Re: [Qemu-devel] [PATCH 5/6] tests: add iotests helpers for dealing with TLS certificates

["Daniel P. Berrangé" <berrange@redhat.com>]

On Fri, Nov 16, 2018 at 10:39:03AM -0600, Eric Blake wrote:
> On 11/16/18 9:53 AM, Daniel P. Berrangé wrote:
> > Add helpers to common.tls for creating TLS certificates for a CA,
> > server and client.
> 
> MUCH appreciated!  We NEED this coverage, easily automated.
> 
> > 
> > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> > ---
> >   tests/qemu-iotests/common.tls | 139 ++++++++++++++++++++++++++++++++++
> >   1 file changed, 139 insertions(+)
> >   create mode 100644 tests/qemu-iotests/common.tls
> > 
> > diff --git a/tests/qemu-iotests/common.tls b/tests/qemu-iotests/common.tls
> > new file mode 100644
> 
> I was a bit surprised that this wasn't 100755, but this matches the fact
> that none of the other common.* are executable. And after thinking more, it
> makes sense - they aren't standalone scripts, but designed to be sourced,
> and 'source' doesn't care about execute bits.
> 
> > +tls_dir="${TEST_DIR}/tls"
> > +
> > +function tls_x509_cleanup()
> > +{
> > +    rm -f ${tls_dir}/*.pem
> > +    rm -f ${tls_dir}/*/*.pem
> > +    rmdir ${tls_dir}/*
> > +    rmdir ${tls_dir}
> 
> Why not just:
> rm -rf $tls_dir

Yeah, I guess we could do that for simplicity

> Also, the quoting is a bit inconsistent. if ${TEST_DIR} can contain spaces,
> then all uses of ${tls_dir} need to be in "".

Hmm, yes.

> > +}
> > +
> > +
> > +function tls_x509_init()
> > +{
> > +    mkdir "${tls_dir}"
> 
> And this just highlights the quoting inconsistency.  Should this use mkdir
> -p?

I assume $TEST_DIR would already exist, so wouldn't need -p.

> > +
> > +function tls_x509_create_root_ca()
> > +{
> > +    name=$1
> > +
> > +    test -z "$name" && name=ca-cert
> 
> Could also be shortened as:
> 
> name=${1:-ca-cert}

ok

> > +
> > +    cat > ${tls_dir}/ca.info <<EOF
> > +cn = Cthulu Dark Lord Enterprises $name
> 
> s/Cthulu/Cthulhu/ - after all, we don't want him coming after us just
> because we botched the spelling of his name :)
> 
> > +ca
> > +cert_signing_key
> > +EOF
> > +
> > +    certtool --generate-self-signed \
> > +             --load-privkey ${tls_dir}/key.pem \
> > +             --template ${tls_dir}/ca.info \
> > +             --outfile ${tls_dir}/$name-cert.pem 2>&1 | head -1
> 
> More missing ""
> 
> > +
> > +    rm -f ${tls_dir}/ca.info
> > +}
> > +
> > +
> > +function tls_x509_create_server()
> > +{
> > +    caname=$1
> > +    name=$2
> > +
> > +    mkdir ${tls_dir}/$name
> > +    cat > ${tls_dir}/cert.info <<EOF
> > +organization = Cthulu Dark Lord Enterprises $name
> 
> Matched spelling
> 
> > +function tls_x509_create_client()
> > +{
> > +    caname=$1
> > +    name=$2
> > +
> > +    mkdir ${tls_dir}/$name
> > +    cat > ${tls_dir}/cert.info <<EOF
> > +country = South Pacific
> > +locality =  R'lyeh
> > +organization = Cthulu Dark Lord Enterprises $name
> 
> And again
> 
> Needs several touch-ups, but the idea itself is sound.

Yes will fix

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|