Daniel P. Berrange | 9a2fd43 | 2015-04-13 14:01:39 +0100 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2015 Red Hat, Inc. |
| 3 | * |
| 4 | * This library is free software; you can redistribute it and/or |
| 5 | * modify it under the terms of the GNU Lesser General Public |
| 6 | * License as published by the Free Software Foundation; either |
| 7 | * version 2.1 of the License, or (at your option) any later version. |
| 8 | * |
| 9 | * This library is distributed in the hope that it will be useful, |
| 10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
| 12 | * Lesser General Public License for more details. |
| 13 | * |
| 14 | * You should have received a copy of the GNU Lesser General Public |
| 15 | * License along with this library. If not, see |
| 16 | * <http://www.gnu.org/licenses/>. |
| 17 | * |
| 18 | * Author: Daniel P. Berrange <berrange@redhat.com> |
| 19 | */ |
| 20 | |
Peter Maydell | 681c28a | 2016-02-08 18:08:51 +0000 | [diff] [blame] | 21 | #include "qemu/osdep.h" |
Daniel P. Berrange | 9a2fd43 | 2015-04-13 14:01:39 +0100 | [diff] [blame] | 22 | |
Daniel P. Berrange | 9a2fd43 | 2015-04-13 14:01:39 +0100 | [diff] [blame] | 23 | #include "crypto-tls-x509-helpers.h" |
| 24 | #include "crypto/tlscredsx509.h" |
| 25 | |
| 26 | #ifdef QCRYPTO_HAVE_TLS_TEST_SUPPORT |
| 27 | |
| 28 | #define WORKDIR "tests/test-crypto-tlscredsx509-work/" |
| 29 | #define KEYFILE WORKDIR "key-ctx.pem" |
| 30 | |
| 31 | struct QCryptoTLSCredsTestData { |
| 32 | bool isServer; |
| 33 | const char *cacrt; |
| 34 | const char *crt; |
| 35 | bool expectFail; |
| 36 | }; |
| 37 | |
| 38 | |
| 39 | static QCryptoTLSCreds *test_tls_creds_create(QCryptoTLSCredsEndpoint endpoint, |
| 40 | const char *certdir, |
| 41 | Error **errp) |
| 42 | { |
| 43 | Object *parent = object_get_objects_root(); |
| 44 | Object *creds = object_new_with_props( |
| 45 | TYPE_QCRYPTO_TLS_CREDS_X509, |
| 46 | parent, |
| 47 | "testtlscreds", |
| 48 | errp, |
| 49 | "endpoint", (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ? |
| 50 | "server" : "client"), |
| 51 | "dir", certdir, |
| 52 | "verify-peer", "yes", |
| 53 | "sanity-check", "yes", |
| 54 | NULL); |
| 55 | |
| 56 | if (*errp) { |
| 57 | return NULL; |
| 58 | } |
| 59 | return QCRYPTO_TLS_CREDS(creds); |
| 60 | } |
| 61 | |
| 62 | /* |
| 63 | * This tests sanity checking of our own certificates |
| 64 | * |
| 65 | * The code being tested is used when TLS creds are created, |
| 66 | * and aim to ensure QMEU has been configured with sane |
| 67 | * certificates. This allows us to give much much much |
| 68 | * clearer error messages to the admin when they misconfigure |
| 69 | * things. |
| 70 | */ |
| 71 | static void test_tls_creds(const void *opaque) |
| 72 | { |
| 73 | struct QCryptoTLSCredsTestData *data = |
| 74 | (struct QCryptoTLSCredsTestData *)opaque; |
| 75 | QCryptoTLSCreds *creds; |
| 76 | Error *err = NULL; |
| 77 | |
| 78 | #define CERT_DIR "tests/test-crypto-tlscredsx509-certs/" |
| 79 | mkdir(CERT_DIR, 0700); |
| 80 | |
| 81 | unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT); |
| 82 | if (data->isServer) { |
| 83 | unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT); |
| 84 | unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY); |
| 85 | } else { |
| 86 | unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT); |
| 87 | unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY); |
| 88 | } |
| 89 | |
| 90 | if (access(data->cacrt, R_OK) == 0) { |
| 91 | g_assert(link(data->cacrt, |
| 92 | CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0); |
| 93 | } |
| 94 | if (data->isServer) { |
| 95 | if (access(data->crt, R_OK) == 0) { |
| 96 | g_assert(link(data->crt, |
| 97 | CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT) == 0); |
| 98 | } |
| 99 | g_assert(link(KEYFILE, |
| 100 | CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY) == 0); |
| 101 | } else { |
| 102 | if (access(data->crt, R_OK) == 0) { |
| 103 | g_assert(link(data->crt, |
| 104 | CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT) == 0); |
| 105 | } |
| 106 | g_assert(link(KEYFILE, |
| 107 | CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY) == 0); |
| 108 | } |
| 109 | |
| 110 | creds = test_tls_creds_create( |
| 111 | (data->isServer ? |
| 112 | QCRYPTO_TLS_CREDS_ENDPOINT_SERVER : |
| 113 | QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT), |
| 114 | CERT_DIR, |
| 115 | &err); |
| 116 | |
| 117 | if (data->expectFail) { |
| 118 | error_free(err); |
| 119 | g_assert(creds == NULL); |
| 120 | } else { |
| 121 | if (err) { |
| 122 | g_printerr("Failed to generate creds: %s\n", |
| 123 | error_get_pretty(err)); |
| 124 | error_free(err); |
| 125 | } |
| 126 | g_assert(creds != NULL); |
| 127 | } |
| 128 | |
| 129 | unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT); |
| 130 | if (data->isServer) { |
| 131 | unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT); |
| 132 | unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY); |
| 133 | } else { |
| 134 | unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT); |
| 135 | unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY); |
| 136 | } |
| 137 | rmdir(CERT_DIR); |
| 138 | if (creds) { |
| 139 | object_unparent(OBJECT(creds)); |
| 140 | } |
| 141 | } |
| 142 | |
| 143 | int main(int argc, char **argv) |
| 144 | { |
| 145 | int ret; |
| 146 | |
| 147 | module_call_init(MODULE_INIT_QOM); |
| 148 | g_test_init(&argc, &argv, NULL); |
| 149 | setenv("GNUTLS_FORCE_FIPS_MODE", "2", 1); |
| 150 | |
| 151 | mkdir(WORKDIR, 0700); |
| 152 | |
| 153 | test_tls_init(KEYFILE); |
| 154 | |
| 155 | # define TLS_TEST_REG(name, isServer, caCrt, crt, expectFail) \ |
| 156 | struct QCryptoTLSCredsTestData name = { \ |
| 157 | isServer, caCrt, crt, expectFail \ |
| 158 | }; \ |
| 159 | g_test_add_data_func("/qcrypto/tlscredsx509/" # name, \ |
| 160 | &name, test_tls_creds); \ |
| 161 | |
| 162 | /* A perfect CA, perfect client & perfect server */ |
| 163 | |
| 164 | /* Basic:CA:critical */ |
| 165 | TLS_ROOT_REQ(cacertreq, |
| 166 | "UK", "qemu CA", NULL, NULL, NULL, NULL, |
| 167 | true, true, true, |
| 168 | true, true, GNUTLS_KEY_KEY_CERT_SIGN, |
| 169 | false, false, NULL, NULL, |
| 170 | 0, 0); |
| 171 | |
| 172 | TLS_CERT_REQ(servercertreq, cacertreq, |
| 173 | "UK", "qemu.org", NULL, NULL, NULL, NULL, |
| 174 | true, true, false, |
| 175 | true, true, |
| 176 | GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, |
| 177 | true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, |
| 178 | 0, 0); |
| 179 | TLS_CERT_REQ(clientcertreq, cacertreq, |
| 180 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 181 | true, true, false, |
| 182 | true, true, |
| 183 | GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, |
| 184 | true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, |
| 185 | 0, 0); |
| 186 | |
| 187 | TLS_TEST_REG(perfectserver, true, |
| 188 | cacertreq.filename, servercertreq.filename, false); |
| 189 | TLS_TEST_REG(perfectclient, false, |
| 190 | cacertreq.filename, clientcertreq.filename, false); |
| 191 | |
| 192 | |
| 193 | /* Some other CAs which are good */ |
| 194 | |
| 195 | /* Basic:CA:critical */ |
| 196 | TLS_ROOT_REQ(cacert1req, |
| 197 | "UK", "qemu CA 1", NULL, NULL, NULL, NULL, |
| 198 | true, true, true, |
| 199 | false, false, 0, |
| 200 | false, false, NULL, NULL, |
| 201 | 0, 0); |
| 202 | TLS_CERT_REQ(servercert1req, cacert1req, |
| 203 | "UK", "qemu.org", NULL, NULL, NULL, NULL, |
| 204 | true, true, false, |
| 205 | true, true, |
| 206 | GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, |
| 207 | true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, |
| 208 | 0, 0); |
| 209 | |
| 210 | /* Basic:CA:not-critical */ |
| 211 | TLS_ROOT_REQ(cacert2req, |
| 212 | "UK", "qemu CA 2", NULL, NULL, NULL, NULL, |
| 213 | true, false, true, |
| 214 | false, false, 0, |
| 215 | false, false, NULL, NULL, |
| 216 | 0, 0); |
| 217 | TLS_CERT_REQ(servercert2req, cacert2req, |
| 218 | "UK", "qemu.org", NULL, NULL, NULL, NULL, |
| 219 | true, true, false, |
| 220 | true, true, |
| 221 | GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, |
| 222 | true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, |
| 223 | 0, 0); |
| 224 | |
| 225 | /* Key usage:cert-sign:critical */ |
| 226 | TLS_ROOT_REQ(cacert3req, |
| 227 | "UK", "qemu CA 3", NULL, NULL, NULL, NULL, |
| 228 | true, true, true, |
| 229 | true, true, GNUTLS_KEY_KEY_CERT_SIGN, |
| 230 | false, false, NULL, NULL, |
| 231 | 0, 0); |
| 232 | TLS_CERT_REQ(servercert3req, cacert3req, |
| 233 | "UK", "qemu.org", NULL, NULL, NULL, NULL, |
| 234 | true, true, false, |
| 235 | true, true, |
| 236 | GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, |
| 237 | true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, |
| 238 | 0, 0); |
| 239 | |
| 240 | TLS_TEST_REG(goodca1, true, |
| 241 | cacert1req.filename, servercert1req.filename, false); |
| 242 | TLS_TEST_REG(goodca2, true, |
| 243 | cacert2req.filename, servercert2req.filename, false); |
| 244 | TLS_TEST_REG(goodca3, true, |
| 245 | cacert3req.filename, servercert3req.filename, false); |
| 246 | |
| 247 | /* Now some bad certs */ |
| 248 | |
| 249 | /* Key usage:dig-sig:not-critical */ |
| 250 | TLS_ROOT_REQ(cacert4req, |
| 251 | "UK", "qemu CA 4", NULL, NULL, NULL, NULL, |
| 252 | true, true, true, |
| 253 | true, false, GNUTLS_KEY_DIGITAL_SIGNATURE, |
| 254 | false, false, NULL, NULL, |
| 255 | 0, 0); |
| 256 | TLS_CERT_REQ(servercert4req, cacert4req, |
| 257 | "UK", "qemu.org", NULL, NULL, NULL, NULL, |
| 258 | true, true, false, |
| 259 | true, true, |
| 260 | GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, |
| 261 | true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, |
| 262 | 0, 0); |
| 263 | /* no-basic */ |
| 264 | TLS_ROOT_REQ(cacert5req, |
| 265 | "UK", "qemu CA 5", NULL, NULL, NULL, NULL, |
| 266 | false, false, false, |
| 267 | false, false, 0, |
| 268 | false, false, NULL, NULL, |
| 269 | 0, 0); |
| 270 | TLS_CERT_REQ(servercert5req, cacert5req, |
| 271 | "UK", "qemu.org", NULL, NULL, NULL, NULL, |
| 272 | true, true, false, |
| 273 | true, true, |
| 274 | GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, |
| 275 | true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, |
| 276 | 0, 0); |
| 277 | /* Key usage:dig-sig:critical */ |
| 278 | TLS_ROOT_REQ(cacert6req, |
| 279 | "UK", "qemu CA 6", NULL, NULL, NULL, NULL, |
| 280 | true, true, true, |
| 281 | true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, |
| 282 | false, false, NULL, NULL, |
| 283 | 0, 0); |
| 284 | TLS_CERT_REQ(servercert6req, cacert6req, |
| 285 | "UK", "qemu.org", NULL, NULL, NULL, NULL, |
| 286 | true, true, false, |
| 287 | true, true, |
| 288 | GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, |
| 289 | true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, |
| 290 | 0, 0); |
| 291 | |
| 292 | /* Technically a CA cert with basic constraints |
| 293 | * key purpose == key signing + non-critical should |
| 294 | * be rejected. GNUTLS < 3.1 does not reject it and |
| 295 | * we don't anticipate them changing this behaviour |
| 296 | */ |
| 297 | TLS_TEST_REG(badca1, true, cacert4req.filename, servercert4req.filename, |
| 298 | (GNUTLS_VERSION_MAJOR == 3 && GNUTLS_VERSION_MINOR >= 1) || |
| 299 | GNUTLS_VERSION_MAJOR > 3); |
| 300 | TLS_TEST_REG(badca2, true, |
| 301 | cacert5req.filename, servercert5req.filename, true); |
| 302 | TLS_TEST_REG(badca3, true, |
| 303 | cacert6req.filename, servercert6req.filename, true); |
| 304 | |
| 305 | |
| 306 | /* Various good servers */ |
| 307 | /* no usage or purpose */ |
| 308 | TLS_CERT_REQ(servercert7req, cacertreq, |
| 309 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 310 | true, true, false, |
| 311 | false, false, 0, |
| 312 | false, false, NULL, NULL, |
| 313 | 0, 0); |
| 314 | /* usage:cert-sign+dig-sig+encipher:critical */ |
| 315 | TLS_CERT_REQ(servercert8req, cacertreq, |
| 316 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 317 | true, true, false, |
| 318 | true, true, |
| 319 | GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT | |
| 320 | GNUTLS_KEY_KEY_CERT_SIGN, |
| 321 | false, false, NULL, NULL, |
| 322 | 0, 0); |
| 323 | /* usage:cert-sign:not-critical */ |
| 324 | TLS_CERT_REQ(servercert9req, cacertreq, |
| 325 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 326 | true, true, false, |
| 327 | true, false, GNUTLS_KEY_KEY_CERT_SIGN, |
| 328 | false, false, NULL, NULL, |
| 329 | 0, 0); |
| 330 | /* purpose:server:critical */ |
| 331 | TLS_CERT_REQ(servercert10req, cacertreq, |
| 332 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 333 | true, true, false, |
| 334 | false, false, 0, |
| 335 | true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, |
| 336 | 0, 0); |
| 337 | /* purpose:server:not-critical */ |
| 338 | TLS_CERT_REQ(servercert11req, cacertreq, |
| 339 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 340 | true, true, false, |
| 341 | false, false, 0, |
| 342 | true, false, GNUTLS_KP_TLS_WWW_SERVER, NULL, |
| 343 | 0, 0); |
| 344 | /* purpose:client+server:critical */ |
| 345 | TLS_CERT_REQ(servercert12req, cacertreq, |
| 346 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 347 | true, true, false, |
| 348 | false, false, 0, |
| 349 | true, true, |
| 350 | GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER, |
| 351 | 0, 0); |
| 352 | /* purpose:client+server:not-critical */ |
| 353 | TLS_CERT_REQ(servercert13req, cacertreq, |
| 354 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 355 | true, true, false, |
| 356 | false, false, 0, |
| 357 | true, false, |
| 358 | GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER, |
| 359 | 0, 0); |
| 360 | |
| 361 | TLS_TEST_REG(goodserver1, true, |
| 362 | cacertreq.filename, servercert7req.filename, false); |
| 363 | TLS_TEST_REG(goodserver2, true, |
| 364 | cacertreq.filename, servercert8req.filename, false); |
| 365 | TLS_TEST_REG(goodserver3, true, |
| 366 | cacertreq.filename, servercert9req.filename, false); |
| 367 | TLS_TEST_REG(goodserver4, true, |
| 368 | cacertreq.filename, servercert10req.filename, false); |
| 369 | TLS_TEST_REG(goodserver5, true, |
| 370 | cacertreq.filename, servercert11req.filename, false); |
| 371 | TLS_TEST_REG(goodserver6, true, |
| 372 | cacertreq.filename, servercert12req.filename, false); |
| 373 | TLS_TEST_REG(goodserver7, true, |
| 374 | cacertreq.filename, servercert13req.filename, false); |
| 375 | |
| 376 | /* Bad servers */ |
| 377 | |
| 378 | /* usage:cert-sign:critical */ |
| 379 | TLS_CERT_REQ(servercert14req, cacertreq, |
| 380 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 381 | true, true, false, |
| 382 | true, true, GNUTLS_KEY_KEY_CERT_SIGN, |
| 383 | false, false, NULL, NULL, |
| 384 | 0, 0); |
| 385 | /* purpose:client:critical */ |
| 386 | TLS_CERT_REQ(servercert15req, cacertreq, |
| 387 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 388 | true, true, false, |
| 389 | false, false, 0, |
| 390 | true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, |
| 391 | 0, 0); |
| 392 | /* usage: none:critical */ |
| 393 | TLS_CERT_REQ(servercert16req, cacertreq, |
| 394 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 395 | true, true, false, |
| 396 | true, true, 0, |
| 397 | false, false, NULL, NULL, |
| 398 | 0, 0); |
| 399 | |
| 400 | TLS_TEST_REG(badserver1, true, |
| 401 | cacertreq.filename, servercert14req.filename, true); |
| 402 | TLS_TEST_REG(badserver2, true, |
| 403 | cacertreq.filename, servercert15req.filename, true); |
| 404 | TLS_TEST_REG(badserver3, true, |
| 405 | cacertreq.filename, servercert16req.filename, true); |
| 406 | |
| 407 | |
| 408 | |
| 409 | /* Various good clients */ |
| 410 | /* no usage or purpose */ |
| 411 | TLS_CERT_REQ(clientcert1req, cacertreq, |
| 412 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 413 | true, true, false, |
| 414 | false, false, 0, |
| 415 | false, false, NULL, NULL, |
| 416 | 0, 0); |
| 417 | /* usage:cert-sign+dig-sig+encipher:critical */ |
| 418 | TLS_CERT_REQ(clientcert2req, cacertreq, |
| 419 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 420 | true, true, false, |
| 421 | true, true, |
| 422 | GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT | |
| 423 | GNUTLS_KEY_KEY_CERT_SIGN, |
| 424 | false, false, NULL, NULL, |
| 425 | 0, 0); |
| 426 | /* usage:cert-sign:not-critical */ |
| 427 | TLS_CERT_REQ(clientcert3req, cacertreq, |
| 428 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 429 | true, true, false, |
| 430 | true, false, GNUTLS_KEY_KEY_CERT_SIGN, |
| 431 | false, false, NULL, NULL, |
| 432 | 0, 0); |
| 433 | /* purpose:client:critical */ |
| 434 | TLS_CERT_REQ(clientcert4req, cacertreq, |
| 435 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 436 | true, true, false, |
| 437 | false, false, 0, |
| 438 | true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, |
| 439 | 0, 0); |
| 440 | /* purpose:client:not-critical */ |
| 441 | TLS_CERT_REQ(clientcert5req, cacertreq, |
| 442 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 443 | true, true, false, |
| 444 | false, false, 0, |
| 445 | true, false, GNUTLS_KP_TLS_WWW_CLIENT, NULL, |
| 446 | 0, 0); |
| 447 | /* purpose:client+client:critical */ |
| 448 | TLS_CERT_REQ(clientcert6req, cacertreq, |
| 449 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 450 | true, true, false, |
| 451 | false, false, 0, |
| 452 | true, true, |
| 453 | GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER, |
| 454 | 0, 0); |
| 455 | /* purpose:client+client:not-critical */ |
| 456 | TLS_CERT_REQ(clientcert7req, cacertreq, |
| 457 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 458 | true, true, false, |
| 459 | false, false, 0, |
| 460 | true, false, |
| 461 | GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER, |
| 462 | 0, 0); |
| 463 | |
| 464 | TLS_TEST_REG(goodclient1, false, |
| 465 | cacertreq.filename, clientcert1req.filename, false); |
| 466 | TLS_TEST_REG(goodclient2, false, |
| 467 | cacertreq.filename, clientcert2req.filename, false); |
| 468 | TLS_TEST_REG(goodclient3, false, |
| 469 | cacertreq.filename, clientcert3req.filename, false); |
| 470 | TLS_TEST_REG(goodclient4, false, |
| 471 | cacertreq.filename, clientcert4req.filename, false); |
| 472 | TLS_TEST_REG(goodclient5, false, |
| 473 | cacertreq.filename, clientcert5req.filename, false); |
| 474 | TLS_TEST_REG(goodclient6, false, |
| 475 | cacertreq.filename, clientcert6req.filename, false); |
| 476 | TLS_TEST_REG(goodclient7, false, |
| 477 | cacertreq.filename, clientcert7req.filename, false); |
| 478 | |
| 479 | /* Bad clients */ |
| 480 | |
| 481 | /* usage:cert-sign:critical */ |
| 482 | TLS_CERT_REQ(clientcert8req, cacertreq, |
| 483 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 484 | true, true, false, |
| 485 | true, true, GNUTLS_KEY_KEY_CERT_SIGN, |
| 486 | false, false, NULL, NULL, |
| 487 | 0, 0); |
| 488 | /* purpose:client:critical */ |
| 489 | TLS_CERT_REQ(clientcert9req, cacertreq, |
| 490 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 491 | true, true, false, |
| 492 | false, false, 0, |
| 493 | true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, |
| 494 | 0, 0); |
| 495 | /* usage: none:critical */ |
| 496 | TLS_CERT_REQ(clientcert10req, cacertreq, |
| 497 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 498 | true, true, false, |
| 499 | true, true, 0, |
| 500 | false, false, NULL, NULL, |
| 501 | 0, 0); |
| 502 | |
| 503 | TLS_TEST_REG(badclient1, false, |
| 504 | cacertreq.filename, clientcert8req.filename, true); |
| 505 | TLS_TEST_REG(badclient2, false, |
| 506 | cacertreq.filename, clientcert9req.filename, true); |
| 507 | TLS_TEST_REG(badclient3, false, |
| 508 | cacertreq.filename, clientcert10req.filename, true); |
| 509 | |
| 510 | |
| 511 | |
| 512 | /* Expired stuff */ |
| 513 | |
| 514 | TLS_ROOT_REQ(cacertexpreq, |
| 515 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 516 | true, true, true, |
| 517 | true, true, GNUTLS_KEY_KEY_CERT_SIGN, |
| 518 | false, false, NULL, NULL, |
| 519 | 0, -1); |
| 520 | TLS_CERT_REQ(servercertexpreq, cacertexpreq, |
| 521 | "UK", "qemu.org", NULL, NULL, NULL, NULL, |
| 522 | true, true, false, |
| 523 | true, true, |
| 524 | GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, |
| 525 | true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, |
| 526 | 0, 0); |
| 527 | TLS_CERT_REQ(servercertexp1req, cacertreq, |
| 528 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 529 | true, true, false, |
| 530 | true, true, |
| 531 | GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, |
| 532 | true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, |
| 533 | 0, -1); |
| 534 | TLS_CERT_REQ(clientcertexp1req, cacertreq, |
| 535 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 536 | true, true, false, |
| 537 | true, true, |
| 538 | GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, |
| 539 | true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, |
| 540 | 0, -1); |
| 541 | |
| 542 | TLS_TEST_REG(expired1, true, |
| 543 | cacertexpreq.filename, servercertexpreq.filename, true); |
| 544 | TLS_TEST_REG(expired2, true, |
| 545 | cacertreq.filename, servercertexp1req.filename, true); |
| 546 | TLS_TEST_REG(expired3, false, |
| 547 | cacertreq.filename, clientcertexp1req.filename, true); |
| 548 | |
| 549 | |
| 550 | /* Not activated stuff */ |
| 551 | |
| 552 | TLS_ROOT_REQ(cacertnewreq, |
| 553 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 554 | true, true, true, |
| 555 | true, true, GNUTLS_KEY_KEY_CERT_SIGN, |
| 556 | false, false, NULL, NULL, |
| 557 | 1, 2); |
| 558 | TLS_CERT_REQ(servercertnewreq, cacertnewreq, |
| 559 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 560 | true, true, false, |
| 561 | true, true, |
| 562 | GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, |
| 563 | true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, |
| 564 | 0, 0); |
| 565 | TLS_CERT_REQ(servercertnew1req, cacertreq, |
| 566 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 567 | true, true, false, |
| 568 | true, true, |
| 569 | GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, |
| 570 | true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, |
| 571 | 1, 2); |
| 572 | TLS_CERT_REQ(clientcertnew1req, cacertreq, |
| 573 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 574 | true, true, false, |
| 575 | true, true, |
| 576 | GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, |
| 577 | true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, |
| 578 | 1, 2); |
| 579 | |
| 580 | TLS_TEST_REG(inactive1, true, |
| 581 | cacertnewreq.filename, servercertnewreq.filename, true); |
| 582 | TLS_TEST_REG(inactive2, true, |
| 583 | cacertreq.filename, servercertnew1req.filename, true); |
| 584 | TLS_TEST_REG(inactive3, false, |
| 585 | cacertreq.filename, clientcertnew1req.filename, true); |
| 586 | |
| 587 | TLS_ROOT_REQ(cacertrootreq, |
| 588 | "UK", "qemu root", NULL, NULL, NULL, NULL, |
| 589 | true, true, true, |
| 590 | true, true, GNUTLS_KEY_KEY_CERT_SIGN, |
| 591 | false, false, NULL, NULL, |
| 592 | 0, 0); |
| 593 | TLS_CERT_REQ(cacertlevel1areq, cacertrootreq, |
| 594 | "UK", "qemu level 1a", NULL, NULL, NULL, NULL, |
| 595 | true, true, true, |
| 596 | true, true, GNUTLS_KEY_KEY_CERT_SIGN, |
| 597 | false, false, NULL, NULL, |
| 598 | 0, 0); |
| 599 | TLS_CERT_REQ(cacertlevel1breq, cacertrootreq, |
| 600 | "UK", "qemu level 1b", NULL, NULL, NULL, NULL, |
| 601 | true, true, true, |
| 602 | true, true, GNUTLS_KEY_KEY_CERT_SIGN, |
| 603 | false, false, NULL, NULL, |
| 604 | 0, 0); |
| 605 | TLS_CERT_REQ(cacertlevel2areq, cacertlevel1areq, |
| 606 | "UK", "qemu level 2a", NULL, NULL, NULL, NULL, |
| 607 | true, true, true, |
| 608 | true, true, GNUTLS_KEY_KEY_CERT_SIGN, |
| 609 | false, false, NULL, NULL, |
| 610 | 0, 0); |
| 611 | TLS_CERT_REQ(servercertlevel3areq, cacertlevel2areq, |
| 612 | "UK", "qemu.org", NULL, NULL, NULL, NULL, |
| 613 | true, true, false, |
| 614 | true, true, |
| 615 | GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, |
| 616 | true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, |
| 617 | 0, 0); |
| 618 | TLS_CERT_REQ(clientcertlevel2breq, cacertlevel1breq, |
| 619 | "UK", "qemu client level 2b", NULL, NULL, NULL, NULL, |
| 620 | true, true, false, |
| 621 | true, true, |
| 622 | GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, |
| 623 | true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, |
| 624 | 0, 0); |
| 625 | |
| 626 | gnutls_x509_crt_t certchain[] = { |
| 627 | cacertrootreq.crt, |
| 628 | cacertlevel1areq.crt, |
| 629 | cacertlevel1breq.crt, |
| 630 | cacertlevel2areq.crt, |
| 631 | }; |
| 632 | |
| 633 | test_tls_write_cert_chain(WORKDIR "cacertchain-ctx.pem", |
| 634 | certchain, |
| 635 | G_N_ELEMENTS(certchain)); |
| 636 | |
| 637 | TLS_TEST_REG(chain1, true, |
| 638 | WORKDIR "cacertchain-ctx.pem", |
| 639 | servercertlevel3areq.filename, false); |
| 640 | TLS_TEST_REG(chain2, false, |
| 641 | WORKDIR "cacertchain-ctx.pem", |
| 642 | clientcertlevel2breq.filename, false); |
| 643 | |
| 644 | /* Some missing certs - first two are fatal, the last |
| 645 | * is ok |
| 646 | */ |
| 647 | TLS_TEST_REG(missingca, true, |
| 648 | "cacertdoesnotexist.pem", |
| 649 | servercert1req.filename, true); |
| 650 | TLS_TEST_REG(missingserver, true, |
| 651 | cacert1req.filename, |
| 652 | "servercertdoesnotexist.pem", true); |
| 653 | TLS_TEST_REG(missingclient, false, |
| 654 | cacert1req.filename, |
| 655 | "clientcertdoesnotexist.pem", false); |
| 656 | |
| 657 | ret = g_test_run(); |
| 658 | |
| 659 | test_tls_discard_cert(&cacertreq); |
| 660 | test_tls_discard_cert(&cacert1req); |
| 661 | test_tls_discard_cert(&cacert2req); |
| 662 | test_tls_discard_cert(&cacert3req); |
| 663 | test_tls_discard_cert(&cacert4req); |
| 664 | test_tls_discard_cert(&cacert5req); |
| 665 | test_tls_discard_cert(&cacert6req); |
| 666 | |
| 667 | test_tls_discard_cert(&servercertreq); |
| 668 | test_tls_discard_cert(&servercert1req); |
| 669 | test_tls_discard_cert(&servercert2req); |
| 670 | test_tls_discard_cert(&servercert3req); |
| 671 | test_tls_discard_cert(&servercert4req); |
| 672 | test_tls_discard_cert(&servercert5req); |
| 673 | test_tls_discard_cert(&servercert6req); |
| 674 | test_tls_discard_cert(&servercert7req); |
| 675 | test_tls_discard_cert(&servercert8req); |
| 676 | test_tls_discard_cert(&servercert9req); |
| 677 | test_tls_discard_cert(&servercert10req); |
| 678 | test_tls_discard_cert(&servercert11req); |
| 679 | test_tls_discard_cert(&servercert12req); |
| 680 | test_tls_discard_cert(&servercert13req); |
| 681 | test_tls_discard_cert(&servercert14req); |
| 682 | test_tls_discard_cert(&servercert15req); |
| 683 | test_tls_discard_cert(&servercert16req); |
| 684 | |
| 685 | test_tls_discard_cert(&clientcertreq); |
| 686 | test_tls_discard_cert(&clientcert1req); |
| 687 | test_tls_discard_cert(&clientcert2req); |
| 688 | test_tls_discard_cert(&clientcert3req); |
| 689 | test_tls_discard_cert(&clientcert4req); |
| 690 | test_tls_discard_cert(&clientcert5req); |
| 691 | test_tls_discard_cert(&clientcert6req); |
| 692 | test_tls_discard_cert(&clientcert7req); |
| 693 | test_tls_discard_cert(&clientcert8req); |
| 694 | test_tls_discard_cert(&clientcert9req); |
| 695 | test_tls_discard_cert(&clientcert10req); |
| 696 | |
| 697 | test_tls_discard_cert(&cacertexpreq); |
| 698 | test_tls_discard_cert(&servercertexpreq); |
| 699 | test_tls_discard_cert(&servercertexp1req); |
| 700 | test_tls_discard_cert(&clientcertexp1req); |
| 701 | |
| 702 | test_tls_discard_cert(&cacertnewreq); |
| 703 | test_tls_discard_cert(&servercertnewreq); |
| 704 | test_tls_discard_cert(&servercertnew1req); |
| 705 | test_tls_discard_cert(&clientcertnew1req); |
| 706 | |
| 707 | test_tls_discard_cert(&cacertrootreq); |
| 708 | test_tls_discard_cert(&cacertlevel1areq); |
| 709 | test_tls_discard_cert(&cacertlevel1breq); |
| 710 | test_tls_discard_cert(&cacertlevel2areq); |
| 711 | test_tls_discard_cert(&servercertlevel3areq); |
| 712 | test_tls_discard_cert(&clientcertlevel2breq); |
| 713 | unlink(WORKDIR "cacertchain-ctx.pem"); |
| 714 | |
| 715 | test_tls_cleanup(KEYFILE); |
| 716 | rmdir(WORKDIR); |
| 717 | |
| 718 | return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE; |
| 719 | } |
| 720 | |
| 721 | #else /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */ |
| 722 | |
| 723 | int |
| 724 | main(void) |
| 725 | { |
| 726 | return EXIT_SUCCESS; |
| 727 | } |
| 728 | |
| 729 | #endif /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */ |