source: mod_gnutls/test/test_ca.mk @ 0e55076

debian/masterproxy-ticket
Last change on this file since 0e55076 was 5b0dd3d, checked in by Fiona Klute <fiona.klute@…>, 2 years ago

Test CA: Keep private keys after certificate by default

This does not affect the test suite, where the keys are explicitly
listed as targets, but makes using the Test CA for manual certificate
generation more convenient, e.g.:

[create test_cert.template]
$ make test_cert/x509.pem

Previously make would have deleted the test_cert/secret.key file as
intermediate data, unless it was explicitly listed on the command
line.

#!/usr/bin/make -f
# Authors:
# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
# Fiona Klute <fiona.klute@gmx.de>

# General rules to set up a miniature CA & server & client environment
# for the test suite

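# Instantiate a certtool template from its *.template.in source:
# substitute the test host name, the OCSP URI and the IP addresses of
# the test run. TEST_IP may list addresses in brackets (e.g. IPv6
# literals); patsubst strips the brackets. IP_ADDRS is reset before the
# loop so a value inherited from the environment cannot leak into the
# template; the leading "\n" separator is stripped before substitution
# (sed -i and "\n" in the replacement rely on GNU sed).
%.template: $(srcdir)/%.template.in
	sed s/__HOSTNAME__/$(TEST_HOST)/ < $< > $@
	sed -i -e "s,__OCSP_URI__,$(OCSP_URI_TEMPLATE)," $@
	IP_ADDRS=""; \
	for addr in $(patsubst [%],%,$(TEST_IP)); do \
		IP_ADDRS="$${IP_ADDRS}\nip_address = $${addr}"; \
	done; \
	sed -i -e "s,__IP_ADDRESSES__,$${IP_ADDRS#\\n}," $@
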
# Instantiate the user ID string (used for the identity's OpenPGP key)
# from its *.uid.in source by filling in the test host name.
%.uid: $(srcdir)/%.uid.in
	sed -e 's/__HOSTNAME__/$(TEST_HOST)/' $< > $@

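# Generate a fresh private key for one identity (the stem is the
# identity's directory). The directory is created with mode 0700 and
# the key is written under a restrictive umask so it is not readable
# by other users. certtool writes to a temporary file that is renamed
# into place: %/secret.key is .PRECIOUS, so an interrupted certtool
# must never leave a truncated key behind that later looks up to date.
%/secret.key:
	mkdir -p $(dir $@)
	chmod 0700 $(dir $@)
	umask 077 && certtool --outfile $@.tmp --generate-privkey && mv -f $@.tmp $@
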
# Keep private keys even when make built them only as an intermediate
# step towards a certificate (e.g. a manual "make test_cert/x509.pem"),
# instead of deleting them afterwards. Note that .PRECIOUS also keeps a
# target that was only partially written when make was interrupted, so
# recipes producing these keys should write their output atomically.
.PRECIOUS: %/secret.key

# Convert the identity's X.509 private key into a raw OpenPGP secret
# key carrying the user ID from the %.uid file.
%/secret.pgp.raw: %.uid %/secret.key
	PEM2OPENPGP_USAGE_FLAGS=authenticate,certify,sign \
		pem2openpgp "$$(cat $<)" < $(word 2,$^) > $@

# Wrap the raw OpenPGP secret key in ASCII armor: header, base64 body,
# the CRC-24 checksum computed by ./pgpcrc, footer.
%/secret.pgp: %/secret.pgp.raw pgpcrc
	{ printf -- '-----BEGIN PGP PRIVATE KEY BLOCK-----\nVersion: test\n\n' && \
	  base64 < $< && \
	  printf -- '=' && \
	  ./pgpcrc < $< | base64 && \
	  printf -- '-----END PGP PRIVATE KEY BLOCK-----\n'; } > $@

# Set up a fresh GnuPG home for the identity: wipe keyring state left
# over from an earlier run, import the secret key, mark it as
# ultimately trusted (ownertrust level 6) and make it the default key.
# The fingerprint is looked up once and reused for both steps.
%/gpg.conf: %/secret.pgp
	rm -f $(dir $@)pubring.gpg $(dir $@)secring.gpg $(dir $@)trustdb.gpg \
		$(dir $@)pubring.kbx $(dir $@)private-keys-v1.d/*.key
	GNUPGHOME=$(dir $@) gpg --import $<
	fpr="$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" && \
	printf "%s:6:\n" "$$fpr" | GNUPGHOME=$(dir $@) gpg --import-ownertrust && \
	printf "default-key %s\n" "$$fpr" > $@

# Export the public part of the identity's key as ASCII armor. An
# existing output file is removed first so gpg writes a fresh one.
%/minimal.pgp: %/gpg.conf
	! test -r $@ || rm $@
	GNUPGHOME=$(dir $@) gpg --output $@ --armor --export \
		"$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"

# Import and signing modify the shared authority keyring, which would
# race under parallel make, so every gpg call touching that keyring
# runs under $(GPG_FLOCK). Depending on authority/minimal.pgp (instead
# of just authority/gpg.conf) makes sure the authority keyring is
# complete before any */cert.pgp is built, so */minimal.pgp need no
# lock. The identity's fingerprint is read from its own keyring once.
%/cert.pgp: %/minimal.pgp authority/minimal.pgp
	! test -r $@ || rm $@
	fpr="$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" && \
	GNUPGHOME=authority/ $(GPG_FLOCK) gpg --import $< && \
	GNUPGHOME=authority/ $(GPG_FLOCK) gpg --batch --sign-key --no-tty --yes "$$fpr" && \
	GNUPGHOME=authority/ $(GPG_FLOCK) gpg --output $@ --armor --export "$$fpr"

# special cases for the authorities' root certs: self-signed with the
# authority's own key and template
authority/x509.pem: authority.template authority/secret.key
	certtool --outfile $@ --generate-self-signed \
		--load-privkey $(word 2,$^) --template $<
# The rogue CA's template is taken from the source tree as-is.
rogueca/x509.pem: $(srcdir)/rogueca.template rogueca/secret.key
	certtool --outfile $@ --generate-self-signed \
		--load-privkey $(word 2,$^) --template $<

# Certificate signing request for an identity from its template and key.
%/cert-request: %.template %/secret.key
	certtool --outfile $@ --generate-request \
		--load-privkey $(word 2,$^) --template $<

# normal case: certificates signed by the test CA. The CA key and
# certificate are prerequisites, so certificates are reissued whenever
# the CA changes.
%/x509.pem: %.template %/cert-request authority/secret.key authority/x509.pem
	certtool --outfile $@ --generate-certificate \
		--load-ca-certificate authority/x509.pem \
		--load-ca-privkey authority/secret.key \
		--load-request $(word 2,$^) \
		--template $<

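# error case: certificates signed by the rogue CA. The stem excludes
# the "rogue" prefix, so rogueX/x509.pem is built from rogueX.template
# (GNU make prefers this rule over %/x509.pem for such targets because
# its stem is shorter). The rogue CA's key is listed as a prerequisite,
# matching the normal-case rule, since the recipe reads it.
rogue%/x509.pem: rogue%.template rogue%/cert-request rogueca/x509.pem rogueca/secret.key
	certtool --outfile $@ --generate-certificate \
		--load-ca-certificate rogueca/x509.pem \
		--load-ca-privkey rogueca/secret.key \
		--load-request $(word 2,$^) \
		--template $<
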
# SoftHSM v1 configuration for the identity: one "0:<token db>" line
# pointing at the token database next to the key.
%/softhsm.conf: %/secret.key
	printf '0:%ssofthsm.db\n' '$(dir $@)' > $@

# Initialize the SoftHSM v1 token with the identity's key and certificate
# via the softhsm.bash helper from the source tree.
%/softhsm.db: %/x509.pem %/secret.key %/softhsm.conf
	SOFTHSM="$(SOFTHSM)" SOFTHSM_CONF="$(word 3,$^)" \
		$(srcdir)/softhsm.bash init $(word 2,$^) $<

# SoftHSM v2 configuration for the identity: file-backed object store
# with the token directory next to the key.
%/softhsm2.conf: %/secret.key
	printf 'objectstore.backend = file\ndirectories.tokendir = %ssofthsm2.db\n' \
		'$(dir $@)' > $@

# Initialize the SoftHSM v2 token directory with the identity's key and
# certificate via the softhsm.bash helper from the source tree.
%/softhsm2.db: %/x509.pem %/secret.key %/softhsm2.conf
	mkdir -p $@
	SOFTHSM="$(SOFTHSM)" SOFTHSM2_CONF="$(word 3,$^)" \
		$(srcdir)/softhsm.bash init $(word 2,$^) $<

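# Generate a CRL revoking the certificate of one identity. Currently
# used to revoke the server certificate and check whether setting the
# CRL as GnuTLSProxyCRLFile makes the connection to the back end server
# fail. The CRL is signed with the test CA's key, so the CA key and
# certificate are prerequisites: a regenerated CA also reissues the CRL
# instead of leaving one signed by a stale CA behind.
%/crl.pem: %/x509.pem $(srcdir)/%-crl.template authority/secret.key authority/x509.pem
	certtool --generate-crl \
		--outfile $@ \
		--load-ca-privkey authority/secret.key \
		--load-ca-certificate authority/x509.pem \
		--load-certificate $< \
		--template "$(word 2,$^)"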