qemu/tests/crypto-tls-x509-helpers.h
Daniel P. Berrange 9a2fd4347c crypto: add sanity checking of TLS x509 credentials
If the administrator incorrectly sets up their x509 certificates,
the errors seen at runtime during connection attempts are very
obscure and difficult to diagnose. This has been a particular
problem for people using openssl to generate their certificates
instead of the gnutls certtool, because the openssl tools don't
turn on the various x509 extensions that gnutls expects to be
present by default.

This change thus adds support in the TLS credentials object to
sanity check the certificates when QEMU first loads them. This
gives the administrator immediate feedback for the majority of
common configuration mistakes, reducing the pain involved in
setting up TLS. The code is derived from equivalent code that
has been part of libvirt's TLS support and has been seen to be
valuable in assisting admins.

It is possible to disable the sanity checking, however, via
the new 'sanity-check' property on the tls-creds object type,
with a value of 'no'.

Unit tests are included in this change to verify the correctness
of the sanity checking code in all the key scenarios it is
intended to cope with. As part of the test suite, the pkix_asn1_tab.c
from gnutls is imported. This file is intentionally copied from the
(long since obsolete) gnutls 1.6.3 source tree, since that version
was still under GPLv2+, rather than the GPLv3+ of gnutls >= 2.0.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2015-09-15 15:05:09 +01:00

134 lines
5.4 KiB
C

/*
* Copyright (C) 2015 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library. If not, see
* <http://www.gnu.org/licenses/>.
*
* Author: Daniel P. Berrange <berrange@redhat.com>
*/
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
#if !(defined WIN32) && \
defined(CONFIG_TASN1) && \
defined(LIBGNUTLS_VERSION_NUMBER) && \
(LIBGNUTLS_VERSION_NUMBER >= 0x020600)
# define QCRYPTO_HAVE_TLS_TEST_SUPPORT
#endif
#ifdef QCRYPTO_HAVE_TLS_TEST_SUPPORT
# include <libtasn1.h>
# include "qemu-common.h"
/*
* This contains parameter about how to generate
* certificates.
*/
typedef struct QCryptoTLSTestCertReq QCryptoTLSTestCertReq;
struct QCryptoTLSTestCertReq {
gnutls_x509_crt_t crt;
const char *filename;
/* Identifying information */
const char *country;
const char *cn;
const char *altname1;
const char *altname2;
const char *ipaddr1;
const char *ipaddr2;
/* Basic constraints */
bool basicConstraintsEnable;
bool basicConstraintsCritical;
bool basicConstraintsIsCA;
/* Key usage */
bool keyUsageEnable;
bool keyUsageCritical;
int keyUsageValue;
/* Key purpose (aka Extended key usage) */
bool keyPurposeEnable;
bool keyPurposeCritical;
const char *keyPurposeOID1;
const char *keyPurposeOID2;
/* zero for current time, or non-zero for hours from now */
int start_offset;
/* zero for 24 hours from now, or non-zero for hours from now */
int expire_offset;
};
void test_tls_generate_cert(QCryptoTLSTestCertReq *req,
gnutls_x509_crt_t ca);
void test_tls_write_cert_chain(const char *filename,
gnutls_x509_crt_t *certs,
size_t ncerts);
void test_tls_discard_cert(QCryptoTLSTestCertReq *req);
void test_tls_init(const char *keyfile);
void test_tls_cleanup(const char *keyfile);
# define TLS_CERT_REQ(varname, cavarname, \
country, commonname, \
altname1, altname2, \
ipaddr1, ipaddr2, \
basicconsenable, basicconscritical, basicconsca, \
keyusageenable, keyusagecritical, keyusagevalue, \
keypurposeenable, keypurposecritical, \
keypurposeoid1, keypurposeoid2, \
startoffset, endoffset) \
static QCryptoTLSTestCertReq varname = { \
NULL, WORKDIR #varname "-ctx.pem", \
country, commonname, altname1, altname2, \
ipaddr1, ipaddr2, \
basicconsenable, basicconscritical, basicconsca, \
keyusageenable, keyusagecritical, keyusagevalue, \
keypurposeenable, keypurposecritical, \
keypurposeoid1, keypurposeoid2, \
startoffset, endoffset \
}; \
test_tls_generate_cert(&varname, cavarname.crt)
# define TLS_ROOT_REQ(varname, \
country, commonname, \
altname1, altname2, \
ipaddr1, ipaddr2, \
basicconsenable, basicconscritical, basicconsca, \
keyusageenable, keyusagecritical, keyusagevalue, \
keypurposeenable, keypurposecritical, \
keypurposeoid1, keypurposeoid2, \
startoffset, endoffset) \
static QCryptoTLSTestCertReq varname = { \
NULL, WORKDIR #varname "-ctx.pem", \
country, commonname, altname1, altname2, \
ipaddr1, ipaddr2, \
basicconsenable, basicconscritical, basicconsca, \
keyusageenable, keyusagecritical, keyusagevalue, \
keypurposeenable, keypurposecritical, \
keypurposeoid1, keypurposeoid2, \
startoffset, endoffset \
}; \
test_tls_generate_cert(&varname, NULL)
extern const ASN1_ARRAY_TYPE pkix_asn1_tab[];
#endif /* QCRYPTO_HAVE_TLS_TEST_SUPPORT */