source: mod_gnutls/test/Makefile.am @ 65c84e5

Last change on this file since 65c84e5 was 7cfc02b, checked in by Fiona Klute <fiona.klute@…>, 2 years ago

Test suite: Add an OCSP responder for the sub CA

All CAs use the same server as their OCSP responders. The OCSP URI now
includes the CA identity so the server can select the correct CA when
generating the response.

SUBDIRS = tests

# Test cases, one bash script each. The list is reused as TESTS
# below, so every script named here is both distributed and run by
# the Automake test harness. The list is split around the USE_MSVA
# conditional because test-15 only makes sense with MSVA support.
dist_check_SCRIPTS = test-00_basic.bash \
	test-01_serverwide_priorities.bash \
	test-02_cache_in_vhost.bash \
	test-03_cachetimeout_in_vhost.bash \
	test-04_basic_nosni.bash \
	test-05_mismatched-priorities.bash \
	test-06_verify_sni_a.bash \
	test-07_verify_sni_b.bash \
	test-08_verify_no_sni_fallback_to_first_vhost.bash \
	test-09_verify_no_sni_fails_with_wrong_order.bash \
	test-10_basic_client_verification.bash \
	test-11_basic_client_verification_fail.bash \
	test-12_cgi_variables.bash \
	test-13_cgi_variables_no_client_cert.bash \
	test-14_resume_session.bash
if USE_MSVA
dist_check_SCRIPTS += test-15_basic_msva.bash
endif
dist_check_SCRIPTS += test-16_view-status.bash \
	test-17_cgi_vars_large_cert.bash \
	test-18_client_verification_wrong_cert.bash \
	test-19_TLS_reverse_proxy.bash \
	test-20_TLS_reverse_proxy_client_auth.bash \
	test-21_TLS_reverse_proxy_wrong_cert.bash \
	test-22_TLS_reverse_proxy_crl_revoke.bash \
	test-23_TLS_reverse_proxy_mismatched_priorities.bash \
	test-24_pkcs11_cert.bash \
	test-25_Disable_TLS_1.0.bash \
	test-26_redirect_HTTP_to_HTTPS.bash \
	test-27_OCSP_server.bash \
	test-28_HTTP2_support.bash \
	test-29_force_handshake_vhost.bash \
	test-30_ip_based_vhosts.bash \
	test-31_vhost_SNI_serveralias_match.bash \
	test-32_vhost_SNI_serveralias_mismatch.bash \
	test-33_vhost_SNI_serveralias_missinghost.bash \
	test-34_TLS_reverse_proxy_h2.bash

# Register ".bash" as a test extension so the harness uses the
# per-extension log compiler settings (defined elsewhere, not visible
# here) for the scripts above.
TEST_EXTENSIONS = .bash
TESTS = $(dist_check_SCRIPTS)

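# Helper programs that are only built for "make check".
check_PROGRAMS = pgpcrc
pgpcrc_SOURCES = pgpcrc.c

# build OCSP database tool
if ENABLE_OCSP_TEST
check_PROGRAMS += gen_ocsp_index
gen_ocsp_index_SOURCES = gen_ocsp_index.c cert_helper.c
gen_ocsp_index_CFLAGS = $(LIBGNUTLS_CFLAGS)
# Libraries go into LDADD rather than LDFLAGS: Automake places LDFLAGS
# before the object files on the link line, where a "-lgnutls" is
# discarded by linkers running with --as-needed and the link fails
# with unresolved GnuTLS symbols.
gen_ocsp_index_LDADD = $(LIBGNUTLS_LIBS)
noinst_HEADERS = cert_helper.h
endif
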
# Identities in the miniature CA, server, and client environment for
# the test suite
shared_identities = authority authority/client
pgp_identities = $(shared_identities)
x509_only_identities = authority/server authority/imposter \
	authority/subca authority/subca/server \
	rogueca rogueca/rogueclient
# One OCSP responder identity per CA (root and sub CA), so that each
# CA can be answered for separately.
if ENABLE_OCSP_TEST
x509_only_identities += authority/ocsp-responder authority/subca/ocsp-responder
endif
x509_identities = $(shared_identities) $(x509_only_identities)
# NOTE: currently the same list as x509_identities; kept as its own
# name because it is used for per-identity files such as "uid" below.
identities = $(shared_identities) $(x509_only_identities)
# Append strings after ":=" to each identity to generate a list of
# necessary files
pgp_tokens = $(pgp_identities:=/cert.pgp) \
	$(pgp_identities:=/secret.pgp)
# secret.key is the X.509 private key of each identity. These are
# test keys generated in the build tree (see CLEANFILES below); they
# are not meant to leave it.
x509_keys = $(x509_identities:=/secret.key)
x509_certs = $(x509_identities:=/x509.pem)
x509_tokens = $(x509_certs) $(x509_keys)
# PGP tokens are only needed (and only generated) for the MSVA tests.
tokens = $(x509_tokens)
if USE_MSVA
tokens += $(pgp_tokens)
endif

if !DISABLE_FLOCK
# flock command for write access to the authority keyring
GPG_FLOCK = @FLOCK@ authority/lock
endif

# Rules for the CA, key, and certificate files listed above
# (presumably; the included file is not visible here).
include $(srcdir)/test_ca.mk

# Test cases trying to create keys and certificates in parallel causes
# race conditions. Ensure that all keys and certificates are generated
# before tests get to run.
#
# NOTE: Once the support files have been generated, test cases can be
# run with multiple jobs, but real parallelization would require
# dynamic port assignments. At the moment, lock files ensure that only
# one Apache instance (possibly plus a proxy back end instance) is
# running at any time, so test cases actually have to wait for each
# other - just not in any particular order.
check_DATA = $(tokens) authority/server/crl.pem

MOSTLYCLEANFILES = cache/* logs/* outputs/* authority/server/crl.pem

# Certificate templates: ".in" files are processed into the
# generated_templates list below, the others are used as they are.
cert_templates = authority/template.in authority/client/template.in \
	authority/imposter/template.in authority/ocsp-responder/template \
	authority/server/template.in \
	authority/subca/template.in authority/subca/server/template.in \
	authority/subca/ocsp-responder/template \
	rogueca/template rogueca/rogueclient/template.in
generated_templates = authority/template authority/client/template \
	authority/imposter/template rogueca/rogueclient/template \
	authority/server/template

# Delete X.509 private keys on full clean. Note that unless you need
# to generate fresh keys, the "mostlyclean" target should be
# sufficient (see below).
CLEANFILES = $(x509_keys)

# Delete X.509 certificates and generated templates on "mostlyclean"
# target. Certificates can be rebuilt without generating new key
# pairs, and regenerating them makes it possible to change identities
# (e.g. host names) without wasting time on new keys (which would
# happen after "clean").
MOSTLYCLEANFILES += $(x509_certs) $(generated_templates) $(identities:=/uid)


# Delete PGP keyrings on "mostlyclean" target. They are created from
# the X.509 private keys and certificates with an expiration time of
# one day, so regenerating them is both fast and frequently
# necessary.
pgp_patterns = /*.pgp /*.pgp.raw /*.gpg /*.gpg~ /gpg.conf \
	/*.kbx /*.kbx~ /S.gpg-agent /private-keys-v1.d/*
MOSTLYCLEANFILES += $(foreach pat,$(pgp_patterns),$(pgp_identities:=$(pat))) \
	authority/lock authority/tofu.db
# GnuPG random pool, no need to regenerate on every build
CLEANFILES += authority/random_seed

# GnuPG 2 spawns one gpg-agent per GNUPGHOME (that is, one per PGP
# identity) while the PGP certificates are created. Both "check-local"
# and "mostlyclean-local" depend on this target: the agents are
# started while preparing for "check" and serve no purpose once it
# is done, and they must not outlive the certificates they were
# started for. gpgconf may be missing or the agent may already be
# gone, so a failed kill is not an error.
stop-gnupg-agent:
	for home in $(pgp_identities) $(msva_home); do \
		GNUPGHOME="$$home/" gpgconf --kill gpg-agent || true; \
	done

check-local: stop-gnupg-agent

# Lock files of the test servers go away on "mostlyclean".
MOSTLYCLEANFILES += *.lock

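# rule to build MSVA trust database: a dedicated GNUPGHOME holding the
# test authority key (trusted ultimately) and the client certificate.
if USE_MSVA
msva_home = msva.gnupghome
check_DATA += $(msva_home)/trustdb.gpg authority/client/uid
MOSTLYCLEANFILES += $(foreach pat,$(pgp_patterns),$(msva_home)$(pat))
# The recipe also writes $(msva_home)/gpg.conf next to the target; it
# points the keyserver at a name that does not resolve so nothing in
# this GNUPGHOME can reach out to the network. Ownertrust "6" marks
# the authority key as ultimately trusted. The secret keyring of
# authority/ is expected to hold exactly one key; the recipe fails
# loudly if no fingerprint is found instead of silently building a
# trust database that trusts nothing.
$(msva_home)/trustdb.gpg: authority/minimal.pgp authority/client/cert.pgp
	mkdir -p -m 0700 $(dir $@)
	GNUPGHOME=$(dir $@) gpg --import < $<
	fprs=$$(GNUPGHOME=authority/ gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :); \
	test -n "$$fprs" || { echo "$@: no secret key fingerprint found in authority/" >&2; exit 1; }; \
	for fpr in $$fprs; do printf "%s:6:\n" "$$fpr"; done | GNUPGHOME=$(dir $@) gpg --import-ownertrust
	GNUPGHOME=$(dir $@) gpg --import < authority/client/cert.pgp
	printf "keyserver does-not-exist.example\n" > $(msva_home)/gpg.conf
endif
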
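if ENABLE_OCSP_TEST
# rules to build OCSP database (one index per CA: root and sub CA)
ocsp_index_data = authority/ocsp_index.txt authority/ocsp_index.txt.attr \
	authority/subca/ocsp_index.txt authority/subca/ocsp_index.txt.attr
check_DATA += $(ocsp_index_data)
MOSTLYCLEANFILES += $(ocsp_index_data)

# The "find" command builds a list of all certificates directly below
# the CA (the "%" stem, $*) that aren't for the ocsp-responder.
# The index is written to a temporary file first and renamed into
# place, so a failing gen_ocsp_index run cannot leave a truncated
# index behind that looks up to date on the next "make check".
%/ocsp_index.txt: $(x509_tokens) gen_ocsp_index
	./gen_ocsp_index $$(find $* -mindepth 2 -maxdepth 2 ! -path '*/ocsp-responder/*' -name x509.pem) > $@.tmp || { rm -f $@.tmp; exit 1; }
	mv -f $@.tmp $@

# OpenSSL CA index attributes. "unique_subject = no" allows several
# entries with the same subject in one index (certificates for the
# same identity are regenerated on "mostlyclean", which presumably is
# why it is needed -- confirm against the OCSP test).
%/ocsp_index.txt.attr:
	@mkdir -m 0700 -p $(dir $@)
	echo "unique_subject = no" > $@

# Build certificate chain files. Note that intermediate tokens must be
# listed explicitly, or the dependency chain will be broken because
# the higher level pattern matches, too.
chain_tokens = authority/server/x509-chain.pem \
	authority/subca/x509-chain.pem \
	authority/subca/server/x509-chain.pem
check_DATA += $(chain_tokens)
MOSTLYCLEANFILES += $(chain_tokens) authority/x509-chain.pem
endif
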
# SoftHSM tokens. The SoftHSM 2 token is a directory rather than a
# file, which is why it gets its own clean rule (clean-softhsm2-db)
# instead of an entry in MOSTLYCLEANFILES.
SOFTHSM_TOKEN = authority/server/softhsm.db
SOFTHSM2_TOKEN = authority/server/softhsm2.db

# Build the token for whichever SoftHSM version ./configure found.
if HAVE_SOFTHSM1
check_DATA += $(SOFTHSM_TOKEN)
endif HAVE_SOFTHSM1

if HAVE_SOFTHSM2
check_DATA += $(SOFTHSM2_TOKEN)
endif HAVE_SOFTHSM2

# Both tokens are cleaned no matter which SoftHSM version the last
# ./configure run detected.
MOSTLYCLEANFILES += $(SOFTHSM_TOKEN)
# hooked into mostlyclean-local below
clean-softhsm2-db:
	-rm -rf $(SOFTHSM2_TOKEN)

# Runtime directories for the test cases. make-test-dirs is part of
# check_DATA so they exist before the first test runs.
extra_dirs = logs cache outputs
check_DATA += make-test-dirs
make-test-dirs:
	mkdir -p $(extra_dirs)

.PHONY: make-test-dirs clean-softhsm2-db stop-gnupg-agent


# The private-keys-v1.d directories are only removed when empty;
# their contents are covered by pgp_patterns above.
mostlyclean-local: clean-softhsm2-db stop-gnupg-agent
	-rmdir $(pgp_identities:=/private-keys-v1.d) || true
if USE_MSVA
	-rmdir $(msva_home)/private-keys-v1.d || true
endif

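# Delete test data directories, and wait for test services to
# exit. The reason for the wait is that Apache instances may take some
# time to exit and delete their PID files. Occasionally some PID files
# were still around during "distcheck" runs by the time the target
# checked if the build directory was really empty after "distclean",
# breaking the build. Delaying "clean-local" until PID files are gone
# avoids this issue, and the timeout will expose actually unclean
# stops.
#
# "ls *.pid" doubles as the loop condition (it fails once no PID file
# is left) and as progress output listing the files still present;
# its stderr is dropped because the "no such file" message on the
# common no-PID-files path is noise. If the wait times out, a warning
# names the problem so a later "distcheck" failure is easy to trace.
clean-local:
	-rmdir $(extra_dirs) || true
if USE_MSVA
	-rmdir $(msva_home) || true
endif
	wait=0; \
	while ls *.pid 2>/dev/null && test "$$wait" -lt "@TEST_LOCK_WAIT@"; do \
		wait=$$(($$wait + 1)); \
		echo "waiting for test services to exit ($$wait seconds)"; \
		sleep 1; \
	done; \
	if ls *.pid >/dev/null 2>&1; then \
		echo "warning: PID files still present after @TEST_LOCK_WAIT@ seconds, test services may not have stopped" >&2; \
	fi
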
[9a4d250]244# Apache configuration and data files
[b674e95]245apache_data = base_apache.conf cgi_module.conf data/dump.cgi data/ocsp.cgi \
[b8b1990]246        data/secret.txt data/test.txt ffdhe3072.pem mime.types \
[94430e6]247        proxy_mods.conf
[33af2b7]248
[c91382d]249EXTRA_DIST = $(apache_data) $(cert_templates) $(shared_identities:=/uid.in) \
[c825c3a]250        apache_service.bash common.bash runtests authority/server/crl.template \
[0bda20f]251        softhsm.bash
[52c3f68]252
[34e5dc7]253# Lockfile for the main Apache process
254test_lockfile = ./test.lock
[412ee84]255# Lockfile for the proxy backend Apache process (if any)
256backend_lockfile = ./backend.lock
[94430e6]257# Lockfile for the OCSP server Apache process (if any)
258ocsp_lockfile = ./ocsp.lock
[50eab8e]259
[34e5dc7]260# port for the main Apache server
261TEST_PORT ?= 9932
262# port for MSVA in test cases that use it
263MSVA_PORT ?= 9933
[97d7c63]264# port for TLS proxy backend server
265BACKEND_PORT ?= 9934
266# port for the OCSP responder
[21181b2]267if ENABLE_OCSP_TEST
268OCSP_PORT ?= 9936
[b47dc70]269OCSP_URI_TEMPLATE = ocsp_uri = http://$(TEST_HOST):$(OCSP_PORT)/ocsp/
[21181b2]270endif
[a61edfd]271# maximum time to wait for MSVA startup (milliseconds)
[4fb510d]272TEST_SERVICE_MAX_WAIT ?= 10000
[a61edfd]273# wait loop time for MSVA startup (milliseconds)
[4fb510d]274TEST_SERVICE_WAIT ?= 400
[34e5dc7]275
[5725dca]276AM_TESTS_ENVIRONMENT = export APACHE2=@APACHE2@; \
277        export AP_LIBEXECDIR=@AP_LIBEXECDIR@; \
[6c030c1]278        export TEST_LOCK_WAIT="@TEST_LOCK_WAIT@"; \
[849b87e]279        export TEST_IP="@TEST_IP@"; \
[5725dca]280        export TEST_HOST="@TEST_HOST@"; \
[34e5dc7]281        export TEST_PORT="$(TEST_PORT)"; \
282        export MSVA_PORT="$(MSVA_PORT)"; \
[4fb510d]283        export TEST_SERVICE_MAX_WAIT="$(TEST_SERVICE_MAX_WAIT)"; \
284        export TEST_SERVICE_WAIT="$(TEST_SERVICE_WAIT)"; \
[6c030c1]285        export TEST_QUERY_TIMEOUT="@TEST_QUERY_TIMEOUT@"; \
[5725dca]286        export BACKEND_HOST="@TEST_HOST@"; \
[97d7c63]287        export BACKEND_PORT="$(BACKEND_PORT)"; \
[67f2f58]288        export HTTP_CLI="@HTTP_CLI@";
[f9f184f]289
[5eb4544]290if HAVE_SOFTHSM
[74772b2]291AM_TESTS_ENVIRONMENT += export SOFTHSM="@SOFTHSM@"; \
[aeaf28b]292        export SOFTHSM_MAJOR_VERSION="@SOFTHSM_MAJOR_VERSION@"; \
293        export SOFTHSM_LIB="@SOFTHSM_LIB@"
[5eb4544]294endif
295
[21181b2]296if ENABLE_OCSP_TEST
297AM_TESTS_ENVIRONMENT += export OPENSSL="@OPENSSL@"; \
298        export OCSP_PORT="$(OCSP_PORT)";
299endif
300
[cf4e708]301if ENABLE_NETNS
[5725dca]302AM_TESTS_ENVIRONMENT += export UNSHARE="@UNSHARE@"; \
[cf4e708]303        export USE_TEST_NAMESPACE=1;
304endif
[94430e6]305# Without flock tests must not run in parallel, and PID files are used
306# to prevent conflicts between server instances. Otherwise set lock
307# files for flock.
[412ee84]308if DISABLE_FLOCK
[94430e6]309AM_TESTS_ENVIRONMENT += export TEST_LOCK="apache2.pid"; \
310        export BACKEND_LOCK="backend.pid"; \
311        export OCSP_LOCK="ocsp.pid";
[412ee84]312.NOTPARALLEL:
313else
[5725dca]314AM_TESTS_ENVIRONMENT += export FLOCK="@FLOCK@"; \
[412ee84]315        export TEST_LOCK="$(test_lockfile)"; \
[94430e6]316        export BACKEND_LOCK="$(backend_lockfile)"; \
317        export OCSP_LOCK="$(ocsp_lockfile)";
[412ee84]318endif
319
[f9f184f]320# Echo AM_TESTS_ENVIRONMENT. This can be useful for debugging, e.g. if
321# you want to manually run an Apache instance with Valgrind using the
322# same configuration as a test case.
323show-test-env: export TEST_ENV=$(AM_TESTS_ENVIRONMENT)
324show-test-env:
325        @echo "$${TEST_ENV}"