source: mod_gnutls/test/test_ca.mk @ d70dd6e

Last change on this file since d70dd6e was d70dd6e, checked in by Thomas Klute <thomas2.klute@…>, 4 years ago

ensure cleanup of gpg v2.1 keyrings as well

Depending on the version of gpg, the choice of secret keyring and the
behavior when exporting secret key material differ.

for example, see https://bugs.gnupg.org/gnupg/issue2324, and the fact
that secret keys are stored in different locations.

This change allows the test suite to work with all known major
versions of GnuPG.

[4b53371]1#!/usr/bin/make -f
[9a4d250]2# Authors:
3# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
4# Thomas Klute <thomas2.klute@uni-dortmund.de>
[4b53371]5
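# Helper binary that emits the armor checksum for the raw OpenPGP key
# material; the %/secret.pgp rule below pipes the raw key through it.
# Use the standard compiler variables instead of a hard-coded gcc so the
# build honours `make CC=... CFLAGS=...` (and the configured compiler
# when this file is included from an automake-generated Makefile).
pgpcrc: pgpcrc.c
	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -o $@ $<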
8
[9a4d250]9# General rules to set up a miniature CA & server & client environment
10# for the test suite
[4b53371]11
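# Instantiate a certtool template from the source tree, replacing the
# __HOSTNAME__ placeholder with $(TEST_HOST).  The sed expression is
# quoted so a TEST_HOST containing shell metacharacters cannot alter
# the command line.
%.template: $(srcdir)/%.template.in
	sed 's/__HOSTNAME__/$(TEST_HOST)/' < $< > $@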
14
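# Instantiate an OpenPGP user ID file from the source tree, replacing
# the __HOSTNAME__ placeholder with $(TEST_HOST).  Same quoting as the
# %.template rule so both rules treat TEST_HOST identically.
%.uid: $(srcdir)/%.uid.in
	sed 's/__HOSTNAME__/$(TEST_HOST)/' < $< > $@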
17
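# Create the per-entity private key in its own directory.  The directory
# is made private (0700); the key file itself is additionally created
# with a restrictive umask so it never depends on the directory mode
# alone.  Writing to a temporary name and renaming keeps a failed
# certtool run from leaving a truncated key that make would consider
# up to date.
%/secret.key:
	mkdir -p $(dir $@)
	chmod 0700 $(dir $@)
	umask 077 && certtool --generate-privkey > $@.tmp && mv -f $@.tmp $@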
22
# Convert the PEM private key into a raw OpenPGP secret key packet for
# the user ID read from the %.uid file.  Expiration is one day, and the
# key is flagged for authentication, certification and signing.
%/secret.pgp.raw: %.uid %/secret.key
	PEM2OPENPGP_EXPIRATION=86400 \
	PEM2OPENPGP_USAGE_FLAGS=authenticate,certify,sign \
	pem2openpgp "$$(cat $<)" < $(word 2,$^) > $@
[4b53371]25
# Wrap the raw secret key in ASCII armor: header, base64 body, the
# '=' checksum line produced by ./pgpcrc, and the footer.
# NOTE(review): in `./pgpcrc < $< | base64` only the exit status of
# base64 is checked, so a pgpcrc failure would go unnoticed — confirm
# whether that matters for the test suite.
%/secret.pgp: %/secret.pgp.raw pgpcrc
	{ printf -- '-----BEGIN PGP PRIVATE KEY BLOCK-----\nVersion: test\n\n' \
	  && base64 < $< \
	  && printf -- '=' \
	  && ./pgpcrc < $< | base64 \
	  && printf -- '-----END PGP PRIVATE KEY BLOCK-----\n'; } > $@
[3e800f9]32
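# Set up a private GnuPG home in $(dir $@): import the generated secret
# key, mark it ultimately trusted (ownertrust level 6) and write a
# gpg.conf selecting it as default-key.
# GnuPG versions keep keys in different files (pubring.gpg/secring.gpg,
# or pubring.kbx and private-keys-v1.d with gpg >= 2.1), so all of them
# are removed first to start from a clean keyring.
# The fingerprint is queried once and required to be non-empty, so a
# failed import fails the rule instead of writing an empty default-key.
%/gpg.conf: %/secret.pgp
	rm -f $(dir $@)pubring.gpg $(dir $@)secring.gpg $(dir $@)trustdb.gpg $(dir $@)pubring.kbx $(dir $@)private-keys-v1.d/*.key
	GNUPGHOME=$(dir $@) gpg --import $<
	fpr="$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" \
	&& [ -n "$$fpr" ] \
	&& printf "%s:6:\n" "$$fpr" | GNUPGHOME=$(dir $@) gpg --import-ownertrust \
	&& printf "default-key %s\n" "$$fpr" > $@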
[3e800f9]38
# Export the (unsigned) public key of the entity's GnuPG home as an
# ASCII-armored file.  The fingerprint is looked up in the same home.
%/minimal.pgp: %/gpg.conf
	fpr="$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" \
	&& GNUPGHOME=$(dir $@) gpg --output $@ --armor --export "$$fpr"
[3e800f9]41
[d92899e]42# Import and signing modify the shared keyring, which leads to race
43# conditions with parallel make. Locking avoids this problem.
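# Have the test authority certify the entity's key: import the minimal
# public key into the authority keyring, sign it, and export the signed
# key.  Import and sign-key take $(GPG_FLOCK) because they write to the
# shared authority keyring.  The fingerprint is queried once from the
# entity's own home and must be non-empty, so a missing key fails the
# rule instead of running gpg with an empty key ID.
# NOTE(review): assumes the entity key has a single fpr: line (no
# subkeys) — confirm if pem2openpgp ever generates subkeys.
%/cert.pgp: %/minimal.pgp authority/gpg.conf
	GNUPGHOME=authority $(GPG_FLOCK) gpg --import $<
	fpr="$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" \
	&& [ -n "$$fpr" ] \
	&& GNUPGHOME=authority $(GPG_FLOCK) gpg --batch --sign-key --no-tty --yes "$$fpr" \
	&& GNUPGHOME=authority gpg --armor --export "$$fpr" > $@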
48
49# special cases for the authorities' root certs:
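# Self-signed root certificate of the test CA.  Inputs are taken from
# the prerequisite list ($< = template, second word = private key) so
# the rule header is the single source of truth for what it reads.
authority/x509.pem: authority.template authority/secret.key
	certtool --generate-self-signed --load-privkey $(word 2,$^) --template $< > $@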
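# Self-signed root certificate of the rogue (untrusted) CA used for the
# error-case tests.  Its template comes straight from the source tree.
# Inputs are taken from the prerequisite list, as for authority/x509.pem.
rogueca/x509.pem: $(srcdir)/rogueca.template rogueca/secret.key
	certtool --generate-self-signed --load-privkey $(word 2,$^) --template $< > $@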
[4b53371]54
# Certificate signing request for an entity, built from its template
# and private key.
%/cert-request: %.template %/secret.key
	certtool --generate-request \
		--load-privkey $(word 2,$^) \
		--template $< \
		> $@
[4b53371]57
[c0bb823]58# normal case: certificates signed by test CA
# Entity certificate signed by the test CA: the CSR is signed with the
# authority's key and certificate using the entity's own template.
%/x509.pem: %.template %/cert-request authority/secret.key authority/x509.pem
	certtool --generate-certificate \
		--load-ca-certificate authority/x509.pem \
		--load-ca-privkey authority/secret.key \
		--load-request $(word 2,$^) \
		--template $< \
		> $@
[4b53371]61
[c0bb823]62# error case: certificates signed by rogue CA
# Entity certificate signed by the rogue CA (for negative tests).  The
# rogue CA's own key is read from rogueca/ alongside its certificate.
rogue%/x509.pem: rogue%.template rogue%/cert-request rogueca/x509.pem
	certtool --generate-certificate \
		--load-ca-certificate rogueca/x509.pem \
		--load-ca-privkey rogueca/secret.key \
		--load-request $(word 2,$^) \
		--template $< \
		> $@
65
# SoftHSM v1 configuration: slot 0 backed by the entity's softhsm.db.
%/softhsm.conf: %/secret.key
	printf '0:%s\n' '$(dir $@)softhsm.db' > $@
68
# Initialise a SoftHSM v1 token with the entity's key and certificate
# (prerequisite order: certificate, key, configuration).
%/softhsm.db: %/x509.pem %/secret.key %/softhsm.conf
	env SOFTHSM="$(SOFTHSM)" SOFTHSM_CONF="$(word 3,$^)" \
	  $(srcdir)/softhsm.bash init $(word 2,$^) $<
[33af2b7]73
# SoftHSM v2 configuration: file-backed object store in the entity's
# softhsm2.db directory.  Both lines are written in one go.
%/softhsm2.conf: %/secret.key
	printf 'objectstore.backend = file\ndirectories.tokendir = %s\n' '$(dir $@)softhsm2.db' > $@
77
# Initialise a SoftHSM v2 token with the entity's key and certificate.
# The target is the token directory itself, so it is created first.
%/softhsm2.db: %/x509.pem %/secret.key %/softhsm2.conf
	mkdir -p $@
	env SOFTHSM="$(SOFTHSM)" SOFTHSM2_CONF="$(word 3,$^)" \
	  $(srcdir)/softhsm.bash init $(word 2,$^) $<
83
[33af2b7]84# Generate CRL revoking a certain certificate. Currently used to
85# revoke the server certificate and check if setting the CRL as
86# GnuTLSProxyCRLFile causes the connection to the back end server to
87# fail.
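# The CA key and certificate are read by the recipe, so they are listed
# as prerequisites: a regenerated authority then triggers a fresh CRL
# instead of leaving a CRL signed by a stale CA.  $(srcdir) is spelled
# as elsewhere in this file, and the template is picked from $^ so the
# header stays the single source of truth.
%/crl.pem: %/x509.pem $(srcdir)/%-crl.template authority/secret.key authority/x509.pem
	certtool --generate-crl \
		--load-ca-privkey authority/secret.key \
		--load-ca-certificate authority/x509.pem \
		--load-certificate $< \
		--template "$(filter %-crl.template,$^)" \
		> $@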