From 1f5e6cb8df70b658f48d5b562b5b483778dd911e Mon Sep 17 00:00:00 2001
Message-Id: <1f5e6cb8df70b658f48d5b562b5b483778dd911e.1377873637.git.jdenemar@redhat.com>
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Tue, 13 Aug 2013 11:32:46 +0100
Subject: [PATCH] Avoid re-generating certs every time
For https://bugzilla.redhat.com/show_bug.cgi?id=994158
Currently every test case in the TLS test suite generates the
certs fresh. This is a waste of time, since their parameters
don't change across test cases. Create certs once in main
method.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 90811c5987870f348ebc545b5a6d127cc2076723)
---
tests/virnettlscontexttest.c | 670 +++++++++++++++++++++++--------------------
tests/virnettlshelpers.c | 9 +-
tests/virnettlshelpers.h | 4 +-
tests/virnettlssessiontest.c | 152 +++++-----
4 files changed, 445 insertions(+), 390 deletions(-)
diff --git a/tests/virnettlscontexttest.c b/tests/virnettlscontexttest.c
|
|
|
43fe83 |
index 0a0d31a..4211a74 100644
|
|
|
43fe83 |
--- a/tests/virnettlscontexttest.c
|
|
|
43fe83 |
+++ b/tests/virnettlscontexttest.c
|
|
|
43fe83 |
@@ -62,10 +62,6 @@ static int testTLSContextInit(const void *opaque)
|
|
|
43fe83 |
virNetTLSContextPtr ctxt = NULL;
|
|
|
43fe83 |
int ret = -1;
|
|
|
43fe83 |
|
|
|
43fe83 |
- testTLSGenerateCert(&data->careq);
|
|
|
43fe83 |
- data->certreq.cacrt = data->careq.crt;
|
|
|
43fe83 |
- testTLSGenerateCert(&data->certreq);
|
|
|
43fe83 |
-
|
|
|
43fe83 |
if (data->isServer) {
|
|
|
43fe83 |
ctxt = virNetTLSContextNewServer(data->careq.filename,
|
|
|
43fe83 |
NULL,
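Review bot: testTLSContextInit now silently depends on both `data->careq.filename` and `data->certreq.filename` already existing on disk, and with the generation calls removed nothing at the function records that precondition. A one-line comment at the point where the three removed lines stood, `/* certs are generated once in mymain() via TLS_ROOT_REQ/TLS_CERT_REQ; both files must exist before this runs */`, would stop the next reader from re-adding per-test generation. testTLSContextInit's body begins before this hunk.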
|
|
|
43fe83 |
@@ -103,8 +99,6 @@ static int testTLSContextInit(const void *opaque)
|
|
|
43fe83 |
|
|
|
43fe83 |
cleanup:
|
|
|
43fe83 |
virObjectUnref(ctxt);
|
|
|
43fe83 |
- testTLSDiscardCert(&data->careq);
|
|
|
43fe83 |
- testTLSDiscardCert(&data->certreq);
|
|
|
43fe83 |
return ret;
|
|
|
43fe83 |
}
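Review bot: With both testTLSDiscardCert calls removed from the cleanup label, the `.pem` files and the `crt` objects created for every request now live for the whole run, so the matching per-request discard has to happen once at the end of mymain; that tail of mymain is not within the hunks shown here, and it is worth confirming it exists, since otherwise the certificate files are left in the test directory between runs and the gnutls certificate objects are never released. The hunk's final blank context line was dropped by the rendering.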
|
|
|
43fe83 |
|
|
|
43fe83 |
@@ -124,38 +118,54 @@ mymain(void)
|
|
|
43fe83 |
data.careq = _caReq; \
|
|
|
43fe83 |
data.certreq = _certReq; \
|
|
|
43fe83 |
data.expectFail = _expectFail; \
|
|
|
43fe83 |
- if (virtTestRun("TLS Context", 1, testTLSContextInit, &data) < 0) \
|
|
|
43fe83 |
+ if (virtTestRun("TLS Context " #_caReq " + " #_certReq, 1, \
|
|
|
43fe83 |
+ testTLSContextInit, &data) < 0) \
|
|
|
43fe83 |
ret = -1; \
|
|
|
43fe83 |
} while (0)
|
|
|
43fe83 |
|
|
|
43fe83 |
+# define TLS_CERT_REQ(varname, cavarname, \
|
|
|
43fe83 |
+ co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
|
|
|
43fe83 |
+ kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo) \
|
|
|
43fe83 |
+ static struct testTLSCertReq varname = { \
|
|
|
43fe83 |
+ NULL, #varname ".pem", \
|
|
|
43fe83 |
+ co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
|
|
|
43fe83 |
+ kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo \
|
|
|
43fe83 |
+ }; \
|
|
|
43fe83 |
+ testTLSGenerateCert(&varname, cavarname.crt)
|
|
|
43fe83 |
+
|
|
|
43fe83 |
+# define TLS_ROOT_REQ(varname, \
|
|
|
43fe83 |
+ co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
|
|
|
43fe83 |
+ kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo) \
|
|
|
43fe83 |
+ static struct testTLSCertReq varname = { \
|
|
|
43fe83 |
+ NULL, #varname ".pem", \
|
|
|
43fe83 |
+ co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
|
|
|
43fe83 |
+ kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo \
|
|
|
43fe83 |
+ }; \
|
|
|
43fe83 |
+ testTLSGenerateCert(&varname, NULL)
|
|
|
43fe83 |
+
|
|
|
43fe83 |
+
|
|
|
43fe83 |
/* A perfect CA, perfect client & perfect server */
|
|
|
43fe83 |
|
|
|
43fe83 |
/* Basic:CA:critical */
|
|
|
43fe83 |
- static struct testTLSCertReq cacertreq = {
|
|
|
43fe83 |
- NULL, NULL, "cacert.pem", "UK",
|
|
|
43fe83 |
- "libvirt CA", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
- true, true, true,
|
|
|
43fe83 |
- true, true, GNUTLS_KEY_KEY_CERT_SIGN,
|
|
|
43fe83 |
- false, false, NULL, NULL,
|
|
|
43fe83 |
- 0, 0,
|
|
|
43fe83 |
- };
|
|
|
43fe83 |
- static struct testTLSCertReq servercertreq = {
|
|
|
43fe83 |
- NULL, NULL, "servercert.pem", "UK",
|
|
|
43fe83 |
- "libvirt.org", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
- true, true, false,
|
|
|
43fe83 |
- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
|
|
|
43fe83 |
- true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
|
|
|
43fe83 |
- 0, 0,
|
|
|
43fe83 |
- };
|
|
|
43fe83 |
- static struct testTLSCertReq clientcertreq = {
|
|
|
43fe83 |
- NULL, NULL, "clientcert.pem", "UK",
|
|
|
43fe83 |
- "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
- true, true, false,
|
|
|
43fe83 |
- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
|
|
|
43fe83 |
- true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
|
|
|
43fe83 |
- 0, 0,
|
|
|
43fe83 |
- };
|
|
|
43fe83 |
-
|
|
|
43fe83 |
+ TLS_ROOT_REQ(cacertreq,
|
|
|
43fe83 |
+ "UK", "libvirt CA", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
+ true, true, true,
|
|
|
43fe83 |
+ true, true, GNUTLS_KEY_KEY_CERT_SIGN,
|
|
|
43fe83 |
+ false, false, NULL, NULL,
|
|
|
43fe83 |
+ 0, 0);
|
|
|
43fe83 |
+
|
|
|
43fe83 |
+ TLS_CERT_REQ(servercertreq, cacertreq,
|
|
|
43fe83 |
+ "UK", "libvirt.org", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
+ true, true, false,
|
|
|
43fe83 |
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
|
|
|
43fe83 |
+ true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
|
|
|
43fe83 |
+ 0, 0);
|
|
|
43fe83 |
+ TLS_CERT_REQ(clientcertreq, cacertreq,
|
|
|
43fe83 |
+ "UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
+ true, true, false,
|
|
|
43fe83 |
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
|
|
|
43fe83 |
+ true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
|
|
|
43fe83 |
+ 0, 0);
|
|
|
43fe83 |
|
|
|
43fe83 |
DO_CTX_TEST(true, cacertreq, servercertreq, false);
|
|
|
43fe83 |
DO_CTX_TEST(false, cacertreq, clientcertreq, false);
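Review bot: TLS_ROOT_REQ and TLS_CERT_REQ end in a bare `testTLSGenerateCert(&varname, ...)` call whose result is discarded, so if generation fails the request keeps a NULL `crt` and no `#varname ".pem"` file, and every DO_CTX_TEST that uses it later fails for an unrelated reason or, where `expectFail` is true, may pass for the wrong reason. The declaration of testTLSGenerateCert is in virnettlshelpers.h outside these hunks, so whether it reports failure is not visible here; if it does, have the macro fold the result into `ret` the way DO_CTX_TEST does instead of dropping it. Separately, the old initializers had three leading entries (`NULL, NULL, "cacert.pem"`) and the new ones two (`NULL, #varname ".pem"`), which suggests this commit also drops a field from struct testTLSCertReq; writing the two fixed fields as `.crt = NULL, .filename = #varname ".pem"` would keep the macros correct across any further reordering, while the remaining fields necessarily stay positional because they are passed through as macro parameters.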
|
|
|
43fe83 |
@@ -164,249 +174,241 @@ mymain(void)
|
|
|
43fe83 |
/* Some other CAs which are good */
|
|
|
43fe83 |
|
|
|
43fe83 |
/* Basic:CA:critical */
|
|
|
43fe83 |
- static struct testTLSCertReq cacert1req = {
|
|
|
43fe83 |
- NULL, NULL, "cacert1.pem", "UK",
|
|
|
43fe83 |
- "libvirt CA 1", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
- true, true, true,
|
|
|
43fe83 |
- false, false, 0,
|
|
|
43fe83 |
- false, false, NULL, NULL,
|
|
|
43fe83 |
- 0, 0,
|
|
|
43fe83 |
- };
|
|
|
43fe83 |
+ TLS_ROOT_REQ(cacert1req,
|
|
|
43fe83 |
+ "UK", "libvirt CA 1", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
+ true, true, true,
|
|
|
43fe83 |
+ false, false, 0,
|
|
|
43fe83 |
+ false, false, NULL, NULL,
|
|
|
43fe83 |
+ 0, 0);
|
|
|
43fe83 |
+ TLS_CERT_REQ(servercert1req, cacert1req,
|
|
|
43fe83 |
+ "UK", "libvirt.org", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
+ true, true, false,
|
|
|
43fe83 |
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
|
|
|
43fe83 |
+ true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
|
|
|
43fe83 |
+ 0, 0);
|
|
|
43fe83 |
+
|
|
|
43fe83 |
/* Basic:CA:not-critical */
|
|
|
43fe83 |
- static struct testTLSCertReq cacert2req = {
|
|
|
43fe83 |
- NULL, NULL, "cacert2.pem", "UK",
|
|
|
43fe83 |
- "libvirt CA 2", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
- true, false, true,
|
|
|
43fe83 |
- false, false, 0,
|
|
|
43fe83 |
- false, false, NULL, NULL,
|
|
|
43fe83 |
- 0, 0,
|
|
|
43fe83 |
- };
|
|
|
43fe83 |
+ TLS_ROOT_REQ(cacert2req,
|
|
|
43fe83 |
+ "UK", "libvirt CA 2", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
+ true, false, true,
|
|
|
43fe83 |
+ false, false, 0,
|
|
|
43fe83 |
+ false, false, NULL, NULL,
|
|
|
43fe83 |
+ 0, 0);
|
|
|
43fe83 |
+ TLS_CERT_REQ(servercert2req, cacert2req,
|
|
|
43fe83 |
+ "UK", "libvirt.org", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
+ true, true, false,
|
|
|
43fe83 |
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
|
|
|
43fe83 |
+ true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
|
|
|
43fe83 |
+ 0, 0);
|
|
|
43fe83 |
+
|
|
|
43fe83 |
/* Key usage:cert-sign:critical */
|
|
|
43fe83 |
- static struct testTLSCertReq cacert3req = {
|
|
|
43fe83 |
- NULL, NULL, "cacert3.pem", "UK",
|
|
|
43fe83 |
- "libvirt CA 3", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
- true, true, true,
|
|
|
43fe83 |
- true, true, GNUTLS_KEY_KEY_CERT_SIGN,
|
|
|
43fe83 |
- false, false, NULL, NULL,
|
|
|
43fe83 |
- 0, 0,
|
|
|
43fe83 |
- };
|
|
|
43fe83 |
-
|
|
|
43fe83 |
- DO_CTX_TEST(true, cacert1req, servercertreq, false);
|
|
|
43fe83 |
- DO_CTX_TEST(true, cacert2req, servercertreq, false);
|
|
|
43fe83 |
- DO_CTX_TEST(true, cacert3req, servercertreq, false);
|
|
|
43fe83 |
+ TLS_ROOT_REQ(cacert3req,
|
|
|
43fe83 |
+ "UK", "libvirt CA 3", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
+ true, true, true,
|
|
|
43fe83 |
+ true, true, GNUTLS_KEY_KEY_CERT_SIGN,
|
|
|
43fe83 |
+ false, false, NULL, NULL,
|
|
|
43fe83 |
+ 0, 0);
|
|
|
43fe83 |
+ TLS_CERT_REQ(servercert3req, cacert3req,
|
|
|
43fe83 |
+ "UK", "libvirt.org", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
+ true, true, false,
|
|
|
43fe83 |
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
|
|
|
43fe83 |
+ true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
|
|
|
43fe83 |
+ 0, 0);
|
|
|
43fe83 |
+
|
|
|
43fe83 |
+ DO_CTX_TEST(true, cacert1req, servercert1req, false);
|
|
|
43fe83 |
+ DO_CTX_TEST(true, cacert2req, servercert2req, false);
|
|
|
43fe83 |
+ DO_CTX_TEST(true, cacert3req, servercert3req, false);
|
|
|
43fe83 |
|
|
|
43fe83 |
/* Now some bad certs */
|
|
|
43fe83 |
|
|
|
43fe83 |
/* Key usage:dig-sig:not-critical */
|
|
|
43fe83 |
- static struct testTLSCertReq cacert4req = {
|
|
|
43fe83 |
- NULL, NULL, "cacert4.pem", "UK",
|
|
|
43fe83 |
- "libvirt CA 4", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
- true, true, true,
|
|
|
43fe83 |
- true, false, GNUTLS_KEY_DIGITAL_SIGNATURE,
|
|
|
43fe83 |
- false, false, NULL, NULL,
|
|
|
43fe83 |
- 0, 0,
|
|
|
43fe83 |
- };
|
|
|
43fe83 |
+ TLS_ROOT_REQ(cacert4req,
|
|
|
43fe83 |
+ "UK", "libvirt CA 4", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
+ true, true, true,
|
|
|
43fe83 |
+ true, false, GNUTLS_KEY_DIGITAL_SIGNATURE,
|
|
|
43fe83 |
+ false, false, NULL, NULL,
|
|
|
43fe83 |
+ 0, 0);
|
|
|
43fe83 |
+ TLS_CERT_REQ(servercert4req, cacert4req,
|
|
|
43fe83 |
+ "UK", "libvirt.org", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
+ true, true, false,
|
|
|
43fe83 |
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
|
|
|
43fe83 |
+ true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
|
|
|
43fe83 |
+ 0, 0);
|
|
|
43fe83 |
/* no-basic */
|
|
|
43fe83 |
- static struct testTLSCertReq cacert5req = {
|
|
|
43fe83 |
- NULL, NULL, "cacert5.pem", "UK",
|
|
|
43fe83 |
- "libvirt CA 5", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
- false, false, false,
|
|
|
43fe83 |
- false, false, 0,
|
|
|
43fe83 |
- false, false, NULL, NULL,
|
|
|
43fe83 |
- 0, 0,
|
|
|
43fe83 |
- };
|
|
|
43fe83 |
+ TLS_ROOT_REQ(cacert5req,
|
|
|
43fe83 |
+ "UK", "libvirt CA 5", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
+ false, false, false,
|
|
|
43fe83 |
+ false, false, 0,
|
|
|
43fe83 |
+ false, false, NULL, NULL,
|
|
|
43fe83 |
+ 0, 0);
|
|
|
43fe83 |
+ TLS_CERT_REQ(servercert5req, cacert5req,
|
|
|
43fe83 |
+ "UK", "libvirt.org", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
+ true, true, false,
|
|
|
43fe83 |
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
|
|
|
43fe83 |
+ true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
|
|
|
43fe83 |
+ 0, 0);
|
|
|
43fe83 |
/* Key usage:dig-sig:critical */
|
|
|
43fe83 |
- static struct testTLSCertReq cacert6req = {
|
|
|
43fe83 |
- NULL, NULL, "cacert6.pem", "UK",
|
|
|
43fe83 |
- "libvirt CA 6", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
- true, true, true,
|
|
|
43fe83 |
- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
|
|
|
43fe83 |
- false, false, NULL, NULL,
|
|
|
43fe83 |
- 0, 0,
|
|
|
43fe83 |
- };
|
|
|
43fe83 |
+ TLS_ROOT_REQ(cacert6req,
|
|
|
43fe83 |
+ "UK", "libvirt CA 6", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
+ true, true, true,
|
|
|
43fe83 |
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE,
|
|
|
43fe83 |
+ false, false, NULL, NULL,
|
|
|
43fe83 |
+ 0, 0);
|
|
|
43fe83 |
+ TLS_CERT_REQ(servercert6req, cacert6req,
|
|
|
43fe83 |
+ "UK", "libvirt.org", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
+ true, true, false,
|
|
|
43fe83 |
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
|
|
|
43fe83 |
+ true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
|
|
|
43fe83 |
+ 0, 0);
|
|
|
43fe83 |
|
|
|
43fe83 |
/* Technically a CA cert with basic constraints
|
|
|
43fe83 |
* key purpose == key signing + non-critical should
|
|
|
43fe83 |
* be rejected. GNUTLS < 3 does not reject it and
|
|
|
43fe83 |
* we don't anticipate them changing this behaviour
|
|
|
43fe83 |
*/
|
|
|
43fe83 |
- DO_CTX_TEST(true, cacert4req, servercertreq, GNUTLS_VERSION_MAJOR >= 3);
|
|
|
43fe83 |
- DO_CTX_TEST(true, cacert5req, servercertreq, true);
|
|
|
43fe83 |
- DO_CTX_TEST(true, cacert6req, servercertreq, true);
|
|
|
43fe83 |
+ DO_CTX_TEST(true, cacert4req, servercert4req, GNUTLS_VERSION_MAJOR >= 3);
|
|
|
43fe83 |
+ DO_CTX_TEST(true, cacert5req, servercert5req, true);
|
|
|
43fe83 |
+ DO_CTX_TEST(true, cacert6req, servercert6req, true);
|
|
|
43fe83 |
|
|
|
43fe83 |
|
|
|
43fe83 |
/* Various good servers */
|
|
|
43fe83 |
/* no usage or purpose */
|
|
|
43fe83 |
- static struct testTLSCertReq servercert1req = {
|
|
|
43fe83 |
- NULL, NULL, "servercert1.pem", "UK",
|
|
|
43fe83 |
- "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
- true, true, false,
|
|
|
43fe83 |
- false, false, 0,
|
|
|
43fe83 |
- false, false, NULL, NULL,
|
|
|
43fe83 |
- 0, 0,
|
|
|
43fe83 |
- };
|
|
|
43fe83 |
+ TLS_CERT_REQ(servercert7req, cacertreq,
|
|
|
43fe83 |
+ "UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
+ true, true, false,
|
|
|
43fe83 |
+ false, false, 0,
|
|
|
43fe83 |
+ false, false, NULL, NULL,
|
|
|
43fe83 |
+ 0, 0);
|
|
|
43fe83 |
/* usage:cert-sign+dig-sig+encipher:critical */
|
|
|
43fe83 |
- static struct testTLSCertReq servercert2req = {
|
|
|
43fe83 |
- NULL, NULL, "servercert2.pem", "UK",
|
|
|
43fe83 |
- "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
- true, true, false,
|
|
|
43fe83 |
- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_KEY_CERT_SIGN,
|
|
|
43fe83 |
- false, false, NULL, NULL,
|
|
|
43fe83 |
- 0, 0,
|
|
|
43fe83 |
- };
|
|
|
43fe83 |
+ TLS_CERT_REQ(servercert8req, cacertreq,
|
|
|
43fe83 |
+ "UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
+ true, true, false,
|
|
|
43fe83 |
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_KEY_CERT_SIGN,
|
|
|
43fe83 |
+ false, false, NULL, NULL,
|
|
|
43fe83 |
+ 0, 0);
|
|
|
43fe83 |
/* usage:cert-sign:not-critical */
|
|
|
43fe83 |
- static struct testTLSCertReq servercert3req = {
|
|
|
43fe83 |
- NULL, NULL, "servercert3.pem", "UK",
|
|
|
43fe83 |
- "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
- true, true, false,
|
|
|
43fe83 |
- true, false, GNUTLS_KEY_KEY_CERT_SIGN,
|
|
|
43fe83 |
- false, false, NULL, NULL,
|
|
|
43fe83 |
- 0, 0,
|
|
|
43fe83 |
- };
|
|
|
43fe83 |
+ TLS_CERT_REQ(servercert9req, cacertreq,
|
|
|
43fe83 |
+ "UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
+ true, true, false,
|
|
|
43fe83 |
+ true, false, GNUTLS_KEY_KEY_CERT_SIGN,
|
|
|
43fe83 |
+ false, false, NULL, NULL,
|
|
|
43fe83 |
+ 0, 0);
|
|
|
43fe83 |
/* purpose:server:critical */
|
|
|
43fe83 |
- static struct testTLSCertReq servercert4req = {
|
|
|
43fe83 |
- NULL, NULL, "servercert4.pem", "UK",
|
|
|
43fe83 |
- "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
- true, true, false,
|
|
|
43fe83 |
- false, false, 0,
|
|
|
43fe83 |
- true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
|
|
|
43fe83 |
- 0, 0,
|
|
|
43fe83 |
- };
|
|
|
43fe83 |
+ TLS_CERT_REQ(servercert10req, cacertreq,
|
|
|
43fe83 |
+ "UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
+ true, true, false,
|
|
|
43fe83 |
+ false, false, 0,
|
|
|
43fe83 |
+ true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
|
|
|
43fe83 |
+ 0, 0);
|
|
|
43fe83 |
/* purpose:server:not-critical */
|
|
|
43fe83 |
- static struct testTLSCertReq servercert5req = {
|
|
|
43fe83 |
- NULL, NULL, "servercert5.pem", "UK",
|
|
|
43fe83 |
- "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
- true, true, false,
|
|
|
43fe83 |
- false, false, 0,
|
|
|
43fe83 |
- true, false, GNUTLS_KP_TLS_WWW_SERVER, NULL,
|
|
|
43fe83 |
- 0, 0,
|
|
|
43fe83 |
- };
|
|
|
43fe83 |
+ TLS_CERT_REQ(servercert11req, cacertreq,
|
|
|
43fe83 |
+ "UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
+ true, true, false,
|
|
|
43fe83 |
+ false, false, 0,
|
|
|
43fe83 |
+ true, false, GNUTLS_KP_TLS_WWW_SERVER, NULL,
|
|
|
43fe83 |
+ 0, 0);
|
|
|
43fe83 |
/* purpose:client+server:critical */
|
|
|
43fe83 |
- static struct testTLSCertReq servercert6req = {
|
|
|
43fe83 |
- NULL, NULL, "servercert6.pem", "UK",
|
|
|
43fe83 |
- "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
- true, true, false,
|
|
|
43fe83 |
- false, false, 0,
|
|
|
43fe83 |
- true, true, GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
|
|
|
43fe83 |
- 0, 0,
|
|
|
43fe83 |
- };
|
|
|
43fe83 |
+ TLS_CERT_REQ(servercert12req, cacertreq,
|
|
|
43fe83 |
+ "UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
+ true, true, false,
|
|
|
43fe83 |
+ false, false, 0,
|
|
|
43fe83 |
+ true, true, GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
|
|
|
43fe83 |
+ 0, 0);
|
|
|
43fe83 |
/* purpose:client+server:not-critical */
|
|
|
43fe83 |
- static struct testTLSCertReq servercert7req = {
|
|
|
43fe83 |
- NULL, NULL, "servercert7.pem", "UK",
|
|
|
43fe83 |
- "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
- true, true, false,
|
|
|
43fe83 |
- false, false, 0,
|
|
|
43fe83 |
- true, false, GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
|
|
|
43fe83 |
- 0, 0,
|
|
|
43fe83 |
- };
|
|
|
43fe83 |
-
|
|
|
43fe83 |
- DO_CTX_TEST(true, cacertreq, servercert1req, false);
|
|
|
43fe83 |
- DO_CTX_TEST(true, cacertreq, servercert2req, false);
|
|
|
43fe83 |
- DO_CTX_TEST(true, cacertreq, servercert3req, false);
|
|
|
43fe83 |
- DO_CTX_TEST(true, cacertreq, servercert4req, false);
|
|
|
43fe83 |
- DO_CTX_TEST(true, cacertreq, servercert5req, false);
|
|
|
43fe83 |
- DO_CTX_TEST(true, cacertreq, servercert6req, false);
|
|
|
43fe83 |
+ TLS_CERT_REQ(servercert13req, cacertreq,
|
|
|
43fe83 |
+ "UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
+ true, true, false,
|
|
|
43fe83 |
+ false, false, 0,
|
|
|
43fe83 |
+ true, false, GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
|
|
|
43fe83 |
+ 0, 0);
|
|
|
43fe83 |
+
|
|
|
43fe83 |
DO_CTX_TEST(true, cacertreq, servercert7req, false);
|
|
|
43fe83 |
+ DO_CTX_TEST(true, cacertreq, servercert8req, false);
|
|
|
43fe83 |
+ DO_CTX_TEST(true, cacertreq, servercert9req, false);
|
|
|
43fe83 |
+ DO_CTX_TEST(true, cacertreq, servercert10req, false);
|
|
|
43fe83 |
+ DO_CTX_TEST(true, cacertreq, servercert11req, false);
|
|
|
43fe83 |
+ DO_CTX_TEST(true, cacertreq, servercert12req, false);
|
|
|
43fe83 |
+ DO_CTX_TEST(true, cacertreq, servercert13req, false);
|
|
|
43fe83 |
/* Bad servers */
|
|
|
43fe83 |
|
|
|
43fe83 |
/* usage:cert-sign:critical */
|
|
|
43fe83 |
- static struct testTLSCertReq servercert8req = {
|
|
|
43fe83 |
- NULL, NULL, "servercert8.pem", "UK",
|
|
|
43fe83 |
- "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
- true, true, false,
|
|
|
43fe83 |
- true, true, GNUTLS_KEY_KEY_CERT_SIGN,
|
|
|
43fe83 |
- false, false, NULL, NULL,
|
|
|
43fe83 |
- 0, 0,
|
|
|
43fe83 |
- };
|
|
|
43fe83 |
+ TLS_CERT_REQ(servercert14req, cacertreq,
|
|
|
43fe83 |
+ "UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
+ true, true, false,
|
|
|
43fe83 |
+ true, true, GNUTLS_KEY_KEY_CERT_SIGN,
|
|
|
43fe83 |
+ false, false, NULL, NULL,
|
|
|
43fe83 |
+ 0, 0);
|
|
|
43fe83 |
/* purpose:client:critical */
|
|
|
43fe83 |
- static struct testTLSCertReq servercert9req = {
|
|
|
43fe83 |
- NULL, NULL, "servercert9.pem", "UK",
|
|
|
43fe83 |
- "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
- true, true, false,
|
|
|
43fe83 |
- false, false, 0,
|
|
|
43fe83 |
- true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
|
|
|
43fe83 |
- 0, 0,
|
|
|
43fe83 |
- };
|
|
|
43fe83 |
+ TLS_CERT_REQ(servercert15req, cacertreq,
|
|
|
43fe83 |
+ "UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
+ true, true, false,
|
|
|
43fe83 |
+ false, false, 0,
|
|
|
43fe83 |
+ true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
|
|
|
43fe83 |
+ 0, 0);
|
|
|
43fe83 |
/* usage: none:critical */
|
|
|
43fe83 |
- static struct testTLSCertReq servercert10req = {
|
|
|
43fe83 |
- NULL, NULL, "servercert10.pem", "UK",
|
|
|
43fe83 |
- "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
- true, true, false,
|
|
|
43fe83 |
- true, true, 0,
|
|
|
43fe83 |
- false, false, NULL, NULL,
|
|
|
43fe83 |
- 0, 0,
|
|
|
43fe83 |
- };
|
|
|
43fe83 |
+ TLS_CERT_REQ(servercert16req, cacertreq,
|
|
|
43fe83 |
+ "UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
+ true, true, false,
|
|
|
43fe83 |
+ true, true, 0,
|
|
|
43fe83 |
+ false, false, NULL, NULL,
|
|
|
43fe83 |
+ 0, 0);
|
|
|
43fe83 |
|
|
|
43fe83 |
- DO_CTX_TEST(true, cacertreq, servercert8req, true);
|
|
|
43fe83 |
- DO_CTX_TEST(true, cacertreq, servercert9req, true);
|
|
|
43fe83 |
- DO_CTX_TEST(true, cacertreq, servercert10req, true);
|
|
|
43fe83 |
+ DO_CTX_TEST(true, cacertreq, servercert14req, true);
|
|
|
43fe83 |
+ DO_CTX_TEST(true, cacertreq, servercert15req, true);
|
|
|
43fe83 |
+ DO_CTX_TEST(true, cacertreq, servercert16req, true);
|
|
|
43fe83 |
|
|
|
43fe83 |
|
|
|
43fe83 |
|
|
|
43fe83 |
/* Various good clients */
|
|
|
43fe83 |
/* no usage or purpose */
|
|
|
43fe83 |
- static struct testTLSCertReq clientcert1req = {
|
|
|
43fe83 |
- NULL, NULL, "clientcert1.pem", "UK",
|
|
|
43fe83 |
- "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
- true, true, false,
|
|
|
43fe83 |
- false, false, 0,
|
|
|
43fe83 |
- false, false, NULL, NULL,
|
|
|
43fe83 |
- 0, 0,
|
|
|
43fe83 |
- };
|
|
|
43fe83 |
+ TLS_CERT_REQ(clientcert1req, cacertreq,
|
|
|
43fe83 |
+ "UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
+ true, true, false,
|
|
|
43fe83 |
+ false, false, 0,
|
|
|
43fe83 |
+ false, false, NULL, NULL,
|
|
|
43fe83 |
+ 0, 0);
|
|
|
43fe83 |
/* usage:cert-sign+dig-sig+encipher:critical */
|
|
|
43fe83 |
- static struct testTLSCertReq clientcert2req = {
|
|
|
43fe83 |
- NULL, NULL, "clientcert2.pem", "UK",
|
|
|
43fe83 |
- "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
- true, true, false,
|
|
|
43fe83 |
- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_KEY_CERT_SIGN,
|
|
|
43fe83 |
- false, false, NULL, NULL,
|
|
|
43fe83 |
- 0, 0,
|
|
|
43fe83 |
- };
|
|
|
43fe83 |
+ TLS_CERT_REQ(clientcert2req, cacertreq,
|
|
|
43fe83 |
+ "UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
+ true, true, false,
|
|
|
43fe83 |
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_KEY_CERT_SIGN,
|
|
|
43fe83 |
+ false, false, NULL, NULL,
|
|
|
43fe83 |
+ 0, 0);
|
|
|
43fe83 |
/* usage:cert-sign:not-critical */
|
|
|
43fe83 |
- static struct testTLSCertReq clientcert3req = {
|
|
|
43fe83 |
- NULL, NULL, "clientcert3.pem", "UK",
|
|
|
43fe83 |
- "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
- true, true, false,
|
|
|
43fe83 |
- true, false, GNUTLS_KEY_KEY_CERT_SIGN,
|
|
|
43fe83 |
- false, false, NULL, NULL,
|
|
|
43fe83 |
- 0, 0,
|
|
|
43fe83 |
- };
|
|
|
43fe83 |
+ TLS_CERT_REQ(clientcert3req, cacertreq,
|
|
|
43fe83 |
+ "UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
+ true, true, false,
|
|
|
43fe83 |
+ true, false, GNUTLS_KEY_KEY_CERT_SIGN,
|
|
|
43fe83 |
+ false, false, NULL, NULL,
|
|
|
43fe83 |
+ 0, 0);
|
|
|
43fe83 |
/* purpose:client:critical */
|
|
|
43fe83 |
- static struct testTLSCertReq clientcert4req = {
|
|
|
43fe83 |
- NULL, NULL, "clientcert4.pem", "UK",
|
|
|
43fe83 |
- "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
- true, true, false,
|
|
|
43fe83 |
- false, false, 0,
|
|
|
43fe83 |
- true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
|
|
|
43fe83 |
- 0, 0,
|
|
|
43fe83 |
- };
|
|
|
43fe83 |
+ TLS_CERT_REQ(clientcert4req, cacertreq,
|
|
|
43fe83 |
+ "UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
+ true, true, false,
|
|
|
43fe83 |
+ false, false, 0,
|
|
|
43fe83 |
+ true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
|
|
|
43fe83 |
+ 0, 0);
|
|
|
43fe83 |
/* purpose:client:not-critical */
|
|
|
43fe83 |
- static struct testTLSCertReq clientcert5req = {
|
|
|
43fe83 |
- NULL, NULL, "clientcert5.pem", "UK",
|
|
|
43fe83 |
- "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
- true, true, false,
|
|
|
43fe83 |
- false, false, 0,
|
|
|
43fe83 |
- true, false, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
|
|
|
43fe83 |
- 0, 0,
|
|
|
43fe83 |
- };
|
|
|
43fe83 |
+ TLS_CERT_REQ(clientcert5req, cacertreq,
|
|
|
43fe83 |
+ "UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
+ true, true, false,
|
|
|
43fe83 |
+ false, false, 0,
|
|
|
43fe83 |
+ true, false, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
|
|
|
43fe83 |
+ 0, 0);
|
|
|
43fe83 |
/* purpose:client+client:critical */
|
|
|
43fe83 |
- static struct testTLSCertReq clientcert6req = {
|
|
|
43fe83 |
- NULL, NULL, "clientcert6.pem", "UK",
|
|
|
43fe83 |
- "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
- true, true, false,
|
|
|
43fe83 |
- false, false, 0,
|
|
|
43fe83 |
- true, true, GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
|
|
|
43fe83 |
- 0, 0,
|
|
|
43fe83 |
- };
|
|
|
43fe83 |
+ TLS_CERT_REQ(clientcert6req, cacertreq,
|
|
|
43fe83 |
+ "UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
+ true, true, false,
|
|
|
43fe83 |
+ false, false, 0,
|
|
|
43fe83 |
+ true, true, GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
|
|
|
43fe83 |
+ 0, 0);
|
|
|
43fe83 |
/* purpose:client+client:not-critical */
|
|
|
43fe83 |
- static struct testTLSCertReq clientcert7req = {
|
|
|
43fe83 |
- NULL, NULL, "clientcert7.pem", "UK",
|
|
|
43fe83 |
- "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
- true, true, false,
|
|
|
43fe83 |
- false, false, 0,
|
|
|
43fe83 |
- true, false, GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
|
|
|
43fe83 |
- 0, 0,
|
|
|
43fe83 |
- };
|
|
|
43fe83 |
+ TLS_CERT_REQ(clientcert7req, cacertreq,
|
|
|
43fe83 |
+ "UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
+ true, true, false,
|
|
|
43fe83 |
+ false, false, 0,
|
|
|
43fe83 |
+ true, false, GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER,
|
|
|
43fe83 |
+ 0, 0);
|
|
|
43fe83 |
|
|
|
43fe83 |
DO_CTX_TEST(false, cacertreq, clientcert1req, false);
|
|
|
43fe83 |
DO_CTX_TEST(false, cacertreq, clientcert2req, false);
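Review bot: The labels above the rewritten clientcert6req and clientcert7req blocks read `/* purpose:client+client:critical */` and `/* purpose:client+client:not-critical */`, but the new requests carry GNUTLS_KP_TLS_WWW_CLIENT, GNUTLS_KP_TLS_WWW_SERVER; since the commit rewrites both fixtures, correct them to `/* purpose:client+server:critical */` and `/* purpose:client+server:not-critical */`, matching the servercert12req/servercert13req pair. A second readability point: renumbering servercert1req..servercert10req to servercert7req..servercert16req means the unchanged context line `DO_CTX_TEST(true, cacertreq, servercert7req, false);` now exercises a different fixture (no usage or purpose) than it did before the patch, which is correct but easy to misread when bisecting, so a short comment above that run such as `/* servercert7req..servercert13req: good server certs signed by cacertreq */` would help.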
|
|
|
43fe83 |
@@ -418,32 +420,26 @@ mymain(void)
|
|
|
43fe83 |
/* Bad clients */
|
|
|
43fe83 |
|
|
|
43fe83 |
/* usage:cert-sign:critical */
|
|
|
43fe83 |
- static struct testTLSCertReq clientcert8req = {
|
|
|
43fe83 |
- NULL, NULL, "clientcert8.pem", "UK",
|
|
|
43fe83 |
- "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
- true, true, false,
|
|
|
43fe83 |
- true, true, GNUTLS_KEY_KEY_CERT_SIGN,
|
|
|
43fe83 |
- false, false, NULL, NULL,
|
|
|
43fe83 |
- 0, 0,
|
|
|
43fe83 |
- };
|
|
|
43fe83 |
+ TLS_CERT_REQ(clientcert8req, cacertreq,
|
|
|
43fe83 |
+ "UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
+ true, true, false,
|
|
|
43fe83 |
+ true, true, GNUTLS_KEY_KEY_CERT_SIGN,
|
|
|
43fe83 |
+ false, false, NULL, NULL,
|
|
|
43fe83 |
+ 0, 0);
|
|
|
43fe83 |
/* purpose:client:critical */
|
|
|
43fe83 |
- static struct testTLSCertReq clientcert9req = {
|
|
|
43fe83 |
- NULL, NULL, "clientcert9.pem", "UK",
|
|
|
43fe83 |
- "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
- true, true, false,
|
|
|
43fe83 |
- false, false, 0,
|
|
|
43fe83 |
- true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
|
|
|
43fe83 |
- 0, 0,
|
|
|
43fe83 |
- };
|
|
|
43fe83 |
+ TLS_CERT_REQ(clientcert9req, cacertreq,
|
|
|
43fe83 |
+ "UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
+ true, true, false,
|
|
|
43fe83 |
+ false, false, 0,
|
|
|
43fe83 |
+ true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
|
|
|
43fe83 |
+ 0, 0);
|
|
|
43fe83 |
/* usage: none:critical */
|
|
|
43fe83 |
- static struct testTLSCertReq clientcert10req = {
|
|
|
43fe83 |
- NULL, NULL, "clientcert10.pem", "UK",
|
|
|
43fe83 |
- "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
- true, true, false,
|
|
|
43fe83 |
- true, true, 0,
|
|
|
43fe83 |
- false, false, NULL, NULL,
|
|
|
43fe83 |
- 0, 0,
|
|
|
43fe83 |
- };
|
|
|
43fe83 |
+ TLS_CERT_REQ(clientcert10req, cacertreq,
|
|
|
43fe83 |
+ "UK", "libvirt", NULL, NULL, NULL, NULL,
|
|
|
43fe83 |
+ true, true, false,
|
|
|
43fe83 |
+ true, true, 0,
|
|
|
43fe83 |
+ false, false, NULL, NULL,
|
|
|
43fe83 |
+ 0, 0);
|
|
|
43fe83 |
|
|
|
43fe83 |
DO_CTX_TEST(false, cacertreq, clientcert8req, true);
|
|
|
43fe83 |
DO_CTX_TEST(false, cacertreq, clientcert9req, true);
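Review bot: clientcert9req is labelled `/* purpose:client:critical */` but the new request sets its key purpose to GNUTLS_KP_TLS_WWW_SERVER, which is exactly why it sits under the "Bad clients" heading; the label should read `/* purpose:server:critical */` so the fixture documents the property that is expected to be rejected rather than the one a good client would have. The servercert15req counterpart under "Bad servers" is labelled `purpose:client:critical` and does use GNUTLS_KP_TLS_WWW_CLIENT, so only the client-side label needs the fix.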
|
|
|
43fe83 |
@@ -453,66 +449,114 @@ mymain(void)
/* Expired stuff */
- static struct testTLSCertReq cacertexpreq = {
- NULL, NULL, "cacert.pem", "UK",
- "libvirt", NULL, NULL, NULL, NULL,
- true, true, true,
- true, true, GNUTLS_KEY_KEY_CERT_SIGN,
- false, false, NULL, NULL,
- 0, -1,
- };
- static struct testTLSCertReq servercertexpreq = {
- NULL, NULL, "servercert.pem", "UK",
- "libvirt", NULL, NULL, NULL, NULL,
- true, true, false,
- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
- true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
- 0, -1,
- };
- static struct testTLSCertReq clientcertexpreq = {
- NULL, NULL, "clientcert.pem", "UK",
- "libvirt", NULL, NULL, NULL, NULL,
- true, true, false,
- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
- true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
- 0, -1,
- };
-
- DO_CTX_TEST(true, cacertexpreq, servercertreq, true);
- DO_CTX_TEST(true, cacertreq, servercertexpreq, true);
- DO_CTX_TEST(false, cacertreq, clientcertexpreq, true);
+ TLS_ROOT_REQ(cacertexpreq,
+ "UK", "libvirt", NULL, NULL, NULL, NULL,
+ true, true, true,
+ true, true, GNUTLS_KEY_KEY_CERT_SIGN,
+ false, false, NULL, NULL,
+ 0, -1);
+ TLS_CERT_REQ(servercertexpreq, cacertexpreq,
+ "UK", "libvirt.org", NULL, NULL, NULL, NULL,
+ true, true, false,
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
+ 0, 0);
+ TLS_CERT_REQ(servercertexp1req, cacertreq,
+ "UK", "libvirt", NULL, NULL, NULL, NULL,
+ true, true, false,
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
+ 0, -1);
+ TLS_CERT_REQ(clientcertexp1req, cacertreq,
+ "UK", "libvirt", NULL, NULL, NULL, NULL,
+ true, true, false,
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
+ 0, -1);
+
+ DO_CTX_TEST(true, cacertexpreq, servercertexpreq, true);
+ DO_CTX_TEST(true, cacertreq, servercertexp1req, true);
+ DO_CTX_TEST(false, cacertreq, clientcertexp1req, true);
/* Not activated stuff */
- static struct testTLSCertReq cacertnewreq = {
- NULL, NULL, "cacert.pem", "UK",
- "libvirt", NULL, NULL, NULL, NULL,
- true, true, true,
- true, true, GNUTLS_KEY_KEY_CERT_SIGN,
- false, false, NULL, NULL,
- 1, 2,
- };
- static struct testTLSCertReq servercertnewreq = {
- NULL, NULL, "servercert.pem", "UK",
- "libvirt", NULL, NULL, NULL, NULL,
- true, true, false,
- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
- true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
- 1, 2,
- };
- static struct testTLSCertReq clientcertnewreq = {
- NULL, NULL, "clientcert.pem", "UK",
- "libvirt", NULL, NULL, NULL, NULL,
- true, true, false,
- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
- true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
- 1, 2,
- };
-
- DO_CTX_TEST(true, cacertnewreq, servercertreq, true);
- DO_CTX_TEST(true, cacertreq, servercertnewreq, true);
- DO_CTX_TEST(false, cacertreq, clientcertnewreq, true);
+ TLS_ROOT_REQ(cacertnewreq,
+ "UK", "libvirt", NULL, NULL, NULL, NULL,
+ true, true, true,
+ true, true, GNUTLS_KEY_KEY_CERT_SIGN,
+ false, false, NULL, NULL,
+ 1, 2);
+ TLS_CERT_REQ(servercertnewreq, cacertnewreq,
+ "UK", "libvirt", NULL, NULL, NULL, NULL,
+ true, true, false,
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
+ 0, 0);
+ TLS_CERT_REQ(servercertnew1req, cacertreq,
+ "UK", "libvirt", NULL, NULL, NULL, NULL,
+ true, true, false,
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
+ 1, 2);
+ TLS_CERT_REQ(clientcertnew1req, cacertreq,
+ "UK", "libvirt", NULL, NULL, NULL, NULL,
+ true, true, false,
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
+ 1, 2);
+
+ DO_CTX_TEST(true, cacertnewreq, servercertnewreq, true);
+ DO_CTX_TEST(true, cacertreq, servercertnew1req, true);
+ DO_CTX_TEST(false, cacertreq, clientcertnew1req, true);
+
+ testTLSDiscardCert(&cacertreq);
+ testTLSDiscardCert(&cacert1req);
+ testTLSDiscardCert(&cacert2req);
+ testTLSDiscardCert(&cacert3req);
+ testTLSDiscardCert(&cacert4req);
+ testTLSDiscardCert(&cacert5req);
+ testTLSDiscardCert(&cacert6req);
+
+ testTLSDiscardCert(&servercertreq);
+ testTLSDiscardCert(&servercert1req);
+ testTLSDiscardCert(&servercert2req);
+ testTLSDiscardCert(&servercert3req);
+ testTLSDiscardCert(&servercert4req);
+ testTLSDiscardCert(&servercert5req);
+ testTLSDiscardCert(&servercert6req);
+ testTLSDiscardCert(&servercert7req);
+ testTLSDiscardCert(&servercert8req);
+ testTLSDiscardCert(&servercert9req);
+ testTLSDiscardCert(&servercert10req);
+ testTLSDiscardCert(&servercert11req);
+ testTLSDiscardCert(&servercert12req);
+ testTLSDiscardCert(&servercert13req);
+ testTLSDiscardCert(&servercert14req);
+ testTLSDiscardCert(&servercert15req);
+ testTLSDiscardCert(&servercert16req);
+
+ testTLSDiscardCert(&clientcertreq);
+ testTLSDiscardCert(&clientcert1req);
+ testTLSDiscardCert(&clientcert2req);
+ testTLSDiscardCert(&clientcert3req);
+ testTLSDiscardCert(&clientcert4req);
+ testTLSDiscardCert(&clientcert5req);
+ testTLSDiscardCert(&clientcert6req);
+ testTLSDiscardCert(&clientcert7req);
+ testTLSDiscardCert(&clientcert8req);
+ testTLSDiscardCert(&clientcert9req);
+ testTLSDiscardCert(&clientcert10req);
+
+ testTLSDiscardCert(&cacertexpreq);
+ testTLSDiscardCert(&servercertexpreq);
+ testTLSDiscardCert(&servercertexp1req);
+ testTLSDiscardCert(&clientcertexp1req);
+
+ testTLSDiscardCert(&cacertnewreq);
+ testTLSDiscardCert(&servercertnewreq);
+ testTLSDiscardCert(&servercertnew1req);
+ testTLSDiscardCert(&clientcertnew1req);
testTLSCleanup();
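Review bot: `servercertexpreq` is built from `cacertexpreq` with offsets `0, 0`, so despite its name it is a currently valid leaf whose issuer is expired, while the server certificate that actually expires is `servercertexp1req` with `0, -1`; `servercertnewreq` and `servercertnew1req` in the not-activated block follow the same split. Because `DO_CTX_TEST(true, cacertexpreq, servercertexpreq, true)` is expected to fail on the CA alone, the intent is clearer with a comment above each of those two requests, `/* valid leaf issued by an expired (resp. not yet valid) CA; the leaf's own case is the *1req below */`, or with names such as `servercertexpcareq` and `servercertnewcareq`. `servercertexpreq` is also the only request in these two blocks with CN "libvirt.org" instead of "libvirt"; it looks accidental and is worth aligning with its neighbours. mymain() begins before this hunk.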
diff --git a/tests/virnettlshelpers.c b/tests/virnettlshelpers.c
index 96b2f6e..8236e82 100644
--- a/tests/virnettlshelpers.c
+++ b/tests/virnettlshelpers.c
@@ -152,7 +152,8 @@ static void testTLSDerEncode(ASN1_TYPE src,
* TLS certificate code
*/
void
-testTLSGenerateCert(struct testTLSCertReq *req)
+testTLSGenerateCert(struct testTLSCertReq *req,
+ gnutls_x509_crt_t ca)
{
gnutls_x509_crt_t crt;
int err;
@@ -379,10 +380,10 @@ testTLSGenerateCert(struct testTLSCertReq *req)
/*
- * If no 'cart' is set then we are self signing
- * the cert. This is done for CA certs
+ * If no 'ca' is set then we are self signing
+ * the cert. This is done for the root CA certs
*/
- if ((err = gnutls_x509_crt_sign(crt, req->cacrt ? req->cacrt : crt, privkey) < 0)) {
+ if ((err = gnutls_x509_crt_sign(crt, ca ? ca : crt, privkey) < 0)) {
VIR_WARN("Failed to sign certificate %s", gnutls_strerror(err));
abort();
}
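Review bot: The rewritten sign call on the `+` line keeps the misplaced parenthesis: `err = gnutls_x509_crt_sign(...) < 0` assigns the result of the comparison, so `err` is 0 or 1 and the `VIR_WARN` below prints `gnutls_strerror(1)` rather than the GnuTLS error actually returned. Since the line is being rewritten anyway, close the assignment before comparing: `if ((err = gnutls_x509_crt_sign(crt, ca ? ca : crt, privkey)) < 0) {`. The body of testTLSGenerateCert begins before and continues after this hunk.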
diff --git a/tests/virnettlshelpers.h b/tests/virnettlshelpers.h
index 3ea9978..50a4ba1 100644
--- a/tests/virnettlshelpers.h
+++ b/tests/virnettlshelpers.h
@@ -36,7 +36,6 @@ extern const char *keyfile;
*/
struct testTLSCertReq {
gnutls_x509_crt_t crt;
- gnutls_x509_crt_t cacrt; /* If not set, then the cert will be self-signed */
const char *filename;
@@ -70,7 +69,8 @@ struct testTLSCertReq {
int expire_offset;
};
-void testTLSGenerateCert(struct testTLSCertReq *req);
+void testTLSGenerateCert(struct testTLSCertReq *req,
+ gnutls_x509_crt_t ca);
void testTLSDiscardCert(struct testTLSCertReq *req);
void testTLSInit(void);
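Review bot: The new `ca` parameter of `testTLSGenerateCert` is undocumented at the declaration, and the `cacrt` field comment that used to say "If not set, then the cert will be self-signed" is dropped in the previous hunk, so the header no longer tells a caller that NULL is accepted. Add above the prototype: `/* Generate req->crt, signed by @ca; pass NULL to self-sign (root CA). */`. Since the test macros now pass `cavarname.crt` from another request, it is also worth stating that the issuing request must already have been generated and not yet handed to testTLSDiscardCert.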
diff --git a/tests/virnettlssessiontest.c b/tests/virnettlssessiontest.c
index 9c5b3ca..370ba52 100644
--- a/tests/virnettlssessiontest.c
+++ b/tests/virnettlssessiontest.c
@@ -100,20 +100,6 @@ static int testTLSSessionInit(const void *opaque)
ignore_value(virSetNonBlock(channel[1]));
- /* Generate all the certs we need for this test */
- testTLSGenerateCert(&data->careq);
- data->serverreq.cacrt = data->careq.crt;
- testTLSGenerateCert(&data->serverreq);
-
- if (data->othercareq.filename) {
- testTLSGenerateCert(&data->othercareq);
- data->clientreq.cacrt = data->othercareq.crt;
- } else {
- data->clientreq.cacrt = data->careq.crt;
- }
- testTLSGenerateCert(&data->clientreq);
-
-
/* We skip initial sanity checks here because we
* want to make sure that problems are being
* detected at the TLS session validation stage
@@ -243,12 +229,6 @@ cleanup:
virObjectUnref(serverSess);
virObjectUnref(clientSess);
- testTLSDiscardCert(&data->careq);
- if (data->othercareq.filename)
- testTLSDiscardCert(&data->othercareq);
- testTLSDiscardCert(&data->clientreq);
- testTLSDiscardCert(&data->serverreq);
-
VIR_FORCE_CLOSE(channel[0]);
VIR_FORCE_CLOSE(channel[1]);
return ret;
@@ -275,7 +255,8 @@ mymain(void)
data.expectClientFail = _expectClientFail; \
data.hostname = _hostname; \
data.wildcards = _wildcards; \
- if (virtTestRun("TLS Session", 1, testTLSSessionInit, &data) < 0) \
+ if (virtTestRun("TLS Session " #_serverReq " + " #_clientReq, \
+ 1, testTLSSessionInit, &data) < 0) \
ret = -1; \
} while (0)
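Review bot: The test name built on the `+` line uses only `_serverReq` and `_clientReq`, so runs that differ only in hostname or wildcard list still print an identical label; later in mymain the `servercertalt1req`/`clientcertreq` pair is run for "libvirt.org" and for "www.libvirt.org", and `servercertreq`/`clientcertreq` for several wildcard sets, all reported under the same "TLS Session" line. Appending the hostname, `"TLS Session " #_serverReq " + " #_clientReq " @ " #_hostname,`, keeps a failure attributable from the test output alone. The second virtTestRun line of the same shape in the next hunk (`@@ -292,68 +273,87 @@`) has the same limitation. The macro this line belongs to starts before the hunk.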
@@ -292,68 +273,87 @@ mymain(void)
data.expectClientFail = _expectClientFail; \
data.hostname = _hostname; \
data.wildcards = _wildcards; \
- if (virtTestRun("TLS Session", 1, testTLSSessionInit, &data) < 0) \
+ if (virtTestRun("TLS Session " #_serverReq " + " #_clientReq, \
+ 1, testTLSSessionInit, &data) < 0) \
ret = -1; \
} while (0)
+# define TLS_CERT_REQ(varname, cavarname, \
+ co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
+ kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo) \
+ static struct testTLSCertReq varname = { \
+ NULL, #varname ".pem", \
+ co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
+ kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, so \
+ }; \
+ testTLSGenerateCert(&varname, cavarname.crt)
+
+# define TLS_ROOT_REQ(varname, \
+ co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
+ kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo) \
+ static struct testTLSCertReq varname = { \
+ NULL, #varname ".pem", \
+ co, cn, an1, an2, ia1, ia2, bce, bcc, bci, \
+ kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, so \
+ }; \
+ testTLSGenerateCert(&varname, NULL)
+
/* A perfect CA, perfect client & perfect server */
/* Basic:CA:critical */
- static struct testTLSCertReq cacertreq = {
- NULL, NULL, "cacert.pem", "UK",
- "libvirt CA", NULL, NULL, NULL, NULL,
- true, true, true,
- true, true, GNUTLS_KEY_KEY_CERT_SIGN,
- false, false, NULL, NULL,
- 0, 0,
- };
- static struct testTLSCertReq cacert1req = {
- NULL, NULL, "cacert1.pem", "UK",
- "libvirt CA 1", NULL, NULL, NULL, NULL,
- true, true, true,
- false, false, 0,
- false, false, NULL, NULL,
- 0, 0,
- };
- static struct testTLSCertReq servercertreq = {
- NULL, NULL, "servercert.pem", "UK",
- "libvirt.org", NULL, NULL, NULL, NULL,
- true, true, false,
- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
- true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
- 0, 0,
- };
- static struct testTLSCertReq clientcertreq = {
- NULL, NULL, "clientcert.pem", "UK",
- "libvirt", NULL, NULL, NULL, NULL,
- true, true, false,
- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
- true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
- 0, 0,
- };
+ TLS_ROOT_REQ(cacertreq,
+ "UK", "libvirt CA", NULL, NULL, NULL, NULL,
+ true, true, true,
+ true, true, GNUTLS_KEY_KEY_CERT_SIGN,
+ false, false, NULL, NULL,
+ 0, 0);
+
+ TLS_ROOT_REQ(altcacertreq,
+ "UK", "libvirt CA 1", NULL, NULL, NULL, NULL,
+ true, true, true,
+ false, false, 0,
+ false, false, NULL, NULL,
+ 0, 0);
+
+ TLS_CERT_REQ(servercertreq, cacertreq,
+ "UK", "libvirt.org", NULL, NULL, NULL, NULL,
+ true, true, false,
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
+ 0, 0);
+ TLS_CERT_REQ(clientcertreq, cacertreq,
+ "UK", "libvirt", NULL, NULL, NULL, NULL,
+ true, true, false,
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
+ 0, 0);
+
+ TLS_CERT_REQ(clientcertaltreq, altcacertreq,
+ "UK", "libvirt", NULL, NULL, NULL, NULL,
+ true, true, false,
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL,
+ 0, 0);
DO_SESS_TEST(cacertreq, servercertreq, clientcertreq, false, false, "libvirt.org", NULL);
- DO_SESS_TEST_EXT(cacertreq, cacert1req, servercertreq, clientcertreq, true, true, "libvirt.org", NULL);
+ DO_SESS_TEST_EXT(cacertreq, altcacertreq, servercertreq, clientcertaltreq, true, true, "libvirt.org", NULL);
+
/* When an altname is set, the CN is ignored, so it must be duplicated
* as an altname for it to match */
- static struct testTLSCertReq servercertalt1req = {
- NULL, NULL, "servercert.pem", "UK",
- "libvirt.org", "www.libvirt.org", "libvirt.org", "192.168.122.1", "fec0::dead:beaf",
- true, true, false,
- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
- true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
- 0, 0,
- };
+ TLS_CERT_REQ(servercertalt1req, cacertreq,
+ "UK", "libvirt.org", "www.libvirt.org", "libvirt.org", "192.168.122.1", "fec0::dead:beaf",
+ true, true, false,
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
+ 0, 0);
/* This intentionally doesn't replicate */
- static struct testTLSCertReq servercertalt2req = {
- NULL, NULL, "servercert.pem", "UK",
- "libvirt.org", "www.libvirt.org", "wiki.libvirt.org", "192.168.122.1", "fec0::dead:beaf",
- true, true, false,
- true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
- true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
- 0, 0,
- };
+ TLS_CERT_REQ(servercertalt2req, cacertreq,
+ "UK", "libvirt.org", "www.libvirt.org", "wiki.libvirt.org", "192.168.122.1", "fec0::dead:beaf",
+ true, true, false,
+ true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,
+ true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
+ 0, 0);
DO_SESS_TEST(cacertreq, servercertalt1req, clientcertreq, false, false, "libvirt.org", NULL);
DO_SESS_TEST(cacertreq, servercertalt1req, clientcertreq, false, false, "www.libvirt.org", NULL);
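Review bot: Both `TLS_CERT_REQ` and `TLS_ROOT_REQ` declare a trailing `eo` parameter but initialise the last two struct members with `so, so`, so `eo` is never used and `expire_offset` always equals `start_offset`. Every request in this file passes `0, 0`, so the session tests are unaffected, but the "Expired stuff" and "Not activated stuff" blocks of virnettlscontexttest.c pass `0, -1` and `1, 2` through macros of the same name; if that file's definitions (they precede the hunks shown) have the same body, those cases stop producing the expired and not-yet-valid certificates they exist to exercise. Change the initializer line in both macros to `kue, kuc, kuv, kpe, kpc, kpo1, kpo2, so, eo \`. mymain() begins before this hunk and continues after it.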
@@ -396,6 +396,16 @@ mymain(void)
DO_SESS_TEST(cacertreq, servercertreq, clientcertreq, false, false, "libvirt.org", wildcards5);
DO_SESS_TEST(cacertreq, servercertreq, clientcertreq, false, false, "libvirt.org", wildcards6);
+ testTLSDiscardCert(&clientcertreq);
+ testTLSDiscardCert(&clientcertaltreq);
+
+ testTLSDiscardCert(&servercertreq);
+ testTLSDiscardCert(&servercertalt1req);
+ testTLSDiscardCert(&servercertalt2req);
+
+ testTLSDiscardCert(&cacertreq);
+ testTLSDiscardCert(&altcacertreq);
+
testTLSCleanup();
return ret==0 ? EXIT_SUCCESS : EXIT_FAILURE;
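Review bot: The files released here are named by the macro from the variable name (`NULL, #varname ".pem"` in the previous hunk), and virnettlscontexttest.c defines `cacertreq`, `servercertreq` and `clientcertreq` as well, so both test programs create and presumably unlink `cacertreq.pem`, `servercertreq.pem` and `clientcertreq.pem`. If the two binaries run concurrently from the same directory (a parallel `make check`), one can remove or overwrite the other's certificate mid-run and cause intermittent failures that are hard to reproduce. Giving each program its own suffix in the macros, `NULL, #varname "-sess.pem", \` here and a `-ctx.pem` variant in the context test, keeps the files apart. mymain() begins before this hunk.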
--
1.8.3.2