qemu-e2k/tests/qemu-iotests/common.tls

#!/bin/bash
#
# Helpers for TLS related config
#
# Copyright (C) 2018 Red Hat, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

tls_dir="${TEST_DIR}/tls"

tls_x509_cleanup()
{
    rm -f "${tls_dir}"/*.pem
    rm -f "${tls_dir}"/*/*.pem
    rmdir "${tls_dir}"/*
    rmdir "${tls_dir}"
}


tls_x509_init()
{
    (certtool --help) >/dev/null 2>&1 || \
	_notrun "certtool utility not found, skipping test"

    mkdir -p "${tls_dir}"

    # use a fixed key so we don't waste system entropy on
    # each test run
    cat > "${tls_dir}/key.pem" <<EOF
-----BEGIN PRIVATE KEY-----
MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBALVcr
BL40Tm6yq88FBhJNw1aaoCjmtg0l4dWQZ/e9Fimx4ARxFpT+ji4FE
Cgl9s/SGqC+1nvlkm9ViSo0j7MKDbnDB+VRHDvMAzQhA2X7e8M0n9
rPolUY2lIVC83q0BBaOBkCj2RSmT2xTEbbC2xLukSrg2WP/ihVOxc
kXRuyFtzAgMBAAECgYB7slBexDwXrtItAMIH6m/U+LUpNe0Xx48OL
IOn4a4whNgO/o84uIwygUK27ZGFZT0kAGAk8CdF9hA6ArcbQ62s1H
myxrUbF9/mrLsQw1NEqpuUk9Ay2Tx5U/wPx35S3W/X2AvR/ZpTnCn
2q/7ym9fyiSoj86drD7BTvmKXlOnOwQJBAPOFMp4mMa9NGpGuEssO
m3Uwbp6lhcP0cA9MK+iOmeANpoKWfBdk5O34VbmeXnGYWEkrnX+9J
bM4wVhnnBWtgBMCQQC+qAEmvwcfhauERKYznMVUVksyeuhxhCe7EK
mPh+U2+g0WwdKvGDgO0PPt1gq0ILEjspMDeMHVdTwkaVBo/uMhAkA
Z5SsZyCP2aTOPFDypXRdI4eqRcjaEPOUBq27r3uYb/jeboVb2weLa
L1MmVuHiIHoa5clswPdWVI2y0em2IGoDAkBPSp/v9VKJEZabk9Frd
a+7u4fanrM9QrEjY3KhduslSilXZZSxrWjjAJPyPiqFb3M8XXA26W
nz1KYGnqYKhLcBAkB7dt57n9xfrhDpuyVEv+Uv1D3VVAhZlsaZ5Pp
dcrhrkJn2sa/+O8OKvdrPSeeu/N5WwYhJf61+CPoenMp7IFci
-----END PRIVATE KEY-----
EOF
}


tls_x509_create_root_ca()
{
    name=${1:-ca-cert}

    cat > "${tls_dir}/ca.info" <<EOF
cn = Cthulhu Dark Lord Enterprises $name
ca
cert_signing_key
EOF

    certtool --generate-self-signed \
             --load-privkey "${tls_dir}/key.pem" \
             --template "${tls_dir}/ca.info" \
             --outfile "${tls_dir}/$name-cert.pem" 2>&1 | head -1

    rm -f "${tls_dir}/ca.info"
}


tls_x509_create_server()
{
    caname=$1
    name=$2

    mkdir -p "${tls_dir}/$name"
    cat > "${tls_dir}/cert.info" <<EOF
organization = Cthulhu Dark Lord Enterprises $name
cn = localhost
dns_name = localhost
dns_name = localhost.localdomain
ip_address = 127.0.0.1
ip_address = ::1
tls_www_server
encryption_key
signing_key
EOF

    certtool --generate-certificate \
             --load-ca-privkey "${tls_dir}/key.pem" \
             --load-ca-certificate "${tls_dir}/$caname-cert.pem" \
             --load-privkey "${tls_dir}/key.pem" \
             --template "${tls_dir}/cert.info" \
             --outfile "${tls_dir}/$name/server-cert.pem" 2>&1 | head -1
    ln -s "${tls_dir}/$caname-cert.pem" "${tls_dir}/$name/ca-cert.pem"
    ln -s "${tls_dir}/key.pem" "${tls_dir}/$name/server-key.pem"

    rm -f "${tls_dir}/cert.info"
}


tls_x509_create_client()
{
    caname=$1
    name=$2

    mkdir -p "${tls_dir}/$name"
    cat > "${tls_dir}/cert.info" <<EOF
country = South Pacific
locality =  R'lyeh
organization = Cthulhu Dark Lord Enterprises $name
cn = localhost
tls_www_client
encryption_key
signing_key
EOF

    certtool --generate-certificate \
             --load-ca-privkey "${tls_dir}/key.pem" \
             --load-ca-certificate "${tls_dir}/$caname-cert.pem" \
             --load-privkey "${tls_dir}/key.pem" \
             --template "${tls_dir}/cert.info" \
             --outfile "${tls_dir}/$name/client-cert.pem" 2>&1 | head -1
    ln -s "${tls_dir}/$caname-cert.pem" "${tls_dir}/$name/ca-cert.pem"
    ln -s "${tls_dir}/key.pem" "${tls_dir}/$name/client-key.pem"

    rm -f "${tls_dir}/cert.info"
}
tests: add iotests helpers for dealing with TLS certificates Add helpers to common.tls for creating TLS certificates for a CA, server and client. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Message-Id: <20181116155325.22428-6-berrange@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> [eblake: spelling and quoting touchups] Signed-off-by: Eric Blake <eblake@redhat.com> 2018-11-16 16:53:24 +01:00			`#!/bin/bash`
			`#`
			`# Helpers for TLS related config`
			`#`
			`# Copyright (C) 2018 Red Hat, Inc.`
			`#`
			`# This program is free software; you can redistribute it and/or modify`
			`# it under the terms of the GNU General Public License as published by`
			`# the Free Software Foundation; either version 2 of the License, or`
			`# (at your option) any later version.`
			`#`
			`# This program is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU General Public License for more details.`
			`#`
			`# You should have received a copy of the GNU General Public License`
			`# along with this program. If not, see <http://www.gnu.org/licenses/>.`
			`#`

			`tls_dir="${TEST_DIR}/tls"`

iotests: Drop use of bash keyword 'function' Bash allows functions to be declared with or without the leading keyword 'function'; but including the keyword does not comply with POSIX syntax, and is confusing to ksh users where the use of the keyword changes the scoping rules for functions. Stick to the POSIX form through iotests. Done mechanically with: sed -i 's/^function //' $(git ls-files tests/qemu-iotests) Signed-off-by: Eric Blake <eblake@redhat.com> Message-Id: <20181116215002.2124581-1-eblake@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> 2018-11-16 22:50:02 +01:00			`tls_x509_cleanup()`
tests: add iotests helpers for dealing with TLS certificates Add helpers to common.tls for creating TLS certificates for a CA, server and client. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Message-Id: <20181116155325.22428-6-berrange@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> [eblake: spelling and quoting touchups] Signed-off-by: Eric Blake <eblake@redhat.com> 2018-11-16 16:53:24 +01:00			`{`
			`rm -f "${tls_dir}"/*.pem`
			`rm -f "${tls_dir}"//.pem`
			`rmdir "${tls_dir}"/*`
			`rmdir "${tls_dir}"`
			`}`


iotests: Drop use of bash keyword 'function' Bash allows functions to be declared with or without the leading keyword 'function'; but including the keyword does not comply with POSIX syntax, and is confusing to ksh users where the use of the keyword changes the scoping rules for functions. Stick to the POSIX form through iotests. Done mechanically with: sed -i 's/^function //' $(git ls-files tests/qemu-iotests) Signed-off-by: Eric Blake <eblake@redhat.com> Message-Id: <20181116215002.2124581-1-eblake@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> 2018-11-16 22:50:02 +01:00			`tls_x509_init()`
tests: add iotests helpers for dealing with TLS certificates Add helpers to common.tls for creating TLS certificates for a CA, server and client. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Message-Id: <20181116155325.22428-6-berrange@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> [eblake: spelling and quoting touchups] Signed-off-by: Eric Blake <eblake@redhat.com> 2018-11-16 16:53:24 +01:00			`{`
iotests: Skip 233 if certtool not installed The use of TLS while building qemu is optional. While the 'certtool' binary should be available on every platform that supports building against TLS, that does not imply that the developer has installed it. Make the test gracefully skip in that case. Reported-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Eric Blake <eblake@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Wainer dos Santos Moschetta <wainersm@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> 2018-11-20 23:52:41 +01:00			`(certtool --help) >/dev/null 2>&1 \|\| \`
			`_notrun "certtool utility not found, skipping test"`

tests: add iotests helpers for dealing with TLS certificates Add helpers to common.tls for creating TLS certificates for a CA, server and client. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Message-Id: <20181116155325.22428-6-berrange@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> [eblake: spelling and quoting touchups] Signed-off-by: Eric Blake <eblake@redhat.com> 2018-11-16 16:53:24 +01:00			`mkdir -p "${tls_dir}"`

			`# use a fixed key so we don't waste system entropy on`
			`# each test run`
			`cat > "${tls_dir}/key.pem" <<EOF`
			`-----BEGIN PRIVATE KEY-----`
			`MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBALVcr`
			`BL40Tm6yq88FBhJNw1aaoCjmtg0l4dWQZ/e9Fimx4ARxFpT+ji4FE`
			`Cgl9s/SGqC+1nvlkm9ViSo0j7MKDbnDB+VRHDvMAzQhA2X7e8M0n9`
			`rPolUY2lIVC83q0BBaOBkCj2RSmT2xTEbbC2xLukSrg2WP/ihVOxc`
			`kXRuyFtzAgMBAAECgYB7slBexDwXrtItAMIH6m/U+LUpNe0Xx48OL`
			`IOn4a4whNgO/o84uIwygUK27ZGFZT0kAGAk8CdF9hA6ArcbQ62s1H`
			`myxrUbF9/mrLsQw1NEqpuUk9Ay2Tx5U/wPx35S3W/X2AvR/ZpTnCn`
			`2q/7ym9fyiSoj86drD7BTvmKXlOnOwQJBAPOFMp4mMa9NGpGuEssO`
			`m3Uwbp6lhcP0cA9MK+iOmeANpoKWfBdk5O34VbmeXnGYWEkrnX+9J`
			`bM4wVhnnBWtgBMCQQC+qAEmvwcfhauERKYznMVUVksyeuhxhCe7EK`
			`mPh+U2+g0WwdKvGDgO0PPt1gq0ILEjspMDeMHVdTwkaVBo/uMhAkA`
			`Z5SsZyCP2aTOPFDypXRdI4eqRcjaEPOUBq27r3uYb/jeboVb2weLa`
			`L1MmVuHiIHoa5clswPdWVI2y0em2IGoDAkBPSp/v9VKJEZabk9Frd`
			`a+7u4fanrM9QrEjY3KhduslSilXZZSxrWjjAJPyPiqFb3M8XXA26W`
			`nz1KYGnqYKhLcBAkB7dt57n9xfrhDpuyVEv+Uv1D3VVAhZlsaZ5Pp`
			`dcrhrkJn2sa/+O8OKvdrPSeeu/N5WwYhJf61+CPoenMp7IFci`
			`-----END PRIVATE KEY-----`
			`EOF`
			`}`


iotests: Drop use of bash keyword 'function' Bash allows functions to be declared with or without the leading keyword 'function'; but including the keyword does not comply with POSIX syntax, and is confusing to ksh users where the use of the keyword changes the scoping rules for functions. Stick to the POSIX form through iotests. Done mechanically with: sed -i 's/^function //' $(git ls-files tests/qemu-iotests) Signed-off-by: Eric Blake <eblake@redhat.com> Message-Id: <20181116215002.2124581-1-eblake@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> 2018-11-16 22:50:02 +01:00			`tls_x509_create_root_ca()`
tests: add iotests helpers for dealing with TLS certificates Add helpers to common.tls for creating TLS certificates for a CA, server and client. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Message-Id: <20181116155325.22428-6-berrange@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> [eblake: spelling and quoting touchups] Signed-off-by: Eric Blake <eblake@redhat.com> 2018-11-16 16:53:24 +01:00			`{`
			`name=${1:-ca-cert}`

			`cat > "${tls_dir}/ca.info" <<EOF`
			`cn = Cthulhu Dark Lord Enterprises $name`
			`ca`
			`cert_signing_key`
			`EOF`

			`certtool --generate-self-signed \`
			`--load-privkey "${tls_dir}/key.pem" \`
			`--template "${tls_dir}/ca.info" \`
			`--outfile "${tls_dir}/$name-cert.pem" 2>&1 \| head -1`

			`rm -f "${tls_dir}/ca.info"`
			`}`


iotests: Drop use of bash keyword 'function' Bash allows functions to be declared with or without the leading keyword 'function'; but including the keyword does not comply with POSIX syntax, and is confusing to ksh users where the use of the keyword changes the scoping rules for functions. Stick to the POSIX form through iotests. Done mechanically with: sed -i 's/^function //' $(git ls-files tests/qemu-iotests) Signed-off-by: Eric Blake <eblake@redhat.com> Message-Id: <20181116215002.2124581-1-eblake@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> 2018-11-16 22:50:02 +01:00			`tls_x509_create_server()`
tests: add iotests helpers for dealing with TLS certificates Add helpers to common.tls for creating TLS certificates for a CA, server and client. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Message-Id: <20181116155325.22428-6-berrange@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> [eblake: spelling and quoting touchups] Signed-off-by: Eric Blake <eblake@redhat.com> 2018-11-16 16:53:24 +01:00			`{`
			`caname=$1`
			`name=$2`

			`mkdir -p "${tls_dir}/$name"`
			`cat > "${tls_dir}/cert.info" <<EOF`
			`organization = Cthulhu Dark Lord Enterprises $name`
			`cn = localhost`
			`dns_name = localhost`
			`dns_name = localhost.localdomain`
			`ip_address = 127.0.0.1`
			`ip_address = ::1`
			`tls_www_server`
			`encryption_key`
			`signing_key`
			`EOF`

			`certtool --generate-certificate \`
			`--load-ca-privkey "${tls_dir}/key.pem" \`
			`--load-ca-certificate "${tls_dir}/$caname-cert.pem" \`
			`--load-privkey "${tls_dir}/key.pem" \`
			`--template "${tls_dir}/cert.info" \`
			`--outfile "${tls_dir}/$name/server-cert.pem" 2>&1 \| head -1`
			`ln -s "${tls_dir}/$caname-cert.pem" "${tls_dir}/$name/ca-cert.pem"`
			`ln -s "${tls_dir}/key.pem" "${tls_dir}/$name/server-key.pem"`

			`rm -f "${tls_dir}/cert.info"`
			`}`


iotests: Drop use of bash keyword 'function' Bash allows functions to be declared with or without the leading keyword 'function'; but including the keyword does not comply with POSIX syntax, and is confusing to ksh users where the use of the keyword changes the scoping rules for functions. Stick to the POSIX form through iotests. Done mechanically with: sed -i 's/^function //' $(git ls-files tests/qemu-iotests) Signed-off-by: Eric Blake <eblake@redhat.com> Message-Id: <20181116215002.2124581-1-eblake@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> 2018-11-16 22:50:02 +01:00			`tls_x509_create_client()`
tests: add iotests helpers for dealing with TLS certificates Add helpers to common.tls for creating TLS certificates for a CA, server and client. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Message-Id: <20181116155325.22428-6-berrange@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> [eblake: spelling and quoting touchups] Signed-off-by: Eric Blake <eblake@redhat.com> 2018-11-16 16:53:24 +01:00			`{`
			`caname=$1`
			`name=$2`

			`mkdir -p "${tls_dir}/$name"`
			`cat > "${tls_dir}/cert.info" <<EOF`
			`country = South Pacific`
			`locality = R'lyeh`
			`organization = Cthulhu Dark Lord Enterprises $name`
			`cn = localhost`
			`tls_www_client`
			`encryption_key`
			`signing_key`
			`EOF`

			`certtool --generate-certificate \`
			`--load-ca-privkey "${tls_dir}/key.pem" \`
			`--load-ca-certificate "${tls_dir}/$caname-cert.pem" \`
			`--load-privkey "${tls_dir}/key.pem" \`
			`--template "${tls_dir}/cert.info" \`
			`--outfile "${tls_dir}/$name/client-cert.pem" 2>&1 \| head -1`
			`ln -s "${tls_dir}/$caname-cert.pem" "${tls_dir}/$name/ca-cert.pem"`
			`ln -s "${tls_dir}/key.pem" "${tls_dir}/$name/client-key.pem"`

			`rm -f "${tls_dir}/cert.info"`
			`}`