[4b53371] | 1 | #!/usr/bin/make -f |
---|
[9a4d250] | 2 | # Authors: |
---|
| 3 | # Daniel Kahn Gillmor <dkg@fifthhorseman.net> |
---|
| 4 | # Thomas Klute <thomas2.klute@uni-dortmund.de> |
---|
[4b53371] | 5 | |
---|
[9a4d250] | 6 | # General rules to set up a miniature CA & server & client environment |
---|
| 7 | # for the test suite |
---|
[4b53371] | 8 | |
---|
[33af2b7] | 9 | %.template: $(srcdir)/%.template.in |
---|
[4b53371] | 10 | sed s/__HOSTNAME__/$(TEST_HOST)/ < $< > $@ |
---|
| 11 | |
---|
[33af2b7] | 12 | %.uid: $(srcdir)/%.uid.in |
---|
[4b53371] | 13 | sed s/__HOSTNAME__/$(TEST_HOST)/ < $< > $@ |
---|
| 14 | |
---|
| 15 | %/secret.key: |
---|
| 16 | mkdir -p $(dir $@) |
---|
| 17 | chmod 0700 $(dir $@) |
---|
[298dc66] | 18 | certtool --outfile $@ --generate-privkey |
---|
[4b53371] | 19 | |
---|
[d70dd6e] | 20 | %/secret.pgp.raw: %.uid %/secret.key |
---|
| 21 | PEM2OPENPGP_EXPIRATION=86400 PEM2OPENPGP_USAGE_FLAGS=authenticate,certify,sign pem2openpgp "$$(cat $<)" < $(dir $@)secret.key > $@ |
---|
[4b53371] | 22 | |
---|
[d70dd6e] | 23 | %/secret.pgp: %/secret.pgp.raw pgpcrc |
---|
| 24 | (printf -- '-----BEGIN PGP PRIVATE KEY BLOCK-----\nVersion: test\n\n' && \ |
---|
| 25 | base64 < $< && \ |
---|
| 26 | printf -- '=' && \ |
---|
| 27 | ./pgpcrc < $< | base64 && \ |
---|
| 28 | printf -- '-----END PGP PRIVATE KEY BLOCK-----\n' ) > $@ |
---|
[3e800f9] | 29 | |
---|
[d70dd6e] | 30 | %/gpg.conf: %/secret.pgp |
---|
| 31 | rm -f $(dir $@)pubring.gpg $(dir $@)secring.gpg $(dir $@)trustdb.gpg $(dir $@)pubring.kbx $(dir $@)private-keys-v1.d/*.key |
---|
| 32 | GNUPGHOME=$(dir $@) gpg --import $< |
---|
| 33 | printf "%s:6:\n" "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust |
---|
| 34 | printf "default-key %s\n" "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@ |
---|
[3e800f9] | 35 | |
---|
[d70dd6e] | 36 | %/minimal.pgp: %/gpg.conf |
---|
| 37 | GNUPGHOME=$(dir $@) gpg --output $@ --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" |
---|
[3e800f9] | 38 | |
---|
[d92899e] | 39 | # Import and signing modify the shared keyring, which leads to race |
---|
| 40 | # conditions with parallel make. Locking avoids this problem. |
---|
[3e800f9] | 41 | %/cert.pgp: %/minimal.pgp authority/gpg.conf |
---|
[5b6a5d9] | 42 | GNUPGHOME=authority $(GPG_FLOCK) gpg --import $< |
---|
| 43 | GNUPGHOME=authority $(GPG_FLOCK) gpg --batch --sign-key --no-tty --yes "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" |
---|
[298dc66] | 44 | GNUPGHOME=authority gpg --output $@ --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" |
---|
[3e800f9] | 45 | |
---|
| 46 | # special cases for the authorities' root certs: |
---|
[4b53371] | 47 | authority/x509.pem: authority.template authority/secret.key |
---|
[298dc66] | 48 | certtool --outfile $@ --generate-self-signed --load-privkey authority/secret.key --template authority.template |
---|
[33af2b7] | 49 | rogueca/x509.pem: $(srcdir)/rogueca.template rogueca/secret.key |
---|
[298dc66] | 50 | certtool --outfile $@ --generate-self-signed --load-privkey rogueca/secret.key --template $(srcdir)/rogueca.template |
---|
[4b53371] | 51 | |
---|
[a63301f] | 52 | %/cert-request: %.template %/secret.key |
---|
[298dc66] | 53 | certtool --outfile $@ --generate-request --load-privkey $(dir $@)secret.key --template $< |
---|
[4b53371] | 54 | |
---|
[c0bb823] | 55 | # normal case: certificates signed by test CA |
---|
[a63301f] | 56 | %/x509.pem: %.template %/cert-request authority/secret.key authority/x509.pem |
---|
[42829ae] | 57 | certtool --outfile $@ --generate-certificate --load-ca-certificate authority/x509.pem --load-ca-privkey authority/secret.key --load-request $(dir $@)cert-request --template $< |
---|
[4b53371] | 58 | |
---|
[c0bb823] | 59 | # error case: certificates signed by rogue CA |
---|
| 60 | rogue%/x509.pem: rogue%.template rogue%/cert-request rogueca/x509.pem |
---|
[298dc66] | 61 | certtool --outfile $@ --generate-certificate --load-ca-certificate rogueca/x509.pem --load-ca-privkey rogueca/secret.key --load-request $(dir $@)cert-request --template $< |
---|
[c0bb823] | 62 | |
---|
[6f644fa] | 63 | %/softhsm.conf: %/secret.key |
---|
| 64 | echo "0:$(dir $@)softhsm.db" > $@ |
---|
| 65 | |
---|
| 66 | %/softhsm.db: %/x509.pem %/secret.key %/softhsm.conf |
---|
[5eb4544] | 67 | SOFTHSM="$(SOFTHSM)" \ |
---|
[6f644fa] | 68 | SOFTHSM_CONF="$(dir $@)softhsm.conf" \ |
---|
| 69 | $(srcdir)/softhsm.bash init $(dir $@)secret.key $(dir $@)x509.pem |
---|
[33af2b7] | 70 | |
---|
[b0e5dae] | 71 | %/softhsm2.conf: %/secret.key |
---|
| 72 | echo "objectstore.backend = file" > $@ |
---|
| 73 | echo "directories.tokendir = $(dir $@)softhsm2.db" >> $@ |
---|
| 74 | |
---|
| 75 | %/softhsm2.db: %/x509.pem %/secret.key %/softhsm2.conf |
---|
| 76 | mkdir -p $@ |
---|
[5725dca] | 77 | SOFTHSM="$(SOFTHSM)" \ |
---|
[b0e5dae] | 78 | SOFTHSM2_CONF="$(dir $@)softhsm2.conf" \ |
---|
| 79 | $(srcdir)/softhsm.bash init $(dir $@)secret.key $(dir $@)x509.pem |
---|
| 80 | |
---|
[33af2b7] | 81 | # Generate CRL revoking a certain certificate. Currently used to |
---|
| 82 | # revoke the server certificate and check if setting the CRL as |
---|
| 83 | # GnuTLSProxyCRLFile causes the connection to the back end server to |
---|
| 84 | # fail. |
---|
| 85 | %/crl.pem: %/x509.pem ${srcdir}/%-crl.template |
---|
| 86 | certtool --generate-crl \ |
---|
[298dc66] | 87 | --outfile $@ \ |
---|
[33af2b7] | 88 | --load-ca-privkey authority/secret.key \ |
---|
| 89 | --load-ca-certificate authority/x509.pem \ |
---|
| 90 | --load-certificate $< \ |
---|
[298dc66] | 91 | --template "${srcdir}/$(*)-crl.template" |
---|