[libvirt] [PATCH 3/3] Add a test case for certificate validation

Eric Blake eblake at redhat.com
Thu Jul 21 22:51:37 UTC 2011


On 07/21/2011 06:30 AM, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange"<berrange at redhat.com>
>
> This test case checks certification validation rules for
>
>   - Basic constraints
>   - Key purpose
>   - Key usage
>   - Start/expiry times
>
> It checks initial context creation sanity checks, and live
> session validation
> ---
>   tests/.gitignore             |    1 +

We've got half our tests excluded in libvirt/.gitignore, the other half 
in libvirt/tests/.gitignore.

Someday I should follow through with my threat to consolidate all 
.gitignore into the top level file.  But that's a separate patch, so 
don't worry about it in the context of this patch.

>
> +virnettlscontexttest_SOURCES = \
> +	virnettlscontexttest.c testutils.h testutils.c pkix_asn1_tab.c
> +virnettlscontexttest_CFLAGS = -Dabs_builddir="\"$(abs_builddir)\"" $(AM_CFLAGS)
> +virnettlscontexttest_LDADD = ../src/libvirt-net-rpc.la $(LDADDS) -ltasn1
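
Review bot: `-ltasn1` on the `virnettlscontexttest_LDADD` line is a bare linker flag, and `pkix_asn1_tab.c` (which includes `<libtasn1.h>`) is listed unconditionally in `_SOURCES`, so `make check` stops building on any host without the libtasn1 development files. Probe for the library in configure, link through the variable that probe substitutes rather than the literal flag, and wrap this test's stanza in an Automake conditional so it is skipped where the library is absent.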

Is -tasn1 available everywhere, or do we need to make compilation of 
this test conditional?  Also, I don't see tasn mentioned anywhere else 
in the current libvirt.git tree - does this require some configure.ac magic?

> + * This file comes from gnutls, licensed under the GPLv3+

I guess that's okay, since our test is not installed.

> + */
> +
> +#include<config.h>
> +#include<libtasn1.h>
> +
> +const ASN1_ARRAY_TYPE pkix_asn1_tab[] = {
> +  { "PKIX1", 536875024, NULL },
> +  { NULL, 1073741836, NULL },
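
Review bot: the `pkix_asn1_tab[]` entries are bare integers such as 536875024 and 1073741836 with nothing saying how they were produced, and the file header only states that it "comes from gnutls". Record the gnutls version and the source file it was copied from in that header comment, so the table can be diffed against upstream or refreshed later instead of being reviewed by hand.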

How grungy.  And no comments to tell you what it is actually testing. 
Oh well; it's copied from elsewhere, so hopefully gnutls knows what it 
is doing.

> +
> +/*
> + * To avoid consuming random entroy to generate keys,

s/entroy/entropy/

> + * here's one we prepared earlier :-)

Thanks.  That would be a shame if running 'make check' ate entropy.

> +
> +    /*
> +     * First up generate a certificate request with some basic
> +     * data. This seems a little pointless. We can probably
> +     * just set this all on the certifivate object directly

s/certifivate/certificate/

> +    /* We'll use this for our fake client-server connection */
> +    if (socketpair(AF_UNIX, SOCK_STREAM, 0, channel)<  0)
> +        abort();
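
Review bot: the `abort()` after a failed `socketpair()` ends the whole test binary with no indication of what went wrong. Report the errno string and return a failure to the test harness instead, so an environment problem on the build host is distinguishable from a certificate validation failure in the test results.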

Won't compile on Win32, so you definitely need conditional compilation 
of this test.

Overall the idea is nice.

-- 
Eric Blake   eblake at redhat.com    +1-801-349-2682
Libvirt virtualization library http://libvirt.org



