Add helpers to common.tls for creating TLS certificates for a CA, server and client.
Signed-off-by: Daniel P. Berrangé <berra...@redhat.com> --- tests/qemu-iotests/common.tls | 139 ++++++++++++++++++++++++++++++++++ 1 file changed, 139 insertions(+) create mode 100644 tests/qemu-iotests/common.tls diff --git a/tests/qemu-iotests/common.tls b/tests/qemu-iotests/common.tls new file mode 100644 index 0000000000..6178ca5764 --- /dev/null +++ b/tests/qemu-iotests/common.tls @@ -0,0 +1,139 @@ +#!/bin/bash +# +# Helpers for TLS related config +# +# Copyright (C) 2018 Red Hat, Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +tls_dir="${TEST_DIR}/tls" + +function tls_x509_cleanup() +{ + rm -f ${tls_dir}/*.pem + rm -f ${tls_dir}/*/*.pem + rmdir ${tls_dir}/* + rmdir ${tls_dir} +} + + +function tls_x509_init() +{ + mkdir "${tls_dir}" + + # use a fixed key so we don't waste system entropy on + # each test run + cat > ${tls_dir}/key.pem <<EOF +-----BEGIN PRIVATE KEY----- +MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBALVcr +BL40Tm6yq88FBhJNw1aaoCjmtg0l4dWQZ/e9Fimx4ARxFpT+ji4FE +Cgl9s/SGqC+1nvlkm9ViSo0j7MKDbnDB+VRHDvMAzQhA2X7e8M0n9 +rPolUY2lIVC83q0BBaOBkCj2RSmT2xTEbbC2xLukSrg2WP/ihVOxc +kXRuyFtzAgMBAAECgYB7slBexDwXrtItAMIH6m/U+LUpNe0Xx48OL +IOn4a4whNgO/o84uIwygUK27ZGFZT0kAGAk8CdF9hA6ArcbQ62s1H +myxrUbF9/mrLsQw1NEqpuUk9Ay2Tx5U/wPx35S3W/X2AvR/ZpTnCn +2q/7ym9fyiSoj86drD7BTvmKXlOnOwQJBAPOFMp4mMa9NGpGuEssO +m3Uwbp6lhcP0cA9MK+iOmeANpoKWfBdk5O34VbmeXnGYWEkrnX+9J +bM4wVhnnBWtgBMCQQC+qAEmvwcfhauERKYznMVUVksyeuhxhCe7EK +mPh+U2+g0WwdKvGDgO0PPt1gq0ILEjspMDeMHVdTwkaVBo/uMhAkA +Z5SsZyCP2aTOPFDypXRdI4eqRcjaEPOUBq27r3uYb/jeboVb2weLa +L1MmVuHiIHoa5clswPdWVI2y0em2IGoDAkBPSp/v9VKJEZabk9Frd +a+7u4fanrM9QrEjY3KhduslSilXZZSxrWjjAJPyPiqFb3M8XXA26W +nz1KYGnqYKhLcBAkB7dt57n9xfrhDpuyVEv+Uv1D3VVAhZlsaZ5Pp +dcrhrkJn2sa/+O8OKvdrPSeeu/N5WwYhJf61+CPoenMp7IFci +-----END PRIVATE KEY----- +EOF +} + + +function tls_x509_create_root_ca() +{ + name=$1 + + test -z "$name" && name=ca-cert + + cat > ${tls_dir}/ca.info <<EOF +cn = Cthulu Dark Lord Enterprises $name +ca +cert_signing_key +EOF + + certtool --generate-self-signed \ + --load-privkey ${tls_dir}/key.pem \ + --template ${tls_dir}/ca.info \ + --outfile ${tls_dir}/$name-cert.pem 2>&1 | head -1 + + rm -f ${tls_dir}/ca.info +} + + +function tls_x509_create_server() +{ + caname=$1 + name=$2 + + mkdir ${tls_dir}/$name + cat > ${tls_dir}/cert.info <<EOF +organization = Cthulu Dark Lord Enterprises $name +cn = localhost +dns_name = localhost +dns_name = localhost.localdomain +ip_address = 127.0.0.1 +ip_address = ::1 +tls_www_server +encryption_key +signing_key +EOF + + certtool --generate-certificate \ + --load-ca-privkey ${tls_dir}/key.pem \ + --load-ca-certificate ${tls_dir}/$caname-cert.pem \ + --load-privkey ${tls_dir}/key.pem \ + --template ${tls_dir}/cert.info \ + --outfile ${tls_dir}/$name/server-cert.pem 2>&1 | head -1 + ln -s ${tls_dir}/$caname-cert.pem ${tls_dir}/$name/ca-cert.pem + ln -s ${tls_dir}/key.pem ${tls_dir}/$name/server-key.pem + + rm -f ${tls_dir}/cert.info +} + + +function tls_x509_create_client() +{ + caname=$1 + name=$2 + + mkdir ${tls_dir}/$name + cat > ${tls_dir}/cert.info <<EOF +country = South Pacific +locality = R'lyeh +organization = Cthulu Dark Lord Enterprises $name +cn = localhost +tls_www_client +encryption_key +signing_key +EOF + + certtool --generate-certificate \ + --load-ca-privkey ${tls_dir}/key.pem \ + --load-ca-certificate ${tls_dir}/$caname-cert.pem \ + --load-privkey ${tls_dir}/key.pem \ + --template ${tls_dir}/cert.info \ + --outfile ${tls_dir}/$name/client-cert.pem 2>&1 | head -1 + ln -s ${tls_dir}/$caname-cert.pem ${tls_dir}/$name/ca-cert.pem + ln -s ${tls_dir}/key.pem ${tls_dir}/$name/client-key.pem + + rm -f ${tls_dir}/cert.info +} -- 2.19.1