/*
 * Copyright (C) 2011-2014 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library.  If not, see
 * <http://www.gnu.org/licenses/>.
 */
# include <config.h>
# include <fcntl.h>
# include <unistd.h>
# include "testutils.h"
# include "virnettlshelpers.h"
# include "virlog.h"
# if !defined WIN32 && WITH_LIBTASN1_H && LIBGNUTLS_VERSION_NUMBER >= 0x020600
# include "rpc / virnettlscontext.h"
# define VIR_FROM_THIS VIR_FROM_RPC
2014-02-28 12:16:17 +00:00
VIR_LOG_INIT ( " tests.nettlscontexttest " ) ;
2013-08-08 23:08:25 +01:00
# define KEYFILE "key-ctx.pem"
2011-07-20 19:04:18 +01:00
struct testTLSContextData {
bool isServer ;
2013-08-06 11:35:49 +01:00
const char * cacrt ;
const char * crt ;
2011-07-20 19:04:18 +01:00
bool expectFail ;
} ;
/*
 * This tests sanity checking of our own certificates.
 *
 * This code runs when libvirtd starts up, or before a libvirt
 * client connects. The test ensures that the creation of a
 * virNetTLSContext fails if we give bogus certs, and succeeds
 * for good certs.
 */
static int testTLSContextInit ( const void * opaque )
{
struct testTLSContextData * data = ( struct testTLSContextData * ) opaque ;
2021-03-11 08:16:13 +01:00
virNetTLSContext * ctxt = NULL ;
2011-07-20 19:04:18 +01:00
int ret = - 1 ;
if ( data - > isServer ) {
2013-08-06 11:35:49 +01:00
ctxt = virNetTLSContextNewServer ( data - > cacrt ,
2011-07-20 19:04:18 +01:00
NULL ,
2013-08-06 11:35:49 +01:00
data - > crt ,
2013-08-08 23:08:25 +01:00
KEYFILE ,
2011-07-20 19:04:18 +01:00
NULL ,
2018-03-05 12:46:16 +00:00
" NORMAL " ,
2011-07-20 19:04:18 +01:00
true ,
true ) ;
} else {
2013-08-06 11:35:49 +01:00
ctxt = virNetTLSContextNewClient ( data - > cacrt ,
2011-07-20 19:04:18 +01:00
NULL ,
2013-08-06 11:35:49 +01:00
data - > crt ,
2013-08-08 23:08:25 +01:00
KEYFILE ,
2018-03-05 12:46:16 +00:00
" NORMAL " ,
2011-07-20 19:04:18 +01:00
true ,
true ) ;
}
if ( ctxt ) {
if ( data - > expectFail ) {
VIR_WARN ( " Expected failure %s against %s " ,
2013-08-06 11:35:49 +01:00
data - > cacrt , data - > crt ) ;
2011-07-20 19:04:18 +01:00
goto cleanup ;
}
} else {
if ( ! data - > expectFail ) {
VIR_WARN ( " Unexpected failure %s against %s " ,
2013-08-06 11:35:49 +01:00
data - > cacrt , data - > crt ) ;
2011-07-20 19:04:18 +01:00
goto cleanup ;
}
2016-03-18 16:58:02 -04:00
VIR_DEBUG ( " Got error %s " , virGetLastErrorMessage ( ) ) ;
2011-07-20 19:04:18 +01:00
}
ret = 0 ;
2014-03-25 07:53:44 +01:00
cleanup :
2012-07-11 14:35:48 +01:00
virObjectUnref ( ctxt ) ;
2011-07-20 19:04:18 +01:00
return ret ;
}
static int
mymain ( void )
{
int ret = 0 ;
2019-12-18 17:16:19 +00:00
g_setenv ( " GNUTLS_FORCE_FIPS_MODE " , " 2 " , TRUE ) ;
2014-09-04 11:23:16 +02:00
2013-08-08 23:08:25 +01:00
testTLSInit ( KEYFILE ) ;
2011-07-20 19:04:18 +01:00
2017-11-03 13:09:47 +01:00
# define DO_CTX_TEST(_isServer, _caCrt, _crt, _expectFail) \
do { \
static struct testTLSContextData data ; \
data . isServer = _isServer ; \
data . cacrt = _caCrt ; \
data . crt = _crt ; \
data . expectFail = _expectFail ; \
if ( virTestRun ( " TLS Context " # _caCrt " + " # _crt , \
testTLSContextInit , & data ) < 0 ) \
ret = - 1 ; \
2011-07-20 19:04:18 +01:00
} while ( 0 )
2017-11-03 13:09:47 +01:00
# define TLS_CERT_REQ(varname, cavarname, \
co , cn , an1 , an2 , ia1 , ia2 , bce , bcc , bci , \
kue , kuc , kuv , kpe , kpc , kpo1 , kpo2 , so , eo ) \
static struct testTLSCertReq varname = { \
NULL , # varname " -ctx.pem " , \
co , cn , an1 , an2 , ia1 , ia2 , bce , bcc , bci , \
kue , kuc , kuv , kpe , kpc , kpo1 , kpo2 , so , eo \
} ; \
2013-08-05 17:08:17 +01:00
testTLSGenerateCert ( & varname , cavarname . crt )
2020-08-03 17:32:22 +02:00
VIR_WARNINGS_NO_DECLARATION_AFTER_STATEMENT
2017-11-03 13:09:47 +01:00
# define TLS_ROOT_REQ(varname, \
co , cn , an1 , an2 , ia1 , ia2 , bce , bcc , bci , \
kue , kuc , kuv , kpe , kpc , kpo1 , kpo2 , so , eo ) \
static struct testTLSCertReq varname = { \
NULL , # varname " -ctx.pem " , \
co , cn , an1 , an2 , ia1 , ia2 , bce , bcc , bci , \
kue , kuc , kuv , kpe , kpc , kpo1 , kpo2 , so , eo \
} ; \
2013-08-05 17:08:17 +01:00
testTLSGenerateCert ( & varname , NULL )
2011-07-20 19:04:18 +01:00
/* A perfect CA, perfect client & perfect server */
/* Basic:CA:critical */
2013-08-05 17:08:17 +01:00
TLS_ROOT_REQ ( cacertreq ,
" UK " , " libvirt CA " , NULL , NULL , NULL , NULL ,
true , true , true ,
true , true , GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( servercertreq , cacertreq ,
" UK " , " libvirt.org " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( clientcertreq , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_CLIENT , NULL ,
0 , 0 ) ;
2011-07-20 19:04:18 +01:00
2013-08-06 11:35:49 +01:00
DO_CTX_TEST ( true , cacertreq . filename , servercertreq . filename , false ) ;
DO_CTX_TEST ( false , cacertreq . filename , clientcertreq . filename , false ) ;
2011-07-20 19:04:18 +01:00
/* Some other CAs which are good */
/* Basic:CA:critical */
2013-08-05 17:08:17 +01:00
TLS_ROOT_REQ ( cacert1req ,
" UK " , " libvirt CA 1 " , NULL , NULL , NULL , NULL ,
true , true , true ,
false , false , 0 ,
false , false , NULL , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( servercert1req , cacert1req ,
" UK " , " libvirt.org " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
2011-07-20 19:04:18 +01:00
/* Basic:CA:not-critical */
2013-08-05 17:08:17 +01:00
TLS_ROOT_REQ ( cacert2req ,
" UK " , " libvirt CA 2 " , NULL , NULL , NULL , NULL ,
true , false , true ,
false , false , 0 ,
false , false , NULL , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( servercert2req , cacert2req ,
" UK " , " libvirt.org " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
2013-08-05 16:49:24 +01:00
/* Key usage:cert-sign:critical */
2013-08-05 17:08:17 +01:00
TLS_ROOT_REQ ( cacert3req ,
" UK " , " libvirt CA 3 " , NULL , NULL , NULL , NULL ,
true , true , true ,
true , true , GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( servercert3req , cacert3req ,
" UK " , " libvirt.org " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
2013-08-06 11:35:49 +01:00
DO_CTX_TEST ( true , cacert1req . filename , servercert1req . filename , false ) ;
DO_CTX_TEST ( true , cacert2req . filename , servercert2req . filename , false ) ;
DO_CTX_TEST ( true , cacert3req . filename , servercert3req . filename , false ) ;
2011-07-20 19:04:18 +01:00
/* Now some bad certs */
2013-03-04 17:27:38 +00:00
/* Key usage:dig-sig:not-critical */
2013-08-05 17:08:17 +01:00
TLS_ROOT_REQ ( cacert4req ,
" UK " , " libvirt CA 4 " , NULL , NULL , NULL , NULL ,
true , true , true ,
true , false , GNUTLS_KEY_DIGITAL_SIGNATURE ,
false , false , NULL , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( servercert4req , cacert4req ,
" UK " , " libvirt.org " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
2011-07-20 19:04:18 +01:00
/* no-basic */
2013-08-05 17:08:17 +01:00
TLS_ROOT_REQ ( cacert5req ,
" UK " , " libvirt CA 5 " , NULL , NULL , NULL , NULL ,
false , false , false ,
false , false , 0 ,
false , false , NULL , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( servercert5req , cacert5req ,
" UK " , " libvirt.org " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
2011-07-20 19:04:18 +01:00
/* Key usage:dig-sig:critical */
2013-08-05 17:08:17 +01:00
TLS_ROOT_REQ ( cacert6req ,
" UK " , " libvirt CA 6 " , NULL , NULL , NULL , NULL ,
true , true , true ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE ,
false , false , NULL , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( servercert6req , cacert6req ,
" UK " , " libvirt.org " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
2011-07-20 19:04:18 +01:00
2013-03-04 17:27:38 +00:00
/* Technically a CA cert with basic constraints
* key purpose = = key signing + non - critical should
2013-12-23 09:01:42 +01:00
* be rejected . GNUTLS < 3.1 does not reject it and
2013-03-04 17:27:38 +00:00
* we don ' t anticipate them changing this behaviour
*/
2013-12-23 09:01:42 +01:00
DO_CTX_TEST ( true , cacert4req . filename , servercert4req . filename ,
( GNUTLS_VERSION_MAJOR = = 3 & & GNUTLS_VERSION_MINOR > = 1 ) | |
GNUTLS_VERSION_MAJOR > 3 ) ;
2013-08-06 11:35:49 +01:00
DO_CTX_TEST ( true , cacert5req . filename , servercert5req . filename , true ) ;
DO_CTX_TEST ( true , cacert6req . filename , servercert6req . filename , true ) ;
2011-07-20 19:04:18 +01:00
/* Various good servers */
/* no usage or purpose */
2013-08-05 17:08:17 +01:00
TLS_CERT_REQ ( servercert7req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
false , false , 0 ,
false , false , NULL , NULL ,
0 , 0 ) ;
2011-07-20 19:04:18 +01:00
/* usage:cert-sign+dig-sig+encipher:critical */
2013-08-05 17:08:17 +01:00
TLS_CERT_REQ ( servercert8req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , 0 ) ;
2011-07-20 19:04:18 +01:00
/* usage:cert-sign:not-critical */
2013-08-05 17:08:17 +01:00
TLS_CERT_REQ ( servercert9req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , false , GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , 0 ) ;
2011-07-20 19:04:18 +01:00
/* purpose:server:critical */
2013-08-05 17:08:17 +01:00
TLS_CERT_REQ ( servercert10req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
false , false , 0 ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
2011-07-20 19:04:18 +01:00
/* purpose:server:not-critical */
2013-08-05 17:08:17 +01:00
TLS_CERT_REQ ( servercert11req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
false , false , 0 ,
true , false , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
2011-07-20 19:04:18 +01:00
/* purpose:client+server:critical */
2013-08-05 17:08:17 +01:00
TLS_CERT_REQ ( servercert12req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
false , false , 0 ,
true , true , GNUTLS_KP_TLS_WWW_CLIENT , GNUTLS_KP_TLS_WWW_SERVER ,
0 , 0 ) ;
2011-07-20 19:04:18 +01:00
/* purpose:client+server:not-critical */
2013-08-05 17:08:17 +01:00
TLS_CERT_REQ ( servercert13req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
false , false , 0 ,
true , false , GNUTLS_KP_TLS_WWW_CLIENT , GNUTLS_KP_TLS_WWW_SERVER ,
0 , 0 ) ;
2013-08-06 11:35:49 +01:00
DO_CTX_TEST ( true , cacertreq . filename , servercert7req . filename , false ) ;
DO_CTX_TEST ( true , cacertreq . filename , servercert8req . filename , false ) ;
DO_CTX_TEST ( true , cacertreq . filename , servercert9req . filename , false ) ;
DO_CTX_TEST ( true , cacertreq . filename , servercert10req . filename , false ) ;
DO_CTX_TEST ( true , cacertreq . filename , servercert11req . filename , false ) ;
DO_CTX_TEST ( true , cacertreq . filename , servercert12req . filename , false ) ;
DO_CTX_TEST ( true , cacertreq . filename , servercert13req . filename , false ) ;
2011-07-20 19:04:18 +01:00
/* Bad servers */
/* usage:cert-sign:critical */
2013-08-05 17:08:17 +01:00
TLS_CERT_REQ ( servercert14req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , 0 ) ;
2011-07-20 19:04:18 +01:00
/* purpose:client:critical */
2013-08-05 17:08:17 +01:00
TLS_CERT_REQ ( servercert15req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
false , false , 0 ,
true , true , GNUTLS_KP_TLS_WWW_CLIENT , NULL ,
0 , 0 ) ;
2011-07-20 19:04:18 +01:00
/* usage: none:critical */
2013-08-05 17:08:17 +01:00
TLS_CERT_REQ ( servercert16req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , 0 ,
false , false , NULL , NULL ,
0 , 0 ) ;
2011-07-20 19:04:18 +01:00
2013-08-06 11:35:49 +01:00
DO_CTX_TEST ( true , cacertreq . filename , servercert14req . filename , true ) ;
DO_CTX_TEST ( true , cacertreq . filename , servercert15req . filename , true ) ;
DO_CTX_TEST ( true , cacertreq . filename , servercert16req . filename , true ) ;
2011-07-20 19:04:18 +01:00
/* Various good clients */
/* no usage or purpose */
2013-08-05 17:08:17 +01:00
TLS_CERT_REQ ( clientcert1req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
false , false , 0 ,
false , false , NULL , NULL ,
0 , 0 ) ;
2011-07-20 19:04:18 +01:00
/* usage:cert-sign+dig-sig+encipher:critical */
2013-08-05 17:08:17 +01:00
TLS_CERT_REQ ( clientcert2req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , 0 ) ;
2011-07-20 19:04:18 +01:00
/* usage:cert-sign:not-critical */
2013-08-05 17:08:17 +01:00
TLS_CERT_REQ ( clientcert3req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , false , GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , 0 ) ;
2011-07-20 19:04:18 +01:00
/* purpose:client:critical */
2013-08-05 17:08:17 +01:00
TLS_CERT_REQ ( clientcert4req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
false , false , 0 ,
true , true , GNUTLS_KP_TLS_WWW_CLIENT , NULL ,
0 , 0 ) ;
2011-07-20 19:04:18 +01:00
/* purpose:client:not-critical */
2013-08-05 17:08:17 +01:00
TLS_CERT_REQ ( clientcert5req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
false , false , 0 ,
true , false , GNUTLS_KP_TLS_WWW_CLIENT , NULL ,
0 , 0 ) ;
2011-07-20 19:04:18 +01:00
/* purpose:client+client:critical */
2013-08-05 17:08:17 +01:00
TLS_CERT_REQ ( clientcert6req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
false , false , 0 ,
true , true , GNUTLS_KP_TLS_WWW_CLIENT , GNUTLS_KP_TLS_WWW_SERVER ,
0 , 0 ) ;
2011-07-20 19:04:18 +01:00
/* purpose:client+client:not-critical */
2013-08-05 17:08:17 +01:00
TLS_CERT_REQ ( clientcert7req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
false , false , 0 ,
true , false , GNUTLS_KP_TLS_WWW_CLIENT , GNUTLS_KP_TLS_WWW_SERVER ,
0 , 0 ) ;
2011-07-20 19:04:18 +01:00
2013-08-06 11:35:49 +01:00
DO_CTX_TEST ( false , cacertreq . filename , clientcert1req . filename , false ) ;
DO_CTX_TEST ( false , cacertreq . filename , clientcert2req . filename , false ) ;
DO_CTX_TEST ( false , cacertreq . filename , clientcert3req . filename , false ) ;
DO_CTX_TEST ( false , cacertreq . filename , clientcert4req . filename , false ) ;
DO_CTX_TEST ( false , cacertreq . filename , clientcert5req . filename , false ) ;
DO_CTX_TEST ( false , cacertreq . filename , clientcert6req . filename , false ) ;
DO_CTX_TEST ( false , cacertreq . filename , clientcert7req . filename , false ) ;
2011-07-20 19:04:18 +01:00
/* Bad clients */
/* usage:cert-sign:critical */
2013-08-05 17:08:17 +01:00
TLS_CERT_REQ ( clientcert8req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , 0 ) ;
2011-07-20 19:04:18 +01:00
/* purpose:client:critical */
2013-08-05 17:08:17 +01:00
TLS_CERT_REQ ( clientcert9req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
false , false , 0 ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
2011-07-20 19:04:18 +01:00
/* usage: none:critical */
2013-08-05 17:08:17 +01:00
TLS_CERT_REQ ( clientcert10req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , 0 ,
false , false , NULL , NULL ,
0 , 0 ) ;
2011-07-20 19:04:18 +01:00
2013-08-06 11:35:49 +01:00
DO_CTX_TEST ( false , cacertreq . filename , clientcert8req . filename , true ) ;
DO_CTX_TEST ( false , cacertreq . filename , clientcert9req . filename , true ) ;
DO_CTX_TEST ( false , cacertreq . filename , clientcert10req . filename , true ) ;
2011-07-20 19:04:18 +01:00
/* Expired stuff */
2013-08-05 17:08:17 +01:00
TLS_ROOT_REQ ( cacertexpreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , true ,
true , true , GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , - 1 ) ;
TLS_CERT_REQ ( servercertexpreq , cacertexpreq ,
" UK " , " libvirt.org " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( servercertexp1req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , - 1 ) ;
TLS_CERT_REQ ( clientcertexp1req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_CLIENT , NULL ,
0 , - 1 ) ;
2013-08-06 11:35:49 +01:00
DO_CTX_TEST ( true , cacertexpreq . filename , servercertexpreq . filename , true ) ;
DO_CTX_TEST ( true , cacertreq . filename , servercertexp1req . filename , true ) ;
DO_CTX_TEST ( false , cacertreq . filename , clientcertexp1req . filename , true ) ;
2011-07-20 19:04:18 +01:00
/* Not activated stuff */
2013-08-05 17:08:17 +01:00
TLS_ROOT_REQ ( cacertnewreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , true ,
true , true , GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
1 , 2 ) ;
TLS_CERT_REQ ( servercertnewreq , cacertnewreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( servercertnew1req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
1 , 2 ) ;
TLS_CERT_REQ ( clientcertnew1req , cacertreq ,
" UK " , " libvirt " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_CLIENT , NULL ,
1 , 2 ) ;
2013-08-06 11:35:49 +01:00
DO_CTX_TEST ( true , cacertnewreq . filename , servercertnewreq . filename , true ) ;
DO_CTX_TEST ( true , cacertreq . filename , servercertnew1req . filename , true ) ;
DO_CTX_TEST ( false , cacertreq . filename , clientcertnew1req . filename , true ) ;
2013-08-05 17:08:17 +01:00
2013-08-06 12:31:20 +01:00
TLS_ROOT_REQ ( cacertrootreq ,
" UK " , " libvirt root " , NULL , NULL , NULL , NULL ,
true , true , true ,
true , true , GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( cacertlevel1areq , cacertrootreq ,
" UK " , " libvirt level 1a " , NULL , NULL , NULL , NULL ,
true , true , true ,
true , true , GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( cacertlevel1breq , cacertrootreq ,
" UK " , " libvirt level 1b " , NULL , NULL , NULL , NULL ,
true , true , true ,
true , true , GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( cacertlevel2areq , cacertlevel1areq ,
" UK " , " libvirt level 2a " , NULL , NULL , NULL , NULL ,
true , true , true ,
true , true , GNUTLS_KEY_KEY_CERT_SIGN ,
false , false , NULL , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( servercertlevel3areq , cacertlevel2areq ,
" UK " , " libvirt.org " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_SERVER , NULL ,
0 , 0 ) ;
TLS_CERT_REQ ( clientcertlevel2breq , cacertlevel1breq ,
" UK " , " libvirt client level 2b " , NULL , NULL , NULL , NULL ,
true , true , false ,
true , true , GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT ,
true , true , GNUTLS_KP_TLS_WWW_CLIENT , NULL ,
0 , 0 ) ;
gnutls_x509_crt_t certchain [ ] = {
cacertrootreq . crt ,
cacertlevel1areq . crt ,
cacertlevel1breq . crt ,
cacertlevel2areq . crt ,
} ;
2013-08-09 09:53:30 +02:00
testTLSWriteCertChain ( " cacertchain-ctx.pem " ,
2013-08-06 12:31:20 +01:00
certchain ,
2019-10-15 13:55:26 +02:00
G_N_ELEMENTS ( certchain ) ) ;
2013-08-06 12:31:20 +01:00
2020-08-03 17:32:22 +02:00
VIR_WARNINGS_RESET
2013-08-09 09:53:30 +02:00
DO_CTX_TEST ( true , " cacertchain-ctx.pem " , servercertlevel3areq . filename , false ) ;
DO_CTX_TEST ( false , " cacertchain-ctx.pem " , clientcertlevel2breq . filename , false ) ;
2013-08-06 12:31:20 +01:00
2013-08-21 12:48:58 +01:00
DO_CTX_TEST ( false , " cacertdoesnotexist.pem " , " servercertdoesnotexist.pem " , true ) ;
2013-08-05 17:08:17 +01:00
testTLSDiscardCert ( & cacertreq ) ;
testTLSDiscardCert ( & cacert1req ) ;
testTLSDiscardCert ( & cacert2req ) ;
testTLSDiscardCert ( & cacert3req ) ;
testTLSDiscardCert ( & cacert4req ) ;
testTLSDiscardCert ( & cacert5req ) ;
testTLSDiscardCert ( & cacert6req ) ;
testTLSDiscardCert ( & servercertreq ) ;
testTLSDiscardCert ( & servercert1req ) ;
testTLSDiscardCert ( & servercert2req ) ;
testTLSDiscardCert ( & servercert3req ) ;
testTLSDiscardCert ( & servercert4req ) ;
testTLSDiscardCert ( & servercert5req ) ;
testTLSDiscardCert ( & servercert6req ) ;
testTLSDiscardCert ( & servercert7req ) ;
testTLSDiscardCert ( & servercert8req ) ;
testTLSDiscardCert ( & servercert9req ) ;
testTLSDiscardCert ( & servercert10req ) ;
testTLSDiscardCert ( & servercert11req ) ;
testTLSDiscardCert ( & servercert12req ) ;
testTLSDiscardCert ( & servercert13req ) ;
testTLSDiscardCert ( & servercert14req ) ;
testTLSDiscardCert ( & servercert15req ) ;
testTLSDiscardCert ( & servercert16req ) ;
testTLSDiscardCert ( & clientcertreq ) ;
testTLSDiscardCert ( & clientcert1req ) ;
testTLSDiscardCert ( & clientcert2req ) ;
testTLSDiscardCert ( & clientcert3req ) ;
testTLSDiscardCert ( & clientcert4req ) ;
testTLSDiscardCert ( & clientcert5req ) ;
testTLSDiscardCert ( & clientcert6req ) ;
testTLSDiscardCert ( & clientcert7req ) ;
testTLSDiscardCert ( & clientcert8req ) ;
testTLSDiscardCert ( & clientcert9req ) ;
testTLSDiscardCert ( & clientcert10req ) ;
testTLSDiscardCert ( & cacertexpreq ) ;
testTLSDiscardCert ( & servercertexpreq ) ;
testTLSDiscardCert ( & servercertexp1req ) ;
testTLSDiscardCert ( & clientcertexp1req ) ;
testTLSDiscardCert ( & cacertnewreq ) ;
testTLSDiscardCert ( & servercertnewreq ) ;
testTLSDiscardCert ( & servercertnew1req ) ;
testTLSDiscardCert ( & clientcertnew1req ) ;
2011-07-20 19:04:18 +01:00
2013-08-06 12:31:20 +01:00
testTLSDiscardCert ( & cacertrootreq ) ;
testTLSDiscardCert ( & cacertlevel1areq ) ;
testTLSDiscardCert ( & cacertlevel1breq ) ;
testTLSDiscardCert ( & cacertlevel2areq ) ;
testTLSDiscardCert ( & servercertlevel3areq ) ;
testTLSDiscardCert ( & clientcertlevel2breq ) ;
2013-08-09 09:53:30 +02:00
unlink ( " cacertchain-ctx.pem " ) ;
2013-08-06 12:31:20 +01:00
2013-08-08 23:08:25 +01:00
testTLSCleanup ( KEYFILE ) ;
2011-07-20 19:04:18 +01:00
2014-03-17 10:38:38 +01:00
return ret = = 0 ? EXIT_SUCCESS : EXIT_FAILURE ;
2011-07-20 19:04:18 +01:00
}
VIR_TEST_MAIN ( mymain ) ;
# else
int
2011-07-28 17:48:12 +02:00
main ( void )
2011-07-20 19:04:18 +01:00
{
2011-07-28 17:48:12 +02:00
return EXIT_AM_SKIP ;
2011-07-20 19:04:18 +01:00
}
# endif