \
         --template "${tls_dir}/ca.info" \
         --outfile "${tls_dir}/$name-cert.pem"

     rm -f "${tls_dir}/ca.info"
 }


 tls_x509_create_server()
 {
     caname=$1
     name=$2

     mkdir -p "${tls_dir}/$name"
     cat > "${tls_dir}/cert.info" <<EOF
 organization = Cthulhu Dark Lord Enterprises $name
 cn = localhost
 dns_name = localhost
 dns_name = localhost.localdomain
 ip_address = 127.0.0.1
 ip_address = ::1
 tls_www_server
 encryption_key
 signing_key
 EOF

     tls_certtool \
         --generate-certificate \
         --load-ca-privkey "${tls_dir}/key.pem" \
         --load-ca-certificate "${tls_dir}/$caname-cert.pem" \
         --load-privkey "${tls_dir}/key.pem" \
         --template "${tls_dir}/cert.info" \
         --outfile "${tls_dir}/$name/server-cert.pem"

     ln -s "${tls_dir}/$caname-cert.pem" "${tls_dir}/$name/ca-cert.pem"
     ln -s "${tls_dir}/key.pem" "${tls_dir}/$name/server-key.pem"

     rm -f "${tls_dir}/cert.info"
 }


 tls_x509_create_client()
 {
     caname=$1
     name=$2

     mkdir -p "${tls_dir}/$name"
     cat > "${tls_dir}/cert.info" <<EOF
 country = South Pacific
 locality =  R'lyeh
 organization = Cthulhu Dark Lord Enterprises $name
 cn = localhost
 tls_www_client
 encryption_key
 signing_key
 EOF

     tls_certtool \
         --generate-certificate \
         --load-ca-privkey "${tls_dir}/key.pem" \
         --load-ca-certificate "${tls_dir}/$caname-cert.pem" \
         --load-privkey "${tls_dir}/key.pem" \
         --template "${tls_dir}/cert.info" \
         --outfile "${tls_dir}/$name/client-cert.pem"

     ln -s "${tls_dir}/$caname-cert.pem" "${tls_dir}/$name/ca-cert.pem"
     ln -s "${tls_dir}/key.pem" "${tls_dir}/$name/client-key.pem"

     rm -f "${tls_dir}/cert.info"
 }
	#!/usr/bin/env bash
	#
	# Helpers for TLS related config
	#
	# Copyright (C) 2018 Red Hat, Inc.
	#
	# This program is free software; you can redistribute it and/or modify
	# it under the terms of the GNU General Public License as published by
	# the Free Software Foundation; either version 2 of the License, or
	# (at your option) any later version.
	#
	# This program is distributed in the hope that it will be useful,
	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	# GNU General Public License for more details.
	#
	# You should have received a copy of the GNU General Public License
	# along with this program. If not, see <http://www.gnu.org/licenses/>.
	#

	tls_dir="${TEST_DIR}/tls"

	tls_x509_cleanup()
	{
	rm -f "${tls_dir}"/*.pem
	rm -f "${tls_dir}"//.pem
	rmdir "${tls_dir}"/*
	rmdir "${tls_dir}"
	}


	tls_certtool()
	{
	certtool "$@" 1>"${tls_dir}"/certtool.log 2>&1
	if test "$?" = 0; then
	head -1 "${tls_dir}"/certtool.log
	else
	cat "${tls_dir}"/certtool.log
	fi
	rm -f "${tls_dir}"/certtool.log
	}

	tls_x509_init()
	{
	(certtool --help) >/dev/null 2>&1 \|\| \
	_notrun "certtool utility not found, skipping test"

	mkdir -p "${tls_dir}"

	# use a fixed key so we don't waste system entropy on
	# each test run
	cat > "${tls_dir}/key.pem" <<EOF
	-----BEGIN PRIVATE KEY-----
	MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBALVcr
	BL40Tm6yq88FBhJNw1aaoCjmtg0l4dWQZ/e9Fimx4ARxFpT+ji4FE
	Cgl9s/SGqC+1nvlkm9ViSo0j7MKDbnDB+VRHDvMAzQhA2X7e8M0n9
	rPolUY2lIVC83q0BBaOBkCj2RSmT2xTEbbC2xLukSrg2WP/ihVOxc
	kXRuyFtzAgMBAAECgYB7slBexDwXrtItAMIH6m/U+LUpNe0Xx48OL
	IOn4a4whNgO/o84uIwygUK27ZGFZT0kAGAk8CdF9hA6ArcbQ62s1H
	myxrUbF9/mrLsQw1NEqpuUk9Ay2Tx5U/wPx35S3W/X2AvR/ZpTnCn
	2q/7ym9fyiSoj86drD7BTvmKXlOnOwQJBAPOFMp4mMa9NGpGuEssO
	m3Uwbp6lhcP0cA9MK+iOmeANpoKWfBdk5O34VbmeXnGYWEkrnX+9J
	bM4wVhnnBWtgBMCQQC+qAEmvwcfhauERKYznMVUVksyeuhxhCe7EK
	mPh+U2+g0WwdKvGDgO0PPt1gq0ILEjspMDeMHVdTwkaVBo/uMhAkA
	Z5SsZyCP2aTOPFDypXRdI4eqRcjaEPOUBq27r3uYb/jeboVb2weLa
	L1MmVuHiIHoa5clswPdWVI2y0em2IGoDAkBPSp/v9VKJEZabk9Frd
	a+7u4fanrM9QrEjY3KhduslSilXZZSxrWjjAJPyPiqFb3M8XXA26W
	nz1KYGnqYKhLcBAkB7dt57n9xfrhDpuyVEv+Uv1D3VVAhZlsaZ5Pp
	dcrhrkJn2sa/+O8OKvdrPSeeu/N5WwYhJf61+CPoenMp7IFci
	-----END PRIVATE KEY-----
	EOF
	}


	tls_x509_create_root_ca()
	{
	name=${1:-ca-cert}

	cat > "${tls_dir}/ca.info" <<EOF
	cn = Cthulhu Dark Lord Enterprises $name
	ca
	cert_signing_key
	EOF

	tls_certtool \
	--generate-self-signed \
	--load-privkey "${tls_dir}/key.pem" \
	--template "${tls_dir}/ca.info" \
	--outfile "${tls_dir}/$name-cert.pem"

	rm -f "${tls_dir}/ca.info"
	}


	tls_x509_create_server()
	{
	caname=$1
	name=$2

	mkdir -p "${tls_dir}/$name"
	cat > "${tls_dir}/cert.info" <<EOF
	organization = Cthulhu Dark Lord Enterprises $name
	cn = localhost
	dns_name = localhost
	dns_name = localhost.localdomain
	ip_address = 127.0.0.1
	ip_address = ::1
	tls_www_server
	encryption_key
	signing_key
	EOF

	tls_certtool \
	--generate-certificate \
	--load-ca-privkey "${tls_dir}/key.pem" \
	--load-ca-certificate "${tls_dir}/$caname-cert.pem" \
	--load-privkey "${tls_dir}/key.pem" \
	--template "${tls_dir}/cert.info" \
	--outfile "${tls_dir}/$name/server-cert.pem"

	ln -s "${tls_dir}/$caname-cert.pem" "${tls_dir}/$name/ca-cert.pem"
	ln -s "${tls_dir}/key.pem" "${tls_dir}/$name/server-key.pem"

	rm -f "${tls_dir}/cert.info"
	}


	tls_x509_create_client()
	{
	caname=$1
	name=$2

	mkdir -p "${tls_dir}/$name"
	cat > "${tls_dir}/cert.info" <<EOF
	country = South Pacific
	locality = R'lyeh
	organization = Cthulhu Dark Lord Enterprises $name
	cn = localhost
	tls_www_client
	encryption_key
	signing_key
	EOF

	tls_certtool \
	--generate-certificate \
	--load-ca-privkey "${tls_dir}/key.pem" \
	--load-ca-certificate "${tls_dir}/$caname-cert.pem" \
	--load-privkey "${tls_dir}/key.pem" \
	--template "${tls_dir}/cert.info" \
	--outfile "${tls_dir}/$name/client-cert.pem"

	ln -s "${tls_dir}/$caname-cert.pem" "${tls_dir}/$name/ca-cert.pem"
	ln -s "${tls_dir}/key.pem" "${tls_dir}/$name/client-key.pem"

	rm -f "${tls_dir}/cert.info"
	}