10cc95c38f
This validates that connections to an NBD server running on a UNIX socket can use TLS with pre-shared keys (PSK). Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Message-Id: <20220304193610.3293146-13-berrange@redhat.com> [eblake: squash in rebase fix] Tested-by: Eric Blake <eblake@redhat.com> Signed-off-by: Eric Blake <eblake@redhat.com>
203 lines
6.1 KiB
Bash
203 lines
6.1 KiB
Bash
#!/usr/bin/env bash
|
|
#
|
|
# Helpers for TLS related config
|
|
#
|
|
# Copyright (C) 2018 Red Hat, Inc.
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation; either version 2 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
#
|
|
|
|
tls_dir="${TEST_DIR}/tls"
|
|
|
|
tls_x509_cleanup()
|
|
{
|
|
rm -f "${tls_dir}"/*.pem
|
|
rm -f "${tls_dir}"/*/*.pem
|
|
rm -f "${tls_dir}"/*/*.psk
|
|
rmdir "${tls_dir}"/*
|
|
rmdir "${tls_dir}"
|
|
}
|
|
|
|
|
|
tls_certtool()
|
|
{
|
|
certtool "$@" 1>"${tls_dir}"/certtool.log 2>&1
|
|
if test "$?" = 0; then
|
|
head -1 "${tls_dir}"/certtool.log
|
|
else
|
|
cat "${tls_dir}"/certtool.log
|
|
fi
|
|
rm -f "${tls_dir}"/certtool.log
|
|
}
|
|
|
|
tls_psktool()
|
|
{
|
|
psktool "$@" 1>"${tls_dir}"/psktool.log 2>&1
|
|
if test "$?" = 0; then
|
|
head -1 "${tls_dir}"/psktool.log
|
|
else
|
|
cat "${tls_dir}"/psktool.log
|
|
fi
|
|
rm -f "${tls_dir}"/psktool.log
|
|
}
|
|
|
|
|
|
tls_x509_init()
|
|
{
|
|
(certtool --help) >/dev/null 2>&1 || \
|
|
_notrun "certtool utility not found, skipping test"
|
|
|
|
mkdir -p "${tls_dir}"
|
|
|
|
# use a fixed key so we don't waste system entropy on
|
|
# each test run
|
|
cat > "${tls_dir}/key.pem" <<EOF
|
|
-----BEGIN RSA PRIVATE KEY-----
|
|
MIIG5AIBAAKCAYEAyjWyLSNm5PZvYUKUcDWGqbLX10b2ood+YaFjWSnJrqx/q3qh
|
|
rVGBJglD25AJENJsmZF3zPP1oMhfIxsXu63Hdkb6Rdlc2RUoUP34x9VC1izH25mR
|
|
6c8DPDp1d6IraZ/llDMI1HsBFz0qGWtvOHgm815XG4PAr/N8rDsuqfv/cJ01KlnO
|
|
0OdO5QRXCJf9g/dYd41MPu7wOXk9FqjQlmRoP59HgtJ+zUpE4z+Keruw9cMT9VJj
|
|
0oT+pQ9ysenqeZ3gbT224T1khrEhT5kifhtFLNyDssRchUUWH0hiqoOO1vgb+850
|
|
W6/1VdxvuPam48py4diSPi1Vip8NITCOBaX9FIpVp4Ruw4rTPVMNMjq9Cpx/DwMP
|
|
9MbfXfnaVaZaMrmq67/zPhl0eVbUrecH2hQ3ZB9oIF4GkNskzlWF5+yPy6zqk304
|
|
AKaiFR6jRyh3YfHo2XFqV8x/hxdsIEXOtEUGhSIcpynsW+ckUCartzu7xbhXjd4b
|
|
kxJT89+riPFYij09AgMBAAECggGBAKyFkaZXXROeejrmHlV6JZGlp+fhgM38gkRz
|
|
+Jp7P7rLLAY3E7gXIPQ91WqAAmwazFNdvHPd9USfkCQYmnAi/VoZhrCPmlsQZRxt
|
|
A5QjjOnEvSPMa6SrXZxGWDCg6R8uMCb4P+FhrPWR1thnRDZOtRTQ+crc50p3mHgt
|
|
6ktXWIJRbqnag8zSfQqCYGtRmhe8sfsWT+Yl4El4+jjaAVU/B364u7+PLmaiphGp
|
|
BdJfTsTwEpgtGkPj+osDmhzXcZkfq3V+fz5JLkemsCiQKmn4VJRpg8c3ZmE8NPNt
|
|
gRtGWZ4W3WKDvhotT65WpQx4+6R8Duux/blNPBmH1Upmwd7kj7GYFBArbCjgd9PT
|
|
xgfCSUZpgOZHHkcgSB+022a8XncXna7WYYij28SLtwImFyu0nNtqECFQHH5u+k6C
|
|
LRYBSN+3t3At8dQuk01NVrJBndmjmXRfxpqUtTdeaNgVpdUYRY98s30G68NYGSra
|
|
aEvhhRSghkcLNetkobpY9pUgeqW/tQKBwQDZHHK9nDMt/zk1TxtILeUSitPXcv1/
|
|
8ufXqO0miHdH23XuXhIEA6Ef26RRVGDGgpjkveDJK/1w5feJ4H/ni4Vclil/cm38
|
|
OwRqjjd7ElHJX6JQbsxEx/gNTk5/QW1iAL9TXUalgepsSXYT6AJ0/CJv0jmJSJ36
|
|
YoKMOM8uqzb2KhN6i+RlJRi5iY53kUhWTJq5ArWvNhUzQNSYODI4bNxlsKSBL2Ik
|
|
LZ5QKHuaEjQet0IlPlfIb4PzMm8CHa/urOcCgcEA7m3zW/lL5bIFoKPjWig5Lbn1
|
|
aHfrG2ngqzWtgWtfZqMH8OkZc1Mdhhmvd46titjiLjeI+UP/uHXR0068PnrNngzl
|
|
tTgwlakzu+bWzqhBm1F+3/341st/FEk07r0P/3/PhezVjwfO8c8Exj7pLxH4wrH0
|
|
ROHgDbClmlJRu6OO78wk1+Vapf5DWa8YfA+q+fdvr7KvgGyytheKMT/b/dsqOq7y
|
|
qZPjmaJKWAvV3RWG8lWHFSdHx2IAHMHfGr17Y/w7AoHBALzwZeYebeekiVucGSjq
|
|
T8SgLhT7zCIx+JMUPjVfYzaUhP/Iu7Lkma6IzWm9nW6Drpy5pUpMzwUWDCLfzU9q
|
|
eseFIl337kEn9wLn+t5OpgAyCqYmlftxbqvdrrBN9uvnrJjWvqk/8wsDrw9JxAGc
|
|
fjeD4nBXUqvYWLXApoR9mZoGKedmoH9pFig4zlO9ig8YITnKYuQ0k6SD0b8agJHc
|
|
Ir0YSUDnRGgpjvFBGbeOCe+FGbohk/EpItJc3IAh5740lwKBwAdXd2DjokSmYKn7
|
|
oeqKxofz6+yVlLW5YuOiuX78sWlVp87xPolgi84vSEnkKM/Xsc8+goc6YstpRVa+
|
|
W+mImoA9YW1dF5HkLeWhTAf9AlgoAEIhbeIfTgBv6KNZSv7RDrDPBBxtXx/vAfSg
|
|
x0ldwk0scZsVYXLKd67yzfV7KdGUdaX4N/xYgfZm/9gCG3+q8NN2KxVHQ5F71BOE
|
|
JeABOaGo9WvnU+DNMIDZjHJMUWVw4MHz/a/UArDf/2CxaPVBNQKBwASg6j4ohSTk
|
|
J7aE6RQ3OBmmDDpixcoCJt9u9SjHVYMlbs5CEJGVSczk0SG3y8P1lOWNDSRnMksZ
|
|
xWnHdP/ogcuYMuvK7UACNAF0zNddtzOhzcpNmejFj+WCHYY/UmPr2/Kf6t7Cxk2K
|
|
3cZ4tqWsiTmBT8Bknmah7L5DrhS+ZBJliDeFAA8fZHdMH0Xjr4UBp9kF90EMTdW1
|
|
Xr5uz7ZrMsYpYQI7mmyqV9SSjUg4iBXwVSoag1iDJ1K8Qg/L7Semgg==
|
|
-----END RSA PRIVATE KEY-----
|
|
EOF
|
|
}
|
|
|
|
|
|
tls_x509_create_root_ca()
|
|
{
|
|
name=${1:-ca-cert}
|
|
|
|
cat > "${tls_dir}/ca.info" <<EOF
|
|
cn = Cthulhu Dark Lord Enterprises $name
|
|
ca
|
|
cert_signing_key
|
|
EOF
|
|
|
|
tls_certtool \
|
|
--generate-self-signed \
|
|
--load-privkey "${tls_dir}/key.pem" \
|
|
--template "${tls_dir}/ca.info" \
|
|
--outfile "${tls_dir}/$name-cert.pem"
|
|
|
|
rm -f "${tls_dir}/ca.info"
|
|
}
|
|
|
|
|
|
tls_x509_create_server()
|
|
{
|
|
caname=$1
|
|
name=$2
|
|
|
|
# We don't include 'localhost' in the cert, as
|
|
# we want to keep it unlisted to let tests
|
|
# validate hostname override
|
|
mkdir -p "${tls_dir}/$name"
|
|
cat > "${tls_dir}/cert.info" <<EOF
|
|
organization = Cthulhu Dark Lord Enterprises $name
|
|
cn = iotests.qemu.org
|
|
ip_address = 127.0.0.1
|
|
ip_address = ::1
|
|
tls_www_server
|
|
encryption_key
|
|
signing_key
|
|
EOF
|
|
|
|
tls_certtool \
|
|
--generate-certificate \
|
|
--load-ca-privkey "${tls_dir}/key.pem" \
|
|
--load-ca-certificate "${tls_dir}/$caname-cert.pem" \
|
|
--load-privkey "${tls_dir}/key.pem" \
|
|
--template "${tls_dir}/cert.info" \
|
|
--outfile "${tls_dir}/$name/server-cert.pem"
|
|
|
|
ln -s "${tls_dir}/$caname-cert.pem" "${tls_dir}/$name/ca-cert.pem"
|
|
ln -s "${tls_dir}/key.pem" "${tls_dir}/$name/server-key.pem"
|
|
|
|
rm -f "${tls_dir}/cert.info"
|
|
}
|
|
|
|
|
|
tls_x509_create_client()
|
|
{
|
|
caname=$1
|
|
name=$2
|
|
|
|
mkdir -p "${tls_dir}/$name"
|
|
cat > "${tls_dir}/cert.info" <<EOF
|
|
country = South Pacific
|
|
locality = R'lyeh
|
|
organization = Cthulhu Dark Lord Enterprises $name
|
|
cn = localhost
|
|
tls_www_client
|
|
encryption_key
|
|
signing_key
|
|
EOF
|
|
|
|
tls_certtool \
|
|
--generate-certificate \
|
|
--load-ca-privkey "${tls_dir}/key.pem" \
|
|
--load-ca-certificate "${tls_dir}/$caname-cert.pem" \
|
|
--load-privkey "${tls_dir}/key.pem" \
|
|
--template "${tls_dir}/cert.info" \
|
|
--outfile "${tls_dir}/$name/client-cert.pem"
|
|
|
|
ln -s "${tls_dir}/$caname-cert.pem" "${tls_dir}/$name/ca-cert.pem"
|
|
ln -s "${tls_dir}/key.pem" "${tls_dir}/$name/client-key.pem"
|
|
|
|
rm -f "${tls_dir}/cert.info"
|
|
}
|
|
|
|
tls_psk_create_creds()
|
|
{
|
|
name=$1
|
|
|
|
mkdir -p "${tls_dir}/$name"
|
|
|
|
tls_psktool \
|
|
--pskfile "${tls_dir}/$name/keys.psk" \
|
|
--username "$name"
|
|
}
|