From: Eric Blake <eblake@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Daniel P. Berrangé" <berrange@redhat.com>,
"Kevin Wolf" <kwolf@redhat.com>, "Max Reitz" <mreitz@redhat.com>,
"open list:Block layer core" <qemu-block@nongnu.org>
Subject: [Qemu-devel] [PULL 09/12] tests: add iotests helpers for dealing with TLS certificates
Date: Mon, 19 Nov 2018 11:54:24 -0600 [thread overview]
Message-ID: <20181119175427.2298497-10-eblake@redhat.com> (raw)
In-Reply-To: <20181119175427.2298497-1-eblake@redhat.com>
From: Daniel P. Berrangé <berrange@redhat.com>
Add helpers to common.tls for creating TLS certificates for a CA,
server and client.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20181116155325.22428-6-berrange@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
[eblake: spelling and quoting touchups]
Signed-off-by: Eric Blake <eblake@redhat.com>
---
tests/qemu-iotests/common.tls | 137 ++++++++++++++++++++++++++++++++++
1 file changed, 137 insertions(+)
create mode 100644 tests/qemu-iotests/common.tls
diff --git a/tests/qemu-iotests/common.tls b/tests/qemu-iotests/common.tls
new file mode 100644
index 00000000000..cecab269ec6
--- /dev/null
+++ b/tests/qemu-iotests/common.tls
@@ -0,0 +1,137 @@
+#!/bin/bash
+#
+# Helpers for TLS related config
+#
+# Copyright (C) 2018 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+tls_dir="${TEST_DIR}/tls"
+
+function tls_x509_cleanup()
+{
+ rm -f "${tls_dir}"/*.pem
+ rm -f "${tls_dir}"/*/*.pem
+ rmdir "${tls_dir}"/*
+ rmdir "${tls_dir}"
+}
+
+
+function tls_x509_init()
+{
+ mkdir -p "${tls_dir}"
+
+ # use a fixed key so we don't waste system entropy on
+ # each test run
+ cat > "${tls_dir}/key.pem" <<EOF
+-----BEGIN PRIVATE KEY-----
+MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBALVcr
+BL40Tm6yq88FBhJNw1aaoCjmtg0l4dWQZ/e9Fimx4ARxFpT+ji4FE
+Cgl9s/SGqC+1nvlkm9ViSo0j7MKDbnDB+VRHDvMAzQhA2X7e8M0n9
+rPolUY2lIVC83q0BBaOBkCj2RSmT2xTEbbC2xLukSrg2WP/ihVOxc
+kXRuyFtzAgMBAAECgYB7slBexDwXrtItAMIH6m/U+LUpNe0Xx48OL
+IOn4a4whNgO/o84uIwygUK27ZGFZT0kAGAk8CdF9hA6ArcbQ62s1H
+myxrUbF9/mrLsQw1NEqpuUk9Ay2Tx5U/wPx35S3W/X2AvR/ZpTnCn
+2q/7ym9fyiSoj86drD7BTvmKXlOnOwQJBAPOFMp4mMa9NGpGuEssO
+m3Uwbp6lhcP0cA9MK+iOmeANpoKWfBdk5O34VbmeXnGYWEkrnX+9J
+bM4wVhnnBWtgBMCQQC+qAEmvwcfhauERKYznMVUVksyeuhxhCe7EK
+mPh+U2+g0WwdKvGDgO0PPt1gq0ILEjspMDeMHVdTwkaVBo/uMhAkA
+Z5SsZyCP2aTOPFDypXRdI4eqRcjaEPOUBq27r3uYb/jeboVb2weLa
+L1MmVuHiIHoa5clswPdWVI2y0em2IGoDAkBPSp/v9VKJEZabk9Frd
+a+7u4fanrM9QrEjY3KhduslSilXZZSxrWjjAJPyPiqFb3M8XXA26W
+nz1KYGnqYKhLcBAkB7dt57n9xfrhDpuyVEv+Uv1D3VVAhZlsaZ5Pp
+dcrhrkJn2sa/+O8OKvdrPSeeu/N5WwYhJf61+CPoenMp7IFci
+-----END PRIVATE KEY-----
+EOF
+}
+
+
+function tls_x509_create_root_ca()
+{
+ name=${1:-ca-cert}
+
+ cat > "${tls_dir}/ca.info" <<EOF
+cn = Cthulhu Dark Lord Enterprises $name
+ca
+cert_signing_key
+EOF
+
+ certtool --generate-self-signed \
+ --load-privkey "${tls_dir}/key.pem" \
+ --template "${tls_dir}/ca.info" \
+ --outfile "${tls_dir}/$name-cert.pem" 2>&1 | head -1
+
+ rm -f "${tls_dir}/ca.info"
+}
+
+
+function tls_x509_create_server()
+{
+ caname=$1
+ name=$2
+
+ mkdir -p "${tls_dir}/$name"
+ cat > "${tls_dir}/cert.info" <<EOF
+organization = Cthulhu Dark Lord Enterprises $name
+cn = localhost
+dns_name = localhost
+dns_name = localhost.localdomain
+ip_address = 127.0.0.1
+ip_address = ::1
+tls_www_server
+encryption_key
+signing_key
+EOF
+
+ certtool --generate-certificate \
+ --load-ca-privkey "${tls_dir}/key.pem" \
+ --load-ca-certificate "${tls_dir}/$caname-cert.pem" \
+ --load-privkey "${tls_dir}/key.pem" \
+ --template "${tls_dir}/cert.info" \
+ --outfile "${tls_dir}/$name/server-cert.pem" 2>&1 | head -1
+ ln -s "${tls_dir}/$caname-cert.pem" "${tls_dir}/$name/ca-cert.pem"
+ ln -s "${tls_dir}/key.pem" "${tls_dir}/$name/server-key.pem"
+
+ rm -f "${tls_dir}/cert.info"
+}
+
+
+function tls_x509_create_client()
+{
+ caname=$1
+ name=$2
+
+ mkdir -p "${tls_dir}/$name"
+ cat > "${tls_dir}/cert.info" <<EOF
+country = South Pacific
+locality = R'lyeh
+organization = Cthulhu Dark Lord Enterprises $name
+cn = localhost
+tls_www_client
+encryption_key
+signing_key
+EOF
+
+ certtool --generate-certificate \
+ --load-ca-privkey "${tls_dir}/key.pem" \
+ --load-ca-certificate "${tls_dir}/$caname-cert.pem" \
+ --load-privkey "${tls_dir}/key.pem" \
+ --template "${tls_dir}/cert.info" \
+ --outfile "${tls_dir}/$name/client-cert.pem" 2>&1 | head -1
+ ln -s "${tls_dir}/$caname-cert.pem" "${tls_dir}/$name/ca-cert.pem"
+ ln -s "${tls_dir}/key.pem" "${tls_dir}/$name/client-key.pem"
+
+ rm -f "${tls_dir}/cert.info"
+}
--
2.17.2
next prev parent reply other threads:[~2018-11-19 17:54 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-19 17:54 [Qemu-devel] [PULL 00/12] NBD patches for 3.1-rc2 Eric Blake
2018-11-19 17:54 ` [Qemu-devel] [PULL 01/12] qemu-iotests: remove unused variable 'here' Eric Blake
2018-11-19 17:54 ` [Qemu-devel] [PULL 02/12] qemu-iotests: convert `pwd` and $(pwd) to $PWD Eric Blake
2018-11-19 17:54 ` [Qemu-devel] [PULL 03/12] qemu-iotests: Modern shell scripting (use $() instead of ``) Eric Blake
2018-11-19 17:54 ` [Qemu-devel] [PULL 04/12] nbd: fix whitespace in server error message Eric Blake
2018-11-19 17:54 ` [Qemu-devel] [PULL 05/12] nbd/server: Ignore write errors when replying to NBD_OPT_ABORT Eric Blake
2018-11-19 17:54 ` [Qemu-devel] [PULL 06/12] io: return 0 for EOF in TLS session read after shutdown Eric Blake
2018-11-19 17:54 ` [Qemu-devel] [PULL 07/12] tests: pull qemu-nbd iotest helpers into common.nbd file Eric Blake
2018-11-19 17:54 ` [Qemu-devel] [PULL 08/12] tests: check if qemu-nbd is still alive before waiting Eric Blake
2018-11-19 17:54 ` Eric Blake [this message]
2018-11-19 17:54 ` [Qemu-devel] [PULL 10/12] tests: exercise NBD server in TLS mode Eric Blake
2018-11-19 17:54 ` [Qemu-devel] [PULL 11/12] iotests: Also test I/O over NBD TLS Eric Blake
2018-11-19 17:54 ` [Qemu-devel] [PULL 12/12] iotests: Drop use of bash keyword 'function' Eric Blake
2018-11-20 10:20 ` [Qemu-devel] [PULL 00/12] NBD patches for 3.1-rc2 Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181119175427.2298497-10-eblake@redhat.com \
--to=eblake@redhat.com \
--cc=berrange@redhat.com \
--cc=kwolf@redhat.com \
--cc=mreitz@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).