#!/usr/bin/make -f
# Authors:
# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
# Fiona Klute <fiona.klute@gmx.de>

# General rules to set up a miniature CA & server & client environment
# for the test suite

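# Instantiate a certtool template from its .in file: fill in the test
# host name, the OCSP URI template and one "ip_address = ..." line per
# entry in TEST_IP (surrounding square brackets, as used around IPv6
# literals, are stripped first). IP_ADDRS is explicitly started empty
# so a value inherited from the environment cannot leak into the
# template. All substitutions run in a single sed pass (relying on sed
# turning "\n" in the replacement into a newline, as GNU sed does), so
# $@ is written exactly once instead of being rewritten in place twice.
%.template: $(srcdir)/%.template.in
	IP_ADDRS=; \
	for i in $(patsubst [%],%,$(TEST_IP)); do \
		IP_ADDRS="$${IP_ADDRS}\nip_address = $${i}"; \
	done; \
	sed -e "s/__HOSTNAME__/$(TEST_HOST)/" \
	    -e "s,__OCSP_URI__,$(OCSP_URI_TEMPLATE)," \
	    -e "s,__IP_ADDRESSES__,$${IP_ADDRS#\\n}," $< > $@
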
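# Instantiate an OpenPGP user ID file from its .in file by filling in
# the test host name. The sed script is quoted so that TEST_HOST is not
# subject to word splitting by the shell.
%.uid: $(srcdir)/%.uid.in
	sed -e "s/__HOSTNAME__/$(TEST_HOST)/" $< > $@
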
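# Generate a fresh private key for a test entity; the directory name is
# the pattern stem (e.g. authority/). The directory is created with mode
# 0700 before the key is written so it is never exposed to other users,
# and the key file itself is tightened to 0600 afterwards rather than
# relying on certtool's output mode and the caller's umask.
%/secret.key:
	mkdir -p $(@D) && chmod 0700 $(@D)
	certtool --outfile $@ --generate-privkey
	chmod 0600 $@
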
# Keys are produced by a pattern rule with no prerequisites, so make may
# treat them as intermediate files and delete them once the artefacts
# built from them exist; .PRECIOUS also keeps them when make is
# interrupted. Presumably this is to make sure a key is never silently
# regenerated underneath certificates already signed with it.
.PRECIOUS: %/secret.key

# Wrap the PEM private key into a raw (unarmored) OpenPGP secret key
# block, using the contents of the .uid file as the user ID. The usage
# flags mark the key for authentication, certification and signing.
%/secret.pgp.raw: %.uid %/secret.key
	PEM2OPENPGP_USAGE_FLAGS=authenticate,certify,sign \
		pem2openpgp "$$(cat $<)" < $(word 2,$^) > $@

# ASCII-armor the raw OpenPGP secret key: the base64 body, then an "="
# followed by the base64 checksum produced by the pgpcrc helper
# (presumably the OpenPGP CRC-24), between the usual BEGIN/END markers.
# The steps are chained with && so a failing one aborts the rule.
%/secret.pgp: %/secret.pgp.raw pgpcrc
	{ printf -- '-----BEGIN PGP PRIVATE KEY BLOCK-----\nVersion: test\n\n' && \
	  base64 < $< && \
	  printf -- '=' && \
	  ./pgpcrc < $< | base64 && \
	  printf -- '-----END PGP PRIVATE KEY BLOCK-----\n'; } > $@

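# Import the test key into a fresh per-directory GnuPG home, mark it
# ultimately trusted (ownertrust level 6) and write a gpg.conf that
# selects it as the default key. Any keyring left over from a previous
# run is removed first so stale keys cannot interfere with the
# fingerprint lookup. The fingerprint is listed once and reused for both
# the ownertrust import and the config file instead of running gpg
# twice.
%/gpg.conf: %/secret.pgp
	rm -f $(dir $@)pubring.gpg $(dir $@)secring.gpg $(dir $@)trustdb.gpg $(dir $@)pubring.kbx $(dir $@)private-keys-v1.d/*.key
	GNUPGHOME=$(dir $@) gpg --import $<
	fpr="$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" && \
	printf "%s:6:\n" "$$fpr" | GNUPGHOME=$(dir $@) gpg --import-ownertrust && \
	printf "default-key %s\n" "$$fpr" > $@
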
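# Export the test key's public part as an ASCII-armored certificate.
# Any stale copy is removed first (presumably because gpg will not
# overwrite an existing --output file); $(RM) is rm -f, so a missing
# file is not an error and no readability test is needed.
%/minimal.pgp: %/gpg.conf
	$(RM) $@
	GNUPGHOME=$(dir $@) gpg --output $@ --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
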
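# Import and signing modify the shared keyring, which leads to race
# conditions with parallel make. Locking avoids this problem. Building
# authority/minimal.pgp (instead of just authority/gpg.conf) before
# */cert.pgp avoids having to lock for all */minimal.pgp, too.
#
# The key's fingerprint is read once from its own (unshared) GnuPG home
# and then reused for the sign and export steps, which each run under
# $(GPG_FLOCK) against the authority keyring. $(RM) replaces the
# readability test: a missing stale output is not an error.
%/cert.pgp: %/minimal.pgp authority/minimal.pgp
	$(RM) $@
	fpr="$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" && \
	GNUPGHOME=authority/ $(GPG_FLOCK) gpg --import $< && \
	GNUPGHOME=authority/ $(GPG_FLOCK) gpg --batch --sign-key --no-tty --yes "$$fpr" && \
	GNUPGHOME=authority/ $(GPG_FLOCK) gpg --output $@ --armor --export "$$fpr"
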
# special cases for the authorities' root certs:
# The test CA's certificate is self-signed with its own key; its
# template is the generated authority.template (see the %.template
# rule), so it gets the host name substitution.
authority/x509.pem: authority.template authority/secret.key
	certtool --outfile $@ --generate-self-signed \
		--load-privkey $(word 2,$^) --template $<
# The rogue CA is self-signed as well, but its template is taken
# directly from $(srcdir) rather than generated.
rogueca/x509.pem: $(srcdir)/rogueca.template rogueca/secret.key
	certtool --outfile $@ --generate-self-signed \
		--load-privkey $(word 2,$^) --template $<

# normal case: certificates signed by test CA
# Issue a certificate for the stem's key from its generated template,
# signed with the test CA's key and certificate. rogue*/x509.pem is
# handled by the more specific rogue% pattern rule (GNU make >= 3.82
# prefers the rule with the shortest stem; older versions took the
# first matching rule in the file).
%/x509.pem: %.template %/secret.key authority/secret.key authority/x509.pem
	certtool --outfile $@ --generate-certificate \
		--load-ca-certificate authority/x509.pem \
		--load-ca-privkey authority/secret.key \
		--load-privkey $(word 2,$^) \
		--template $<

# error case: certificates signed by rogue CA
# Same as the normal case, but signed by the rogue CA instead of the
# test CA (presumably so the test peer has to reject the certificate).
rogue%/x509.pem: rogue%.template rogue%/secret.key rogueca/x509.pem
	certtool --outfile $@ --generate-certificate \
		--load-ca-certificate rogueca/x509.pem \
		--load-ca-privkey rogueca/secret.key \
		--load-privkey $(word 2,$^) \
		--template $<

# SoftHSM (v1) configuration: one token (slot 0) whose database lives
# next to the key it will hold.
%/softhsm.conf: %/secret.key
	printf '0:%ssofthsm.db\n' '$(dir $@)' > $@

# Initialize the SoftHSM v1 token with the stem's key and certificate
# via the softhsm.bash helper. SOFTHSM (set by the caller) is passed
# through unchanged; the helper is pointed at the matching config file.
%/softhsm.db: %/x509.pem %/secret.key %/softhsm.conf
	SOFTHSM="$(SOFTHSM)" SOFTHSM_CONF="$(word 3,$^)" \
		$(srcdir)/softhsm.bash init $(word 2,$^) $<

# SoftHSM v2 configuration: file-backed object store in a per-entity
# token directory next to the key.
%/softhsm2.conf: %/secret.key
	printf 'objectstore.backend = file\ndirectories.tokendir = %ssofthsm2.db\n' '$(dir $@)' > $@

# Initialize a SoftHSM v2 token directory with the stem's key and
# certificate. The target is a directory, so any previous token is
# wiped and recreated rather than updated in place.
%/softhsm2.db: %/x509.pem %/secret.key %/softhsm2.conf
	rm -rf $@ && mkdir -p $@
	SOFTHSM="$(SOFTHSM)" SOFTHSM2_CONF="$(word 3,$^)" \
		$(srcdir)/softhsm.bash init $(word 2,$^) $<

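# Generate CRL revoking a certain certificate. Currently used to
# revoke the server certificate and check if setting the CRL as
# GnuTLSProxyCRLFile causes the connection to the back end server to
# fail.
#
# The CRL is issued by the test CA; the stem's %-crl.template from
# $(srcdir) supplies the CRL parameters. srcdir is referenced with
# $(...) like everywhere else in this file, and the template path is
# taken from the prerequisite list instead of being spelled out again.
%/crl.pem: %/x509.pem $(srcdir)/%-crl.template
	certtool --generate-crl \
		--outfile $@ \
		--load-ca-privkey authority/secret.key \
		--load-ca-certificate authority/x509.pem \
		--load-certificate $< \
		--template $(word 2,$^)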