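#!/usr/bin/make -f

# Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

# run these tests to ensure that mod_gnutls can handle a range of
# simple configuration choices.

# Most key/certificate recipes below write their result with "> $@".
# If certtool or gpg fails part-way, that leaves a truncated (often
# empty) secret.key or x509.pem behind with a fresh mtime, which a
# later run would treat as up to date.  Have make remove such
# half-written targets whenever their recipe fails.
.DELETE_ON_ERROR:

# Location of the test sources (templates, runtests, softhsm.bash);
# overridable for out-of-tree builds.  Every "export"ed variable is
# also visible in the environment of the recipes and of runtests.
export srcdir ?= .
# If the Apache binary is not set, try to find apache2 in default PATH
# (should only happen when the test script is run manually)
export APACHE2 ?= apache2

# Host name and address used by the tests; TEST_HOST is also
# substituted into the certificate templates and OpenPGP user IDs.
export TEST_HOST ?= localhost
export TEST_IP ?= ::1
# chosen at random:
export TEST_PORT ?= 9932
export MSVA_PORT ?= 9933

# Timing knobs handed to runtests (semantics defined there, not here).
export TEST_GAP ?= 0.4
export TEST_MSVA_MAX_WAIT ?= 10
export TEST_QUERY_DELAY ?= 30

# Lock file serialising test runs; passed to runtests in its environment.
TEST_LOCK := ./test.lock
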
# runtests is always invoked with the lock file in its environment;
# late-bound (=) so TEST_LOCK/srcdir may be set anywhere in the file.
run_tests = TEST_LOCK=$(TEST_LOCK) $(srcdir)/runtests

## Default goal: build the miniature PKI, then run every test case.
all: setup.done
	$(run_tests)

## Run one test case, "make t-<name>"; the goal name is passed through
## to runtests unchanged.
t-%: setup.done
	$(run_tests) $@

### for setting up a little miniature CA + server + client environment:
# Each identity gets a directory of its own holding the tokens listed
# in $(tokens); $(all_tokens) is the cross product "id/token" that the
# setup.done stamp depends on.
identities := server authority client imposter rogueca
tokens := x509.pem secring.gpg secret.key cert.pgp secret.pgp
all_tokens := $(foreach id,$(identities),$(addprefix $(id)/,$(tokens)))

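# Certificate templates and OpenPGP user IDs are generated from the
# *.in sources by substituting the test host name.  The sed expression
# is single-quoted so that a TEST_HOST containing shell metacharacters
# (spaces, "&", ...) still reaches sed as one argument instead of being
# split by the shell; a value containing "/" or "'" would still break it.
%.template: $(srcdir)/%.template.in
	sed 's/__HOSTNAME__/$(TEST_HOST)/' < $< > $@

%.uid: $(srcdir)/%.uid.in
	sed 's/__HOSTNAME__/$(TEST_HOST)/' < $< > $@
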
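# Private key for identity %.  The directory is created owner-only
# (-m only applies when mkdir creates it, so the chmod also covers a
# pre-existing directory) and the key itself is written under umask
# 077, so the file is never group/world readable even for a moment.
# No prerequisites: an existing key is kept across runs.
%/secret.key:
	mkdir -p -m 0700 $(dir $@)
	chmod 0700 $(dir $@)
	umask 077 && certtool --generate-privkey > $@
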
# OpenPGP keyring for identity %: converts the X.509 private key into
# an OpenPGP secret key with pem2openpgp (user ID taken from %.uid,
# expiration 86400 seconds, usage flags authenticate/certify/sign),
# imports it into the identity's own GNUPGHOME -- which is the identity
# directory itself -- and marks it ultimately trusted there (ownertrust
# level 6).  Stale keyring files from a previous run are removed first
# so the import starts from a clean state.
# NOTE(review): the fingerprint lookup assumes exactly one "fpr:" line,
# i.e. a single secret key without subkeys in that GNUPGHOME.
%/secring.gpg: %.uid %/secret.key
	rm -f $(dir $@)pubring.gpg $(dir $@)secring.gpg $(dir $@)trustdb.gpg
	PEM2OPENPGP_EXPIRATION=86400 PEM2OPENPGP_USAGE_FLAGS=authenticate,certify,sign pem2openpgp "$$(cat $<)" < $(dir $@)secret.key | GNUPGHOME=$(dir $@) gpg --import
	printf "%s:6:\n" "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust

# gpg.conf for identity %, pinning the identity's (only) secret key as
# the default key so gpg runs in that GNUPGHOME need not name it.
# Only authority/gpg.conf is actually required below: the cert.pgp
# rule signs other identities' keys with the test CA's default key.
%/gpg.conf: %/secring.gpg
	printf "default-key %s\n" "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@

# ASCII-armoured export of identity %'s OpenPGP secret key, selected
# by fingerprint; --batch/--no-tty/--yes keep gpg from prompting.
# NOTE(review): the exported secret key is written with the default
# umask; it relies on the 0700 identity directory for protection.
%/secret.pgp: %/secring.gpg
	GNUPGHOME=$(dir $@) gpg --armor --batch --no-tty --yes --export-secret-key "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@

# ASCII-armoured public key of identity % straight from its own
# keyring, i.e. without any third-party certification ("minimal").
# cert.pgp below is the same key after the test CA has signed it.
%/minimal.pgp: %/secring.gpg
	GNUPGHOME=$(dir $@) gpg --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@

# Import and signing modify the shared keyring, which leads to race
# conditions with parallel make. Locking avoids this problem.
#
# Public key of identity % as certified by the test CA: the minimal
# key is imported into the authority keyring, signed there with the
# authority's default key (set in authority/gpg.conf) and exported
# again.  The fingerprint of the key to sign/export is read from the
# identity's own GNUPGHOME, not from the authority keyring, so another
# identity's key can never be picked by mistake.
# NOTE(review): the final export reads the authority keyring without
# holding authority/lock while a parallel job may be importing into
# it; whether that is safe depends on gpg's own keyring locking -- if
# in doubt, take the flock on the export line as well.
%/cert.pgp: %/minimal.pgp authority/gpg.conf
	GNUPGHOME=authority flock authority/lock gpg --import $<
	GNUPGHOME=authority flock authority/lock gpg --batch --sign-key --no-tty --yes "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
	GNUPGHOME=authority gpg --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@

# special cases for the authorities' root certs: both CAs are
# self-signed instead of being issued by "authority" like the other
# identities.  $< is the template, $(word 2,$^) the CA's private key.
# rogueca's template is used straight from $(srcdir), i.e. without the
# host name substitution the generated *.template files get.
authority/x509.pem: authority.template authority/secret.key
	certtool --generate-self-signed --load-privkey $(word 2,$^) --template $< > $@
rogueca/x509.pem: $(srcdir)/rogueca.template rogueca/secret.key
	certtool --generate-self-signed --load-privkey $(word 2,$^) --template $< > $@

# Certificate signing request for identity %, built from its template
# ($<) and private key ($(word 2,$^)); signed by the test CA below.
%/cert-request: %.template %/secret.key
	certtool --generate-request --load-privkey $(word 2,$^) --template $< > $@

# End-entity certificate for identity %, issued by the test CA from the
# identity's CSR ($(word 2,$^)) and template ($<).  Depends on the CA
# key and certificate so a regenerated CA re-issues every leaf cert.
%/x509.pem: %.template %/cert-request authority/secret.key authority/x509.pem
	certtool --generate-certificate --load-ca-certificate authority/x509.pem --load-ca-privkey authority/secret.key --load-request $(word 2,$^) --template $< > $@

# SoftHSM token for identity %, initialised by softhsm.bash from the
# identity's private key ($(word 2,$^)) and certificate ($<), with
# SOFTHSM_CONF pointing at the per-identity configuration in $(srcdir).
%/softhsm.db: %/x509.pem %/secret.key
	SOFTHSM_CONF="$(srcdir)/$*-softhsm.conf" $(srcdir)/softhsm.bash init $(word 2,$^) $<

# Generate CRL revoking a certain certificate. Currently used to
# revoke the server certificate and check if setting the CRL as
# GnuTLSProxyCRLFile causes the connection to the back end server to
# fail.
# $< is the certificate to revoke, $(word 2,$^) the CRL template for
# identity %; the CRL is issued by the test CA ("authority").
%/crl.pem: %/x509.pem ${srcdir}/%-crl.template
	certtool --generate-crl \
	--load-ca-privkey authority/secret.key \
	--load-ca-certificate authority/x509.pem \
	--load-certificate $< \
	--template "$(word 2,$^)" \
	> $@

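# GNUPGHOME for the MSVA (Monkeysphere validation agent) used by the
# tests: holds the test CA's public key ($<), marked ultimately trusted
# so keys it has certified validate, plus the CA-signed client key
# ($(word 2,$^)).  The ownertrust fingerprint is read from the
# authority's own keyring.  gpg.conf points the keyserver at a
# non-existent host so no test can ever reach a real keyserver.
# Paths are derived from $@/$^ rather than repeated literally, as in
# the other rules.  Note that gpg.conf is a second output of this rule
# that is not a make target of its own.
msva.gnupghome/trustdb.gpg: authority/minimal.pgp client/cert.pgp
	mkdir -p -m 0700 $(dir $@)
	GNUPGHOME=$(dir $@) gpg --import < $<
	printf "%s:6:\n" "$$(GNUPGHOME=authority gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
	GNUPGHOME=$(dir $@) gpg --import < $(word 2,$^)
	printf "keyserver does-not-exist.example\n" > $(dir $@)gpg.conf
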
# Stamp file recording that every identity token, the MSVA keyring and
# the client user ID exist and that the logs/cache/outputs directories
# have been created.
setup.done: $(all_tokens) msva.gnupghome/trustdb.gpg client.uid
	mkdir -p logs cache outputs
	touch $@

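# Remove everything the rules above generate.  The imposter and
# rogueca directories are only removed when empty (rmdir), never
# recursively, so anything else kept in them survives; the "|| true"
# keeps a non-empty directory from failing the target.  */cert-request
# is listed explicitly: the %/x509.pem rule creates one for imposter,
# and without removing it rmdir could never succeed there.
# NOTE(review): gpg may leave further state files in the identity
# directories used as GNUPGHOME; if rmdir keeps failing silently,
# check what is left behind.
clean:
	rm -rf server client authority logs cache outputs setup.done \
		server.template imposter.template msva.gnupghome \
		*/*.pgp */*.gpg */*.gpg~ */*.pem */*.key */cert-request \
		authority.template client.template client.uid server.uid \
		*.lock tests/*/*.pem
	rmdir imposter rogueca || true

.PHONY: all clean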