source: mod_gnutls/test/Makefile.am @ 096859f

Last change on this file since 096859f was 7cfc02b, checked in by Fiona Klute <fiona.klute@…>, 22 months ago

Test suite: Add an OCSP responder for the sub CA

All CAs use the same server as their OCSP responders. The OCSP URI now
includes the CA identity so the server can select the correct CA when
generating the response.

SUBDIRS = tests

# Test cases, one shell script each. "dist_check_": shipped in the
# distribution tarball, but only needed for "make check" (never
# installed).
dist_check_SCRIPTS = test-00_basic.bash \
	test-01_serverwide_priorities.bash \
	test-02_cache_in_vhost.bash \
	test-03_cachetimeout_in_vhost.bash \
	test-04_basic_nosni.bash \
	test-05_mismatched-priorities.bash \
	test-06_verify_sni_a.bash \
	test-07_verify_sni_b.bash \
	test-08_verify_no_sni_fallback_to_first_vhost.bash \
	test-09_verify_no_sni_fails_with_wrong_order.bash \
	test-10_basic_client_verification.bash \
	test-11_basic_client_verification_fail.bash \
	test-12_cgi_variables.bash \
	test-13_cgi_variables_no_client_cert.bash \
	test-14_resume_session.bash
# test-15 needs MSVA and is only included when configure enabled MSVA
# support; the list is split here so the numbering stays in order.
if USE_MSVA
dist_check_SCRIPTS += test-15_basic_msva.bash
endif
dist_check_SCRIPTS += test-16_view-status.bash \
	test-17_cgi_vars_large_cert.bash \
	test-18_client_verification_wrong_cert.bash \
	test-19_TLS_reverse_proxy.bash \
	test-20_TLS_reverse_proxy_client_auth.bash \
	test-21_TLS_reverse_proxy_wrong_cert.bash \
	test-22_TLS_reverse_proxy_crl_revoke.bash \
	test-23_TLS_reverse_proxy_mismatched_priorities.bash \
	test-24_pkcs11_cert.bash \
	test-25_Disable_TLS_1.0.bash \
	test-26_redirect_HTTP_to_HTTPS.bash \
	test-27_OCSP_server.bash \
	test-28_HTTP2_support.bash \
	test-29_force_handshake_vhost.bash \
	test-30_ip_based_vhosts.bash \
	test-31_vhost_SNI_serveralias_match.bash \
	test-32_vhost_SNI_serveralias_mismatch.bash \
	test-33_vhost_SNI_serveralias_missinghost.bash \
	test-34_TLS_reverse_proxy_h2.bash

# Let the Automake test harness treat the .bash scripts as tests;
# every script listed above is a test case.
TEST_EXTENSIONS = .bash
TESTS = $(dist_check_SCRIPTS)

# Helper program built for "make check" only (not installed).
check_PROGRAMS = pgpcrc
pgpcrc_SOURCES = pgpcrc.c
46
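# build OCSP database tool
# Only needed (and only built) when the OCSP tests are enabled; it is
# compiled and linked against GnuTLS with the flags configure detected.
if ENABLE_OCSP_TEST
check_PROGRAMS += gen_ocsp_index
gen_ocsp_index_SOURCES = gen_ocsp_index.c cert_helper.c
gen_ocsp_index_CFLAGS = $(LIBGNUTLS_CFLAGS)
# Libraries belong in _LDADD: Automake places it after the object files
# on the link line, whereas _LDFLAGS comes before them, which linkers
# running with --as-needed may silently drop.
gen_ocsp_index_LDADD = $(LIBGNUTLS_LIBS)
noinst_HEADERS = cert_helper.h
endif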
55
# Identities in the miniature CA, server, and client environment for
# the test suite
# "shared" identities have both PGP and X.509 credentials, all others
# are X.509 only. Each identity is a directory holding its files.
shared_identities = authority authority/client
pgp_identities = $(shared_identities)
x509_only_identities = authority/server authority/imposter \
	authority/subca authority/subca/server \
	rogueca rogueca/rogueclient
# Each issuing CA (root and sub CA) gets its own OCSP responder
# identity when the OCSP tests are enabled.
if ENABLE_OCSP_TEST
x509_only_identities += authority/ocsp-responder authority/subca/ocsp-responder
endif
x509_identities = $(shared_identities) $(x509_only_identities)
# Currently the same list as x509_identities; used for per-identity
# housekeeping (uid files) further below.
identities = $(shared_identities) $(x509_only_identities)
# Append strings after ":=" to each identity to generate a list of
# necessary files
pgp_tokens = $(pgp_identities:=/cert.pgp) \
	$(pgp_identities:=/secret.pgp)
x509_keys = $(x509_identities:=/secret.key)
x509_certs = $(x509_identities:=/x509.pem)
x509_tokens = $(x509_certs) $(x509_keys)
# PGP tokens are only generated when the MSVA tests are built.
tokens = $(x509_tokens)
if USE_MSVA
tokens += $(pgp_tokens)
endif

# Empty when flock is unavailable; presumably used by the rules in
# test_ca.mk to serialize writes to the shared authority keyring.
if !DISABLE_FLOCK
# flock command for write access to the authority keyring
GPG_FLOCK = @FLOCK@ authority/lock
endif
84
85include $(srcdir)/test_ca.mk
86
# Test cases trying to create keys and certificates in parallel causes
# race conditions. Ensure that all keys and certificates are generated
# before tests get to run.
#
# NOTE: Once the support files have been generated, test cases can be
# run with multiple jobs, but real parallelization would require
# dynamic port assignments. At the moment, lock files ensure that only
# one Apache instance (possibly plus a proxy back end instance) is
# running at any time, so test cases actually have to wait for each
# other - just not in any particular order.
check_DATA = $(tokens) authority/server/crl.pem

# Scratch output of the test servers plus the server CRL; the globs
# are expanded by the shell when the clean rule runs.
MOSTLYCLEANFILES = cache/* logs/* outputs/* authority/server/crl.pem

# Certificate templates shipped with the sources (see EXTRA_DIST).
cert_templates = authority/template.in authority/client/template.in \
	authority/imposter/template.in authority/ocsp-responder/template \
	authority/server/template.in \
	authority/subca/template.in authority/subca/server/template.in \
	authority/subca/ocsp-responder/template \
	rogueca/template rogueca/rogueclient/template.in
# Templates produced at build time, presumably from the matching
# "template.in" files above; cleaned together with the certificates.
# NOTE(review): authority/subca/template.in and
# authority/subca/server/template.in have no counterpart in this
# list — confirm the generated subca templates are cleaned elsewhere.
generated_templates = authority/template authority/client/template \
	authority/imposter/template rogueca/rogueclient/template \
	authority/server/template

# Delete X.509 private keys on full clean. Note that unless you need
# to generate fresh keys, the "mostlyclean" target should be
# sufficient (see below).
CLEANFILES = $(x509_keys)

# Delete X.509 certificates and generated templates on "mostlyclean"
# target. Certificates can be rebuilt without generating new key
# pairs, and regenerating them makes it possible to change identities
# (e.g. host names) without wasting time on new keys (which would
# happen after "clean").
MOSTLYCLEANFILES += $(x509_certs) $(generated_templates) $(identities:=/uid)


# Delete PGP keyrings on "mostlyclean" target. They are created from
# the X.509 private keys and certificates with an expiration time of
# one day, so regenerating them is both fast and frequently
# necessary.
# Everything GnuPG leaves behind in a GNUPGHOME: keyrings (legacy and
# keybox format) with their backups, gpg.conf, the agent socket and
# the private key store.
pgp_patterns = /*.pgp /*.pgp.raw /*.gpg /*.gpg~ /gpg.conf \
	/*.kbx /*.kbx~ /S.gpg-agent /private-keys-v1.d/*
# Expand the patterns for every PGP identity; also drop the keyring
# lock file used by GPG_FLOCK and GnuPG's TOFU database.
MOSTLYCLEANFILES += $(foreach pat,$(pgp_patterns),$(pgp_identities:=$(pat))) \
	authority/lock authority/tofu.db
# GnuPG random pool, no need to regenerate on every build
CLEANFILES += authority/random_seed
134
# GnuPG 2 spawns one gpg-agent per GNUPGHOME, i.e. one per PGP
# identity (plus one for the MSVA home when that is in use), while the
# PGP certificates are being created. Both "check-local" and
# "mostlyclean-local" depend on this target: after "check" the agents
# are no longer needed, and on "mostlyclean" they have to go together
# with their certificates. A kill that fails (e.g. no agent running
# for that home) is deliberately not an error.
stop-gnupg-agent:
	for home in $(pgp_identities) $(msva_home); do \
		GNUPGHOME="$$home/" gpgconf --kill gpg-agent || :; \
	done

check-local: stop-gnupg-agent
147
# Delete lock files for test servers on "mostlyclean" target.
MOSTLYCLEANFILES += *.lock

# rule to build MSVA trust database
if USE_MSVA
# Separate GNUPGHOME for the validation agent; cleaned with the same
# patterns as the PGP identities.
msva_home = msva.gnupghome
check_DATA += $(msva_home)/trustdb.gpg authority/client/uid
MOSTLYCLEANFILES += $(foreach pat,$(pgp_patterns),$(msva_home)$(pat))
# trustdb.gpg is not written directly: gpg creates it inside
# $(msva_home) as a side effect of the imports. Steps:
#  1. create the home with the 0700 mode GnuPG expects;
#  2. import authority/minimal.pgp (presumably the test CA's public
#     key, reduced to a minimal export);
#  3. assign ownertrust 6 (= ultimate, in --import-ownertrust format)
#     to the fingerprint(s) of the secret key(s) in authority/, so
#     that certifications by the test CA are trusted in this home;
#  4. import the client certificate;
#  5. point gpg at a keyserver that does not resolve, so that no key
#     lookup during the tests can reach a real keyserver.
$(msva_home)/trustdb.gpg: authority/minimal.pgp authority/client/cert.pgp
	mkdir -p -m 0700 $(dir $@)
	GNUPGHOME=$(dir $@) gpg --import < $<
	printf "%s:6:\n" "$$(GNUPGHOME=authority/ gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
	GNUPGHOME=$(dir $@) gpg --import < authority/client/cert.pgp
	printf "keyserver does-not-exist.example\n" > $(msva_home)/gpg.conf
endif
163
if ENABLE_OCSP_TEST
# rules to build OCSP database
# One index (OpenSSL CA index format, with its ".attr" companion) per
# issuing CA: the root CA and the sub CA. Presumably read by
# data/ocsp.cgi when answering OCSP requests — confirm.
ocsp_index_data = authority/ocsp_index.txt authority/ocsp_index.txt.attr \
	authority/subca/ocsp_index.txt authority/subca/ocsp_index.txt.attr
check_DATA += $(ocsp_index_data)
MOSTLYCLEANFILES += $(ocsp_index_data)
170
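# The "find" command builds a list of all certificates directly below
# the CA that aren't for the ocsp-responder.
# $* is the CA directory (authority or authority/subca), so
# "-mindepth 2 -maxdepth 2" picks up <ca>/<identity>/x509.pem only.
# The index is written to a temporary file and renamed on success:
# a plain "> $@" would leave a truncated ocsp_index.txt with a fresh
# timestamp if gen_ocsp_index fails, and make would then treat it as
# up to date on the next run. The temporary file is removed on
# failure so nothing is left to clean up.
# NOTE(review): find's output order is filesystem dependent; this
# assumes gen_ocsp_index does not depend on the order of its inputs.
%/ocsp_index.txt: $(x509_tokens) gen_ocsp_index
	./gen_ocsp_index $$(find $(*) -mindepth 2 -maxdepth 2 ! -path '*/ocsp-responder/*' -name x509.pem) > $@.tmp \
		&& mv -f $@.tmp $@ \
		|| { rm -f $@.tmp; exit 1; }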
175
# Companion attribute file for each OCSP index. The rule has no
# prerequisites, so the file is only created when it is missing; the
# CA directory is created (mode 0700) first if needed.
%/ocsp_index.txt.attr:
	@mkdir -m 0700 -p $(dir $@)
	printf '%s\n' "unique_subject = no" > $@
179
# Build certificate chain files. Note that intermediate tokens must be
# listed explicitly, or the dependency chain will be broken because
# the higher level pattern matches, too.
# (The rules producing x509-chain.pem are not in this file;
# presumably they live in test_ca.mk.)
chain_tokens = authority/server/x509-chain.pem \
	authority/subca/x509-chain.pem \
	authority/subca/server/x509-chain.pem
check_DATA += $(chain_tokens)
# authority/x509-chain.pem is cleaned as well although it is not a
# check_DATA item — presumably an intermediate of the chain rules.
MOSTLYCLEANFILES += $(chain_tokens) authority/x509-chain.pem
endif
189
# SoftHSM tokens. Note that the SoftHSM 2 token is a directory and
# hence has to be treated slightly differently.
SOFTHSM_TOKEN = authority/server/softhsm.db
SOFTHSM2_TOKEN = authority/server/softhsm2.db

# Tokens should be cleaned whether or not the matching SoftHSM version
# was detected on the last ./configure run.
MOSTLYCLEANFILES += $(SOFTHSM_TOKEN)
# included in mostlyclean-local below
# "-" keeps a failing rm from aborting the clean. SOFTHSM2_TOKEN is a
# fixed relative path, so "rm -rf" only ever targets that directory
# unless the variable is overridden on the command line.
clean-softhsm2-db:
	-rm -rf $(SOFTHSM2_TOKEN)

# Only generate the token(s) for the SoftHSM version(s) configure
# actually found.
if HAVE_SOFTHSM1
check_DATA += $(SOFTHSM_TOKEN)
endif HAVE_SOFTHSM1

if HAVE_SOFTHSM2
check_DATA += $(SOFTHSM2_TOKEN)
endif HAVE_SOFTHSM2
209
# make-test-dirs is a phony check_DATA item, so it runs before every
# "make check"; "mkdir -p" makes that idempotent.
check_DATA += make-test-dirs
extra_dirs = logs cache outputs
make-test-dirs:
	mkdir -p $(extra_dirs)

# Command-style targets that never correspond to a file.
.PHONY: make-test-dirs clean-softhsm2-db stop-gnupg-agent
216
217
# Remove the GnuPG private key directories of the PGP identities (and
# of the MSVA home, if built). Their contents are removed through
# MOSTLYCLEANFILES; rmdir on a missing or still non-empty directory
# is ignored, via both "-" and "|| :".
mostlyclean-local: clean-softhsm2-db stop-gnupg-agent
	-rmdir $(addsuffix /private-keys-v1.d,$(pgp_identities)) || :
if USE_MSVA
	-rmdir $(addsuffix /private-keys-v1.d,$(msva_home)) || :
endif
223
# Remove the test data directories, then wait for the test services
# to go away. Apache instances may need a moment to exit and delete
# their PID files; during "distcheck" runs some PID files were
# occasionally still present when the target checked that the build
# directory was empty after "distclean", which broke the build.
# Waiting here (bounded by @TEST_LOCK_WAIT@ seconds) avoids that,
# while a server that really did not stop still shows up as a
# leftover PID file once the timeout expires.
clean-local:
	-rmdir $(extra_dirs) || true
if USE_MSVA
	-rmdir $(msva_home) || true
endif
	elapsed=0; \
	while ls *.pid && test "$$elapsed" -lt "@TEST_LOCK_WAIT@"; do \
		elapsed=$$((elapsed + 1)); \
		echo "waiting for test services to exit ($$elapsed seconds)"; \
		sleep 1; \
	done
243
# Apache configuration and data files
# (shipped via EXTRA_DIST below; the two CGI scripts and the text
# files under data/ are served by the test server instances)
apache_data = base_apache.conf cgi_module.conf data/dump.cgi data/ocsp.cgi \
	data/secret.txt data/test.txt ffdhe3072.pem mime.types \
	proxy_mods.conf

# Non-script support files that must end up in the distribution:
# Apache configs, certificate templates, per-identity uid templates,
# and the bash helpers (presumably sourced by the test scripts).
EXTRA_DIST = $(apache_data) $(cert_templates) $(shared_identities:=/uid.in) \
	apache_service.bash common.bash runtests authority/server/crl.template \
	softhsm.bash

# Lockfile for the main Apache process
test_lockfile = ./test.lock
# Lockfile for the proxy backend Apache process (if any)
backend_lockfile = ./backend.lock
# Lockfile for the OCSP server Apache process (if any)
ocsp_lockfile = ./ocsp.lock

# Ports use "?=" so they can be overridden from the make command line
# or the environment, e.g. when a default is already in use on the
# build host. All services bind to @TEST_HOST@/@TEST_IP@.
# port for the main Apache server
TEST_PORT ?= 9932
# port for MSVA in test cases that use it
MSVA_PORT ?= 9933
# port for TLS proxy backend server
BACKEND_PORT ?= 9934
# port for the OCSP responder
if ENABLE_OCSP_TEST
OCSP_PORT ?= 9936
# OCSP URI template, presumably substituted into the certificate
# templates by test_ca.mk. NOTE(review): it uses $(TEST_HOST) where
# the environment block below uses @TEST_HOST@ (presumably the same
# value via AC_SUBST — confirm), and it ends at "/ocsp/" although the
# commit message says the URI includes the CA identity — presumably
# appended where the template is used.
OCSP_URI_TEMPLATE = ocsp_uri = http://$(TEST_HOST):$(OCSP_PORT)/ocsp/
endif
# maximum time to wait for MSVA startup (milliseconds)
TEST_SERVICE_MAX_WAIT ?= 10000
# wait loop time for MSVA startup (milliseconds)
TEST_SERVICE_WAIT ?= 400

# Environment handed to every test script by the Automake test
# harness. @...@ values are substituted by configure, $(...) values
# by make. Each statement must end with ";" because Automake prepends
# this string to the test command line.
AM_TESTS_ENVIRONMENT = export APACHE2=@APACHE2@; \
	export AP_LIBEXECDIR=@AP_LIBEXECDIR@; \
	export TEST_LOCK_WAIT="@TEST_LOCK_WAIT@"; \
	export TEST_IP="@TEST_IP@"; \
	export TEST_HOST="@TEST_HOST@"; \
	export TEST_PORT="$(TEST_PORT)"; \
	export MSVA_PORT="$(MSVA_PORT)"; \
	export TEST_SERVICE_MAX_WAIT="$(TEST_SERVICE_MAX_WAIT)"; \
	export TEST_SERVICE_WAIT="$(TEST_SERVICE_WAIT)"; \
	export TEST_QUERY_TIMEOUT="@TEST_QUERY_TIMEOUT@"; \
	export BACKEND_HOST="@TEST_HOST@"; \
	export BACKEND_PORT="$(BACKEND_PORT)"; \
	export HTTP_CLI="@HTTP_CLI@";
289
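# Optional additions to the test environment. Automake prepends
# AM_TESTS_ENVIRONMENT to each test command, so every fragment must be
# a complete shell statement terminated by ";". (The SOFTHSM_LIB
# export used to lack the terminator and only worked because the
# fragment appended after it happened to start with another "export".)
if HAVE_SOFTHSM
AM_TESTS_ENVIRONMENT += export SOFTHSM="@SOFTHSM@"; \
	export SOFTHSM_MAJOR_VERSION="@SOFTHSM_MAJOR_VERSION@"; \
	export SOFTHSM_LIB="@SOFTHSM_LIB@";
endif

if ENABLE_OCSP_TEST
AM_TESTS_ENVIRONMENT += export OPENSSL="@OPENSSL@"; \
	export OCSP_PORT="$(OCSP_PORT)";
endif

# NOTE(review): presumably the test helpers use @UNSHARE@ to run the
# servers in a private network namespace — confirm in the scripts
# before relying on it for isolation from the host network.
if ENABLE_NETNS
AM_TESTS_ENVIRONMENT += export UNSHARE="@UNSHARE@"; \
	export USE_TEST_NAMESPACE=1;
endif
# Without flock tests must not run in parallel, and PID files are used
# to prevent conflicts between server instances. Otherwise set lock
# files for flock.
if DISABLE_FLOCK
AM_TESTS_ENVIRONMENT += export TEST_LOCK="apache2.pid"; \
	export BACKEND_LOCK="backend.pid"; \
	export OCSP_LOCK="ocsp.pid";
# Nothing serializes server instances without flock, so force the
# whole test suite to run sequentially.
.NOTPARALLEL:
else
AM_TESTS_ENVIRONMENT += export FLOCK="@FLOCK@"; \
	export TEST_LOCK="$(test_lockfile)"; \
	export BACKEND_LOCK="$(backend_lockfile)"; \
	export OCSP_LOCK="$(ocsp_lockfile)";
endif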
319
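# Echo AM_TESTS_ENVIRONMENT. This can be useful for debugging, e.g. if
# you want to manually run an Apache instance with Valgrind using the
# same configuration as a test case.
#
# The string is passed to the recipe as a target-specific exported
# variable rather than expanded into the command line, which avoids
# having to shell-quote the semicolons and quotes it contains.
show-test-env: export TEST_ENV=$(AM_TESTS_ENVIRONMENT)
show-test-env:
	@echo "$${TEST_ENV}"

# Declared phony so a stray file named "show-test-env" cannot make the
# target look up to date (the other phony targets are declared above).
.PHONY: show-test-env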