qemu/tests/qemu-iotests/common.tls
Daniel P. Berrangé 10cc95c38f tests/qemu-iotests: validate NBD TLS with UNIX sockets and PSK
This validates that connections to an NBD server running on a UNIX
socket can use TLS with pre-shared keys (PSK).

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20220304193610.3293146-13-berrange@redhat.com>
[eblake: squash in rebase fix]
Tested-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
2022-03-07 17:13:31 -06:00

203 lines
6.1 KiB
Bash

#!/usr/bin/env bash
#
# Helpers for TLS related config
#
# Copyright (C) 2018 Red Hat, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
tls_dir="${TEST_DIR}/tls"
tls_x509_cleanup()
{
rm -f "${tls_dir}"/*.pem
rm -f "${tls_dir}"/*/*.pem
rm -f "${tls_dir}"/*/*.psk
rmdir "${tls_dir}"/*
rmdir "${tls_dir}"
}
tls_certtool()
{
certtool "$@" 1>"${tls_dir}"/certtool.log 2>&1
if test "$?" = 0; then
head -1 "${tls_dir}"/certtool.log
else
cat "${tls_dir}"/certtool.log
fi
rm -f "${tls_dir}"/certtool.log
}
tls_psktool()
{
psktool "$@" 1>"${tls_dir}"/psktool.log 2>&1
if test "$?" = 0; then
head -1 "${tls_dir}"/psktool.log
else
cat "${tls_dir}"/psktool.log
fi
rm -f "${tls_dir}"/psktool.log
}
tls_x509_init()
{
(certtool --help) >/dev/null 2>&1 || \
_notrun "certtool utility not found, skipping test"
mkdir -p "${tls_dir}"
# use a fixed key so we don't waste system entropy on
# each test run
cat > "${tls_dir}/key.pem" <<EOF
-----BEGIN RSA PRIVATE KEY-----
MIIG5AIBAAKCAYEAyjWyLSNm5PZvYUKUcDWGqbLX10b2ood+YaFjWSnJrqx/q3qh
rVGBJglD25AJENJsmZF3zPP1oMhfIxsXu63Hdkb6Rdlc2RUoUP34x9VC1izH25mR
6c8DPDp1d6IraZ/llDMI1HsBFz0qGWtvOHgm815XG4PAr/N8rDsuqfv/cJ01KlnO
0OdO5QRXCJf9g/dYd41MPu7wOXk9FqjQlmRoP59HgtJ+zUpE4z+Keruw9cMT9VJj
0oT+pQ9ysenqeZ3gbT224T1khrEhT5kifhtFLNyDssRchUUWH0hiqoOO1vgb+850
W6/1VdxvuPam48py4diSPi1Vip8NITCOBaX9FIpVp4Ruw4rTPVMNMjq9Cpx/DwMP
9MbfXfnaVaZaMrmq67/zPhl0eVbUrecH2hQ3ZB9oIF4GkNskzlWF5+yPy6zqk304
AKaiFR6jRyh3YfHo2XFqV8x/hxdsIEXOtEUGhSIcpynsW+ckUCartzu7xbhXjd4b
kxJT89+riPFYij09AgMBAAECggGBAKyFkaZXXROeejrmHlV6JZGlp+fhgM38gkRz
+Jp7P7rLLAY3E7gXIPQ91WqAAmwazFNdvHPd9USfkCQYmnAi/VoZhrCPmlsQZRxt
A5QjjOnEvSPMa6SrXZxGWDCg6R8uMCb4P+FhrPWR1thnRDZOtRTQ+crc50p3mHgt
6ktXWIJRbqnag8zSfQqCYGtRmhe8sfsWT+Yl4El4+jjaAVU/B364u7+PLmaiphGp
BdJfTsTwEpgtGkPj+osDmhzXcZkfq3V+fz5JLkemsCiQKmn4VJRpg8c3ZmE8NPNt
gRtGWZ4W3WKDvhotT65WpQx4+6R8Duux/blNPBmH1Upmwd7kj7GYFBArbCjgd9PT
xgfCSUZpgOZHHkcgSB+022a8XncXna7WYYij28SLtwImFyu0nNtqECFQHH5u+k6C
LRYBSN+3t3At8dQuk01NVrJBndmjmXRfxpqUtTdeaNgVpdUYRY98s30G68NYGSra
aEvhhRSghkcLNetkobpY9pUgeqW/tQKBwQDZHHK9nDMt/zk1TxtILeUSitPXcv1/
8ufXqO0miHdH23XuXhIEA6Ef26RRVGDGgpjkveDJK/1w5feJ4H/ni4Vclil/cm38
OwRqjjd7ElHJX6JQbsxEx/gNTk5/QW1iAL9TXUalgepsSXYT6AJ0/CJv0jmJSJ36
YoKMOM8uqzb2KhN6i+RlJRi5iY53kUhWTJq5ArWvNhUzQNSYODI4bNxlsKSBL2Ik
LZ5QKHuaEjQet0IlPlfIb4PzMm8CHa/urOcCgcEA7m3zW/lL5bIFoKPjWig5Lbn1
aHfrG2ngqzWtgWtfZqMH8OkZc1Mdhhmvd46titjiLjeI+UP/uHXR0068PnrNngzl
tTgwlakzu+bWzqhBm1F+3/341st/FEk07r0P/3/PhezVjwfO8c8Exj7pLxH4wrH0
ROHgDbClmlJRu6OO78wk1+Vapf5DWa8YfA+q+fdvr7KvgGyytheKMT/b/dsqOq7y
qZPjmaJKWAvV3RWG8lWHFSdHx2IAHMHfGr17Y/w7AoHBALzwZeYebeekiVucGSjq
T8SgLhT7zCIx+JMUPjVfYzaUhP/Iu7Lkma6IzWm9nW6Drpy5pUpMzwUWDCLfzU9q
eseFIl337kEn9wLn+t5OpgAyCqYmlftxbqvdrrBN9uvnrJjWvqk/8wsDrw9JxAGc
fjeD4nBXUqvYWLXApoR9mZoGKedmoH9pFig4zlO9ig8YITnKYuQ0k6SD0b8agJHc
Ir0YSUDnRGgpjvFBGbeOCe+FGbohk/EpItJc3IAh5740lwKBwAdXd2DjokSmYKn7
oeqKxofz6+yVlLW5YuOiuX78sWlVp87xPolgi84vSEnkKM/Xsc8+goc6YstpRVa+
W+mImoA9YW1dF5HkLeWhTAf9AlgoAEIhbeIfTgBv6KNZSv7RDrDPBBxtXx/vAfSg
x0ldwk0scZsVYXLKd67yzfV7KdGUdaX4N/xYgfZm/9gCG3+q8NN2KxVHQ5F71BOE
JeABOaGo9WvnU+DNMIDZjHJMUWVw4MHz/a/UArDf/2CxaPVBNQKBwASg6j4ohSTk
J7aE6RQ3OBmmDDpixcoCJt9u9SjHVYMlbs5CEJGVSczk0SG3y8P1lOWNDSRnMksZ
xWnHdP/ogcuYMuvK7UACNAF0zNddtzOhzcpNmejFj+WCHYY/UmPr2/Kf6t7Cxk2K
3cZ4tqWsiTmBT8Bknmah7L5DrhS+ZBJliDeFAA8fZHdMH0Xjr4UBp9kF90EMTdW1
Xr5uz7ZrMsYpYQI7mmyqV9SSjUg4iBXwVSoag1iDJ1K8Qg/L7Semgg==
-----END RSA PRIVATE KEY-----
EOF
}
tls_x509_create_root_ca()
{
name=${1:-ca-cert}
cat > "${tls_dir}/ca.info" <<EOF
cn = Cthulhu Dark Lord Enterprises $name
ca
cert_signing_key
EOF
tls_certtool \
--generate-self-signed \
--load-privkey "${tls_dir}/key.pem" \
--template "${tls_dir}/ca.info" \
--outfile "${tls_dir}/$name-cert.pem"
rm -f "${tls_dir}/ca.info"
}
tls_x509_create_server()
{
caname=$1
name=$2
# We don't include 'localhost' in the cert, as
# we want to keep it unlisted to let tests
# validate hostname override
mkdir -p "${tls_dir}/$name"
cat > "${tls_dir}/cert.info" <<EOF
organization = Cthulhu Dark Lord Enterprises $name
cn = iotests.qemu.org
ip_address = 127.0.0.1
ip_address = ::1
tls_www_server
encryption_key
signing_key
EOF
tls_certtool \
--generate-certificate \
--load-ca-privkey "${tls_dir}/key.pem" \
--load-ca-certificate "${tls_dir}/$caname-cert.pem" \
--load-privkey "${tls_dir}/key.pem" \
--template "${tls_dir}/cert.info" \
--outfile "${tls_dir}/$name/server-cert.pem"
ln -s "${tls_dir}/$caname-cert.pem" "${tls_dir}/$name/ca-cert.pem"
ln -s "${tls_dir}/key.pem" "${tls_dir}/$name/server-key.pem"
rm -f "${tls_dir}/cert.info"
}
tls_x509_create_client()
{
caname=$1
name=$2
mkdir -p "${tls_dir}/$name"
cat > "${tls_dir}/cert.info" <<EOF
country = South Pacific
locality = R'lyeh
organization = Cthulhu Dark Lord Enterprises $name
cn = localhost
tls_www_client
encryption_key
signing_key
EOF
tls_certtool \
--generate-certificate \
--load-ca-privkey "${tls_dir}/key.pem" \
--load-ca-certificate "${tls_dir}/$caname-cert.pem" \
--load-privkey "${tls_dir}/key.pem" \
--template "${tls_dir}/cert.info" \
--outfile "${tls_dir}/$name/client-cert.pem"
ln -s "${tls_dir}/$caname-cert.pem" "${tls_dir}/$name/ca-cert.pem"
ln -s "${tls_dir}/key.pem" "${tls_dir}/$name/client-key.pem"
rm -f "${tls_dir}/cert.info"
}
tls_psk_create_creds()
{
name=$1
mkdir -p "${tls_dir}/$name"
tls_psktool \
--pskfile "${tls_dir}/$name/keys.psk" \
--username "$name"
}