On Fri, Nov 16, 2018 at 10:39:03AM -0600, Eric Blake wrote: > On 11/16/18 9:53 AM, Daniel P. Berrangé wrote: > > Add helpers to common.tls for creating TLS certificates for a CA, > > server and client. > > MUCH appreciated! We NEED this coverage, easily automated. > > > > > Signed-off-by: Daniel P. Berrangé <berra...@redhat.com> > > --- > > tests/qemu-iotests/common.tls | 139 ++++++++++++++++++++++++++++++++++ > > 1 file changed, 139 insertions(+) > > create mode 100644 tests/qemu-iotests/common.tls > > > > diff --git a/tests/qemu-iotests/common.tls b/tests/qemu-iotests/common.tls > > new file mode 100644 > > I was a bit surprised that this wasn't 100755, but this matches the fact > that none of the other common.* are executable. And after thinking more, it > makes sense - they aren't standalone scripts, but designed to be sourced, > and 'source' doesn't care about execute bits. > > > +tls_dir="${TEST_DIR}/tls" > > + > > +function tls_x509_cleanup() > > +{ > > + rm -f ${tls_dir}/*.pem > > + rm -f ${tls_dir}/*/*.pem > > + rmdir ${tls_dir}/* > > + rmdir ${tls_dir} > > Why not just: > rm -rf $tls_dir
Yeah, I guess we could do that for simplicity > Also, the quoting is a bit inconsistent. if ${TEST_DIR} can contain spaces, > then all uses of ${tls_dir} need to be in "". Hmm, yes. > > +} > > + > > + > > +function tls_x509_init() > > +{ > > + mkdir "${tls_dir}" > > And this just highlights the quoting inconsistency. Should this use mkdir > -p? I assume $TEST_DIR would already exist, so wouldn't need -p. > > + > > +function tls_x509_create_root_ca() > > +{ > > + name=$1 > > + > > + test -z "$name" && name=ca-cert > > Could also be shortened as: > > name=${1:-ca-cert} ok > > + > > + cat > ${tls_dir}/ca.info <<EOF > > +cn = Cthulu Dark Lord Enterprises $name > > s/Cthulu/Cthulhu/ - after all, we don't want him coming after us just > because we botched the spelling of his name :) > > > +ca > > +cert_signing_key > > +EOF > > + > > + certtool --generate-self-signed \ > > + --load-privkey ${tls_dir}/key.pem \ > > + --template ${tls_dir}/ca.info \ > > + --outfile ${tls_dir}/$name-cert.pem 2>&1 | head -1 > > More missing "" > > > + > > + rm -f ${tls_dir}/ca.info > > +} > > + > > + > > +function tls_x509_create_server() > > +{ > > + caname=$1 > > + name=$2 > > + > > + mkdir ${tls_dir}/$name > > + cat > ${tls_dir}/cert.info <<EOF > > +organization = Cthulu Dark Lord Enterprises $name > > Matched spelling > > > +function tls_x509_create_client() > > +{ > > + caname=$1 > > + name=$2 > > + > > + mkdir ${tls_dir}/$name > > + cat > ${tls_dir}/cert.info <<EOF > > +country = South Pacific > > +locality = R'lyeh > > +organization = Cthulu Dark Lord Enterprises $name > > And again > > Needs several touch-ups, but the idea itself is sound. Yes will fix Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
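Review bot: The tls_dir="${TEST_DIR}/tls" assignment and tls_x509_cleanup have no guard against TEST_DIR being empty or unset, in which case tls_dir expands to /tls and the cleanup deletes under that path. This matters more if the body is collapsed to a single 'rm -rf' as suggested in the reply. Suggest tls_dir="${TEST_DIR:?}/tls" so the script aborts on an empty value, and quoting "${tls_dir}" in every rm/rmdir call.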
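Review bot: In tls_x509_create_root_ca, the 'certtool --generate-self-signed ... 2>&1 | head -1' pipeline returns the exit status of head, so a certtool failure goes unnoticed and the test carries on without a usable CA certificate. Keeping only the first line of output also drops whatever diagnostic certtool printed after it. Suggest checking ${PIPESTATUS[0]} (or enabling pipefail around the call) and failing the test when certtool returns non-zero.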
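Review bot: In tls_x509_create_root_ca, tls_x509_create_server and tls_x509_create_client, name and caname are assigned without 'local'. Because common.tls is sourced rather than executed, these assignments overwrite any variable of the same name in the calling test. Suggest 'local name=${1:-ca-cert}' in the CA helper and 'local caname=$1' / 'local name=$2' in the server and client helpers.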