source: mod_gnutls/test/test_ca.mk

Last change on this file was 6dab61d, checked in by Fiona Klute <fiona.klute@…>, 4 months ago

Test suite: Move rogueclient ID into rogueca dir, share recipe with good certs

#!/usr/bin/make -f
# Authors:
# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
# Fiona Klute <fiona.klute@gmx.de>

# General rules to set up a miniature CA & server & client environment
# for the test suite

# Expand a certtool template from its *.in source: substitute the test
# host name, the OCSP URI and one "ip_address = ..." line per entry of
# $(TEST_IP) (surrounding "[ ]" are stripped from each entry first).
# $(TEST_HOST) is spliced into an unquoted "s///" expression and
# $(OCSP_URI_TEMPLATE) into one delimited by ",", so neither value may
# contain its delimiter or shell metacharacters. The address list is
# assembled with literal "\n" sequences that the final sed turns into
# newlines; "${IP_ADDRS#\\n}" drops the leading one.
# NOTE(review): the "\\n" pattern strip relies on the shell's quoting
# rules inside ${...#...} — confirm with the SHELL used for the tests.
%/template: $(srcdir)/%/template.in
	@mkdir -m 0700 -p $(@D)
	sed s/__HOSTNAME__/$(TEST_HOST)/ < $< > $@
	sed -i -e "s,__OCSP_URI__,$(OCSP_URI_TEMPLATE)," $@
	for i in $(patsubst [%],%,$(TEST_IP)); do \
		IP_ADDRS="$${IP_ADDRS}\nip_address = $${i}"; \
	done; \
	sed -i -e "s,__IP_ADDRESSES__,$${IP_ADDRS#\\n}," $@
17
# Expand the OpenPGP user ID template with the test host name. Like the
# template rule, $(TEST_HOST) goes into an unquoted sed expression.
%/uid: $(srcdir)/%/uid.in
	@mkdir -m 0700 -p $(dir $@)
	sed -e s/__HOSTNAME__/$(TEST_HOST)/ $< > $@
21
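# Private key of the CA/server/client living in this directory. The
# rule has no prerequisites, so an existing key is never regenerated
# (remove the file to get a fresh one), and .PRECIOUS keeps make from
# deleting it as an intermediate file. The directory is created 0700
# so the key is not world-readable. certtool writes to a temporary
# name that is renamed into place only on success: an interrupted run
# would otherwise leave a truncated key that .PRECIOUS preserves and
# that later looks up to date.
%/secret.key:
	@mkdir -m 0700 -p $(@D)
	certtool --outfile $@.tmp --generate-privkey && mv -f $@.tmp $@ \
		|| { rm -f $@.tmp; false; }

.PRECIOUS: %/secret.key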
27
# Raw (binary) OpenPGP secret key derived from the directory's X.509
# private key, with the user ID read from %/uid; the usage flags limit
# what the converted key may be used for.
%/secret.pgp.raw: %/uid %/secret.key
	PEM2OPENPGP_USAGE_FLAGS=authenticate,certify,sign \
		pem2openpgp "$$(cat $<)" < $(word 2,$^) > $@
30
# ASCII-armour the raw secret key: armour header, base64 body, "=" plus
# the base64 CRC computed by the pgpcrc helper, armour footer. Any
# failing step aborts the recipe (the "&&" chain).
%/secret.pgp: %/secret.pgp.raw pgpcrc
	{ printf -- '-----BEGIN PGP PRIVATE KEY BLOCK-----\nVersion: test\n\n' && \
	  base64 < $< && \
	  printf -- '=' && \
	  ./pgpcrc < $< | base64 && \
	  printf -- '-----END PGP PRIVATE KEY BLOCK-----\n'; } > $@
37
# Fresh per-directory GnuPG home: remove any previous keyring files,
# import the armoured secret key, mark it ultimately trusted (ownertrust
# level 6) and write its fingerprint as default-key into gpg.conf.
%/gpg.conf: %/secret.pgp
	rm -f $(addprefix $(dir $@),pubring.gpg secring.gpg trustdb.gpg pubring.kbx private-keys-v1.d/*.key)
	GNUPGHOME=$(dir $@) gpg --import $<
	fpr="$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"; \
	printf "%s:6:\n" "$$fpr" | GNUPGHOME=$(dir $@) gpg --import-ownertrust \
	&& printf "default-key %s\n" "$$fpr" > $@
43
# Armoured public key of the directory's key, exported from its own
# keyring; a stale export is removed first.
%/minimal.pgp: %/gpg.conf
	test ! -r $@ || rm $@
	fpr="$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"; \
	GNUPGHOME=$(dir $@) gpg --output $@ --armor --export "$$fpr"
47
# Import and signing modify the shared keyring, which leads to race
# conditions with parallel make. Locking avoids this problem. Building
# authority/minimal.pgp (instead of just authority/gpg.conf) before
# */cert.pgp avoids having to lock for all */minimal.pgp, too.
# Result: the directory's public key carrying a certification by the
# authority key, exported from the authority keyring. Every gpg call
# that touches authority/ runs under $(GPG_FLOCK).
%/cert.pgp: %/minimal.pgp authority/minimal.pgp
	test ! -r $@ || rm $@
	GNUPGHOME=authority/ $(GPG_FLOCK) gpg --import $<
	fpr="$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"; \
	GNUPGHOME=authority/ $(GPG_FLOCK) gpg --batch --sign-key --no-tty --yes "$$fpr" \
	&& GNUPGHOME=authority/ $(GPG_FLOCK) gpg --output $@ --armor --export "$$fpr"
57
# special rule for root CAs: a self-signed certificate from the
# directory's own key and template. A static pattern rule is used so
# these two targets are never matched by the generic "signed by the
# test CA" pattern rule below.
root_cert_rule = certtool --outfile $@ --generate-self-signed \
    --load-privkey $(dir $@)secret.key --template $<
authority/x509.pem rogueca/x509.pem: %/x509.pem: %/template %/secret.key
	$(root_cert_rule)
62
# generic rule for building non-root certificates, with the CA in the
# parent directory (issuer certificate and key are addressed relative
# to the target via "../")
cert_rule = certtool --outfile $@ --generate-certificate \
    --load-ca-certificate $(dir $@)../x509.pem \
    --load-ca-privkey $(dir $@)../secret.key \
    --load-privkey $(dir $@)secret.key --template $<

# certificates signed by the test root CA
%/x509.pem: %/template %/secret.key authority/secret.key authority/x509.pem
	$(cert_rule)

# certificates signed by rogue CA (for error cases). rogueca/*/x509.pem
# matches both this rule and the generic one above; GNU make (3.82 and
# later) selects the pattern rule with the shortest stem, i.e. this
# one, so the error-case certificates chain to rogueca/x509.pem and
# not to the test CA. If they ever fell through to the generic rule the
# "rogue" certificates would validate and the error tests would pass
# for the wrong reason.
rogueca/%/x509.pem: rogueca/%/template rogueca/%/secret.key rogueca/x509.pem
	$(cert_rule)
74
# SoftHSM v1 configuration: slot 0 backed by the token database that
# lives next to the key.
%/softhsm.conf: %/secret.key
	printf '0:%ssofthsm.db\n' '$(dir $@)' > $@
77
# Initialise a SoftHSM v1 token containing the directory's private key
# and certificate; the helper script takes the SoftHSM binary and the
# configuration path from the environment.
%/softhsm.db: %/x509.pem %/secret.key %/softhsm.conf
	SOFTHSM="$(SOFTHSM)" SOFTHSM_CONF="$(word 3,$^)" \
		$(srcdir)/softhsm.bash init $(word 2,$^) $<
82
# SoftHSM v2 configuration: file-backed object store in the token
# directory next to the key.
%/softhsm2.conf: %/secret.key
	printf 'objectstore.backend = file\ndirectories.tokendir = %s\n' \
		'$(dir $@)softhsm2.db' > $@
86
# Initialise a SoftHSM v2 token directory with the directory's private
# key and certificate. The token directory is recreated from scratch on
# every build of this target.
%/softhsm2.db: %/x509.pem %/secret.key %/softhsm2.conf
	rm -rf $@ && mkdir -p $@
	SOFTHSM="$(SOFTHSM)" SOFTHSM2_CONF="$(word 3,$^)" \
		$(srcdir)/softhsm.bash init $(word 2,$^) $<
93
# Generate CRL revoking a certain certificate. Currently used to
# revoke the server certificate and check if setting the CRL as
# GnuTLSProxyCRLFile causes the connection to the back end server to
# fail.
# The CRL is always issued by the test root CA (authority/), whatever
# CA signed the revoked certificate; the revocation template comes
# from the source tree.
%/crl.pem: %/x509.pem $(srcdir)/%/crl.template
	certtool --generate-crl --outfile $@ \
		--load-ca-privkey authority/secret.key \
		--load-ca-certificate authority/x509.pem \
		--load-certificate $< --template "$(word 2,$^)"