summaryrefslogtreecommitdiffstats
path: root/tests/crypto-tls-x509-helpers.c
Commit message (Collapse)AuthorAgeFilesLines
* crypto: use a stronger private key for testsDaniel P. Berrangé2020-07-171-19/+40
| | | | | | | | | | | | | | | | | | | | The unit tests using the x509 crypto functionality have started failing in Fedora 33 rawhide with a message like The certificate uses an insecure algorithm This is result of Fedora changes to support strong crypto [1]. RSA with 1024 bit key is viewed as legacy and thus insecure. Generate a new private key which is 3072 bits long and reasonable future proof. [1] https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2 Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Message-Id: <20200715154701.1041325-1-berrange@redhat.com> Reviewed-by: Kashyap Chamarthy <kchamart@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
* tests: call qcrypto_init instead of gnutls_global_initDaniel P. Berrangé2018-07-241-1/+2
| | | | | | | | | | Calling qcrypto_init ensures that all relevant initialization is done. In particular this honours the debugging settings and thread settings. Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
* crypto: fix test cert generation to not use SHA1 algorithmDaniel P. Berrange2017-09-041-1/+2
| | | | | | | | | | | GNUTLS 3.6.0 marked SHA1 as untrusted for certificates. Unfortunately the gnutls_x509_crt_sign() method we are using to create certificates in the test suite is fixed to always use SHA1. We must switch to a different method and explicitly ask for SHA256. Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
* tests: Clean up includesPeter Maydell2016-02-161-3/+1Star
| | | | | | | | | | | Clean up includes so that osdep.h is included first and headers which it implies are not included manually. This commit was created with scripts/clean-includes. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Eric Blake <eblake@redhat.com> Tested-by: Eric Blake <eblake@redhat.com>
* crypto: fix leaks in TLS x509 helper functionsDaniel P. Berrange2015-11-181-0/+2
| | | | | | | | | | The test_tls_get_ipaddr() method forgot to free the returned data from getaddrinfo(). The test_tls_write_cert_chain() method forgot to free the allocated buffer holding the certificate data after writing it out to a file. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
* crypto: add sanity checking of TLS x509 credentialsDaniel P. Berrange2015-09-151-0/+485
If the administrator incorrectly sets up their x509 certificates, the errors seen at runtime during connection attempts are very obscure and difficult to diagnose. This has been a particular problem for people using openssl to generate their certificates instead of the gnutls certtool, because the openssl tools don't turn on the various x509 extensions that gnutls expects to be present by default. This change thus adds support in the TLS credentials object to sanity check the certificates when QEMU first loads them. This gives the administrator immediate feedback for the majority of common configuration mistakes, reducing the pain involved in setting up TLS. The code is derived from equivalent code that has been part of libvirt's TLS support and has been seen to be valuable in assisting admins. It is possible to disable the sanity checking, however, via the new 'sanity-check' property on the tls-creds object type, with a value of 'no'. Unit tests are included in this change to verify the correctness of the sanity checking code in all the key scenarios it is intended to cope with. As part of the test suite, the pkix_asn1_tab.c from gnutls is imported. This file is intentionally copied from the (long since obsolete) gnutls 1.6.3 source tree, since that version was still under GPLv2+, rather than the GPLv3+ of gnutls >= 2.0. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>