You need to sign in or sign up before continuing.
提交 90811c59 编写于 作者: D Daniel P. Berrange

Avoid re-generating certs every time

Currently every test case in the TLS test suite generates the
certs fresh. This is a waste of time, since its parameters
don't change across test cases. Create certs once in main
method.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
上级 236da82d
...@@ -62,10 +62,6 @@ static int testTLSContextInit(const void *opaque) ...@@ -62,10 +62,6 @@ static int testTLSContextInit(const void *opaque)
virNetTLSContextPtr ctxt = NULL; virNetTLSContextPtr ctxt = NULL;
int ret = -1; int ret = -1;
testTLSGenerateCert(&data->careq);
data->certreq.cacrt = data->careq.crt;
testTLSGenerateCert(&data->certreq);
if (data->isServer) { if (data->isServer) {
ctxt = virNetTLSContextNewServer(data->careq.filename, ctxt = virNetTLSContextNewServer(data->careq.filename,
NULL, NULL,
...@@ -103,8 +99,6 @@ static int testTLSContextInit(const void *opaque) ...@@ -103,8 +99,6 @@ static int testTLSContextInit(const void *opaque)
cleanup: cleanup:
virObjectUnref(ctxt); virObjectUnref(ctxt);
testTLSDiscardCert(&data->careq);
testTLSDiscardCert(&data->certreq);
return ret; return ret;
} }
...@@ -124,38 +118,54 @@ mymain(void) ...@@ -124,38 +118,54 @@ mymain(void)
data.careq = _caReq; \ data.careq = _caReq; \
data.certreq = _certReq; \ data.certreq = _certReq; \
data.expectFail = _expectFail; \ data.expectFail = _expectFail; \
if (virtTestRun("TLS Context", 1, testTLSContextInit, &data) < 0) \ if (virtTestRun("TLS Context " #_caReq " + " #_certReq, 1, \
testTLSContextInit, &data) < 0) \
ret = -1; \ ret = -1; \
} while (0) } while (0)
# define TLS_CERT_REQ(varname, cavarname, \
co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo) \
static struct testTLSCertReq varname = { \
NULL, #varname ".pem", \
co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo \
}; \
testTLSGenerateCert(&varname, cavarname.crt)
# define TLS_ROOT_REQ(varname, \
co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo) \
static struct testTLSCertReq varname = { \
NULL, #varname ".pem", \
co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo \
}; \
testTLSGenerateCert(&varname, NULL)
/* A perfect CA, perfect client & perfect server */ /* A perfect CA, perfect client & perfect server */
/* Basic:CA:critical */ /* Basic:CA:critical */
static struct testTLSCertReq cacertreq = { TLS_ROOT_REQ(cacertreq,
NULL, NULL, "cacert.pem", "UK", "UK", "libvirt CA", NULL, NULL, NULL, NULL,
"libvirt CA", NULL, NULL, NULL, NULL,
true, true, true, true, true, true,
true, true, GNUTLS_KEY_KEY_CERT_SIGN, true, true, GNUTLS_KEY_KEY_CERT_SIGN,
false, false, NULL, NULL, false, false, NULL, NULL,
0, 0, 0, 0);
};
static struct testTLSCertReq servercertreq = { TLS_CERT_REQ(servercertreq, cacertreq,
NULL, NULL, "servercert.pem", "UK", "UK", "libvirt.org", NULL, NULL, NULL, NULL,
"libvirt.org", NULL, NULL, NULL, NULL,
true, true, false, true, true, false,
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, 0, 0, 0);
}; TLS_CERT_REQ(clientcertreq, cacertreq,
static struct testTLSCertReq clientcertreq = { "UK", "libvirt", NULL, NULL, NULL, NULL,
NULL, NULL, "clientcert.pem", "UK",
"libvirt", NULL, NULL, NULL, NULL,
true, true, false, true, true, false,
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
0, 0, 0, 0);
};
DO_CTX_TEST(true, cacertreq, servercertreq, false); DO_CTX_TEST(true, cacertreq, servercertreq, false);
DO_CTX_TEST(false, cacertreq, clientcertreq, false); DO_CTX_TEST(false, cacertreq, clientcertreq, false);
...@@ -164,249 +174,241 @@ mymain(void) ...@@ -164,249 +174,241 @@ mymain(void)
/* Some other CAs which are good */ /* Some other CAs which are good */
/* Basic:CA:critical */ /* Basic:CA:critical */
static struct testTLSCertReq cacert1req = { TLS_ROOT_REQ(cacert1req,
NULL, NULL, "cacert1.pem", "UK", "UK", "libvirt CA 1", NULL, NULL, NULL, NULL,
"libvirt CA 1", NULL, NULL, NULL, NULL,
true, true, true, true, true, true,
false, false, 0, false, false, 0,
false, false, NULL, NULL, false, false, NULL, NULL,
0, 0, 0, 0);
}; TLS_CERT_REQ(servercert1req, cacert1req,
"UK", "libvirt.org", NULL, NULL, NULL, NULL,
true, true, false,
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, 0);
/* Basic:CA:not-critical */ /* Basic:CA:not-critical */
static struct testTLSCertReq cacert2req = { TLS_ROOT_REQ(cacert2req,
NULL, NULL, "cacert2.pem", "UK", "UK", "libvirt CA 2", NULL, NULL, NULL, NULL,
"libvirt CA 2", NULL, NULL, NULL, NULL,
true, false, true, true, false, true,
false, false, 0, false, false, 0,
false, false, NULL, NULL, false, false, NULL, NULL,
0, 0, 0, 0);
}; TLS_CERT_REQ(servercert2req, cacert2req,
"UK", "libvirt.org", NULL, NULL, NULL, NULL,
true, true, false,
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, 0);
/* Key usage:cert-sign:critical */ /* Key usage:cert-sign:critical */
static struct testTLSCertReq cacert3req = { TLS_ROOT_REQ(cacert3req,
NULL, NULL, "cacert3.pem", "UK", "UK", "libvirt CA 3", NULL, NULL, NULL, NULL,
"libvirt CA 3", NULL, NULL, NULL, NULL,
true, true, true, true, true, true,
true, true, GNUTLS_KEY_KEY_CERT_SIGN, true, true, GNUTLS_KEY_KEY_CERT_SIGN,
false, false, NULL, NULL, false, false, NULL, NULL,
0, 0, 0, 0);
}; TLS_CERT_REQ(servercert3req, cacert3req,
"UK", "libvirt.org", NULL, NULL, NULL, NULL,
true, true, false,
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, 0);
DO_CTX_TEST(true, cacert1req, servercertreq, false); DO_CTX_TEST(true, cacert1req, servercert1req, false);
DO_CTX_TEST(true, cacert2req, servercertreq, false); DO_CTX_TEST(true, cacert2req, servercert2req, false);
DO_CTX_TEST(true, cacert3req, servercertreq, false); DO_CTX_TEST(true, cacert3req, servercert3req, false);
/* Now some bad certs */ /* Now some bad certs */
/* Key usage:dig-sig:not-critical */ /* Key usage:dig-sig:not-critical */
static struct testTLSCertReq cacert4req = { TLS_ROOT_REQ(cacert4req,
NULL, NULL, "cacert4.pem", "UK", "UK", "libvirt CA 4", NULL, NULL, NULL, NULL,
"libvirt CA 4", NULL, NULL, NULL, NULL,
true, true, true, true, true, true,
true, false, GNUTLS_KEY_DIGITAL_SIGNATURE, true, false, GNUTLS_KEY_DIGITAL_SIGNATURE,
false, false, NULL, NULL, false, false, NULL, NULL,
0, 0, 0, 0);
}; TLS_CERT_REQ(servercert4req, cacert4req,
"UK", "libvirt.org", NULL, NULL, NULL, NULL,
true, true, false,
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, 0);
/* no-basic */ /* no-basic */
static struct testTLSCertReq cacert5req = { TLS_ROOT_REQ(cacert5req,
NULL, NULL, "cacert5.pem", "UK", "UK", "libvirt CA 5", NULL, NULL, NULL, NULL,
"libvirt CA 5", NULL, NULL, NULL, NULL,
false, false, false, false, false, false,
false, false, 0, false, false, 0,
false, false, NULL, NULL, false, false, NULL, NULL,
0, 0, 0, 0);
}; TLS_CERT_REQ(servercert5req, cacert5req,
"UK", "libvirt.org", NULL, NULL, NULL, NULL,
true, true, false,
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, 0);
/* Key usage:dig-sig:critical */ /* Key usage:dig-sig:critical */
static struct testTLSCertReq cacert6req = { TLS_ROOT_REQ(cacert6req,
NULL, NULL, "cacert6.pem", "UK", "UK", "libvirt CA 6", NULL, NULL, NULL, NULL,
"libvirt CA 6", NULL, NULL, NULL, NULL,
true, true, true, true, true, true,
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
false, false, NULL, NULL, false, false, NULL, NULL,
0, 0, 0, 0);
}; TLS_CERT_REQ(servercert6req, cacert6req,
"UK", "libvirt.org", NULL, NULL, NULL, NULL,
true, true, false,
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, 0);
/* Technically a CA cert with basic constraints /* Technically a CA cert with basic constraints
* key purpose == key signing + non-critical should * key purpose == key signing + non-critical should
* be rejected. GNUTLS < 3 does not reject it and * be rejected. GNUTLS < 3 does not reject it and
* we don't anticipate them changing this behaviour * we don't anticipate them changing this behaviour
*/ */
DO_CTX_TEST(true, cacert4req, servercertreq, GNUTLS_VERSION_MAJOR >= 3); DO_CTX_TEST(true, cacert4req, servercert4req, GNUTLS_VERSION_MAJOR >= 3);
DO_CTX_TEST(true, cacert5req, servercertreq, true); DO_CTX_TEST(true, cacert5req, servercert5req, true);
DO_CTX_TEST(true, cacert6req, servercertreq, true); DO_CTX_TEST(true, cacert6req, servercert6req, true);
/* Various good servers */ /* Various good servers */
/* no usage or purpose */ /* no usage or purpose */
static struct testTLSCertReq servercert1req = { TLS_CERT_REQ(servercert7req, cacertreq,
NULL, NULL, "servercert1.pem", "UK", "UK", "libvirt", NULL, NULL, NULL, NULL,
"libvirt", NULL, NULL, NULL, NULL,
true, true, false, true, true, false,
false, false, 0, false, false, 0,
false, false, NULL, NULL, false, false, NULL, NULL,
0, 0, 0, 0);
};
/* usage:cert-sign+dig-sig+encipher:critical */ /* usage:cert-sign+dig-sig+encipher:critical */
static struct testTLSCertReq servercert2req = { TLS_CERT_REQ(servercert8req, cacertreq,
NULL, NULL, "servercert2.pem", "UK", "UK", "libvirt", NULL, NULL, NULL, NULL,
"libvirt", NULL, NULL, NULL, NULL,
true, true, false, true, true, false,
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_KEY_CERT_SIGN, true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_KEY_CERT_SIGN,
false, false, NULL, NULL, false, false, NULL, NULL,
0, 0, 0, 0);
};
/* usage:cert-sign:not-critical */ /* usage:cert-sign:not-critical */
static struct testTLSCertReq servercert3req = { TLS_CERT_REQ(servercert9req, cacertreq,
NULL, NULL, "servercert3.pem", "UK", "UK", "libvirt", NULL, NULL, NULL, NULL,
"libvirt", NULL, NULL, NULL, NULL,
true, true, false, true, true, false,
true, false, GNUTLS_KEY_KEY_CERT_SIGN, true, false, GNUTLS_KEY_KEY_CERT_SIGN,
false, false, NULL, NULL, false, false, NULL, NULL,
0, 0, 0, 0);
};
/* purpose:server:critical */ /* purpose:server:critical */
static struct testTLSCertReq servercert4req = { TLS_CERT_REQ(servercert10req, cacertreq,
NULL, NULL, "servercert4.pem", "UK", "UK", "libvirt", NULL, NULL, NULL, NULL,
"libvirt", NULL, NULL, NULL, NULL,
true, true, false, true, true, false,
false, false, 0, false, false, 0,
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, 0, 0, 0);
};
/* purpose:server:not-critical */ /* purpose:server:not-critical */
static struct testTLSCertReq servercert5req = { TLS_CERT_REQ(servercert11req, cacertreq,
NULL, NULL, "servercert5.pem", "UK", "UK", "libvirt", NULL, NULL, NULL, NULL,
"libvirt", NULL, NULL, NULL, NULL,
true, true, false, true, true, false,
false, false, 0, false, false, 0,
true, false, GNUTLS_KP_TLS_WWW_SERVER, NULL, true, false, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, 0, 0, 0);
};
/* purpose:client+server:critical */ /* purpose:client+server:critical */
static struct testTLSCertReq servercert6req = { TLS_CERT_REQ(servercert12req, cacertreq,
NULL, NULL, "servercert6.pem", "UK", "UK", "libvirt", NULL, NULL, NULL, NULL,
"libvirt", NULL, NULL, NULL, NULL,
true, true, false, true, true, false,
false, false, 0, false, false, 0,
true, true, GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER, true, true, GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
0, 0, 0, 0);
};
/* purpose:client+server:not-critical */ /* purpose:client+server:not-critical */
static struct testTLSCertReq servercert7req = { TLS_CERT_REQ(servercert13req, cacertreq,
NULL, NULL, "servercert7.pem", "UK", "UK", "libvirt", NULL, NULL, NULL, NULL,
"libvirt", NULL, NULL, NULL, NULL,
true, true, false, true, true, false,
false, false, 0, false, false, 0,
true, false, GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER, true, false, GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
0, 0, 0, 0);
};
DO_CTX_TEST(true, cacertreq, servercert1req, false);
DO_CTX_TEST(true, cacertreq, servercert2req, false);
DO_CTX_TEST(true, cacertreq, servercert3req, false);
DO_CTX_TEST(true, cacertreq, servercert4req, false);
DO_CTX_TEST(true, cacertreq, servercert5req, false);
DO_CTX_TEST(true, cacertreq, servercert6req, false);
DO_CTX_TEST(true, cacertreq, servercert7req, false); DO_CTX_TEST(true, cacertreq, servercert7req, false);
DO_CTX_TEST(true, cacertreq, servercert8req, false);
DO_CTX_TEST(true, cacertreq, servercert9req, false);
DO_CTX_TEST(true, cacertreq, servercert10req, false);
DO_CTX_TEST(true, cacertreq, servercert11req, false);
DO_CTX_TEST(true, cacertreq, servercert12req, false);
DO_CTX_TEST(true, cacertreq, servercert13req, false);
/* Bad servers */ /* Bad servers */
/* usage:cert-sign:critical */ /* usage:cert-sign:critical */
static struct testTLSCertReq servercert8req = { TLS_CERT_REQ(servercert14req, cacertreq,
NULL, NULL, "servercert8.pem", "UK", "UK", "libvirt", NULL, NULL, NULL, NULL,
"libvirt", NULL, NULL, NULL, NULL,
true, true, false, true, true, false,
true, true, GNUTLS_KEY_KEY_CERT_SIGN, true, true, GNUTLS_KEY_KEY_CERT_SIGN,
false, false, NULL, NULL, false, false, NULL, NULL,
0, 0, 0, 0);
};
/* purpose:client:critical */ /* purpose:client:critical */
static struct testTLSCertReq servercert9req = { TLS_CERT_REQ(servercert15req, cacertreq,
NULL, NULL, "servercert9.pem", "UK", "UK", "libvirt", NULL, NULL, NULL, NULL,
"libvirt", NULL, NULL, NULL, NULL,
true, true, false, true, true, false,
false, false, 0, false, false, 0,
true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
0, 0, 0, 0);
};
/* usage: none:critical */ /* usage: none:critical */
static struct testTLSCertReq servercert10req = { TLS_CERT_REQ(servercert16req, cacertreq,
NULL, NULL, "servercert10.pem", "UK", "UK", "libvirt", NULL, NULL, NULL, NULL,
"libvirt", NULL, NULL, NULL, NULL,
true, true, false, true, true, false,
true, true, 0, true, true, 0,
false, false, NULL, NULL, false, false, NULL, NULL,
0, 0, 0, 0);
};
DO_CTX_TEST(true, cacertreq, servercert8req, true); DO_CTX_TEST(true, cacertreq, servercert14req, true);
DO_CTX_TEST(true, cacertreq, servercert9req, true); DO_CTX_TEST(true, cacertreq, servercert15req, true);
DO_CTX_TEST(true, cacertreq, servercert10req, true); DO_CTX_TEST(true, cacertreq, servercert16req, true);
/* Various good clients */ /* Various good clients */
/* no usage or purpose */ /* no usage or purpose */
static struct testTLSCertReq clientcert1req = { TLS_CERT_REQ(clientcert1req, cacertreq,
NULL, NULL, "clientcert1.pem", "UK", "UK", "libvirt", NULL, NULL, NULL, NULL,
"libvirt", NULL, NULL, NULL, NULL,
true, true, false, true, true, false,
false, false, 0, false, false, 0,
false, false, NULL, NULL, false, false, NULL, NULL,
0, 0, 0, 0);
};
/* usage:cert-sign+dig-sig+encipher:critical */ /* usage:cert-sign+dig-sig+encipher:critical */
static struct testTLSCertReq clientcert2req = { TLS_CERT_REQ(clientcert2req, cacertreq,
NULL, NULL, "clientcert2.pem", "UK", "UK", "libvirt", NULL, NULL, NULL, NULL,
"libvirt", NULL, NULL, NULL, NULL,
true, true, false, true, true, false,
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_KEY_CERT_SIGN, true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_KEY_CERT_SIGN,
false, false, NULL, NULL, false, false, NULL, NULL,
0, 0, 0, 0);
};
/* usage:cert-sign:not-critical */ /* usage:cert-sign:not-critical */
static struct testTLSCertReq clientcert3req = { TLS_CERT_REQ(clientcert3req, cacertreq,
NULL, NULL, "clientcert3.pem", "UK", "UK", "libvirt", NULL, NULL, NULL, NULL,
"libvirt", NULL, NULL, NULL, NULL,
true, true, false, true, true, false,
true, false, GNUTLS_KEY_KEY_CERT_SIGN, true, false, GNUTLS_KEY_KEY_CERT_SIGN,
false, false, NULL, NULL, false, false, NULL, NULL,
0, 0, 0, 0);
};
/* purpose:client:critical */ /* purpose:client:critical */
static struct testTLSCertReq clientcert4req = { TLS_CERT_REQ(clientcert4req, cacertreq,
NULL, NULL, "clientcert4.pem", "UK", "UK", "libvirt", NULL, NULL, NULL, NULL,
"libvirt", NULL, NULL, NULL, NULL,
true, true, false, true, true, false,
false, false, 0, false, false, 0,
true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
0, 0, 0, 0);
};
/* purpose:client:not-critical */ /* purpose:client:not-critical */
static struct testTLSCertReq clientcert5req = { TLS_CERT_REQ(clientcert5req, cacertreq,
NULL, NULL, "clientcert5.pem", "UK", "UK", "libvirt", NULL, NULL, NULL, NULL,
"libvirt", NULL, NULL, NULL, NULL,
true, true, false, true, true, false,
false, false, 0, false, false, 0,
true, false, GNUTLS_KP_TLS_WWW_CLIENT, NULL, true, false, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
0, 0, 0, 0);
};
/* purpose:client+client:critical */ /* purpose:client+client:critical */
static struct testTLSCertReq clientcert6req = { TLS_CERT_REQ(clientcert6req, cacertreq,
NULL, NULL, "clientcert6.pem", "UK", "UK", "libvirt", NULL, NULL, NULL, NULL,
"libvirt", NULL, NULL, NULL, NULL,
true, true, false, true, true, false,
false, false, 0, false, false, 0,
true, true, GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER, true, true, GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
0, 0, 0, 0);
};
/* purpose:client+client:not-critical */ /* purpose:client+client:not-critical */
static struct testTLSCertReq clientcert7req = { TLS_CERT_REQ(clientcert7req, cacertreq,
NULL, NULL, "clientcert7.pem", "UK", "UK", "libvirt", NULL, NULL, NULL, NULL,
"libvirt", NULL, NULL, NULL, NULL,
true, true, false, true, true, false,
false, false, 0, false, false, 0,
true, false, GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER, true, false, GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
0, 0, 0, 0);
};
DO_CTX_TEST(false, cacertreq, clientcert1req, false); DO_CTX_TEST(false, cacertreq, clientcert1req, false);
DO_CTX_TEST(false, cacertreq, clientcert2req, false); DO_CTX_TEST(false, cacertreq, clientcert2req, false);
...@@ -418,32 +420,26 @@ mymain(void) ...@@ -418,32 +420,26 @@ mymain(void)
/* Bad clients */ /* Bad clients */
/* usage:cert-sign:critical */ /* usage:cert-sign:critical */
static struct testTLSCertReq clientcert8req = { TLS_CERT_REQ(clientcert8req, cacertreq,
NULL, NULL, "clientcert8.pem", "UK", "UK", "libvirt", NULL, NULL, NULL, NULL,
"libvirt", NULL, NULL, NULL, NULL,
true, true, false, true, true, false,
true, true, GNUTLS_KEY_KEY_CERT_SIGN, true, true, GNUTLS_KEY_KEY_CERT_SIGN,
false, false, NULL, NULL, false, false, NULL, NULL,
0, 0, 0, 0);
};
/* purpose:client:critical */ /* purpose:client:critical */
static struct testTLSCertReq clientcert9req = { TLS_CERT_REQ(clientcert9req, cacertreq,
NULL, NULL, "clientcert9.pem", "UK", "UK", "libvirt", NULL, NULL, NULL, NULL,
"libvirt", NULL, NULL, NULL, NULL,
true, true, false, true, true, false,
false, false, 0, false, false, 0,
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, 0, 0, 0);
};
/* usage: none:critical */ /* usage: none:critical */
static struct testTLSCertReq clientcert10req = { TLS_CERT_REQ(clientcert10req, cacertreq,
NULL, NULL, "clientcert10.pem", "UK", "UK", "libvirt", NULL, NULL, NULL, NULL,
"libvirt", NULL, NULL, NULL, NULL,
true, true, false, true, true, false,
true, true, 0, true, true, 0,
false, false, NULL, NULL, false, false, NULL, NULL,
0, 0, 0, 0);
};
DO_CTX_TEST(false, cacertreq, clientcert8req, true); DO_CTX_TEST(false, cacertreq, clientcert8req, true);
DO_CTX_TEST(false, cacertreq, clientcert9req, true); DO_CTX_TEST(false, cacertreq, clientcert9req, true);
...@@ -453,66 +449,114 @@ mymain(void) ...@@ -453,66 +449,114 @@ mymain(void)
/* Expired stuff */ /* Expired stuff */
static struct testTLSCertReq cacertexpreq = { TLS_ROOT_REQ(cacertexpreq,
NULL, NULL, "cacert.pem", "UK", "UK", "libvirt", NULL, NULL, NULL, NULL,
"libvirt", NULL, NULL, NULL, NULL,
true, true, true, true, true, true,
true, true, GNUTLS_KEY_KEY_CERT_SIGN, true, true, GNUTLS_KEY_KEY_CERT_SIGN,
false, false, NULL, NULL, false, false, NULL, NULL,
0, -1, 0, -1);
}; TLS_CERT_REQ(servercertexpreq, cacertexpreq,
static struct testTLSCertReq servercertexpreq = { "UK", "libvirt.org", NULL, NULL, NULL, NULL,
NULL, NULL, "servercert.pem", "UK", true, true, false,
"libvirt", NULL, NULL, NULL, NULL, true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, 0);
TLS_CERT_REQ(servercertexp1req, cacertreq,
"UK", "libvirt", NULL, NULL, NULL, NULL,
true, true, false, true, true, false,
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, -1, 0, -1);
}; TLS_CERT_REQ(clientcertexp1req, cacertreq,
static struct testTLSCertReq clientcertexpreq = { "UK", "libvirt", NULL, NULL, NULL, NULL,
NULL, NULL, "clientcert.pem", "UK",
"libvirt", NULL, NULL, NULL, NULL,
true, true, false, true, true, false,
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
0, -1, 0, -1);
};
DO_CTX_TEST(true, cacertexpreq, servercertreq, true); DO_CTX_TEST(true, cacertexpreq, servercertexpreq, true);
DO_CTX_TEST(true, cacertreq, servercertexpreq, true); DO_CTX_TEST(true, cacertreq, servercertexp1req, true);
DO_CTX_TEST(false, cacertreq, clientcertexpreq, true); DO_CTX_TEST(false, cacertreq, clientcertexp1req, true);
/* Not activated stuff */ /* Not activated stuff */
static struct testTLSCertReq cacertnewreq = { TLS_ROOT_REQ(cacertnewreq,
NULL, NULL, "cacert.pem", "UK", "UK", "libvirt", NULL, NULL, NULL, NULL,
"libvirt", NULL, NULL, NULL, NULL,
true, true, true, true, true, true,
true, true, GNUTLS_KEY_KEY_CERT_SIGN, true, true, GNUTLS_KEY_KEY_CERT_SIGN,
false, false, NULL, NULL, false, false, NULL, NULL,
1, 2, 1, 2);
}; TLS_CERT_REQ(servercertnewreq, cacertnewreq,
static struct testTLSCertReq servercertnewreq = { "UK", "libvirt", NULL, NULL, NULL, NULL,
NULL, NULL, "servercert.pem", "UK",
"libvirt", NULL, NULL, NULL, NULL,
true, true, false, true, true, false,
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
1, 2, 0, 0);
}; TLS_CERT_REQ(servercertnew1req, cacertreq,
static struct testTLSCertReq clientcertnewreq = { "UK", "libvirt", NULL, NULL, NULL, NULL,
NULL, NULL, "clientcert.pem", "UK", true, true, false,
"libvirt", NULL, NULL, NULL, NULL, true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
1, 2);
TLS_CERT_REQ(clientcertnew1req, cacertreq,
"UK", "libvirt", NULL, NULL, NULL, NULL,
true, true, false, true, true, false,
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
1, 2, 1, 2);
};
DO_CTX_TEST(true, cacertnewreq, servercertnewreq, true);
DO_CTX_TEST(true, cacertnewreq, servercertreq, true); DO_CTX_TEST(true, cacertreq, servercertnew1req, true);
DO_CTX_TEST(true, cacertreq, servercertnewreq, true); DO_CTX_TEST(false, cacertreq, clientcertnew1req, true);
DO_CTX_TEST(false, cacertreq, clientcertnewreq, true);
testTLSDiscardCert(&cacertreq);
testTLSDiscardCert(&cacert1req);
testTLSDiscardCert(&cacert2req);
testTLSDiscardCert(&cacert3req);
testTLSDiscardCert(&cacert4req);
testTLSDiscardCert(&cacert5req);
testTLSDiscardCert(&cacert6req);
testTLSDiscardCert(&servercertreq);
testTLSDiscardCert(&servercert1req);
testTLSDiscardCert(&servercert2req);
testTLSDiscardCert(&servercert3req);
testTLSDiscardCert(&servercert4req);
testTLSDiscardCert(&servercert5req);
testTLSDiscardCert(&servercert6req);
testTLSDiscardCert(&servercert7req);
testTLSDiscardCert(&servercert8req);
testTLSDiscardCert(&servercert9req);
testTLSDiscardCert(&servercert10req);
testTLSDiscardCert(&servercert11req);
testTLSDiscardCert(&servercert12req);
testTLSDiscardCert(&servercert13req);
testTLSDiscardCert(&servercert14req);
testTLSDiscardCert(&servercert15req);
testTLSDiscardCert(&servercert16req);
testTLSDiscardCert(&clientcertreq);
testTLSDiscardCert(&clientcert1req);
testTLSDiscardCert(&clientcert2req);
testTLSDiscardCert(&clientcert3req);
testTLSDiscardCert(&clientcert4req);
testTLSDiscardCert(&clientcert5req);
testTLSDiscardCert(&clientcert6req);
testTLSDiscardCert(&clientcert7req);
testTLSDiscardCert(&clientcert8req);
testTLSDiscardCert(&clientcert9req);
testTLSDiscardCert(&clientcert10req);
testTLSDiscardCert(&cacertexpreq);
testTLSDiscardCert(&servercertexpreq);
testTLSDiscardCert(&servercertexp1req);
testTLSDiscardCert(&clientcertexp1req);
testTLSDiscardCert(&cacertnewreq);
testTLSDiscardCert(&servercertnewreq);
testTLSDiscardCert(&servercertnew1req);
testTLSDiscardCert(&clientcertnew1req);
testTLSCleanup(); testTLSCleanup();
......
...@@ -152,7 +152,8 @@ static void testTLSDerEncode(ASN1_TYPE src, ...@@ -152,7 +152,8 @@ static void testTLSDerEncode(ASN1_TYPE src,
* TLS certificate code * TLS certificate code
*/ */
void void
testTLSGenerateCert(struct testTLSCertReq *req) testTLSGenerateCert(struct testTLSCertReq *req,
gnutls_x509_crt_t ca)
{ {
gnutls_x509_crt_t crt; gnutls_x509_crt_t crt;
int err; int err;
...@@ -379,10 +380,10 @@ testTLSGenerateCert(struct testTLSCertReq *req) ...@@ -379,10 +380,10 @@ testTLSGenerateCert(struct testTLSCertReq *req)
/* /*
* If no 'cart' is set then we are self signing * If no 'ca' is set then we are self signing
* the cert. This is done for CA certs * the cert. This is done for the root CA certs
*/ */
if ((err = gnutls_x509_crt_sign(crt, req->cacrt ? req->cacrt : crt, privkey) < 0)) { if ((err = gnutls_x509_crt_sign(crt, ca ? ca : crt, privkey) < 0)) {
VIR_WARN("Failed to sign certificate %s", gnutls_strerror(err)); VIR_WARN("Failed to sign certificate %s", gnutls_strerror(err));
abort(); abort();
} }
......
...@@ -36,7 +36,6 @@ extern const char *keyfile; ...@@ -36,7 +36,6 @@ extern const char *keyfile;
*/ */
struct testTLSCertReq { struct testTLSCertReq {
gnutls_x509_crt_t crt; gnutls_x509_crt_t crt;
gnutls_x509_crt_t cacrt; /* If not set, then the cert will be self-signed */
const char *filename; const char *filename;
...@@ -70,7 +69,8 @@ struct testTLSCertReq { ...@@ -70,7 +69,8 @@ struct testTLSCertReq {
int expire_offset; int expire_offset;
}; };
void testTLSGenerateCert(struct testTLSCertReq *req); void testTLSGenerateCert(struct testTLSCertReq *req,
gnutls_x509_crt_t ca);
void testTLSDiscardCert(struct testTLSCertReq *req); void testTLSDiscardCert(struct testTLSCertReq *req);
void testTLSInit(void); void testTLSInit(void);
......
...@@ -100,20 +100,6 @@ static int testTLSSessionInit(const void *opaque) ...@@ -100,20 +100,6 @@ static int testTLSSessionInit(const void *opaque)
ignore_value(virSetNonBlock(channel[1])); ignore_value(virSetNonBlock(channel[1]));
/* Generate all the certs we need for this test */
testTLSGenerateCert(&data->careq);
data->serverreq.cacrt = data->careq.crt;
testTLSGenerateCert(&data->serverreq);
if (data->othercareq.filename) {
testTLSGenerateCert(&data->othercareq);
data->clientreq.cacrt = data->othercareq.crt;
} else {
data->clientreq.cacrt = data->careq.crt;
}
testTLSGenerateCert(&data->clientreq);
/* We skip initial sanity checks here because we /* We skip initial sanity checks here because we
* want to make sure that problems are being * want to make sure that problems are being
* detected at the TLS session validation stage * detected at the TLS session validation stage
...@@ -243,12 +229,6 @@ cleanup: ...@@ -243,12 +229,6 @@ cleanup:
virObjectUnref(serverSess); virObjectUnref(serverSess);
virObjectUnref(clientSess); virObjectUnref(clientSess);
testTLSDiscardCert(&data->careq);
if (data->othercareq.filename)
testTLSDiscardCert(&data->othercareq);
testTLSDiscardCert(&data->clientreq);
testTLSDiscardCert(&data->serverreq);
VIR_FORCE_CLOSE(channel[0]); VIR_FORCE_CLOSE(channel[0]);
VIR_FORCE_CLOSE(channel[1]); VIR_FORCE_CLOSE(channel[1]);
return ret; return ret;
...@@ -275,7 +255,8 @@ mymain(void) ...@@ -275,7 +255,8 @@ mymain(void)
data.expectClientFail = _expectClientFail; \ data.expectClientFail = _expectClientFail; \
data.hostname = _hostname; \ data.hostname = _hostname; \
data.wildcards = _wildcards; \ data.wildcards = _wildcards; \
if (virtTestRun("TLS Session", 1, testTLSSessionInit, &data) < 0) \ if (virtTestRun("TLS Session " #_serverReq " + " #_clientReq, \
1, testTLSSessionInit, &data) < 0) \
ret = -1; \ ret = -1; \
} while (0) } while (0)
...@@ -292,68 +273,87 @@ mymain(void) ...@@ -292,68 +273,87 @@ mymain(void)
data.expectClientFail = _expectClientFail; \ data.expectClientFail = _expectClientFail; \
data.hostname = _hostname; \ data.hostname = _hostname; \
data.wildcards = _wildcards; \ data.wildcards = _wildcards; \
if (virtTestRun("TLS Session", 1, testTLSSessionInit, &data) < 0) \ if (virtTestRun("TLS Session " #_serverReq " + " #_clientReq, \
1, testTLSSessionInit, &data) < 0) \
ret = -1; \ ret = -1; \
} while (0) } while (0)
# define TLS_CERT_REQ(varname, cavarname, \
co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo) \
static struct testTLSCertReq varname = { \
NULL, #varname ".pem", \
co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, so \
}; \
testTLSGenerateCert(&varname, cavarname.crt)
# define TLS_ROOT_REQ(varname, \
co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo) \
static struct testTLSCertReq varname = { \
NULL, #varname ".pem", \
co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, so \
}; \
testTLSGenerateCert(&varname, NULL)
/* A perfect CA, perfect client & perfect server */ /* A perfect CA, perfect client & perfect server */
/* Basic:CA:critical */ /* Basic:CA:critical */
static struct testTLSCertReq cacertreq = { TLS_ROOT_REQ(cacertreq,
NULL, NULL, "cacert.pem", "UK", "UK", "libvirt CA", NULL, NULL, NULL, NULL,
"libvirt CA", NULL, NULL, NULL, NULL,
true, true, true, true, true, true,
true, true, GNUTLS_KEY_KEY_CERT_SIGN, true, true, GNUTLS_KEY_KEY_CERT_SIGN,
false, false, NULL, NULL, false, false, NULL, NULL,
0, 0, 0, 0);
};
static struct testTLSCertReq cacert1req = { TLS_ROOT_REQ(altcacertreq,
NULL, NULL, "cacert1.pem", "UK", "UK", "libvirt CA 1", NULL, NULL, NULL, NULL,
"libvirt CA 1", NULL, NULL, NULL, NULL,
true, true, true, true, true, true,
false, false, 0, false, false, 0,
false, false, NULL, NULL, false, false, NULL, NULL,
0, 0, 0, 0);
};
static struct testTLSCertReq servercertreq = { TLS_CERT_REQ(servercertreq, cacertreq,
NULL, NULL, "servercert.pem", "UK", "UK", "libvirt.org", NULL, NULL, NULL, NULL,
"libvirt.org", NULL, NULL, NULL, NULL,
true, true, false, true, true, false,
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, 0, 0, 0);
}; TLS_CERT_REQ(clientcertreq, cacertreq,
static struct testTLSCertReq clientcertreq = { "UK", "libvirt", NULL, NULL, NULL, NULL,
NULL, NULL, "clientcert.pem", "UK",
"libvirt", NULL, NULL, NULL, NULL,
true, true, false, true, true, false,
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
0, 0, 0, 0);
};
TLS_CERT_REQ(clientcertaltreq, altcacertreq,
"UK", "libvirt", NULL, NULL, NULL, NULL,
true, true, false,
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
0, 0);
DO_SESS_TEST(cacertreq, servercertreq, clientcertreq, false, false, "libvirt.org", NULL); DO_SESS_TEST(cacertreq, servercertreq, clientcertreq, false, false, "libvirt.org", NULL);
DO_SESS_TEST_EXT(cacertreq, cacert1req, servercertreq, clientcertreq, true, true, "libvirt.org", NULL); DO_SESS_TEST_EXT(cacertreq, altcacertreq, servercertreq, clientcertaltreq, true, true, "libvirt.org", NULL);
/* When an altname is set, the CN is ignored, so it must be duplicated /* When an altname is set, the CN is ignored, so it must be duplicated
* as an altname for it to match */ * as an altname for it to match */
static struct testTLSCertReq servercertalt1req = { TLS_CERT_REQ(servercertalt1req, cacertreq,
NULL, NULL, "servercert.pem", "UK", "UK", "libvirt.org", "www.libvirt.org", "libvirt.org", "192.168.122.1", "fec0::dead:beaf",
"libvirt.org", "www.libvirt.org", "libvirt.org", "192.168.122.1", "fec0::dead:beaf",
true, true, false, true, true, false,
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, 0, 0, 0);
};
/* This intentionally doesn't replicate */ /* This intentionally doesn't replicate */
static struct testTLSCertReq servercertalt2req = { TLS_CERT_REQ(servercertalt2req, cacertreq,
NULL, NULL, "servercert.pem", "UK", "UK", "libvirt.org", "www.libvirt.org", "wiki.libvirt.org", "192.168.122.1", "fec0::dead:beaf",
"libvirt.org", "www.libvirt.org", "wiki.libvirt.org", "192.168.122.1", "fec0::dead:beaf",
true, true, false, true, true, false,
true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, 0, 0, 0);
};
DO_SESS_TEST(cacertreq, servercertalt1req, clientcertreq, false, false, "libvirt.org", NULL); DO_SESS_TEST(cacertreq, servercertalt1req, clientcertreq, false, false, "libvirt.org", NULL);
DO_SESS_TEST(cacertreq, servercertalt1req, clientcertreq, false, false, "www.libvirt.org", NULL); DO_SESS_TEST(cacertreq, servercertalt1req, clientcertreq, false, false, "www.libvirt.org", NULL);
...@@ -396,6 +396,16 @@ mymain(void) ...@@ -396,6 +396,16 @@ mymain(void)
DO_SESS_TEST(cacertreq, servercertreq, clientcertreq, false, false, "libvirt.org", wildcards5); DO_SESS_TEST(cacertreq, servercertreq, clientcertreq, false, false, "libvirt.org", wildcards5);
DO_SESS_TEST(cacertreq, servercertreq, clientcertreq, false, false, "libvirt.org", wildcards6); DO_SESS_TEST(cacertreq, servercertreq, clientcertreq, false, false, "libvirt.org", wildcards6);
testTLSDiscardCert(&clientcertreq);
testTLSDiscardCert(&clientcertaltreq);
testTLSDiscardCert(&servercertreq);
testTLSDiscardCert(&servercertalt1req);
testTLSDiscardCert(&servercertalt2req);
testTLSDiscardCert(&cacertreq);
testTLSDiscardCert(&altcacertreq);
testTLSCleanup(); testTLSCleanup();
return ret==0 ? EXIT_SUCCESS : EXIT_FAILURE; return ret==0 ? EXIT_SUCCESS : EXIT_FAILURE;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册