[33af2b7] | 1 | SUBDIRS = tests |
---|
| 2 | |
---|
[05984a0] | 3 | test_scripts = test-00_basic.bash \ |
---|
[c51e33a] | 4 | test-01_serverwide_priorities.bash \ |
---|
| 5 | test-02_cache_in_vhost.bash \ |
---|
| 6 | test-03_cachetimeout_in_vhost.bash \ |
---|
| 7 | test-04_basic_nosni.bash \ |
---|
| 8 | test-05_mismatched-priorities.bash \ |
---|
| 9 | test-06_verify_sni_a.bash \ |
---|
| 10 | test-07_verify_sni_b.bash \ |
---|
| 11 | test-08_verify_no_sni_fallback_to_first_vhost.bash \ |
---|
| 12 | test-09_verify_no_sni_fails_with_wrong_order.bash \ |
---|
| 13 | test-10_basic_client_verification.bash \ |
---|
| 14 | test-11_basic_client_verification_fail.bash \ |
---|
| 15 | test-12_cgi_variables.bash \ |
---|
| 16 | test-13_cgi_variables_no_client_cert.bash \ |
---|
[6c5c2ec] | 17 | test-14_resume_session.bash |
---|
[65c18ce] | 18 | if USE_MSVA |
---|
[05984a0] | 19 | test_scripts += test-15_basic_msva.bash |
---|
[65c18ce] | 20 | endif |
---|
[05984a0] | 21 | test_scripts += test-16_view-status.bash \ |
---|
[eea8a16] | 22 | test-17_cgi_vars_large_cert.bash \ |
---|
[6e6a4e4] | 23 | test-18_client_verification_wrong_cert.bash \ |
---|
[ed82a6a] | 24 | test-19_TLS_reverse_proxy.bash \ |
---|
| 25 | test-20_TLS_reverse_proxy_client_auth.bash \ |
---|
[907ae8f] | 26 | test-21_TLS_reverse_proxy_wrong_cert.bash \ |
---|
[f030883] | 27 | test-22_TLS_reverse_proxy_crl_revoke.bash \ |
---|
[3f00958] | 28 | test-23_TLS_reverse_proxy_mismatched_priorities.bash \ |
---|
[29d3311] | 29 | test-24_pkcs11_cert.bash \ |
---|
[8ac7c0d] | 30 | test-25_Disable_TLS_1.0.bash \ |
---|
[c4d6e77] | 31 | test-26_redirect_HTTP_to_HTTPS.bash \ |
---|
[d50dac5] | 32 | test-27_OCSP_server.bash \ |
---|
[359f009] | 33 | test-28_HTTP2_support.bash \ |
---|
[0062ede] | 34 | test-29_force_handshake_vhost.bash \ |
---|
[5cf8e99] | 35 | test-30_ip_based_vhosts.bash \ |
---|
| 36 | test-31_vhost_SNI_serveralias_match.bash \ |
---|
[dcc053e] | 37 | test-32_vhost_SNI_serveralias_mismatch.bash \ |
---|
[f674424] | 38 | test-33_vhost_SNI_serveralias_missinghost.bash \ |
---|
| 39 | test-34_TLS_reverse_proxy_h2.bash |
---|
[5951102] | 40 | |
---|
[339a49d] | 41 | TEST_EXTENSIONS = .bash |
---|
[05984a0] | 42 | TESTS = $(test_scripts) |
---|
| 43 | |
---|
| 44 | dist_check_SCRIPTS = netns_py.bash $(test_scripts) |
---|
[8f90bf4] | 45 | |
---|
[7921dc7] | 46 | check_PROGRAMS = pgpcrc |
---|
[42829ae] | 47 | pgpcrc_SOURCES = pgpcrc.c |
---|
| 48 | |
---|
[42bee37] | 49 | # build OCSP database tool |
---|
| 50 | if ENABLE_OCSP_TEST |
---|
[b674e95] | 51 | check_PROGRAMS += gen_ocsp_index |
---|
[42bee37] | 52 | gen_ocsp_index_SOURCES = gen_ocsp_index.c cert_helper.c |
---|
[439005a] | 53 | gen_ocsp_index_CFLAGS = $(LIBGNUTLS_CFLAGS) |
---|
[6c44ed2] | 54 | gen_ocsp_index_LDFLAGS = $(LIBGNUTLS_LIBS) |
---|
[42bee37] | 55 | noinst_HEADERS = cert_helper.h |
---|
| 56 | endif |
---|
| 57 | |
---|
[6d3dc34] | 58 | # Python tools for tests |
---|
| 59 | noinst_PYTHON = https-test-client.py mgstest/http.py mgstest/__init__.py \ |
---|
[05984a0] | 60 | mgstest/services.py mgstest/tests.py runtest.py |
---|
[6d3dc34] | 61 | |
---|
[9a4d250] | 62 | # Identities in the miniature CA, server, and client environment for |
---|
| 63 | # the test suite |
---|
[e5546be] | 64 | shared_identities = authority authority/client |
---|
[c0bb823] | 65 | pgp_identities = $(shared_identities) |
---|
[c3aebe5] | 66 | x509_only_identities = authority/server authority/imposter \ |
---|
| 67 | authority/subca authority/subca/server \ |
---|
| 68 | rogueca rogueca/rogueclient |
---|
[a03f94e] | 69 | if ENABLE_OCSP_TEST |
---|
[7cfc02b] | 70 | x509_only_identities += authority/ocsp-responder authority/subca/ocsp-responder |
---|
[a03f94e] | 71 | endif |
---|
[c0bb823] | 72 | x509_identities = $(shared_identities) $(x509_only_identities) |
---|
| 73 | identities = $(shared_identities) $(x509_only_identities) |
---|
[9a4d250] | 74 | # Append strings after ":=" to each identity to generate a list of |
---|
| 75 | # necessary files |
---|
[d70dd6e] | 76 | pgp_tokens = $(pgp_identities:=/cert.pgp) \ |
---|
[c0bb823] | 77 | $(pgp_identities:=/secret.pgp) |
---|
| 78 | x509_keys = $(x509_identities:=/secret.key) |
---|
| 79 | x509_certs = $(x509_identities:=/x509.pem) |
---|
[9a4d250] | 80 | x509_tokens = $(x509_certs) $(x509_keys) |
---|
[39a27cf] | 81 | tokens = $(x509_tokens) |
---|
| 82 | if USE_MSVA |
---|
| 83 | tokens += $(pgp_tokens) |
---|
| 84 | endif |
---|
[9a4d250] | 85 | |
---|
[5b6a5d9] | 86 | if !DISABLE_FLOCK |
---|
| 87 | # flock command for write access to the authority keyring |
---|
[5725dca] | 88 | GPG_FLOCK = @FLOCK@ authority/lock |
---|
[5b6a5d9] | 89 | endif |
---|
| 90 | |
---|
[fc8e463b] | 91 | include $(srcdir)/test_ca.mk |
---|
[9a4d250] | 92 | |
---|
[39bd695] | 93 | # Test cases trying to create keys and certificates in parallel causes |
---|
| 94 | # race conditions. Ensure that all keys and certificates are generated |
---|
| 95 | # before tests get to run. |
---|
| 96 | # |
---|
| 97 | # NOTE: Once the support files have been generated, test cases can be |
---|
| 98 | # run with multiple jobs, but real parallelization would require |
---|
| 99 | # dynamic port assignments. At the moment, lock files ensure that only |
---|
| 100 | # one Apache instance (possibly plus a proxy back end instance) is |
---|
| 101 | # running at any time, so test cases actually have to wait for each |
---|
| 102 | # other - just not in any particular order. |
---|
[c825c3a] | 103 | check_DATA = $(tokens) authority/server/crl.pem |
---|
[39bd695] | 104 | |
---|
[c825c3a] | 105 | MOSTLYCLEANFILES = cache/* logs/* outputs/* authority/server/crl.pem |
---|
[6ce02e2] | 106 | |
---|
[e5546be] | 107 | cert_templates = authority/template.in authority/client/template.in \ |
---|
[e8498bf] | 108 | authority/imposter/template.in authority/ocsp-responder/template \ |
---|
[6dab61d] | 109 | authority/server/template.in \ |
---|
[c3aebe5] | 110 | authority/subca/template.in authority/subca/server/template.in \ |
---|
[7cfc02b] | 111 | authority/subca/ocsp-responder/template \ |
---|
[6dab61d] | 112 | rogueca/template rogueca/rogueclient/template.in |
---|
[e5546be] | 113 | generated_templates = authority/template authority/client/template \ |
---|
[6dab61d] | 114 | authority/imposter/template rogueca/rogueclient/template \ |
---|
[59afe51] | 115 | authority/server/template |
---|
[90a31a4] | 116 | |
---|
[9a4d250] | 117 | # Delete X.509 private keys on full clean. Note that unless you need |
---|
| 118 | # to generate fresh keys, the "mostlyclean" target should be |
---|
| 119 | # sufficient (see below). |
---|
| 120 | CLEANFILES = $(x509_keys) |
---|
| 121 | |
---|
[90a31a4] | 122 | # Delete X.509 certificates and generated templates on "mostlyclean" |
---|
| 123 | # target. Certificates can be rebuilt without generating new key |
---|
| 124 | # pairs, and regenerating them makes it possible to change identities |
---|
[7aeabcb] | 125 | # (e.g. host names) without wasting time on new keys (which would |
---|
[90a31a4] | 126 | # happen after "clean"). |
---|
[e5546be] | 127 | MOSTLYCLEANFILES += $(x509_certs) $(generated_templates) $(identities:=/uid) |
---|
[9a4d250] | 128 | |
---|
[90a31a4] | 129 | |
---|
[6ce02e2] | 130 | # Delete PGP keyrings on "mostlyclean" target. They are created from |
---|
| 131 | # the X.509 private keys and certificates with an expiration time of |
---|
| 132 | # one day, so regenerating them is both fast and frequently |
---|
| 133 | # necessary. |
---|
[e5546be] | 134 | pgp_patterns = /*.pgp /*.pgp.raw /*.gpg /*.gpg~ /gpg.conf \ |
---|
| 135 | /*.kbx /*.kbx~ /S.gpg-agent /private-keys-v1.d/* |
---|
| 136 | MOSTLYCLEANFILES += $(foreach pat,$(pgp_patterns),$(pgp_identities:=$(pat))) \ |
---|
| 137 | authority/lock authority/tofu.db |
---|
[9a4d250] | 138 | # GnuPG random pool, no need to regenerate on every build |
---|
| 139 | CLEANFILES += authority/random_seed |
---|
[1708045] | 140 | |
---|
[ee94de5] | 141 | # GnuPG 2 starts gpg-agent processes per GNUPGHOME (one for every PGP |
---|
| 142 | # identity) while creating the PGP certificates. This target is called |
---|
| 143 | # by both "check-local" and "mostlyclean-local": The former because |
---|
| 144 | # agent processes are started while preparing for "check" and are no |
---|
| 145 | # longer needed afterwards, the latter to make sure they are gone |
---|
| 146 | # along with their certificates. |
---|
| 147 | stop-gnupg-agent: |
---|
| 148 | for id in $(pgp_identities) $(msva_home); do \ |
---|
| 149 | GNUPGHOME=$$id/ gpgconf --kill gpg-agent || true; \ |
---|
| 150 | done |
---|
| 151 | |
---|
| 152 | check-local: stop-gnupg-agent |
---|
| 153 | |
---|
[9a4d250] | 154 | # Delete lock files for test servers on "mostlyclean" target. |
---|
| 155 | MOSTLYCLEANFILES += *.lock |
---|
| 156 | |
---|
| 157 | # rule to build MSVA trust database |
---|
| 158 | if USE_MSVA |
---|
| 159 | msva_home = msva.gnupghome |
---|
[e5546be] | 160 | check_DATA += $(msva_home)/trustdb.gpg authority/client/uid |
---|
| 161 | MOSTLYCLEANFILES += $(foreach pat,$(pgp_patterns),$(msva_home)$(pat)) |
---|
| 162 | $(msva_home)/trustdb.gpg: authority/minimal.pgp authority/client/cert.pgp |
---|
[9a4d250] | 163 | mkdir -p -m 0700 $(dir $@) |
---|
| 164 | GNUPGHOME=$(dir $@) gpg --import < $< |
---|
[ee94de5] | 165 | printf "%s:6:\n" "$$(GNUPGHOME=authority/ gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust |
---|
[e5546be] | 166 | GNUPGHOME=$(dir $@) gpg --import < authority/client/cert.pgp |
---|
[9a4d250] | 167 | printf "keyserver does-not-exist.example\n" > $(msva_home)/gpg.conf |
---|
| 168 | endif |
---|
[3f00958] | 169 | |
---|
[ea99ffe] | 170 | if ENABLE_OCSP_TEST |
---|
[20f8e99] | 171 | # rules to build OCSP database |
---|
[7cfc02b] | 172 | ocsp_index_data = authority/ocsp_index.txt authority/ocsp_index.txt.attr \ |
---|
| 173 | authority/subca/ocsp_index.txt authority/subca/ocsp_index.txt.attr |
---|
| 174 | check_DATA += $(ocsp_index_data) |
---|
| 175 | MOSTLYCLEANFILES += $(ocsp_index_data) |
---|
| 176 | |
---|
| 177 | # The "find" command builds a list of all certificates directly below |
---|
| 178 | # the CA that aren't for the ocsp-responder. |
---|
| 179 | %/ocsp_index.txt: $(x509_tokens) gen_ocsp_index |
---|
| 180 | ./gen_ocsp_index $$(find $(*) -mindepth 2 -maxdepth 2 ! -path '*/ocsp-responder/*' -name x509.pem) > $@ |
---|
| 181 | |
---|
| 182 | %/ocsp_index.txt.attr: |
---|
| 183 | @mkdir -m 0700 -p $(dir $@) |
---|
[ea99ffe] | 184 | echo "unique_subject = no" > $@ |
---|
[20f8e99] | 185 | |
---|
[f828974] | 186 | # Build certificate chain files. Note that intermediate tokens must be |
---|
| 187 | # listed explicitly, or the dependency chain will be broken because |
---|
| 188 | # the higher level pattern matches, too. |
---|
| 189 | chain_tokens = authority/server/x509-chain.pem \ |
---|
| 190 | authority/subca/x509-chain.pem \ |
---|
| 191 | authority/subca/server/x509-chain.pem |
---|
| 192 | check_DATA += $(chain_tokens) |
---|
[7cfc02b] | 193 | MOSTLYCLEANFILES += $(chain_tokens) authority/x509-chain.pem |
---|
[ea99ffe] | 194 | endif |
---|
[9a4d250] | 195 | |
---|
[b0e5dae] | 196 | # SoftHSM tokens. Note that the SoftHSM 2 token is a directory and |
---|
| 197 | # hence has to be treated slightly differently. |
---|
[c825c3a] | 198 | SOFTHSM_TOKEN = authority/server/softhsm.db |
---|
| 199 | SOFTHSM2_TOKEN = authority/server/softhsm2.db |
---|
[b0e5dae] | 200 | |
---|
| 201 | # Tokens should be cleaned whether or not the matching SoftHSM version |
---|
| 202 | # was detected on the last ./configure run. |
---|
| 203 | MOSTLYCLEANFILES += $(SOFTHSM_TOKEN) |
---|
| 204 | # included in mostlyclean-local below |
---|
| 205 | clean-softhsm2-db: |
---|
| 206 | -rm -rf $(SOFTHSM2_TOKEN) |
---|
| 207 | |
---|
| 208 | if HAVE_SOFTHSM1 |
---|
| 209 | check_DATA += $(SOFTHSM_TOKEN) |
---|
| 210 | endif HAVE_SOFTHSM1 |
---|
| 211 | |
---|
| 212 | if HAVE_SOFTHSM2 |
---|
| 213 | check_DATA += $(SOFTHSM2_TOKEN) |
---|
| 214 | endif HAVE_SOFTHSM2 |
---|
[9a4d250] | 215 | |
---|
| 216 | check_DATA += make-test-dirs |
---|
| 217 | extra_dirs = logs cache outputs |
---|
| 218 | make-test-dirs: |
---|
| 219 | mkdir -p $(extra_dirs) |
---|
[b0e5dae] | 220 | |
---|
[ee94de5] | 221 | .PHONY: make-test-dirs clean-softhsm2-db stop-gnupg-agent |
---|
| 222 | |
---|
[b0e5dae] | 223 | |
---|
[ee94de5] | 224 | mostlyclean-local: clean-softhsm2-db stop-gnupg-agent |
---|
[42829ae] | 225 | -rmdir $(pgp_identities:=/private-keys-v1.d) || true |
---|
| 226 | if USE_MSVA |
---|
| 227 | -rmdir $(msva_home)/private-keys-v1.d || true |
---|
| 228 | endif |
---|
[3f00958] | 229 | |
---|
[acea635] | 230 | # Delete test data directories, and wait for test services to |
---|
| 231 | # exit. The reason for the wait is that Apache instances may take some |
---|
| 232 | # time to exit and delete their PID files. Occasionally some PID files |
---|
| 233 | # where still around during "distcheck" runs by the time the target |
---|
| 234 | # checked if the build directory was really empty after "distclean", |
---|
| 235 | # breaking the build. Delaying "clean-local" until PID files are gone |
---|
| 236 | # avoids this issue, and the timeout will expose actually unclean |
---|
| 237 | # stops. |
---|
[9a4d250] | 238 | clean-local: |
---|
| 239 | -rmdir $(extra_dirs) || true |
---|
| 240 | if USE_MSVA |
---|
| 241 | -rmdir $(msva_home) || true |
---|
| 242 | endif |
---|
[acea635] | 243 | wait=0; \ |
---|
| 244 | while ls *.pid && test "$$wait" -lt "@TEST_LOCK_WAIT@"; do \ |
---|
| 245 | wait=$$(($$wait + 1)); \ |
---|
| 246 | echo "waiting for test services to exit ($$wait seconds)"; \ |
---|
| 247 | sleep 1; \ |
---|
| 248 | done |
---|
[33af2b7] | 249 | |
---|
[9a4d250] | 250 | # Apache configuration and data files |
---|
[b674e95] | 251 | apache_data = base_apache.conf cgi_module.conf data/dump.cgi data/ocsp.cgi \ |
---|
[b8b1990] | 252 | data/secret.txt data/test.txt ffdhe3072.pem mime.types \ |
---|
[94430e6] | 253 | proxy_mods.conf |
---|
[33af2b7] | 254 | |
---|
[c91382d] | 255 | EXTRA_DIST = $(apache_data) $(cert_templates) $(shared_identities:=/uid.in) \ |
---|
[05984a0] | 256 | apache_service.bash common.bash authority/server/crl.template \ |
---|
[6d3dc34] | 257 | softhsm.bash |
---|
[52c3f68] | 258 | |
---|
[34e5dc7] | 259 | # Lockfile for the main Apache process |
---|
| 260 | test_lockfile = ./test.lock |
---|
[412ee84] | 261 | # Lockfile for the proxy backend Apache process (if any) |
---|
| 262 | backend_lockfile = ./backend.lock |
---|
[94430e6] | 263 | # Lockfile for the OCSP server Apache process (if any) |
---|
| 264 | ocsp_lockfile = ./ocsp.lock |
---|
[50eab8e] | 265 | |
---|
[34e5dc7] | 266 | # port for the main Apache server |
---|
| 267 | TEST_PORT ?= 9932 |
---|
| 268 | # port for MSVA in test cases that use it |
---|
| 269 | MSVA_PORT ?= 9933 |
---|
[97d7c63] | 270 | # port for TLS proxy backend server |
---|
| 271 | BACKEND_PORT ?= 9934 |
---|
| 272 | # port for the OCSP responder |
---|
[21181b2] | 273 | if ENABLE_OCSP_TEST |
---|
| 274 | OCSP_PORT ?= 9936 |
---|
[b47dc70] | 275 | OCSP_URI_TEMPLATE = ocsp_uri = http://$(TEST_HOST):$(OCSP_PORT)/ocsp/ |
---|
[21181b2] | 276 | endif |
---|
[a61edfd] | 277 | # maximum time to wait for MSVA startup (milliseconds) |
---|
[4fb510d] | 278 | TEST_SERVICE_MAX_WAIT ?= 10000 |
---|
[a61edfd] | 279 | # wait loop time for MSVA startup (milliseconds) |
---|
[4fb510d] | 280 | TEST_SERVICE_WAIT ?= 400 |
---|
[34e5dc7] | 281 | |
---|
[5725dca] | 282 | AM_TESTS_ENVIRONMENT = export APACHE2=@APACHE2@; \ |
---|
| 283 | export AP_LIBEXECDIR=@AP_LIBEXECDIR@; \ |
---|
[8335f8c] | 284 | export PYTHON="@PYTHON@"; \ |
---|
[6c030c1] | 285 | export TEST_LOCK_WAIT="@TEST_LOCK_WAIT@"; \ |
---|
[849b87e] | 286 | export TEST_IP="@TEST_IP@"; \ |
---|
[5725dca] | 287 | export TEST_HOST="@TEST_HOST@"; \ |
---|
[34e5dc7] | 288 | export TEST_PORT="$(TEST_PORT)"; \ |
---|
| 289 | export MSVA_PORT="$(MSVA_PORT)"; \ |
---|
[4fb510d] | 290 | export TEST_SERVICE_MAX_WAIT="$(TEST_SERVICE_MAX_WAIT)"; \ |
---|
| 291 | export TEST_SERVICE_WAIT="$(TEST_SERVICE_WAIT)"; \ |
---|
[6c030c1] | 292 | export TEST_QUERY_TIMEOUT="@TEST_QUERY_TIMEOUT@"; \ |
---|
[5725dca] | 293 | export BACKEND_HOST="@TEST_HOST@"; \ |
---|
[97d7c63] | 294 | export BACKEND_PORT="$(BACKEND_PORT)"; \ |
---|
[67f2f58] | 295 | export HTTP_CLI="@HTTP_CLI@"; |
---|
[f9f184f] | 296 | |
---|
[5eb4544] | 297 | if HAVE_SOFTHSM |
---|
[74772b2] | 298 | AM_TESTS_ENVIRONMENT += export SOFTHSM="@SOFTHSM@"; \ |
---|
[aeaf28b] | 299 | export SOFTHSM_MAJOR_VERSION="@SOFTHSM_MAJOR_VERSION@"; \ |
---|
[a592762] | 300 | export SOFTHSM_LIB="@SOFTHSM_LIB@"; |
---|
[5eb4544] | 301 | endif |
---|
| 302 | |
---|
[21181b2] | 303 | if ENABLE_OCSP_TEST |
---|
| 304 | AM_TESTS_ENVIRONMENT += export OPENSSL="@OPENSSL@"; \ |
---|
| 305 | export OCSP_PORT="$(OCSP_PORT)"; |
---|
| 306 | endif |
---|
| 307 | |
---|
[cf4e708] | 308 | if ENABLE_NETNS |
---|
[5725dca] | 309 | AM_TESTS_ENVIRONMENT += export UNSHARE="@UNSHARE@"; \ |
---|
[cf4e708] | 310 | export USE_TEST_NAMESPACE=1; |
---|
| 311 | endif |
---|
[94430e6] | 312 | # Without flock tests must not run in parallel, and PID files are used |
---|
| 313 | # to prevent conflicts between server instances. Otherwise set lock |
---|
| 314 | # files for flock. |
---|
[412ee84] | 315 | if DISABLE_FLOCK |
---|
[94430e6] | 316 | AM_TESTS_ENVIRONMENT += export TEST_LOCK="apache2.pid"; \ |
---|
| 317 | export BACKEND_LOCK="backend.pid"; \ |
---|
| 318 | export OCSP_LOCK="ocsp.pid"; |
---|
[412ee84] | 319 | .NOTPARALLEL: |
---|
| 320 | else |
---|
[5725dca] | 321 | AM_TESTS_ENVIRONMENT += export FLOCK="@FLOCK@"; \ |
---|
[412ee84] | 322 | export TEST_LOCK="$(test_lockfile)"; \ |
---|
[94430e6] | 323 | export BACKEND_LOCK="$(backend_lockfile)"; \ |
---|
| 324 | export OCSP_LOCK="$(ocsp_lockfile)"; |
---|
[412ee84] | 325 | endif |
---|
| 326 | |
---|
[f9f184f] | 327 | # Echo AM_TESTS_ENVIRONMENT. This can be useful for debugging, e.g. if |
---|
| 328 | # you want to manually run an Apache instance with Valgrind using the |
---|
| 329 | # same configuration as a test case. |
---|
| 330 | show-test-env: export TEST_ENV=$(AM_TESTS_ENVIRONMENT) |
---|
| 331 | show-test-env: |
---|
| 332 | @echo "$${TEST_ENV}" |
---|