source: mod_gnutls/test/test_ca.mk @ 0831437

Last change on this file since 0831437 was b674e95, checked in by Thomas Klute <thomas2.klute@…>, 4 years ago

Merge version 0.7.5 into ocsp branch

#!/usr/bin/make -f
# Authors:
# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
# Thomas Klute <thomas2.klute@uni-dortmund.de>

# General rules to set up a miniature CA & server & client environment
# for the test suite.
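# Instantiate a certtool template for the test host: __HOSTNAME__ is
# replaced by $(TEST_HOST). If OCSP_PORT is set, lines starting with
# "### ocsp" in the template are uncommented and __OCSP_PORT__ is
# filled in as well.
# The result is assembled in $@.tmp and renamed only at the end, so a
# failing sed never leaves a newer, half-substituted $@ behind that
# make would consider up to date.
%.template: $(srcdir)/%.template.in
	sed s/__HOSTNAME__/$(TEST_HOST)/ < $< > $@.tmp
	if test -n "$(OCSP_PORT)"; then \
		sed -i -e 's/^### ocsp/ocsp/' \
			-e s/__OCSP_PORT__/$(OCSP_PORT)/ $@.tmp; \
	fi
	mv -f $@.tmp $@
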
# OpenPGP user ID for a test party, with __HOSTNAME__ replaced by
# $(TEST_HOST). Consumed by the %/secret.pgp.raw rule.
%.uid: $(srcdir)/%.uid.in
	sed -e s/__HOSTNAME__/$(TEST_HOST)/ $< > $@

# Private key of a test party (CA, server or client). The rule has no
# prerequisites, so an existing key is only regenerated after it has
# been removed. The containing directory is created and made private
# (0700) first; the key file itself gets whatever mode certtool and the
# umask produce — the directory mode is what keeps it from other users.
%/secret.key:
	mkdir -p $(@D)
	chmod 0700 $(@D)
	certtool --generate-privkey --outfile $@

# Raw (unarmored) OpenPGP secret key derived from the X.509 private key.
# The user ID is the content of %.uid; pem2openpgp is configured via
# environment variables: expiration in seconds and the key usage flags.
%/secret.pgp.raw: %.uid %/secret.key
	PEM2OPENPGP_EXPIRATION=86400 \
	PEM2OPENPGP_USAGE_FLAGS=authenticate,certify,sign \
	pem2openpgp "$$(cat $<)" < $(word 2,$^) > $@

# ASCII-armored form of the raw secret key, assembled by hand: header,
# base64 body, "=" followed by the base64 checksum computed by the
# pgpcrc helper built by this test suite (presumably the OpenPGP armor
# CRC-24), and the footer. The && chain makes the whole group fail if
# any step fails.
%/secret.pgp: %/secret.pgp.raw pgpcrc
	{ printf -- '-----BEGIN PGP PRIVATE KEY BLOCK-----\nVersion: test\n\n' && \
	  base64 < $< && \
	  printf -- '=' && \
	  ./pgpcrc < $< | base64 && \
	  printf -- '-----END PGP PRIVATE KEY BLOCK-----\n'; } > $@

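# Fingerprint of the secret key in the GNUPGHOME next to the current
# target. Recursive assignment (=) is deliberate: $@ must be expanded
# when a recipe uses the variable, not when it is defined. The "$$"
# reaches the shell as "$", i.e. a command substitution, so the lookup
# happens at recipe run time. The same pipeline used to be repeated in
# every gpg rule below.
gpg_fingerprint = $$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)

# Fresh GnuPG home for one test party: drop any earlier keyring state,
# import the generated secret key, mark it ultimately trusted (owner
# trust level 6) and record it as default-key in gpg.conf.
%/gpg.conf: %/secret.pgp
	rm -f $(dir $@)pubring.gpg $(dir $@)secring.gpg $(dir $@)trustdb.gpg $(dir $@)pubring.kbx $(dir $@)private-keys-v1.d/*.key
	GNUPGHOME=$(dir $@) gpg --import $<
	printf "%s:6:\n" "$(gpg_fingerprint)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
	printf "default-key %s\n" "$(gpg_fingerprint)" > $@

# Armored public key of the party, exported from its own keyring.
# gpg refuses to overwrite an existing --output file, so a stale
# result is removed first.
%/minimal.pgp: %/gpg.conf
	if test -r $@; then rm $@; fi
	GNUPGHOME=$(dir $@) gpg --output $@ --armor --export "$(gpg_fingerprint)"

# Import and signing modify the shared keyring, which leads to race
# conditions with parallel make. Locking avoids this problem.
# The party's public key is imported into the authority keyring, signed
# there, and the certified key is exported. The fingerprint is still
# looked up in the party's own home ($(dir $@)), not in authority/.
# The final export runs without $(GPG_FLOCK); it only reads the
# authority keyring, but whether it can observe a concurrent import
# from another job is not established here — confirm if parallel runs
# show flaky cert.pgp output.
%/cert.pgp: %/minimal.pgp authority/gpg.conf
	if test -r $@; then rm $@; fi
	GNUPGHOME=authority $(GPG_FLOCK) gpg --import $<
	GNUPGHOME=authority $(GPG_FLOCK) gpg --batch --sign-key --no-tty --yes "$(gpg_fingerprint)"
	GNUPGHOME=authority gpg --output $@ --armor --export "$(gpg_fingerprint)"
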
# special cases for the authorities' root certs: both are self-signed
# ($< is the template, the second prerequisite the private key).
authority/x509.pem: authority.template authority/secret.key
	certtool --outfile $@ --generate-self-signed \
		--load-privkey $(word 2,$^) --template $<
# The rogue CA (trust anchor for the negative tests) reads its template
# straight from $(srcdir) instead of a hostname-substituted %.template;
# presumably rogueca.template has no __HOSTNAME__ placeholder — verify
# against the template file.
rogueca/x509.pem: $(srcdir)/rogueca.template rogueca/secret.key
	certtool --outfile $@ --generate-self-signed \
		--load-privkey $(word 2,$^) --template $<

# Certificate signing request for a party, from its template ($<) and
# its private key (second prerequisite).
%/cert-request: %.template %/secret.key
	certtool --outfile $@ --generate-request \
		--load-privkey $(word 2,$^) --template $<

# normal case: certificates signed by test CA
#
# Prerequisites, in order: the party's template, its CSR, the CA key and
# the CA certificate; $(word 2,$^) is therefore the request. Targets
# under rogue*/ are not built here: GNU Make prefers the matching
# pattern rule with the shortest stem, so rogue%/x509.pem below wins.
%/x509.pem: %.template %/cert-request authority/secret.key authority/x509.pem
	certtool --outfile $@ --generate-certificate \
		--load-ca-certificate authority/x509.pem \
		--load-ca-privkey authority/secret.key \
		--load-request $(word 2,$^) \
		--template $<

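# error case: certificates signed by rogue CA
#
# rogueca/secret.key is loaded by the recipe, so it is now declared as a
# prerequisite just like authority/secret.key is in the %/x509.pem rule;
# before it was only reachable transitively through rogueca/x509.pem.
# $(word 2,$^) is the party's CSR.
rogue%/x509.pem: rogue%.template rogue%/cert-request rogueca/secret.key rogueca/x509.pem
	certtool --outfile $@ --generate-certificate \
		--load-ca-certificate rogueca/x509.pem \
		--load-ca-privkey rogueca/secret.key \
		--load-request $(word 2,$^) \
		--template $<
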
# SoftHSM (v1) configuration: one line mapping slot 0 to the token
# database that will live next to the party's key.
%/softhsm.conf: %/secret.key
	echo "0:$(@D)/softhsm.db" > $@

# SoftHSM (v1) token holding the party's key and certificate, initialised
# by softhsm.bash. Prerequisites, in order: certificate, key, config —
# referenced below through $<, $(word 2,$^) and $(word 3,$^).
%/softhsm.db: %/x509.pem %/secret.key %/softhsm.conf
	SOFTHSM="$(SOFTHSM)" SOFTHSM_CONF="$(word 3,$^)" \
	$(srcdir)/softhsm.bash init $(word 2,$^) $<

# SoftHSM2 configuration: file-backed object store with the token
# directory next to the party's key.
%/softhsm2.conf: %/secret.key
	printf 'objectstore.backend = file\ndirectories.tokendir = %s\n' \
		"$(dir $@)softhsm2.db" > $@

# SoftHSM2 token directory for the party, initialised by softhsm.bash
# with its key and certificate. The target is the directory itself, so
# it is created first. Prerequisites, in order: certificate, key,
# config — referenced below through $<, $(word 2,$^) and $(word 3,$^).
%/softhsm2.db: %/x509.pem %/secret.key %/softhsm2.conf
	mkdir -p $@
	SOFTHSM="$(SOFTHSM)" SOFTHSM2_CONF="$(word 3,$^)" \
	$(srcdir)/softhsm.bash init $(word 2,$^) $<

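# Generate CRL revoking a certain certificate. Currently used to
# revoke the server certificate and check if setting the CRL as
# GnuTLSProxyCRLFile causes the connection to the back end server to
# fail.
#
# The CRL is issued by the test CA, so its key and certificate are
# declared as prerequisites (the recipe loaded them without declaring
# them before). The template is the second prerequisite; referencing it
# as $(word 2,$^) keeps the recipe in sync with the rule header instead
# of re-deriving the path from the stem.
%/crl.pem: %/x509.pem $(srcdir)/%-crl.template authority/secret.key authority/x509.pem
	certtool --generate-crl \
		--outfile $@ \
		--load-ca-privkey authority/secret.key \
		--load-ca-certificate authority/x509.pem \
		--load-certificate $< \
		--template $(word 2,$^)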