]> git.proxmox.com Git - mirror_qemu.git/blob - tests/test-crypto-tlscredsx509.c
projects / mirror_qemu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge remote-tracking branch 'remotes/berrange/tags/pull-io-next-2016-02-16-1' into...
[mirror_qemu.git] / tests / test-crypto-tlscredsx509.c
1 /*
2 * Copyright (C) 2015 Red Hat, Inc.
3 *
4 * This library is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU Lesser General Public
6 * License as published by the Free Software Foundation; either
7 * version 2.1 of the License, or (at your option) any later version.
8 *
9 * This library is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * Lesser General Public License for more details.
13 *
14 * You should have received a copy of the GNU Lesser General Public
15 * License along with this library. If not, see
16 * <http://www.gnu.org/licenses/>.
17 *
18 * Author: Daniel P. Berrange <berrange@redhat.com>
19 */
20
21 #include "qemu/osdep.h"
22
23 #include "crypto-tls-x509-helpers.h"
24 #include "crypto/tlscredsx509.h"
25
26 #ifdef QCRYPTO_HAVE_TLS_TEST_SUPPORT
27
28 #define WORKDIR "tests/test-crypto-tlscredsx509-work/"
29 #define KEYFILE WORKDIR "key-ctx.pem"
30
31 struct QCryptoTLSCredsTestData {
32 bool isServer;
33 const char *cacrt;
34 const char *crt;
35 bool expectFail;
36 };
37
38
39 static QCryptoTLSCreds *test_tls_creds_create(QCryptoTLSCredsEndpoint endpoint,
40 const char *certdir,
41 Error **errp)
42 {
43 Object *parent = object_get_objects_root();
44 Object *creds = object_new_with_props(
45 TYPE_QCRYPTO_TLS_CREDS_X509,
46 parent,
47 "testtlscreds",
48 errp,
49 "endpoint", (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?
50 "server" : "client"),
51 "dir", certdir,
52 "verify-peer", "yes",
53 "sanity-check", "yes",
54 NULL);
55
56 if (*errp) {
57 return NULL;
58 }
59 return QCRYPTO_TLS_CREDS(creds);
60 }
61
62 /*
63 * This tests sanity checking of our own certificates
64 *
65 * The code being tested is used when TLS creds are created,
66 * and aim to ensure QMEU has been configured with sane
67 * certificates. This allows us to give much much much
68 * clearer error messages to the admin when they misconfigure
69 * things.
70 */
71 static void test_tls_creds(const void *opaque)
72 {
73 struct QCryptoTLSCredsTestData *data =
74 (struct QCryptoTLSCredsTestData *)opaque;
75 QCryptoTLSCreds *creds;
76 Error *err = NULL;
77
78 #define CERT_DIR "tests/test-crypto-tlscredsx509-certs/"
79 mkdir(CERT_DIR, 0700);
80
81 unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
82 if (data->isServer) {
83 unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
84 unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);
85 } else {
86 unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
87 unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);
88 }
89
90 if (access(data->cacrt, R_OK) == 0) {
91 g_assert(link(data->cacrt,
92 CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT) == 0);
93 }
94 if (data->isServer) {
95 if (access(data->crt, R_OK) == 0) {
96 g_assert(link(data->crt,
97 CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT) == 0);
98 }
99 g_assert(link(KEYFILE,
100 CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY) == 0);
101 } else {
102 if (access(data->crt, R_OK) == 0) {
103 g_assert(link(data->crt,
104 CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT) == 0);
105 }
106 g_assert(link(KEYFILE,
107 CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY) == 0);
108 }
109
110 creds = test_tls_creds_create(
111 (data->isServer ?
112 QCRYPTO_TLS_CREDS_ENDPOINT_SERVER :
113 QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT),
114 CERT_DIR,
115 &err);
116
117 if (data->expectFail) {
118 error_free(err);
119 g_assert(creds == NULL);
120 } else {
121 if (err) {
122 g_printerr("Failed to generate creds: %s\n",
123 error_get_pretty(err));
124 error_free(err);
125 }
126 g_assert(creds != NULL);
127 }
128
129 unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CA_CERT);
130 if (data->isServer) {
131 unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT);
132 unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY);
133 } else {
134 unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT);
135 unlink(CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY);
136 }
137 rmdir(CERT_DIR);
138 if (creds) {
139 object_unparent(OBJECT(creds));
140 }
141 }
142
143 int main(int argc, char **argv)
144 {
145 int ret;
146
147 module_call_init(MODULE_INIT_QOM);
148 g_test_init(&argc, &argv, NULL);
149 setenv("GNUTLS_FORCE_FIPS_MODE", "2", 1);
150
151 mkdir(WORKDIR, 0700);
152
153 test_tls_init(KEYFILE);
154
155 # define TLS_TEST_REG(name, isServer, caCrt, crt, expectFail) \
156 struct QCryptoTLSCredsTestData name = { \
157 isServer, caCrt, crt, expectFail \
158 }; \
159 g_test_add_data_func("/qcrypto/tlscredsx509/" # name, \
160 &name, test_tls_creds); \
161
162 /* A perfect CA, perfect client & perfect server */
163
164 /* Basic:CA:critical */
165 TLS_ROOT_REQ(cacertreq,
166 "UK", "qemu CA", NULL, NULL, NULL, NULL,
167 true, true, true,
168 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
169 false, false, NULL, NULL,
170 0, 0);
171
172 TLS_CERT_REQ(servercertreq, cacertreq,
173 "UK", "qemu.org", NULL, NULL, NULL, NULL,
174 true, true, false,
175 true, true,
176 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
177 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
178 0, 0);
179 TLS_CERT_REQ(clientcertreq, cacertreq,
180 "UK", "qemu", NULL, NULL, NULL, NULL,
181 true, true, false,
182 true, true,
183 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
184 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
185 0, 0);
186
187 TLS_TEST_REG(perfectserver, true,
188 cacertreq.filename, servercertreq.filename, false);
189 TLS_TEST_REG(perfectclient, false,
190 cacertreq.filename, clientcertreq.filename, false);
191
192
193 /* Some other CAs which are good */
194
195 /* Basic:CA:critical */
196 TLS_ROOT_REQ(cacert1req,
197 "UK", "qemu CA 1", NULL, NULL, NULL, NULL,
198 true, true, true,
199 false, false, 0,
200 false, false, NULL, NULL,
201 0, 0);
202 TLS_CERT_REQ(servercert1req, cacert1req,
203 "UK", "qemu.org", NULL, NULL, NULL, NULL,
204 true, true, false,
205 true, true,
206 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
207 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
208 0, 0);
209
210 /* Basic:CA:not-critical */
211 TLS_ROOT_REQ(cacert2req,
212 "UK", "qemu CA 2", NULL, NULL, NULL, NULL,
213 true, false, true,
214 false, false, 0,
215 false, false, NULL, NULL,
216 0, 0);
217 TLS_CERT_REQ(servercert2req, cacert2req,
218 "UK", "qemu.org", NULL, NULL, NULL, NULL,
219 true, true, false,
220 true, true,
221 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
222 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
223 0, 0);
224
225 /* Key usage:cert-sign:critical */
226 TLS_ROOT_REQ(cacert3req,
227 "UK", "qemu CA 3", NULL, NULL, NULL, NULL,
228 true, true, true,
229 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
230 false, false, NULL, NULL,
231 0, 0);
232 TLS_CERT_REQ(servercert3req, cacert3req,
233 "UK", "qemu.org", NULL, NULL, NULL, NULL,
234 true, true, false,
235 true, true,
236 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
237 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
238 0, 0);
239
240 TLS_TEST_REG(goodca1, true,
241 cacert1req.filename, servercert1req.filename, false);
242 TLS_TEST_REG(goodca2, true,
243 cacert2req.filename, servercert2req.filename, false);
244 TLS_TEST_REG(goodca3, true,
245 cacert3req.filename, servercert3req.filename, false);
246
247 /* Now some bad certs */
248
249 /* Key usage:dig-sig:not-critical */
250 TLS_ROOT_REQ(cacert4req,
251 "UK", "qemu CA 4", NULL, NULL, NULL, NULL,
252 true, true, true,
253 true, false, GNUTLS_KEY_DIGITAL_SIGNATURE,
254 false, false, NULL, NULL,
255 0, 0);
256 TLS_CERT_REQ(servercert4req, cacert4req,
257 "UK", "qemu.org", NULL, NULL, NULL, NULL,
258 true, true, false,
259 true, true,
260 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
261 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
262 0, 0);
263 /* no-basic */
264 TLS_ROOT_REQ(cacert5req,
265 "UK", "qemu CA 5", NULL, NULL, NULL, NULL,
266 false, false, false,
267 false, false, 0,
268 false, false, NULL, NULL,
269 0, 0);
270 TLS_CERT_REQ(servercert5req, cacert5req,
271 "UK", "qemu.org", NULL, NULL, NULL, NULL,
272 true, true, false,
273 true, true,
274 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
275 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
276 0, 0);
277 /* Key usage:dig-sig:critical */
278 TLS_ROOT_REQ(cacert6req,
279 "UK", "qemu CA 6", NULL, NULL, NULL, NULL,
280 true, true, true,
281 true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
282 false, false, NULL, NULL,
283 0, 0);
284 TLS_CERT_REQ(servercert6req, cacert6req,
285 "UK", "qemu.org", NULL, NULL, NULL, NULL,
286 true, true, false,
287 true, true,
288 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
289 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
290 0, 0);
291
292 /* Technically a CA cert with basic constraints
293 * key purpose == key signing + non-critical should
294 * be rejected. GNUTLS < 3.1 does not reject it and
295 * we don't anticipate them changing this behaviour
296 */
297 TLS_TEST_REG(badca1, true, cacert4req.filename, servercert4req.filename,
298 (GNUTLS_VERSION_MAJOR == 3 && GNUTLS_VERSION_MINOR >= 1) ||
299 GNUTLS_VERSION_MAJOR > 3);
300 TLS_TEST_REG(badca2, true,
301 cacert5req.filename, servercert5req.filename, true);
302 TLS_TEST_REG(badca3, true,
303 cacert6req.filename, servercert6req.filename, true);
304
305
306 /* Various good servers */
307 /* no usage or purpose */
308 TLS_CERT_REQ(servercert7req, cacertreq,
309 "UK", "qemu", NULL, NULL, NULL, NULL,
310 true, true, false,
311 false, false, 0,
312 false, false, NULL, NULL,
313 0, 0);
314 /* usage:cert-sign+dig-sig+encipher:critical */
315 TLS_CERT_REQ(servercert8req, cacertreq,
316 "UK", "qemu", NULL, NULL, NULL, NULL,
317 true, true, false,
318 true, true,
319 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT |
320 GNUTLS_KEY_KEY_CERT_SIGN,
321 false, false, NULL, NULL,
322 0, 0);
323 /* usage:cert-sign:not-critical */
324 TLS_CERT_REQ(servercert9req, cacertreq,
325 "UK", "qemu", NULL, NULL, NULL, NULL,
326 true, true, false,
327 true, false, GNUTLS_KEY_KEY_CERT_SIGN,
328 false, false, NULL, NULL,
329 0, 0);
330 /* purpose:server:critical */
331 TLS_CERT_REQ(servercert10req, cacertreq,
332 "UK", "qemu", NULL, NULL, NULL, NULL,
333 true, true, false,
334 false, false, 0,
335 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
336 0, 0);
337 /* purpose:server:not-critical */
338 TLS_CERT_REQ(servercert11req, cacertreq,
339 "UK", "qemu", NULL, NULL, NULL, NULL,
340 true, true, false,
341 false, false, 0,
342 true, false, GNUTLS_KP_TLS_WWW_SERVER, NULL,
343 0, 0);
344 /* purpose:client+server:critical */
345 TLS_CERT_REQ(servercert12req, cacertreq,
346 "UK", "qemu", NULL, NULL, NULL, NULL,
347 true, true, false,
348 false, false, 0,
349 true, true,
350 GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
351 0, 0);
352 /* purpose:client+server:not-critical */
353 TLS_CERT_REQ(servercert13req, cacertreq,
354 "UK", "qemu", NULL, NULL, NULL, NULL,
355 true, true, false,
356 false, false, 0,
357 true, false,
358 GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
359 0, 0);
360
361 TLS_TEST_REG(goodserver1, true,
362 cacertreq.filename, servercert7req.filename, false);
363 TLS_TEST_REG(goodserver2, true,
364 cacertreq.filename, servercert8req.filename, false);
365 TLS_TEST_REG(goodserver3, true,
366 cacertreq.filename, servercert9req.filename, false);
367 TLS_TEST_REG(goodserver4, true,
368 cacertreq.filename, servercert10req.filename, false);
369 TLS_TEST_REG(goodserver5, true,
370 cacertreq.filename, servercert11req.filename, false);
371 TLS_TEST_REG(goodserver6, true,
372 cacertreq.filename, servercert12req.filename, false);
373 TLS_TEST_REG(goodserver7, true,
374 cacertreq.filename, servercert13req.filename, false);
375
376 /* Bad servers */
377
378 /* usage:cert-sign:critical */
379 TLS_CERT_REQ(servercert14req, cacertreq,
380 "UK", "qemu", NULL, NULL, NULL, NULL,
381 true, true, false,
382 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
383 false, false, NULL, NULL,
384 0, 0);
385 /* purpose:client:critical */
386 TLS_CERT_REQ(servercert15req, cacertreq,
387 "UK", "qemu", NULL, NULL, NULL, NULL,
388 true, true, false,
389 false, false, 0,
390 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
391 0, 0);
392 /* usage: none:critical */
393 TLS_CERT_REQ(servercert16req, cacertreq,
394 "UK", "qemu", NULL, NULL, NULL, NULL,
395 true, true, false,
396 true, true, 0,
397 false, false, NULL, NULL,
398 0, 0);
399
400 TLS_TEST_REG(badserver1, true,
401 cacertreq.filename, servercert14req.filename, true);
402 TLS_TEST_REG(badserver2, true,
403 cacertreq.filename, servercert15req.filename, true);
404 TLS_TEST_REG(badserver3, true,
405 cacertreq.filename, servercert16req.filename, true);
406
407
408
409 /* Various good clients */
410 /* no usage or purpose */
411 TLS_CERT_REQ(clientcert1req, cacertreq,
412 "UK", "qemu", NULL, NULL, NULL, NULL,
413 true, true, false,
414 false, false, 0,
415 false, false, NULL, NULL,
416 0, 0);
417 /* usage:cert-sign+dig-sig+encipher:critical */
418 TLS_CERT_REQ(clientcert2req, cacertreq,
419 "UK", "qemu", NULL, NULL, NULL, NULL,
420 true, true, false,
421 true, true,
422 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT |
423 GNUTLS_KEY_KEY_CERT_SIGN,
424 false, false, NULL, NULL,
425 0, 0);
426 /* usage:cert-sign:not-critical */
427 TLS_CERT_REQ(clientcert3req, cacertreq,
428 "UK", "qemu", NULL, NULL, NULL, NULL,
429 true, true, false,
430 true, false, GNUTLS_KEY_KEY_CERT_SIGN,
431 false, false, NULL, NULL,
432 0, 0);
433 /* purpose:client:critical */
434 TLS_CERT_REQ(clientcert4req, cacertreq,
435 "UK", "qemu", NULL, NULL, NULL, NULL,
436 true, true, false,
437 false, false, 0,
438 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
439 0, 0);
440 /* purpose:client:not-critical */
441 TLS_CERT_REQ(clientcert5req, cacertreq,
442 "UK", "qemu", NULL, NULL, NULL, NULL,
443 true, true, false,
444 false, false, 0,
445 true, false, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
446 0, 0);
447 /* purpose:client+client:critical */
448 TLS_CERT_REQ(clientcert6req, cacertreq,
449 "UK", "qemu", NULL, NULL, NULL, NULL,
450 true, true, false,
451 false, false, 0,
452 true, true,
453 GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
454 0, 0);
455 /* purpose:client+client:not-critical */
456 TLS_CERT_REQ(clientcert7req, cacertreq,
457 "UK", "qemu", NULL, NULL, NULL, NULL,
458 true, true, false,
459 false, false, 0,
460 true, false,
461 GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
462 0, 0);
463
464 TLS_TEST_REG(goodclient1, false,
465 cacertreq.filename, clientcert1req.filename, false);
466 TLS_TEST_REG(goodclient2, false,
467 cacertreq.filename, clientcert2req.filename, false);
468 TLS_TEST_REG(goodclient3, false,
469 cacertreq.filename, clientcert3req.filename, false);
470 TLS_TEST_REG(goodclient4, false,
471 cacertreq.filename, clientcert4req.filename, false);
472 TLS_TEST_REG(goodclient5, false,
473 cacertreq.filename, clientcert5req.filename, false);
474 TLS_TEST_REG(goodclient6, false,
475 cacertreq.filename, clientcert6req.filename, false);
476 TLS_TEST_REG(goodclient7, false,
477 cacertreq.filename, clientcert7req.filename, false);
478
479 /* Bad clients */
480
481 /* usage:cert-sign:critical */
482 TLS_CERT_REQ(clientcert8req, cacertreq,
483 "UK", "qemu", NULL, NULL, NULL, NULL,
484 true, true, false,
485 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
486 false, false, NULL, NULL,
487 0, 0);
488 /* purpose:client:critical */
489 TLS_CERT_REQ(clientcert9req, cacertreq,
490 "UK", "qemu", NULL, NULL, NULL, NULL,
491 true, true, false,
492 false, false, 0,
493 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
494 0, 0);
495 /* usage: none:critical */
496 TLS_CERT_REQ(clientcert10req, cacertreq,
497 "UK", "qemu", NULL, NULL, NULL, NULL,
498 true, true, false,
499 true, true, 0,
500 false, false, NULL, NULL,
501 0, 0);
502
503 TLS_TEST_REG(badclient1, false,
504 cacertreq.filename, clientcert8req.filename, true);
505 TLS_TEST_REG(badclient2, false,
506 cacertreq.filename, clientcert9req.filename, true);
507 TLS_TEST_REG(badclient3, false,
508 cacertreq.filename, clientcert10req.filename, true);
509
510
511
512 /* Expired stuff */
513
514 TLS_ROOT_REQ(cacertexpreq,
515 "UK", "qemu", NULL, NULL, NULL, NULL,
516 true, true, true,
517 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
518 false, false, NULL, NULL,
519 0, -1);
520 TLS_CERT_REQ(servercertexpreq, cacertexpreq,
521 "UK", "qemu.org", NULL, NULL, NULL, NULL,
522 true, true, false,
523 true, true,
524 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
525 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
526 0, 0);
527 TLS_CERT_REQ(servercertexp1req, cacertreq,
528 "UK", "qemu", NULL, NULL, NULL, NULL,
529 true, true, false,
530 true, true,
531 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
532 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
533 0, -1);
534 TLS_CERT_REQ(clientcertexp1req, cacertreq,
535 "UK", "qemu", NULL, NULL, NULL, NULL,
536 true, true, false,
537 true, true,
538 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
539 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
540 0, -1);
541
542 TLS_TEST_REG(expired1, true,
543 cacertexpreq.filename, servercertexpreq.filename, true);
544 TLS_TEST_REG(expired2, true,
545 cacertreq.filename, servercertexp1req.filename, true);
546 TLS_TEST_REG(expired3, false,
547 cacertreq.filename, clientcertexp1req.filename, true);
548
549
550 /* Not activated stuff */
551
552 TLS_ROOT_REQ(cacertnewreq,
553 "UK", "qemu", NULL, NULL, NULL, NULL,
554 true, true, true,
555 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
556 false, false, NULL, NULL,
557 1, 2);
558 TLS_CERT_REQ(servercertnewreq, cacertnewreq,
559 "UK", "qemu", NULL, NULL, NULL, NULL,
560 true, true, false,
561 true, true,
562 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
563 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
564 0, 0);
565 TLS_CERT_REQ(servercertnew1req, cacertreq,
566 "UK", "qemu", NULL, NULL, NULL, NULL,
567 true, true, false,
568 true, true,
569 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
570 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
571 1, 2);
572 TLS_CERT_REQ(clientcertnew1req, cacertreq,
573 "UK", "qemu", NULL, NULL, NULL, NULL,
574 true, true, false,
575 true, true,
576 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
577 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
578 1, 2);
579
580 TLS_TEST_REG(inactive1, true,
581 cacertnewreq.filename, servercertnewreq.filename, true);
582 TLS_TEST_REG(inactive2, true,
583 cacertreq.filename, servercertnew1req.filename, true);
584 TLS_TEST_REG(inactive3, false,
585 cacertreq.filename, clientcertnew1req.filename, true);
586
587 TLS_ROOT_REQ(cacertrootreq,
588 "UK", "qemu root", NULL, NULL, NULL, NULL,
589 true, true, true,
590 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
591 false, false, NULL, NULL,
592 0, 0);
593 TLS_CERT_REQ(cacertlevel1areq, cacertrootreq,
594 "UK", "qemu level 1a", NULL, NULL, NULL, NULL,
595 true, true, true,
596 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
597 false, false, NULL, NULL,
598 0, 0);
599 TLS_CERT_REQ(cacertlevel1breq, cacertrootreq,
600 "UK", "qemu level 1b", NULL, NULL, NULL, NULL,
601 true, true, true,
602 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
603 false, false, NULL, NULL,
604 0, 0);
605 TLS_CERT_REQ(cacertlevel2areq, cacertlevel1areq,
606 "UK", "qemu level 2a", NULL, NULL, NULL, NULL,
607 true, true, true,
608 true, true, GNUTLS_KEY_KEY_CERT_SIGN,
609 false, false, NULL, NULL,
610 0, 0);
611 TLS_CERT_REQ(servercertlevel3areq, cacertlevel2areq,
612 "UK", "qemu.org", NULL, NULL, NULL, NULL,
613 true, true, false,
614 true, true,
615 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
616 true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
617 0, 0);
618 TLS_CERT_REQ(clientcertlevel2breq, cacertlevel1breq,
619 "UK", "qemu client level 2b", NULL, NULL, NULL, NULL,
620 true, true, false,
621 true, true,
622 GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
623 true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
624 0, 0);
625
626 gnutls_x509_crt_t certchain[] = {
627 cacertrootreq.crt,
628 cacertlevel1areq.crt,
629 cacertlevel1breq.crt,
630 cacertlevel2areq.crt,
631 };
632
633 test_tls_write_cert_chain(WORKDIR "cacertchain-ctx.pem",
634 certchain,
635 G_N_ELEMENTS(certchain));
636
637 TLS_TEST_REG(chain1, true,
638 WORKDIR "cacertchain-ctx.pem",
639 servercertlevel3areq.filename, false);
640 TLS_TEST_REG(chain2, false,
641 WORKDIR "cacertchain-ctx.pem",
642 clientcertlevel2breq.filename, false);
643
644 /* Some missing certs - first two are fatal, the last
645 * is ok
646 */
647 TLS_TEST_REG(missingca, true,
648 "cacertdoesnotexist.pem",
649 servercert1req.filename, true);
650 TLS_TEST_REG(missingserver, true,
651 cacert1req.filename,
652 "servercertdoesnotexist.pem", true);
653 TLS_TEST_REG(missingclient, false,
654 cacert1req.filename,
655 "clientcertdoesnotexist.pem", false);
656
657 ret = g_test_run();
658
659 test_tls_discard_cert(&cacertreq);
660 test_tls_discard_cert(&cacert1req);
661 test_tls_discard_cert(&cacert2req);
662 test_tls_discard_cert(&cacert3req);
663 test_tls_discard_cert(&cacert4req);
664 test_tls_discard_cert(&cacert5req);
665 test_tls_discard_cert(&cacert6req);
666
667 test_tls_discard_cert(&servercertreq);
668 test_tls_discard_cert(&servercert1req);
669 test_tls_discard_cert(&servercert2req);
670 test_tls_discard_cert(&servercert3req);
671 test_tls_discard_cert(&servercert4req);
672 test_tls_discard_cert(&servercert5req);
673 test_tls_discard_cert(&servercert6req);
674 test_tls_discard_cert(&servercert7req);
675 test_tls_discard_cert(&servercert8req);
676 test_tls_discard_cert(&servercert9req);
677 test_tls_discard_cert(&servercert10req);
678 test_tls_discard_cert(&servercert11req);
679 test_tls_discard_cert(&servercert12req);
680 test_tls_discard_cert(&servercert13req);
681 test_tls_discard_cert(&servercert14req);
682 test_tls_discard_cert(&servercert15req);
683 test_tls_discard_cert(&servercert16req);
684
685 test_tls_discard_cert(&clientcertreq);
686 test_tls_discard_cert(&clientcert1req);
687 test_tls_discard_cert(&clientcert2req);
688 test_tls_discard_cert(&clientcert3req);
689 test_tls_discard_cert(&clientcert4req);
690 test_tls_discard_cert(&clientcert5req);
691 test_tls_discard_cert(&clientcert6req);
692 test_tls_discard_cert(&clientcert7req);
693 test_tls_discard_cert(&clientcert8req);
694 test_tls_discard_cert(&clientcert9req);
695 test_tls_discard_cert(&clientcert10req);
696
697 test_tls_discard_cert(&cacertexpreq);
698 test_tls_discard_cert(&servercertexpreq);
699 test_tls_discard_cert(&servercertexp1req);
700 test_tls_discard_cert(&clientcertexp1req);
701
702 test_tls_discard_cert(&cacertnewreq);
703 test_tls_discard_cert(&servercertnewreq);
704 test_tls_discard_cert(&servercertnew1req);
705 test_tls_discard_cert(&clientcertnew1req);
706
707 test_tls_discard_cert(&cacertrootreq);
708 test_tls_discard_cert(&cacertlevel1areq);
709 test_tls_discard_cert(&cacertlevel1breq);
710 test_tls_discard_cert(&cacertlevel2areq);
711 test_tls_discard_cert(&servercertlevel3areq);
712 test_tls_discard_cert(&clientcertlevel2breq);
713 unlink(WORKDIR "cacertchain-ctx.pem");
714
715 test_tls_cleanup(KEYFILE);
716 rmdir(WORKDIR);
717
718 return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
719 }
720
721 #else /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */
722
723 int
724 main(void)
725 {
726 return EXIT_SUCCESS;
727 }
728
729 #endif /* ! QCRYPTO_HAVE_TLS_TEST_SUPPORT */
QEMU mirror