This validates that we correctly handle migration success and failure
scenarios when using TLS with x509 certificates. There are quite a few
different scenarios that matter in relation to hostname validation.
Signed-off-by: Daniel P. Berrangé
---
meson.build | 1 +
tests/qtest/meson.build | 5 +
tests/qtest/migration-test.c | 382 ++-
3 files changed, 386 insertions(+), 2 deletions(-)
diff --git a/meson.build b/meson.build
index 2d6601467f..89c0283ebe 100644
--- a/meson.build
+++ b/meson.build
@@ -1562,6 +1562,7 @@ config_host_data.set('CONFIG_KEYUTILS', keyutils.found())
config_host_data.set('CONFIG_GETTID', has_gettid)
config_host_data.set('CONFIG_GNUTLS', gnutls.found())
config_host_data.set('CONFIG_GNUTLS_CRYPTO', gnutls_crypto.found())
+config_host_data.set('CONFIG_TASN1', tasn1.found())
config_host_data.set('CONFIG_GCRYPT', gcrypt.found())
config_host_data.set('CONFIG_NETTLE', nettle.found())
config_host_data.set('CONFIG_QEMU_PRIVATE_XTS', xts == 'private')
diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
index 81e7b9d530..ce94380a08 100644
--- a/tests/qtest/meson.build
+++ b/tests/qtest/meson.build
@@ -281,6 +281,11 @@ tpmemu_files = ['tpm-emu.c', 'tpm-util.c', 'tpm-tests.c']
migration_files = [files('migration-helpers.c')]
if gnutls.found()
migration_files += [files('../unit/crypto-tls-psk-helpers.c'), gnutls]
+
+ if tasn1.found()
+migration_files += [files('../unit/crypto-tls-x509-helpers.c',
+ '../unit/pkix_asn1_tab.c'), tasn1]
+ endif
endif
qtests = {
diff --git a/tests/qtest/migration-test.c b/tests/qtest/migration-test.c
index f733aa352e..c730697f74 100644
--- a/tests/qtest/migration-test.c
+++ b/tests/qtest/migration-test.c
@@ -29,6 +29,9 @@
#include "tests/migration/migration-test.h"
#ifdef CONFIG_GNUTLS
# include "tests/unit/crypto-tls-psk-helpers.h"
+# ifdef CONFIG_TASN1
+# include "tests/unit/crypto-tls-x509-helpers.h"
+# endif /* CONFIG_TASN1 */
#endif /* CONFIG_GNUTLS */
/* For dirty ring test; so far only x86_64 is supported */
@@ -736,6 +739,234 @@ test_migrate_tls_psk_finish(QTestState *from,
g_free(data->pskfile);
g_free(data);
}
+
+#ifdef CONFIG_TASN1
+typedef struct {
+char *workdir;
+char *keyfile;
+char *cacert;
+char *servercert;
+char *serverkey;
+char *clientcert;
+char *clientkey;
+} TestMigrateTLSX509Data;
+
+typedef struct {
+bool verifyclient;
+bool clientcert;
+bool hostileclient;
+bool authzclient;
+const char *certhostname;
+const char *certipaddr;
+} TestMigrateTLSX509;
+
+static void *
+test_migrate_tls_x509_start_common(QTestState *from,
+ QTestState *to,
+ TestMigrateTLSX509 *args)
+{
+TestMigrateTLSX509Data *data = g_new0(TestMigrateTLSX509Data, 1);
+QDict *rsp;
+
+data->workdir = g_strdup_printf("%s/tlscredsx5090", tmpfs);
+data->keyfile = g_strdup_printf("%s/key.pem", data->workdir);
+
+data->cacert = g_strdup_printf("%s/ca-cert.pem", data->workdir);
+data->serverkey = g_strdup_printf("%s/server-key.pem", data->workdir);
+data->servercert = g_strdup_printf("%s/server-cert.pem", data->workdir);
+if (args->clientcert) {
+data->clientkey = g_strdup_printf("%s/client-key.pem", data->workdir);
+data->clientcert = g_strdup_printf("%s/client-cert.pem",
data->workdir);
+}
+
+mkdir(data->workdir, 0700);
+
+test_tls_init(data->keyfile);
+g_assert(link(data->keyfile, data->serverkey) == 0);
+if (args->clientcert) {
+g_assert(link(data->keyfile, data->clientkey) == 0);
+}
+
+TLS_ROOT_REQ_SIMPLE(cacertreq, data->cacert);
+if (args->clientcert) {
+TLS_CERT_REQ_SIMPLE_CLIENT(servercertreq, cacertreq,
+ args->hostileclient ?
+ QCRYPTO_TLS_TEST_CLIENT_HOSTILE_NAME :
+ QCRYPTO_TLS_TEST_CLIENT_NAME,
+ data->clientcert);
+}
+
+TLS_CERT_REQ_SIMPLE_SERVER(clientcertreq, cacertreq,
+ data->servercert,
+ args->certhostname,
+ args->certipaddr);
+
+rsp = wait_command(from,
+ "{ 'execute': 'object-add',"
+ " 'arguments': { 'qom-type': 'tls-creds-x509',"
+ " 'id': 'tlscredsx509client0',"
+ " 'endpoint': 'client',"
+ " 'dir': %s,"
+ " 'sanity-check': true,"
+ " 'verify-peer': true} }",
+ data->workdir);
+qobject_unref(rsp);
+migrate_set_parameter_str(from, "tls-creds", "tlscredsx509client0");
+if (args->certhostname) {
+