source: mod_gnutls/test/Makefile.am @ 5d9f34e

Last change on this file since 5d9f34e was c0bb823, checked in by Thomas Klute <thomas2.klute@…>, 4 years ago

Test suite: Create rogue client certificate for client auth test

Test case 18 (verification of a client certificate not issued by the
accepted CA) used the Rogue CA certificate as a client
certificate. However, recent gnutls-cli (from GnuTLS git at the time
of this commit) detects the constraint violation and rejects the
certificate, so the test fails before mod_gnutls can check the
certificate. Create a rogue client certificate with correct
constraints to make the test work as expected.

# Also process the tests/ subdirectory.
SUBDIRS = tests

# Test scripts that "make check" runs; the dist_ prefix also ships
# them in the distribution tarball. Judging by their names, tests 10,
# 11, 18, 21 and 22 exercise certificate verification, including cases
# in which a certificate has to be rejected.
dist_check_SCRIPTS = \
	test-00_basic.bash \
	test-01_serverwide_priorities.bash \
	test-02_cache_in_vhost.bash \
	test-03_cachetimeout_in_vhost.bash \
	test-04_basic_nosni.bash \
	test-05_mismatched-priorities.bash \
	test-06_verify_sni_a.bash \
	test-07_verify_sni_b.bash \
	test-08_verify_no_sni_fallback_to_first_vhost.bash \
	test-09_verify_no_sni_fails_with_wrong_order.bash \
	test-10_basic_client_verification.bash \
	test-11_basic_client_verification_fail.bash \
	test-12_cgi_variables.bash \
	test-13_cgi_variables_no_client_cert.bash \
	test-14_basic_openpgp.bash

# The MSVA test is only part of the list when the USE_MSVA automake
# conditional is true.
if USE_MSVA
dist_check_SCRIPTS += test-15_basic_msva.bash
endif

dist_check_SCRIPTS += \
	test-16_view-status.bash \
	test-17_cgi_vars_large_cert.bash \
	test-18_client_verification_wrong_cert.bash \
	test-19_TLS_reverse_proxy.bash \
	test-20_TLS_reverse_proxy_client_auth.bash \
	test-21_TLS_reverse_proxy_wrong_cert.bash \
	test-22_TLS_reverse_proxy_crl_revoke.bash \
	test-23_TLS_reverse_proxy_mismatched_priorities.bash \
	test-24_pkcs11_cert.bash \
	test-25_Disable_TLS_1.0.bash

# Every script listed above is run as a test case.
TESTS = $(dist_check_SCRIPTS)
[8f90bf4]33
# Identities in the miniature CA, server, and client environment for
# the test suite. Each identity has a directory of its own that holds
# its key material (see the token lists below).
shared_identities = server authority client imposter rogueca
# Every shared identity gets PGP as well as X.509 credentials.
pgp_identities = $(shared_identities)
# rogueclient only gets an X.509 key and certificate, no PGP keyring.
x509_only_identities = rogueclient
x509_identities = $(shared_identities) $(x509_only_identities)
# All identity directories; clean-local removes them with rmdir.
identities = $(shared_identities) $(x509_only_identities)
# Append strings after ":=" to each identity to generate a list of
# necessary files. "$(var:=suffix)" is a substitution reference with
# an empty pattern, so the suffix is added to every word of the list.
pgp_tokens = $(pgp_identities:=/secring.gpg) $(pgp_identities:=/cert.pgp) \
	$(pgp_identities:=/secret.pgp)
# X.509 private keys of the test identities. They are test-only key
# material and are deleted by "clean" through CLEANFILES.
x509_keys = $(x509_identities:=/secret.key)
x509_certs = $(x509_identities:=/x509.pem)
x509_tokens = $(x509_certs) $(x509_keys)
# Everything that has to exist before test cases run (see check_DATA).
tokens = $(x509_tokens) $(pgp_tokens)
49
if !DISABLE_FLOCK
# flock command for write access to the authority keyring. The
# variable stays undefined when DISABLE_FLOCK is set; in that case
# this file declares .NOTPARALLEL instead of using lock files.
GPG_FLOCK = $(FLOCK) authority/lock
endif

# NOTE(review): test_ca.mk is not shown here; presumably it holds the
# rules that generate the keys and certificates listed in $(tokens)
# and is where GPG_FLOCK is used -- confirm.
include $(srcdir)/test_ca.mk
[9a4d250]56
# Test cases trying to create keys and certificates in parallel causes
# race conditions. Ensure that all keys and certificates are generated
# before tests get to run.
#
# NOTE: Once the support files have been generated, test cases can be
# run with multiple jobs, but real parallelization would require
# dynamic port assignments. At the moment, lock files ensure that only
# one Apache instance (possibly plus a proxy back end instance) is
# running at any time, so test cases actually have to wait for each
# other - just not in any particular order.
check_DATA = $(tokens) server/crl.pem

# Files left behind by test runs (cache, logs, outputs) and the
# server CRL are deleted on "mostlyclean".
MOSTLYCLEANFILES = cache/* logs/* outputs/* server/crl.pem
[6ce02e2]70
# Certificate templates shipped in the distribution (see EXTRA_DIST).
# rogueca.template is the only one listed without an ".in" suffix and
# has no entry in generated_templates, so "mostlyclean" never deletes
# it. Presumably the other templates are generated from their ".in"
# files -- confirm against the rules that build them.
cert_templates = authority.template.in client.template.in \
	imposter.template.in rogueca.template server.template.in
generated_templates = authority.template client.template \
	imposter.template server.template

# Delete X.509 private keys on full clean. Note that unless you need
# to generate fresh keys, the "mostlyclean" target should be
# sufficient (see below).
CLEANFILES = $(x509_keys)

# Delete X.509 certificates and generated templates on "mostlyclean"
# target. Certificates can be rebuilt without generating new key
# pairs, and regenerating them makes it possible to change identities
# (e.g. host names) without wasting entropy on new keys (which would
# happen after "clean").
MOSTLYCLEANFILES += */x509.pem $(generated_templates) *.uid


# Delete PGP keyrings on "mostlyclean" target. They are created from
# the X.509 private keys and certificates with an expiration time of
# one day, so regenerating them is both fast and frequently
# necessary. The patterns also cover GnuPG backup files (*.gpg~), the
# per-directory gpg.conf files and the authority keyring lock.
MOSTLYCLEANFILES += */*.pgp */*.gpg */*.gpg~ */gpg.conf authority/lock
# GnuPG random pool, no need to regenerate on every build
CLEANFILES += authority/random_seed

# Delete lock files for test servers on "mostlyclean" target.
MOSTLYCLEANFILES += *.lock
99
# rule to build MSVA trust database
#
# The recipe creates a GnuPG home directory with mode 0700 (accessible
# to its owner only), imports the authority key ($<, which is
# authority/minimal.pgp), assigns ownertrust value 6 (ultimate trust
# in GnuPG's ownertrust format) to the fingerprint listed for the
# authority's secret key, imports the client certificate, and finally
# writes a gpg.conf that names a keyserver under the reserved
# ".example" domain -- presumably so that nothing in the tests can
# query a real keyserver (confirm).
#
# NOTE(review): the fingerprint is read through a pipeline inside a
# command substitution, so make does not notice when the gpg call in
# there fails; printf would then hand ":6:" with an empty fingerprint
# to "gpg --import-ownertrust". Consider checking that the fingerprint
# is non-empty before importing the ownertrust.
# NOTE(review): gpg.conf is written by this recipe but is not its
# target, so make does not track it; only the "*/gpg.conf" pattern in
# MOSTLYCLEANFILES covers it.
if USE_MSVA
msva_home = msva.gnupghome
check_DATA += $(msva_home)/trustdb.gpg client.uid
MOSTLYCLEANFILES += $(msva_home)/trustdb.gpg
$(msva_home)/trustdb.gpg: authority/minimal.pgp client/cert.pgp
	mkdir -p -m 0700 $(dir $@)
	GNUPGHOME=$(dir $@) gpg --import < $<
	printf "%s:6:\n" "$$(GNUPGHOME=authority gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
	GNUPGHOME=$(dir $@) gpg --import < client/cert.pgp
	printf "keyserver does-not-exist.example\n" > $(msva_home)/gpg.conf
endif
[3f00958]112
# SoftHSM files
# NOTE(review): no rule for server/softhsm.db is visible in this part
# of the file; presumably it comes from test_ca.mk -- confirm.
check_DATA += server/softhsm.db
MOSTLYCLEANFILES += tests/24_pkcs11_cert/softhsm.conf server/softhsm.db


# make-test-dirs is listed in check_DATA so that the working
# directories exist before test cases run. It is declared phony
# because it does not name a file.
check_DATA += make-test-dirs
extra_dirs = logs cache outputs
make-test-dirs:
	mkdir -p $(extra_dirs)
.PHONY: make-test-dirs
[3f00958]123
# Best-effort removal of the identity and work directories on "clean".
# rmdir only removes empty directories, so a directory that still
# holds files is left in place. "|| true" keeps a failed rmdir from
# aborting the clean.
clean-local:
	rmdir $(identities) || true
	rmdir $(extra_dirs) || true
if USE_MSVA
	rmdir $(msva_home) || true
endif
[33af2b7]130
# Apache configuration and data files
apache_data = base_apache.conf cgi_module.conf data/* mime.types proxy_mods.conf

# Additional files to ship in the distribution tarball: the Apache
# data, the certificate templates, the *.uid.in inputs, and the
# helper scripts and configuration files the test cases rely on.
EXTRA_DIST = $(apache_data) $(cert_templates) *.uid.in common.bash \
	proxy_backend.bash runtests server-crl.template server-softhsm.conf \
	softhsm.bash
[52c3f68]137
# Lockfile for the main Apache process
test_lockfile = ./test.lock
# Lockfile for the proxy backend Apache process (if any)
backend_lockfile = ./backend.lock
# Maximum wait time in seconds for flock to acquire instance lock
# files, or Apache to remove its PID file
lock_wait = 30

# The settings below are assigned with "?=", so a value that is
# already set (e.g. in the environment or on the make command line)
# takes precedence over the default given here.
# port for the main Apache server
TEST_PORT ?= 9932
# port for MSVA in test cases that use it
MSVA_PORT ?= 9933
# maximum time to wait for MSVA startup (milliseconds)
TEST_MSVA_MAX_WAIT ?= 10000
# wait loop time for MSVA startup (milliseconds)
TEST_MSVA_WAIT ?= 400
# seconds for the HTTP request to be sent and responded to
TEST_QUERY_DELAY ?= 30
156
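# Environment exported to every test script. Each value is wrapped in
# double quotes so that a path containing whitespace (e.g. an Apache
# binary or module directory in an unusual location) is exported as
# one word instead of being split by the shell. BACKEND_HOST is set to
# the same value as TEST_HOST.
AM_TESTS_ENVIRONMENT = export APACHE2="$(APACHE2)"; \
	export AP_LIBEXECDIR="$(AP_LIBEXECDIR)"; \
	export TEST_LOCK_WAIT="$(lock_wait)"; \
	export TEST_HOST="$(TEST_HOST)"; \
	export TEST_PORT="$(TEST_PORT)"; \
	export MSVA_PORT="$(MSVA_PORT)"; \
	export TEST_MSVA_MAX_WAIT="$(TEST_MSVA_MAX_WAIT)"; \
	export TEST_MSVA_WAIT="$(TEST_MSVA_WAIT)"; \
	export TEST_QUERY_DELAY="$(TEST_QUERY_DELAY)"; \
	export BACKEND_HOST="$(TEST_HOST)";

# NOTE(review): UNSHARE and USE_TEST_NAMESPACE=1 are only exported
# when ENABLE_NETNS is set; presumably the test scripts then start the
# servers in a separate network namespace -- confirm in the scripts.
if ENABLE_NETNS
AM_TESTS_ENVIRONMENT += export UNSHARE="$(UNSHARE)"; \
	export USE_TEST_NAMESPACE=1;
endif
# Without flock tests must not run in parallel. Otherwise set lock files.
if DISABLE_FLOCK
.NOTPARALLEL:
else
AM_TESTS_ENVIRONMENT += export FLOCK="$(FLOCK)"; \
	export TEST_LOCK="$(test_lockfile)"; \
	export BACKEND_LOCK="$(backend_lockfile)";
endif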
180
# Echo AM_TESTS_ENVIRONMENT. This can be useful for debugging, e.g. if
# you want to manually run an Apache instance with Valgrind using the
# same configuration as a test case.
#
# The target-specific "export" places the whole environment string in
# TEST_ENV for the recipe's shell; "$$" passes a literal "$" through
# make so that the shell expands the variable.
# NOTE(review): show-test-env is not declared in .PHONY in the part of
# the file shown here; a file of that name in this directory would
# keep the recipe from running.
show-test-env: export TEST_ENV=$(AM_TESTS_ENVIRONMENT)
show-test-env:
	@echo "$${TEST_ENV}"