source: mod_gnutls/test/test_ca.mk @ 5d9f34e

Last change on this file since 5d9f34e was c0bb823, checked in by Thomas Klute <thomas2.klute@…>, 4 years ago

Test suite: Create rogue client certificate for client auth test

Test case 18 (verification of a client certificate not issued by the
accepted CA) used the Rogue CA certificate as a client
certificate. However, recent gnutls-cli (from GnuTLS git at the time
of this commit) detects the constraint violation and rejects the
certificate, so the test fails before mod_gnutls can check the
certificate. Create a rogue client certificate with correct
constraints to make the test work as expected.

[4b53371]1#!/usr/bin/make -f
[9a4d250]2# Authors:
3# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
4# Thomas Klute <thomas2.klute@uni-dortmund.de>
[4b53371]5
[9a4d250]6# General rules to set up a miniature CA & server & client environment
7# for the test suite
[4b53371]8
# Instantiate a certtool template from its source-tree .in file,
# substituting the test host name for every __HOSTNAME__ marker.
%.template: $(srcdir)/%.template.in
	sed -e 's/__HOSTNAME__/$(TEST_HOST)/' $< > $@
11
# Instantiate an OpenPGP user-ID file from its source-tree .in file,
# substituting the test host name for every __HOSTNAME__ marker.
%.uid: $(srcdir)/%.uid.in
	sed -e 's/__HOSTNAME__/$(TEST_HOST)/' $< > $@
14
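# Fresh private key for one CA/server/client directory. The directory
# is created with mode 0700 so everything generated into it (keys,
# keyrings) is shielded from other users. The key itself is written
# with umask 077 and through a temporary file: a failed certtool must
# not leave an empty secret.key behind, because this rule has no
# prerequisites and make would consider such a file up to date forever.
%/secret.key:
	mkdir -p $(dir $@)
	chmod 0700 $(dir $@)
	umask 077 && certtool --generate-privkey > $@.tmp && mv -f $@.tmp $@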
19
# Build a per-directory OpenPGP keyring from the directory's X.509
# private key: the keyring files are recreated from scratch, the key is
# converted with pem2openpgp (user ID read from the .uid file, usage
# flags authenticate/certify/sign, expiration 86400 -- one day if
# pem2openpgp counts seconds, so an aged test environment needs to be
# regenerated) and imported, then the key's fingerprint is marked with
# ownertrust level 6 (ultimate).
# NOTE(review): the fingerprint pipeline keeps every "fpr:" line, so a
# key with subkeys would yield several fingerprints; presumably the
# converted key has none -- confirm.
# NOTE(review): neither pipeline fails the recipe when an early stage
# fails (no pipefail); only the exit status of gpg is checked.
%/secring.gpg: %.uid %/secret.key
	rm -f $(dir $@)pubring.gpg $(dir $@)secring.gpg $(dir $@)trustdb.gpg
	PEM2OPENPGP_EXPIRATION=86400 PEM2OPENPGP_USAGE_FLAGS=authenticate,certify,sign pem2openpgp "$$(cat $<)" < $(dir $@)secret.key | GNUPGHOME=$(dir $@) gpg --import
	printf "%s:6:\n" "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
24
# Point gpg at the directory's own key: gpg.conf sets "default-key" to
# the fingerprint of the secret key found in the directory's keyring.
%/gpg.conf: %/secring.gpg
	printf "default-key %s\n" \
		"$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint \
		| grep ^fpr: | cut -f 10 -d :)" > $@
27
# ASCII-armored export of the directory's OpenPGP secret key (the key
# is selected by fingerprint from the directory's own keyring). The
# output lands in the 0700 key directory; it contains private material.
%/secret.pgp: %/secring.gpg
	GNUPGHOME=$(dir $@) gpg --armor --batch --no-tty --yes --export-secret-key \
		"$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint \
		| grep ^fpr: | cut -f 10 -d :)" > $@
30
# ASCII-armored export of the directory's OpenPGP public key, before
# any third-party certification (hence "minimal").
%/minimal.pgp: %/secring.gpg
	GNUPGHOME=$(dir $@) gpg --armor --export \
		"$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint \
		| grep ^fpr: | cut -f 10 -d :)" > $@
33
# Have the test authority certify the directory's OpenPGP key and
# export the result as cert.pgp: import minimal.pgp into the authority
# keyring, sign it there with the authority's default key (configured
# in authority/gpg.conf), then export the certified public key again.
# The key is selected by the fingerprint listed in the directory's own
# keyring, not the authority's.
# Import and signing modify the shared keyring, which leads to race
# conditions with parallel make. Locking avoids this problem.
# NOTE(review): $(GPG_FLOCK) is defined outside this file; the final
# export below runs without it -- confirm that reading the authority
# keyring while another job imports or signs into it is safe.
%/cert.pgp: %/minimal.pgp authority/gpg.conf
	GNUPGHOME=authority $(GPG_FLOCK) gpg --import $<
	GNUPGHOME=authority $(GPG_FLOCK) gpg --batch --sign-key --no-tty --yes "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
	GNUPGHOME=authority gpg --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@
40
# special cases for the authorities' root certs: both CAs are
# self-signed, and these explicit rules take precedence over the
# %/x509.pem pattern rules below. The test CA uses the generated
# authority.template (host name substituted), the rogue CA the
# unmodified template from the source tree.
authority/x509.pem: authority.template authority/secret.key
	certtool --generate-self-signed --load-privkey $(word 2,$^) --template $< > $@
rogueca/x509.pem: $(srcdir)/rogueca.template rogueca/secret.key
	certtool --generate-self-signed --load-privkey $(word 2,$^) --template $< > $@
[4b53371]46
# Certificate signing request for a directory, built from its template
# and its private key.
%/cert-request: %.template %/secret.key
	certtool --generate-request --load-privkey $(word 2,$^) --template $< > $@
[4b53371]49
# normal case: certificates signed by test CA
# (authority/x509.pem itself has an explicit self-signed rule above, so
# there is no cycle through the authority prerequisites here)
%/x509.pem: %.template %/cert-request authority/secret.key authority/x509.pem
	certtool --generate-certificate \
		--load-ca-certificate authority/x509.pem \
		--load-ca-privkey authority/secret.key \
		--load-request $(word 2,$^) \
		--template $< > $@
[4b53371]53
# error case: certificates signed by rogue CA
# Any rogue*/ directory other than rogueca/ matches both this rule and
# the generic %/x509.pem rule above. GNU make 3.82 and later chooses
# the pattern rule with the shortest stem, so this rule wins; older
# versions are expected to take the first matching rule in the file,
# which would sign the certificate with the test CA instead.
rogue%/x509.pem: rogue%.template rogue%/cert-request rogueca/x509.pem
	certtool --generate-certificate \
		--load-ca-certificate rogueca/x509.pem \
		--load-ca-privkey rogueca/secret.key \
		--load-request $(word 2,$^) \
		--template $< > $@
57
# Load a directory's key and certificate into a SoftHSM token via the
# helper script; the per-directory config is taken from the source tree.
# NOTE(review): softhsm.bash is presumably what creates $@ (via the
# config) -- this file never writes the target directly; verify.
%/softhsm.db: %/x509.pem %/secret.key
	SOFTHSM_CONF="$(srcdir)/$*-softhsm.conf" \
		$(srcdir)/softhsm.bash init $(word 2,$^) $<
60
# Generate CRL revoking a certain certificate. Currently used to
# revoke the server certificate and check if setting the CRL as
# GnuTLSProxyCRLFile causes the connection to the back end server to
# fail. The CRL is always issued by the test CA, whatever directory
# the revoked certificate lives in.
%/crl.pem: %/x509.pem $(srcdir)/%-crl.template
	certtool --generate-crl \
		--load-ca-privkey authority/secret.key \
		--load-ca-certificate authority/x509.pem \
		--load-certificate $< \
		--template $(word 2,$^) \
		> $@