#!/usr/bin/env bash
#
# Helpers for TLS related config
#
# Copyright (C) 2018 Red Hat, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

# Scratch directory holding every generated key, certificate and PSK file.
# TEST_DIR must already be set by the harness that sources this file;
# nothing here validates it.
tls_dir="$TEST_DIR/tls"

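#######################################
# Remove everything the helpers below created under ${tls_dir}, then the
# directory tree itself.
# Globals:   tls_dir (read)
# Returns:   1 without touching anything when tls_dir is unset or empty;
#            otherwise the status of the final rmdir.
#######################################
tls_x509_cleanup()
{
    # With an empty tls_dir the globs below would expand relative to '/'
    # (/*.pem, /*/*.pem, rmdir /*), so refuse to run rather than guess.
    if test -z "${tls_dir}"; then
        printf '%s\n' "tls_x509_cleanup: tls_dir is not set" >&2
        return 1
    fi

    # Certificates, keys and the symlinks pointing at them, then PSK files.
    rm -f -- "${tls_dir}"/*.pem
    rm -f -- "${tls_dir}"/*/*.pem
    rm -f -- "${tls_dir}"/*/*.psk

    # Per-identity subdirectories first, then the top-level directory.
    rmdir -- "${tls_dir}"/*
    rmdir -- "${tls_dir}"
}

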
#######################################
# Run certtool while keeping its chatter out of the test output: on
# success only the first line it printed is echoed, on failure the whole
# captured output is echoed so the reason is visible in the test log.
# Globals:   tls_dir (read) - location of the temporary capture file
# Arguments: passed straight through to certtool
# Outputs:   first line of certtool output, or all of it on failure
# Returns:   status of the final rm -f; a certtool failure is NOT
#            propagated, callers only see it in the echoed output
#######################################
tls_certtool()
{
    local log="${tls_dir}/certtool.log"
    local rc

    certtool "$@" >"${log}" 2>&1
    rc=$?
    if [ "${rc}" -eq 0 ]; then
        head -1 "${log}"
    else
        cat "${log}"
    fi
    rm -f "${log}"
}

#######################################
# Run psktool with its output captured, mirroring tls_certtool: echo the
# first output line on success, the complete output on failure.
# Globals:   tls_dir (read) - location of the temporary capture file
# Arguments: passed straight through to psktool
# Outputs:   first line of psktool output, or all of it on failure
# Returns:   status of the final rm -f; psktool's own status is not
#            propagated to the caller
#######################################
tls_psktool()
{
    local log="${tls_dir}/psktool.log"
    local rc

    psktool "$@" >"${log}" 2>&1
    rc=$?
    if [ "${rc}" -eq 0 ]; then
        head -1 "${log}"
    else
        cat "${log}"
    fi
    rm -f "${log}"
}


#######################################
# Prepare ${tls_dir} for the certificate helpers: check that certtool is
# usable and write the single RSA key shared by the CA, server and
# client certificates.
# Globals:   tls_dir (read); _notrun (defined by the sourcing harness)
# Outputs:   ${tls_dir}/key.pem
# Returns:   does not return if certtool is unavailable (_notrun is
#            invoked instead)
#######################################
tls_x509_init()
{
    # Probe certtool in a subshell so a missing binary only yields a
    # non-zero status instead of aborting the caller.
    (certtool --help) >/dev/null 2>&1 || _notrun "certtool utility not found, skipping test"

    mkdir -p -- "${tls_dir}"

    # A fixed key is written instead of generating one per run so the
    # tests don't consume system entropy. Being part of the test source
    # it is public and is only fit for this throwaway test PKI.
    # Quoted delimiter: the key material must not go through expansion.
    cat <<'EOF' > "${tls_dir}/key.pem"
-----BEGIN RSA PRIVATE KEY-----
MIIG5AIBAAKCAYEAyjWyLSNm5PZvYUKUcDWGqbLX10b2ood+YaFjWSnJrqx/q3qh
rVGBJglD25AJENJsmZF3zPP1oMhfIxsXu63Hdkb6Rdlc2RUoUP34x9VC1izH25mR
6c8DPDp1d6IraZ/llDMI1HsBFz0qGWtvOHgm815XG4PAr/N8rDsuqfv/cJ01KlnO
0OdO5QRXCJf9g/dYd41MPu7wOXk9FqjQlmRoP59HgtJ+zUpE4z+Keruw9cMT9VJj
0oT+pQ9ysenqeZ3gbT224T1khrEhT5kifhtFLNyDssRchUUWH0hiqoOO1vgb+850
W6/1VdxvuPam48py4diSPi1Vip8NITCOBaX9FIpVp4Ruw4rTPVMNMjq9Cpx/DwMP
9MbfXfnaVaZaMrmq67/zPhl0eVbUrecH2hQ3ZB9oIF4GkNskzlWF5+yPy6zqk304
AKaiFR6jRyh3YfHo2XFqV8x/hxdsIEXOtEUGhSIcpynsW+ckUCartzu7xbhXjd4b
kxJT89+riPFYij09AgMBAAECggGBAKyFkaZXXROeejrmHlV6JZGlp+fhgM38gkRz
+Jp7P7rLLAY3E7gXIPQ91WqAAmwazFNdvHPd9USfkCQYmnAi/VoZhrCPmlsQZRxt
A5QjjOnEvSPMa6SrXZxGWDCg6R8uMCb4P+FhrPWR1thnRDZOtRTQ+crc50p3mHgt
6ktXWIJRbqnag8zSfQqCYGtRmhe8sfsWT+Yl4El4+jjaAVU/B364u7+PLmaiphGp
BdJfTsTwEpgtGkPj+osDmhzXcZkfq3V+fz5JLkemsCiQKmn4VJRpg8c3ZmE8NPNt
gRtGWZ4W3WKDvhotT65WpQx4+6R8Duux/blNPBmH1Upmwd7kj7GYFBArbCjgd9PT
xgfCSUZpgOZHHkcgSB+022a8XncXna7WYYij28SLtwImFyu0nNtqECFQHH5u+k6C
LRYBSN+3t3At8dQuk01NVrJBndmjmXRfxpqUtTdeaNgVpdUYRY98s30G68NYGSra
aEvhhRSghkcLNetkobpY9pUgeqW/tQKBwQDZHHK9nDMt/zk1TxtILeUSitPXcv1/
8ufXqO0miHdH23XuXhIEA6Ef26RRVGDGgpjkveDJK/1w5feJ4H/ni4Vclil/cm38
OwRqjjd7ElHJX6JQbsxEx/gNTk5/QW1iAL9TXUalgepsSXYT6AJ0/CJv0jmJSJ36
YoKMOM8uqzb2KhN6i+RlJRi5iY53kUhWTJq5ArWvNhUzQNSYODI4bNxlsKSBL2Ik
LZ5QKHuaEjQet0IlPlfIb4PzMm8CHa/urOcCgcEA7m3zW/lL5bIFoKPjWig5Lbn1
aHfrG2ngqzWtgWtfZqMH8OkZc1Mdhhmvd46titjiLjeI+UP/uHXR0068PnrNngzl
tTgwlakzu+bWzqhBm1F+3/341st/FEk07r0P/3/PhezVjwfO8c8Exj7pLxH4wrH0
ROHgDbClmlJRu6OO78wk1+Vapf5DWa8YfA+q+fdvr7KvgGyytheKMT/b/dsqOq7y
qZPjmaJKWAvV3RWG8lWHFSdHx2IAHMHfGr17Y/w7AoHBALzwZeYebeekiVucGSjq
T8SgLhT7zCIx+JMUPjVfYzaUhP/Iu7Lkma6IzWm9nW6Drpy5pUpMzwUWDCLfzU9q
eseFIl337kEn9wLn+t5OpgAyCqYmlftxbqvdrrBN9uvnrJjWvqk/8wsDrw9JxAGc
fjeD4nBXUqvYWLXApoR9mZoGKedmoH9pFig4zlO9ig8YITnKYuQ0k6SD0b8agJHc
Ir0YSUDnRGgpjvFBGbeOCe+FGbohk/EpItJc3IAh5740lwKBwAdXd2DjokSmYKn7
oeqKxofz6+yVlLW5YuOiuX78sWlVp87xPolgi84vSEnkKM/Xsc8+goc6YstpRVa+
W+mImoA9YW1dF5HkLeWhTAf9AlgoAEIhbeIfTgBv6KNZSv7RDrDPBBxtXx/vAfSg
x0ldwk0scZsVYXLKd67yzfV7KdGUdaX4N/xYgfZm/9gCG3+q8NN2KxVHQ5F71BOE
JeABOaGo9WvnU+DNMIDZjHJMUWVw4MHz/a/UArDf/2CxaPVBNQKBwASg6j4ohSTk
J7aE6RQ3OBmmDDpixcoCJt9u9SjHVYMlbs5CEJGVSczk0SG3y8P1lOWNDSRnMksZ
xWnHdP/ogcuYMuvK7UACNAF0zNddtzOhzcpNmejFj+WCHYY/UmPr2/Kf6t7Cxk2K
3cZ4tqWsiTmBT8Bknmah7L5DrhS+ZBJliDeFAA8fZHdMH0Xjr4UBp9kF90EMTdW1
Xr5uz7ZrMsYpYQI7mmyqV9SSjUg4iBXwVSoag1iDJ1K8Qg/L7Semgg==
-----END RSA PRIVATE KEY-----
EOF
}


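#######################################
# Create a self-signed root CA certificate using the shared test key.
# Globals:   tls_dir (read); tls_certtool (called)
# Arguments: $1 - base name of the CA, default "ca-cert"; the certificate
#                 is written to ${tls_dir}/<name>-cert.pem
# Outputs:   whatever tls_certtool echoes (first line of certtool output,
#            or the full log on failure)
# Returns:   status of the final rm -f
#######################################
tls_x509_create_root_ca()
{
    # 'local' keeps the name from leaking into the caller's shell.
    local name=${1:-ca-cert}
    local template="${tls_dir}/ca.info"

    cat > "${template}" <<EOF
cn = Cthulhu Dark Lord Enterprises $name
ca
cert_signing_key
EOF

    tls_certtool \
        --generate-self-signed \
        --load-privkey "${tls_dir}/key.pem" \
        --template "${template}" \
        --outfile "${tls_dir}/$name-cert.pem"

    rm -f "${template}"
}

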
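#######################################
# Create a server certificate signed by a CA made by tls_x509_create_root_ca
# and lay out ${tls_dir}/<name>/ with server-cert.pem, server-key.pem and
# ca-cert.pem as a consumer expects them.
# Globals:   tls_dir (read); tls_certtool (called)
# Arguments: $1 - base name of the signing CA (${tls_dir}/<caname>-cert.pem)
#            $2 - identity name; also the subdirectory created under tls_dir
# Outputs:   whatever tls_certtool echoes
# Returns:   status of the final rm -f
#######################################
tls_x509_create_server()
{
    # 'local' so the names don't leak into the caller's shell.
    local caname=$1
    local name=$2
    local certdir="${tls_dir}/$name"
    local template="${tls_dir}/cert.info"

    mkdir -p "${certdir}"

    # 'localhost' is deliberately absent from the subject names so tests
    # can verify that the hostname override path is exercised.
    cat > "${template}" <<EOF
organization = Cthulhu Dark Lord Enterprises $name
cn = iotests.qemu.org
ip_address = 127.0.0.1
ip_address = ::1
tls_www_server
encryption_key
signing_key
EOF

    # The CA key and the server key are the same file: this test PKI
    # runs entirely on the single fixed key written by tls_x509_init.
    tls_certtool \
        --generate-certificate \
        --load-ca-privkey "${tls_dir}/key.pem" \
        --load-ca-certificate "${tls_dir}/$caname-cert.pem" \
        --load-privkey "${tls_dir}/key.pem" \
        --template "${template}" \
        --outfile "${certdir}/server-cert.pem"

    # Symlinks rather than copies; tls_x509_cleanup removes them via *.pem.
    ln -s "${tls_dir}/$caname-cert.pem" "${certdir}/ca-cert.pem"
    ln -s "${tls_dir}/key.pem" "${certdir}/server-key.pem"

    rm -f "${template}"
}

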
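#######################################
# Create a client certificate signed by a CA made by tls_x509_create_root_ca
# and lay out ${tls_dir}/<name>/ with client-cert.pem, client-key.pem and
# ca-cert.pem.
# Globals:   tls_dir (read); tls_certtool (called)
# Arguments: $1 - base name of the signing CA (${tls_dir}/<caname>-cert.pem)
#            $2 - identity name; also the subdirectory created under tls_dir
# Outputs:   whatever tls_certtool echoes
# Returns:   status of the final rm -f
#######################################
tls_x509_create_client()
{
    # 'local' so the names don't leak into the caller's shell.
    local caname=$1
    local name=$2
    local certdir="${tls_dir}/$name"
    local template="${tls_dir}/cert.info"

    mkdir -p "${certdir}"
    cat > "${template}" <<EOF
country = South Pacific
locality = R'lyeh
organization = Cthulhu Dark Lord Enterprises $name
cn = localhost
tls_www_client
encryption_key
signing_key
EOF

    # Same fixed key for CA and client, as for the server certificate.
    tls_certtool \
        --generate-certificate \
        --load-ca-privkey "${tls_dir}/key.pem" \
        --load-ca-certificate "${tls_dir}/$caname-cert.pem" \
        --load-privkey "${tls_dir}/key.pem" \
        --template "${template}" \
        --outfile "${certdir}/client-cert.pem"

    # Symlinks rather than copies; tls_x509_cleanup removes them via *.pem.
    ln -s "${tls_dir}/$caname-cert.pem" "${certdir}/ca-cert.pem"
    ln -s "${tls_dir}/key.pem" "${certdir}/client-key.pem"

    rm -f "${template}"
}
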
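#######################################
# Generate a pre-shared key file for one identity.
# Globals:   tls_dir (read); tls_psktool (called)
# Arguments: $1 - identity name; used both as the PSK username and as the
#                 subdirectory under tls_dir holding keys.psk
# Outputs:   whatever tls_psktool echoes
# Returns:   status of tls_psktool
#######################################
tls_psk_create_creds()
{
    # 'local' so the name doesn't leak into the caller's shell.
    local name=$1
    local creddir="${tls_dir}/$name"

    mkdir -p "${creddir}"

    tls_psktool \
        --pskfile "${creddir}/keys.psk" \
        --username "$name"
}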