Daniel P. Berrange | 9a2fd43 | 2015-04-13 14:01:39 +0100 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2015 Red Hat, Inc. |
| 3 | * |
| 4 | * This library is free software; you can redistribute it and/or |
| 5 | * modify it under the terms of the GNU Lesser General Public |
| 6 | * License as published by the Free Software Foundation; either |
| 7 | * version 2.1 of the License, or (at your option) any later version. |
| 8 | * |
| 9 | * This library is distributed in the hope that it will be useful, |
| 10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
| 12 | * Lesser General Public License for more details. |
| 13 | * |
| 14 | * You should have received a copy of the GNU Lesser General Public |
| 15 | * License along with this library. If not, see |
| 16 | * <http://www.gnu.org/licenses/>. |
| 17 | * |
| 18 | * Author: Daniel P. Berrange <berrange@redhat.com> |
| 19 | */ |
| 20 | |
Peter Maydell | 681c28a | 2016-02-08 18:08:51 +0000 | [diff] [blame] | 21 | #include "qemu/osdep.h" |
Daniel P. Berrange | 9a2fd43 | 2015-04-13 14:01:39 +0100 | [diff] [blame] | 22 | |
Daniel P. Berrange | 9a2fd43 | 2015-04-13 14:01:39 +0100 | [diff] [blame] | 23 | #include "crypto-tls-x509-helpers.h" |
| 24 | #include "crypto/tlscredsx509.h" |
Markus Armbruster | da34e65 | 2016-03-14 09:01:28 +0100 | [diff] [blame] | 25 | #include "qapi/error.h" |
Markus Armbruster | 0b8fa32 | 2019-05-23 16:35:07 +0200 | [diff] [blame] | 26 | #include "qemu/module.h" |
Daniel P. Berrange | 9a2fd43 | 2015-04-13 14:01:39 +0100 | [diff] [blame] | 27 | |
| 28 | #ifdef QCRYPTO_HAVE_TLS_TEST_SUPPORT |
| 29 | |
| 30 | #define WORKDIR "tests/test-crypto-tlscredsx509-work/" |
| 31 | #define KEYFILE WORKDIR "key-ctx.pem" |
| 32 | |
| 33 | struct QCryptoTLSCredsTestData { |
| 34 | bool isServer; |
| 35 | const char *cacrt; |
| 36 | const char *crt; |
| 37 | bool expectFail; |
| 38 | }; |
| 39 | |
| 40 | |
| 41 | static QCryptoTLSCreds *test_tls_creds_create(QCryptoTLSCredsEndpoint endpoint, |
| 42 | const char *certdir, |
| 43 | Error **errp) |
| 44 | { |
| 45 | Object *parent = object_get_objects_root(); |
| 46 | Object *creds = object_new_with_props( |
| 47 | TYPE_QCRYPTO_TLS_CREDS_X509, |
| 48 | parent, |
| 49 | "testtlscreds", |
| 50 | errp, |
| 51 | "endpoint", (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ? |
| 52 | "server" : "client"), |
| 53 | "dir", certdir, |
| 54 | "verify-peer", "yes", |
| 55 | "sanity-check", "yes", |
| 56 | NULL); |
| 57 | |
Daniel P. Berrangé | 68db131 | 2018-07-18 10:06:43 +0100 | [diff] [blame] | 58 | if (!creds) { |
Daniel P. Berrange | 9a2fd43 | 2015-04-13 14:01:39 +0100 | [diff] [blame] | 59 | return NULL; |
| 60 | } |
| 61 | return QCRYPTO_TLS_CREDS(creds); |
| 62 | } |
| 63 | |
| 64 | /* |
| 65 | * This tests sanity checking of our own certificates |
| 66 | * |
| 67 | * The code being tested is used when TLS creds are created, |
| 68 | * and aim to ensure QMEU has been configured with sane |
| 69 | * certificates. This allows us to give much much much |
| 70 | * clearer error messages to the admin when they misconfigure |
| 71 | * things. |
| 72 | */ |
| 73 | static void test_tls_creds(const void *opaque) |
| 74 | { |
| 75 | struct QCryptoTLSCredsTestData *data = |
| 76 | (struct QCryptoTLSCredsTestData *)opaque; |
| 77 | QCryptoTLSCreds *creds; |
Daniel P. Berrange | 9a2fd43 | 2015-04-13 14:01:39 +0100 | [diff] [blame] | 78 | |
| 79 | #define CERT_DIR "tests/test-crypto-tlscredsx509-certs/" |
| 80 | mkdir(CERT_DIR, 0700); |
| 81 | |
| 82 | unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT); |
| 83 | if (data->isServer) { |
| 84 | unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT); |
| 85 | unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY); |
| 86 | } else { |
| 87 | unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT); |
| 88 | unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY); |
| 89 | } |
| 90 | |
| 91 | if (access(data->cacrt, R_OK) == 0) { |
| 92 | g_assert(link(data->cacrt, |
| 93 | CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0); |
| 94 | } |
| 95 | if (data->isServer) { |
| 96 | if (access(data->crt, R_OK) == 0) { |
| 97 | g_assert(link(data->crt, |
| 98 | CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT) == 0); |
| 99 | } |
| 100 | g_assert(link(KEYFILE, |
| 101 | CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY) == 0); |
| 102 | } else { |
| 103 | if (access(data->crt, R_OK) == 0) { |
| 104 | g_assert(link(data->crt, |
| 105 | CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT) == 0); |
| 106 | } |
| 107 | g_assert(link(KEYFILE, |
| 108 | CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY) == 0); |
| 109 | } |
| 110 | |
| 111 | creds = test_tls_creds_create( |
| 112 | (data->isServer ? |
| 113 | QCRYPTO_TLS_CREDS_ENDPOINT_SERVER : |
| 114 | QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT), |
| 115 | CERT_DIR, |
Daniel P. Berrangé | 68db131 | 2018-07-18 10:06:43 +0100 | [diff] [blame] | 116 | data->expectFail ? NULL : &error_abort); |
Daniel P. Berrange | 9a2fd43 | 2015-04-13 14:01:39 +0100 | [diff] [blame] | 117 | |
| 118 | if (data->expectFail) { |
Daniel P. Berrange | 9a2fd43 | 2015-04-13 14:01:39 +0100 | [diff] [blame] | 119 | g_assert(creds == NULL); |
| 120 | } else { |
Daniel P. Berrange | 9a2fd43 | 2015-04-13 14:01:39 +0100 | [diff] [blame] | 121 | g_assert(creds != NULL); |
| 122 | } |
| 123 | |
| 124 | unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT); |
| 125 | if (data->isServer) { |
| 126 | unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT); |
| 127 | unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY); |
| 128 | } else { |
| 129 | unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT); |
| 130 | unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY); |
| 131 | } |
| 132 | rmdir(CERT_DIR); |
| 133 | if (creds) { |
| 134 | object_unparent(OBJECT(creds)); |
| 135 | } |
| 136 | } |
| 137 | |
| 138 | int main(int argc, char **argv) |
| 139 | { |
| 140 | int ret; |
| 141 | |
| 142 | module_call_init(MODULE_INIT_QOM); |
| 143 | g_test_init(&argc, &argv, NULL); |
Marc-André Lureau | e468ffd | 2019-12-11 15:23:28 +0100 | [diff] [blame] | 144 | g_setenv("GNUTLS_FORCE_FIPS_MODE", "2", 1); |
Daniel P. Berrange | 9a2fd43 | 2015-04-13 14:01:39 +0100 | [diff] [blame] | 145 | |
| 146 | mkdir(WORKDIR, 0700); |
| 147 | |
| 148 | test_tls_init(KEYFILE); |
| 149 | |
| 150 | # define TLS_TEST_REG(name, isServer, caCrt, crt, expectFail) \ |
| 151 | struct QCryptoTLSCredsTestData name = { \ |
| 152 | isServer, caCrt, crt, expectFail \ |
| 153 | }; \ |
| 154 | g_test_add_data_func("/qcrypto/tlscredsx509/" # name, \ |
| 155 | &name, test_tls_creds); \ |
| 156 | |
| 157 | /* A perfect CA, perfect client & perfect server */ |
| 158 | |
| 159 | /* Basic:CA:critical */ |
| 160 | TLS_ROOT_REQ(cacertreq, |
| 161 | "UK", "qemu CA", NULL, NULL, NULL, NULL, |
| 162 | true, true, true, |
| 163 | true, true, GNUTLS_KEY_KEY_CERT_SIGN, |
| 164 | false, false, NULL, NULL, |
| 165 | 0, 0); |
| 166 | |
| 167 | TLS_CERT_REQ(servercertreq, cacertreq, |
| 168 | "UK", "qemu.org", NULL, NULL, NULL, NULL, |
| 169 | true, true, false, |
| 170 | true, true, |
| 171 | GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, |
| 172 | true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, |
| 173 | 0, 0); |
| 174 | TLS_CERT_REQ(clientcertreq, cacertreq, |
| 175 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 176 | true, true, false, |
| 177 | true, true, |
| 178 | GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, |
| 179 | true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, |
| 180 | 0, 0); |
| 181 | |
| 182 | TLS_TEST_REG(perfectserver, true, |
| 183 | cacertreq.filename, servercertreq.filename, false); |
| 184 | TLS_TEST_REG(perfectclient, false, |
| 185 | cacertreq.filename, clientcertreq.filename, false); |
| 186 | |
| 187 | |
| 188 | /* Some other CAs which are good */ |
| 189 | |
| 190 | /* Basic:CA:critical */ |
| 191 | TLS_ROOT_REQ(cacert1req, |
| 192 | "UK", "qemu CA 1", NULL, NULL, NULL, NULL, |
| 193 | true, true, true, |
| 194 | false, false, 0, |
| 195 | false, false, NULL, NULL, |
| 196 | 0, 0); |
| 197 | TLS_CERT_REQ(servercert1req, cacert1req, |
| 198 | "UK", "qemu.org", NULL, NULL, NULL, NULL, |
| 199 | true, true, false, |
| 200 | true, true, |
| 201 | GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, |
| 202 | true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, |
| 203 | 0, 0); |
| 204 | |
| 205 | /* Basic:CA:not-critical */ |
| 206 | TLS_ROOT_REQ(cacert2req, |
| 207 | "UK", "qemu CA 2", NULL, NULL, NULL, NULL, |
| 208 | true, false, true, |
| 209 | false, false, 0, |
| 210 | false, false, NULL, NULL, |
| 211 | 0, 0); |
| 212 | TLS_CERT_REQ(servercert2req, cacert2req, |
| 213 | "UK", "qemu.org", NULL, NULL, NULL, NULL, |
| 214 | true, true, false, |
| 215 | true, true, |
| 216 | GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, |
| 217 | true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, |
| 218 | 0, 0); |
| 219 | |
| 220 | /* Key usage:cert-sign:critical */ |
| 221 | TLS_ROOT_REQ(cacert3req, |
| 222 | "UK", "qemu CA 3", NULL, NULL, NULL, NULL, |
| 223 | true, true, true, |
| 224 | true, true, GNUTLS_KEY_KEY_CERT_SIGN, |
| 225 | false, false, NULL, NULL, |
| 226 | 0, 0); |
| 227 | TLS_CERT_REQ(servercert3req, cacert3req, |
| 228 | "UK", "qemu.org", NULL, NULL, NULL, NULL, |
| 229 | true, true, false, |
| 230 | true, true, |
| 231 | GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, |
| 232 | true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, |
| 233 | 0, 0); |
| 234 | |
| 235 | TLS_TEST_REG(goodca1, true, |
| 236 | cacert1req.filename, servercert1req.filename, false); |
| 237 | TLS_TEST_REG(goodca2, true, |
| 238 | cacert2req.filename, servercert2req.filename, false); |
| 239 | TLS_TEST_REG(goodca3, true, |
| 240 | cacert3req.filename, servercert3req.filename, false); |
| 241 | |
| 242 | /* Now some bad certs */ |
| 243 | |
| 244 | /* Key usage:dig-sig:not-critical */ |
| 245 | TLS_ROOT_REQ(cacert4req, |
| 246 | "UK", "qemu CA 4", NULL, NULL, NULL, NULL, |
| 247 | true, true, true, |
| 248 | true, false, GNUTLS_KEY_DIGITAL_SIGNATURE, |
| 249 | false, false, NULL, NULL, |
| 250 | 0, 0); |
| 251 | TLS_CERT_REQ(servercert4req, cacert4req, |
| 252 | "UK", "qemu.org", NULL, NULL, NULL, NULL, |
| 253 | true, true, false, |
| 254 | true, true, |
| 255 | GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, |
| 256 | true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, |
| 257 | 0, 0); |
| 258 | /* no-basic */ |
| 259 | TLS_ROOT_REQ(cacert5req, |
| 260 | "UK", "qemu CA 5", NULL, NULL, NULL, NULL, |
| 261 | false, false, false, |
| 262 | false, false, 0, |
| 263 | false, false, NULL, NULL, |
| 264 | 0, 0); |
| 265 | TLS_CERT_REQ(servercert5req, cacert5req, |
| 266 | "UK", "qemu.org", NULL, NULL, NULL, NULL, |
| 267 | true, true, false, |
| 268 | true, true, |
| 269 | GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, |
| 270 | true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, |
| 271 | 0, 0); |
| 272 | /* Key usage:dig-sig:critical */ |
| 273 | TLS_ROOT_REQ(cacert6req, |
| 274 | "UK", "qemu CA 6", NULL, NULL, NULL, NULL, |
| 275 | true, true, true, |
| 276 | true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, |
| 277 | false, false, NULL, NULL, |
| 278 | 0, 0); |
| 279 | TLS_CERT_REQ(servercert6req, cacert6req, |
| 280 | "UK", "qemu.org", NULL, NULL, NULL, NULL, |
| 281 | true, true, false, |
| 282 | true, true, |
| 283 | GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, |
| 284 | true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, |
| 285 | 0, 0); |
| 286 | |
Daniel P. Berrange | 9a2fd43 | 2015-04-13 14:01:39 +0100 | [diff] [blame] | 287 | TLS_TEST_REG(badca1, true, cacert4req.filename, servercert4req.filename, |
Daniel P. Berrangé | a072240 | 2018-07-18 11:55:05 +0100 | [diff] [blame] | 288 | true); |
Daniel P. Berrange | 9a2fd43 | 2015-04-13 14:01:39 +0100 | [diff] [blame] | 289 | TLS_TEST_REG(badca2, true, |
| 290 | cacert5req.filename, servercert5req.filename, true); |
| 291 | TLS_TEST_REG(badca3, true, |
| 292 | cacert6req.filename, servercert6req.filename, true); |
| 293 | |
| 294 | |
| 295 | /* Various good servers */ |
| 296 | /* no usage or purpose */ |
| 297 | TLS_CERT_REQ(servercert7req, cacertreq, |
| 298 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 299 | true, true, false, |
| 300 | false, false, 0, |
| 301 | false, false, NULL, NULL, |
| 302 | 0, 0); |
| 303 | /* usage:cert-sign+dig-sig+encipher:critical */ |
| 304 | TLS_CERT_REQ(servercert8req, cacertreq, |
| 305 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 306 | true, true, false, |
| 307 | true, true, |
| 308 | GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT | |
| 309 | GNUTLS_KEY_KEY_CERT_SIGN, |
| 310 | false, false, NULL, NULL, |
| 311 | 0, 0); |
| 312 | /* usage:cert-sign:not-critical */ |
| 313 | TLS_CERT_REQ(servercert9req, cacertreq, |
| 314 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 315 | true, true, false, |
| 316 | true, false, GNUTLS_KEY_KEY_CERT_SIGN, |
| 317 | false, false, NULL, NULL, |
| 318 | 0, 0); |
| 319 | /* purpose:server:critical */ |
| 320 | TLS_CERT_REQ(servercert10req, cacertreq, |
| 321 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 322 | true, true, false, |
| 323 | false, false, 0, |
| 324 | true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, |
| 325 | 0, 0); |
| 326 | /* purpose:server:not-critical */ |
| 327 | TLS_CERT_REQ(servercert11req, cacertreq, |
| 328 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 329 | true, true, false, |
| 330 | false, false, 0, |
| 331 | true, false, GNUTLS_KP_TLS_WWW_SERVER, NULL, |
| 332 | 0, 0); |
| 333 | /* purpose:client+server:critical */ |
| 334 | TLS_CERT_REQ(servercert12req, cacertreq, |
| 335 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 336 | true, true, false, |
| 337 | false, false, 0, |
| 338 | true, true, |
| 339 | GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER, |
| 340 | 0, 0); |
| 341 | /* purpose:client+server:not-critical */ |
| 342 | TLS_CERT_REQ(servercert13req, cacertreq, |
| 343 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 344 | true, true, false, |
| 345 | false, false, 0, |
| 346 | true, false, |
| 347 | GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER, |
| 348 | 0, 0); |
| 349 | |
| 350 | TLS_TEST_REG(goodserver1, true, |
| 351 | cacertreq.filename, servercert7req.filename, false); |
| 352 | TLS_TEST_REG(goodserver2, true, |
| 353 | cacertreq.filename, servercert8req.filename, false); |
| 354 | TLS_TEST_REG(goodserver3, true, |
| 355 | cacertreq.filename, servercert9req.filename, false); |
| 356 | TLS_TEST_REG(goodserver4, true, |
| 357 | cacertreq.filename, servercert10req.filename, false); |
| 358 | TLS_TEST_REG(goodserver5, true, |
| 359 | cacertreq.filename, servercert11req.filename, false); |
| 360 | TLS_TEST_REG(goodserver6, true, |
| 361 | cacertreq.filename, servercert12req.filename, false); |
| 362 | TLS_TEST_REG(goodserver7, true, |
| 363 | cacertreq.filename, servercert13req.filename, false); |
| 364 | |
| 365 | /* Bad servers */ |
| 366 | |
| 367 | /* usage:cert-sign:critical */ |
| 368 | TLS_CERT_REQ(servercert14req, cacertreq, |
| 369 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 370 | true, true, false, |
| 371 | true, true, GNUTLS_KEY_KEY_CERT_SIGN, |
| 372 | false, false, NULL, NULL, |
| 373 | 0, 0); |
| 374 | /* purpose:client:critical */ |
| 375 | TLS_CERT_REQ(servercert15req, cacertreq, |
| 376 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 377 | true, true, false, |
| 378 | false, false, 0, |
| 379 | true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, |
| 380 | 0, 0); |
| 381 | /* usage: none:critical */ |
| 382 | TLS_CERT_REQ(servercert16req, cacertreq, |
| 383 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 384 | true, true, false, |
| 385 | true, true, 0, |
| 386 | false, false, NULL, NULL, |
| 387 | 0, 0); |
| 388 | |
| 389 | TLS_TEST_REG(badserver1, true, |
| 390 | cacertreq.filename, servercert14req.filename, true); |
| 391 | TLS_TEST_REG(badserver2, true, |
| 392 | cacertreq.filename, servercert15req.filename, true); |
| 393 | TLS_TEST_REG(badserver3, true, |
| 394 | cacertreq.filename, servercert16req.filename, true); |
| 395 | |
| 396 | |
| 397 | |
| 398 | /* Various good clients */ |
| 399 | /* no usage or purpose */ |
| 400 | TLS_CERT_REQ(clientcert1req, cacertreq, |
| 401 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 402 | true, true, false, |
| 403 | false, false, 0, |
| 404 | false, false, NULL, NULL, |
| 405 | 0, 0); |
| 406 | /* usage:cert-sign+dig-sig+encipher:critical */ |
| 407 | TLS_CERT_REQ(clientcert2req, cacertreq, |
| 408 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 409 | true, true, false, |
| 410 | true, true, |
| 411 | GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT | |
| 412 | GNUTLS_KEY_KEY_CERT_SIGN, |
| 413 | false, false, NULL, NULL, |
| 414 | 0, 0); |
| 415 | /* usage:cert-sign:not-critical */ |
| 416 | TLS_CERT_REQ(clientcert3req, cacertreq, |
| 417 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 418 | true, true, false, |
| 419 | true, false, GNUTLS_KEY_KEY_CERT_SIGN, |
| 420 | false, false, NULL, NULL, |
| 421 | 0, 0); |
| 422 | /* purpose:client:critical */ |
| 423 | TLS_CERT_REQ(clientcert4req, cacertreq, |
| 424 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 425 | true, true, false, |
| 426 | false, false, 0, |
| 427 | true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, |
| 428 | 0, 0); |
| 429 | /* purpose:client:not-critical */ |
| 430 | TLS_CERT_REQ(clientcert5req, cacertreq, |
| 431 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 432 | true, true, false, |
| 433 | false, false, 0, |
| 434 | true, false, GNUTLS_KP_TLS_WWW_CLIENT, NULL, |
| 435 | 0, 0); |
| 436 | /* purpose:client+client:critical */ |
| 437 | TLS_CERT_REQ(clientcert6req, cacertreq, |
| 438 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 439 | true, true, false, |
| 440 | false, false, 0, |
| 441 | true, true, |
| 442 | GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER, |
| 443 | 0, 0); |
| 444 | /* purpose:client+client:not-critical */ |
| 445 | TLS_CERT_REQ(clientcert7req, cacertreq, |
| 446 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 447 | true, true, false, |
| 448 | false, false, 0, |
| 449 | true, false, |
| 450 | GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER, |
| 451 | 0, 0); |
| 452 | |
| 453 | TLS_TEST_REG(goodclient1, false, |
| 454 | cacertreq.filename, clientcert1req.filename, false); |
| 455 | TLS_TEST_REG(goodclient2, false, |
| 456 | cacertreq.filename, clientcert2req.filename, false); |
| 457 | TLS_TEST_REG(goodclient3, false, |
| 458 | cacertreq.filename, clientcert3req.filename, false); |
| 459 | TLS_TEST_REG(goodclient4, false, |
| 460 | cacertreq.filename, clientcert4req.filename, false); |
| 461 | TLS_TEST_REG(goodclient5, false, |
| 462 | cacertreq.filename, clientcert5req.filename, false); |
| 463 | TLS_TEST_REG(goodclient6, false, |
| 464 | cacertreq.filename, clientcert6req.filename, false); |
| 465 | TLS_TEST_REG(goodclient7, false, |
| 466 | cacertreq.filename, clientcert7req.filename, false); |
| 467 | |
| 468 | /* Bad clients */ |
| 469 | |
| 470 | /* usage:cert-sign:critical */ |
| 471 | TLS_CERT_REQ(clientcert8req, cacertreq, |
| 472 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 473 | true, true, false, |
| 474 | true, true, GNUTLS_KEY_KEY_CERT_SIGN, |
| 475 | false, false, NULL, NULL, |
| 476 | 0, 0); |
| 477 | /* purpose:client:critical */ |
| 478 | TLS_CERT_REQ(clientcert9req, cacertreq, |
| 479 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 480 | true, true, false, |
| 481 | false, false, 0, |
| 482 | true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, |
| 483 | 0, 0); |
| 484 | /* usage: none:critical */ |
| 485 | TLS_CERT_REQ(clientcert10req, cacertreq, |
| 486 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 487 | true, true, false, |
| 488 | true, true, 0, |
| 489 | false, false, NULL, NULL, |
| 490 | 0, 0); |
| 491 | |
| 492 | TLS_TEST_REG(badclient1, false, |
| 493 | cacertreq.filename, clientcert8req.filename, true); |
| 494 | TLS_TEST_REG(badclient2, false, |
| 495 | cacertreq.filename, clientcert9req.filename, true); |
| 496 | TLS_TEST_REG(badclient3, false, |
| 497 | cacertreq.filename, clientcert10req.filename, true); |
| 498 | |
| 499 | |
| 500 | |
| 501 | /* Expired stuff */ |
| 502 | |
| 503 | TLS_ROOT_REQ(cacertexpreq, |
| 504 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 505 | true, true, true, |
| 506 | true, true, GNUTLS_KEY_KEY_CERT_SIGN, |
| 507 | false, false, NULL, NULL, |
| 508 | 0, -1); |
| 509 | TLS_CERT_REQ(servercertexpreq, cacertexpreq, |
| 510 | "UK", "qemu.org", NULL, NULL, NULL, NULL, |
| 511 | true, true, false, |
| 512 | true, true, |
| 513 | GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, |
| 514 | true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, |
| 515 | 0, 0); |
| 516 | TLS_CERT_REQ(servercertexp1req, cacertreq, |
| 517 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 518 | true, true, false, |
| 519 | true, true, |
| 520 | GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, |
| 521 | true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, |
| 522 | 0, -1); |
| 523 | TLS_CERT_REQ(clientcertexp1req, cacertreq, |
| 524 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 525 | true, true, false, |
| 526 | true, true, |
| 527 | GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, |
| 528 | true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, |
| 529 | 0, -1); |
| 530 | |
| 531 | TLS_TEST_REG(expired1, true, |
| 532 | cacertexpreq.filename, servercertexpreq.filename, true); |
| 533 | TLS_TEST_REG(expired2, true, |
| 534 | cacertreq.filename, servercertexp1req.filename, true); |
| 535 | TLS_TEST_REG(expired3, false, |
| 536 | cacertreq.filename, clientcertexp1req.filename, true); |
| 537 | |
| 538 | |
| 539 | /* Not activated stuff */ |
| 540 | |
| 541 | TLS_ROOT_REQ(cacertnewreq, |
| 542 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 543 | true, true, true, |
| 544 | true, true, GNUTLS_KEY_KEY_CERT_SIGN, |
| 545 | false, false, NULL, NULL, |
| 546 | 1, 2); |
| 547 | TLS_CERT_REQ(servercertnewreq, cacertnewreq, |
| 548 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 549 | true, true, false, |
| 550 | true, true, |
| 551 | GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, |
| 552 | true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, |
| 553 | 0, 0); |
| 554 | TLS_CERT_REQ(servercertnew1req, cacertreq, |
| 555 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 556 | true, true, false, |
| 557 | true, true, |
| 558 | GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, |
| 559 | true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, |
| 560 | 1, 2); |
| 561 | TLS_CERT_REQ(clientcertnew1req, cacertreq, |
| 562 | "UK", "qemu", NULL, NULL, NULL, NULL, |
| 563 | true, true, false, |
| 564 | true, true, |
| 565 | GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, |
| 566 | true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, |
| 567 | 1, 2); |
| 568 | |
| 569 | TLS_TEST_REG(inactive1, true, |
| 570 | cacertnewreq.filename, servercertnewreq.filename, true); |
| 571 | TLS_TEST_REG(inactive2, true, |
| 572 | cacertreq.filename, servercertnew1req.filename, true); |
| 573 | TLS_TEST_REG(inactive3, false, |
| 574 | cacertreq.filename, clientcertnew1req.filename, true); |
| 575 | |
| 576 | TLS_ROOT_REQ(cacertrootreq, |
| 577 | "UK", "qemu root", NULL, NULL, NULL, NULL, |
| 578 | true, true, true, |
| 579 | true, true, GNUTLS_KEY_KEY_CERT_SIGN, |
| 580 | false, false, NULL, NULL, |
| 581 | 0, 0); |
| 582 | TLS_CERT_REQ(cacertlevel1areq, cacertrootreq, |
| 583 | "UK", "qemu level 1a", NULL, NULL, NULL, NULL, |
| 584 | true, true, true, |
| 585 | true, true, GNUTLS_KEY_KEY_CERT_SIGN, |
| 586 | false, false, NULL, NULL, |
| 587 | 0, 0); |
| 588 | TLS_CERT_REQ(cacertlevel1breq, cacertrootreq, |
| 589 | "UK", "qemu level 1b", NULL, NULL, NULL, NULL, |
| 590 | true, true, true, |
| 591 | true, true, GNUTLS_KEY_KEY_CERT_SIGN, |
| 592 | false, false, NULL, NULL, |
| 593 | 0, 0); |
| 594 | TLS_CERT_REQ(cacertlevel2areq, cacertlevel1areq, |
| 595 | "UK", "qemu level 2a", NULL, NULL, NULL, NULL, |
| 596 | true, true, true, |
| 597 | true, true, GNUTLS_KEY_KEY_CERT_SIGN, |
| 598 | false, false, NULL, NULL, |
| 599 | 0, 0); |
| 600 | TLS_CERT_REQ(servercertlevel3areq, cacertlevel2areq, |
| 601 | "UK", "qemu.org", NULL, NULL, NULL, NULL, |
| 602 | true, true, false, |
| 603 | true, true, |
| 604 | GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, |
| 605 | true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, |
| 606 | 0, 0); |
| 607 | TLS_CERT_REQ(clientcertlevel2breq, cacertlevel1breq, |
| 608 | "UK", "qemu client level 2b", NULL, NULL, NULL, NULL, |
| 609 | true, true, false, |
| 610 | true, true, |
| 611 | GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, |
| 612 | true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, |
| 613 | 0, 0); |
| 614 | |
| 615 | gnutls_x509_crt_t certchain[] = { |
| 616 | cacertrootreq.crt, |
| 617 | cacertlevel1areq.crt, |
| 618 | cacertlevel1breq.crt, |
| 619 | cacertlevel2areq.crt, |
| 620 | }; |
| 621 | |
| 622 | test_tls_write_cert_chain(WORKDIR "cacertchain-ctx.pem", |
| 623 | certchain, |
| 624 | G_N_ELEMENTS(certchain)); |
| 625 | |
| 626 | TLS_TEST_REG(chain1, true, |
| 627 | WORKDIR "cacertchain-ctx.pem", |
| 628 | servercertlevel3areq.filename, false); |
| 629 | TLS_TEST_REG(chain2, false, |
| 630 | WORKDIR "cacertchain-ctx.pem", |
| 631 | clientcertlevel2breq.filename, false); |
| 632 | |
| 633 | /* Some missing certs - first two are fatal, the last |
| 634 | * is ok |
| 635 | */ |
| 636 | TLS_TEST_REG(missingca, true, |
| 637 | "cacertdoesnotexist.pem", |
| 638 | servercert1req.filename, true); |
| 639 | TLS_TEST_REG(missingserver, true, |
| 640 | cacert1req.filename, |
| 641 | "servercertdoesnotexist.pem", true); |
| 642 | TLS_TEST_REG(missingclient, false, |
| 643 | cacert1req.filename, |
| 644 | "clientcertdoesnotexist.pem", false); |
| 645 | |
| 646 | ret = g_test_run(); |
| 647 | |
| 648 | test_tls_discard_cert(&cacertreq); |
| 649 | test_tls_discard_cert(&cacert1req); |
| 650 | test_tls_discard_cert(&cacert2req); |
| 651 | test_tls_discard_cert(&cacert3req); |
| 652 | test_tls_discard_cert(&cacert4req); |
| 653 | test_tls_discard_cert(&cacert5req); |
| 654 | test_tls_discard_cert(&cacert6req); |
| 655 | |
| 656 | test_tls_discard_cert(&servercertreq); |
| 657 | test_tls_discard_cert(&servercert1req); |
| 658 | test_tls_discard_cert(&servercert2req); |
| 659 | test_tls_discard_cert(&servercert3req); |
| 660 | test_tls_discard_cert(&servercert4req); |
| 661 | test_tls_discard_cert(&servercert5req); |
| 662 | test_tls_discard_cert(&servercert6req); |
| 663 | test_tls_discard_cert(&servercert7req); |
| 664 | test_tls_discard_cert(&servercert8req); |
| 665 | test_tls_discard_cert(&servercert9req); |
| 666 | test_tls_discard_cert(&servercert10req); |
| 667 | test_tls_discard_cert(&servercert11req); |
| 668 | test_tls_discard_cert(&servercert12req); |
| 669 | test_tls_discard_cert(&servercert13req); |
| 670 | test_tls_discard_cert(&servercert14req); |
| 671 | test_tls_discard_cert(&servercert15req); |
| 672 | test_tls_discard_cert(&servercert16req); |
| 673 | |
| 674 | test_tls_discard_cert(&clientcertreq); |
| 675 | test_tls_discard_cert(&clientcert1req); |
| 676 | test_tls_discard_cert(&clientcert2req); |
| 677 | test_tls_discard_cert(&clientcert3req); |
| 678 | test_tls_discard_cert(&clientcert4req); |
| 679 | test_tls_discard_cert(&clientcert5req); |
| 680 | test_tls_discard_cert(&clientcert6req); |
| 681 | test_tls_discard_cert(&clientcert7req); |
| 682 | test_tls_discard_cert(&clientcert8req); |
| 683 | test_tls_discard_cert(&clientcert9req); |
| 684 | test_tls_discard_cert(&clientcert10req); |
| 685 | |
| 686 | test_tls_discard_cert(&cacertexpreq); |
| 687 | test_tls_discard_cert(&servercertexpreq); |
| 688 | test_tls_discard_cert(&servercertexp1req); |
| 689 | test_tls_discard_cert(&clientcertexp1req); |
| 690 | |
| 691 | test_tls_discard_cert(&cacertnewreq); |
| 692 | test_tls_discard_cert(&servercertnewreq); |
| 693 | test_tls_discard_cert(&servercertnew1req); |
| 694 | test_tls_discard_cert(&clientcertnew1req); |
| 695 | |
| 696 | test_tls_discard_cert(&cacertrootreq); |
| 697 | test_tls_discard_cert(&cacertlevel1areq); |
| 698 | test_tls_discard_cert(&cacertlevel1breq); |
| 699 | test_tls_discard_cert(&cacertlevel2areq); |
| 700 | test_tls_discard_cert(&servercertlevel3areq); |
| 701 | test_tls_discard_cert(&clientcertlevel2breq); |
| 702 | unlink(WORKDIR "cacertchain-ctx.pem"); |
| 703 | |
| 704 | test_tls_cleanup(KEYFILE); |
| 705 | rmdir(WORKDIR); |
| 706 | |
| 707 | return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE; |
| 708 | } |
| 709 | |
| 710 | #else /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */ |
| 711 | |
| 712 | int |
| 713 | main(void) |
| 714 | { |
| 715 | return EXIT_SUCCESS; |
| 716 | } |
| 717 | |
| 718 | #endif /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */ |