source: mod_gnutls/test/test_ca.mk @ e2200db

Last change on this file since e2200db was ff039b1, checked in by Fiona Klute <fiona.klute@…>, 21 months ago

Test suite: Replace softhsm.bash with Python code

With this all test scripts only call runtest.py.

#!/usr/bin/make -f
# Authors:
# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
# Fiona Klute <fiona.klute@gmx.de>

# General rules to set up a miniature CA & server & client environment
# for the test suite

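# Instantiate the certtool template for directory % from the .in file
# in srcdir. Three placeholders are substituted:
#   __HOSTNAME__      <- TEST_HOST
#   __OCSP_URI__      <- OCSP_URI_TEMPLATE followed by the directory
#                        part of the stem ($(*))
#   __IP_ADDRESSES__  <- one "ip_address = ..." line per word of
#                        TEST_IP; a leading "[" and trailing "]" are
#                        stripped from each word first. The loop joins
#                        the lines with a literal "\n" (which sed turns
#                        into a newline), and the leading separator is
#                        removed with ${IP_ADDRS#\n} before substituting.
# All edits are applied to $@.tmp and the result is renamed into place
# last. Editing $@ in place with several sed -i steps would leave a
# half-substituted file that is newer than its prerequisite when the
# second or third sed fails, and the next make run would then treat it
# as up to date (no .DELETE_ON_ERROR is set in this file).
# sed -i is used with GNU sed semantics.
%/template: $(srcdir)/%/template.in
	@mkdir -m 0700 -p $(@D)
	sed s/__HOSTNAME__/$(TEST_HOST)/ < $< > $@.tmp
	sed -i -e "s,__OCSP_URI__,$(OCSP_URI_TEMPLATE)$(dir $(*))," $@.tmp
	for i in $(patsubst [%],%,$(TEST_IP)); do \
		IP_ADDRS="$${IP_ADDRS}\nip_address = $${i}"; \
	done; \
	sed -i -e "s,__IP_ADDRESSES__,$${IP_ADDRS#\\n}," $@.tmp
	mv -f $@.tmp $@
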
# Instantiate the uid file for directory % (consumed by the OpenPGP
# key rule below via "cat") by filling in TEST_HOST for __HOSTNAME__.
# The target directory is created with mode 0700 because it will also
# hold the private key.
%/uid: $(srcdir)/%/uid.in
	@mkdir -p -m 0700 $(@D)
	sed s/__HOSTNAME__/$(TEST_HOST)/ $< > $@

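# Generate a fresh private key for directory %. certtool writes to
# $@.tmp and the file is renamed into place only after certtool has
# exited successfully: %/secret.key is declared .PRECIOUS below, so
# make would otherwise keep an incomplete file left by an interrupted
# or failed certtool run and consider the key built on the next run.
# The directory is created with mode 0700 so the key is not readable
# by other users regardless of the umask certtool runs under.
# NOTE(review): no --key-type/--bits are given, so certtool's defaults
# decide the algorithm and size — confirm they match what the tests
# expect.
%/secret.key:
	@mkdir -m 0700 -p $(@D)
	certtool --generate-privkey --outfile $@.tmp
	mv -f $@.tmp $@
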
# Never let make delete generated private keys: a %/secret.key that is
# only reached as a step in a pattern-rule chain would otherwise count
# as an intermediate file and be removed after the build, and the next
# run would generate a different key under the already issued
# certificates. (This also keeps the file on interrupt, which is why
# the key recipe should not write $@ incrementally.)
.PRECIOUS: %/secret.key

# Convert the X.509 private key of directory % into a raw OpenPGP
# secret key carrying the user id from %/uid. pem2openpgp reads the
# PEM key on stdin; the usage flags are passed in its environment.
%/secret.pgp.raw: %/uid %/secret.key
	PEM2OPENPGP_USAGE_FLAGS=authenticate,certify,sign \
		pem2openpgp "$$(cat $<)" < $(word 2,$^) > $@

# Wrap the raw OpenPGP secret key in ASCII armor: header, base64 body,
# the "=" line carrying the armor checksum computed by the pgpcrc
# helper built in the current directory, and the footer. The group is
# redirected as a whole so $@ receives the complete block.
%/secret.pgp: %/secret.pgp.raw pgpcrc
	{ printf -- '-----BEGIN PGP PRIVATE KEY BLOCK-----\nVersion: test\n\n' && \
	  base64 < $< && \
	  printf -- '=' && \
	  ./pgpcrc < $< | base64 && \
	  printf -- '-----END PGP PRIVATE KEY BLOCK-----\n'; } > $@

# Build a throw-away GnuPG home in $(dir $@) that contains only the key
# from %/secret.pgp, then write a gpg.conf selecting it as default key.
# Previous keyring state is removed first so that the fingerprint
# lookups below see exactly one key: the pipeline prints every "fpr"
# record, and a second key would corrupt both the ownertrust line and
# the default-key line. Ownertrust level 6 marks the key as ultimately
# trusted within this test keyring.
%/gpg.conf: %/secret.pgp
	rm -f $(dir $@)pubring.gpg $(dir $@)secring.gpg $(dir $@)trustdb.gpg $(dir $@)pubring.kbx $(dir $@)private-keys-v1.d/*.key
	GNUPGHOME=$(dir $@) gpg --import $<
	printf "%s:6:\n" "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
	printf "default-key %s\n" "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@

# Export the public part of the key in the GnuPG home $(dir $@) as an
# ASCII-armored file. gpg does not silently overwrite an existing
# --output file, so a readable stale copy is removed beforehand.
%/minimal.pgp: %/gpg.conf
	test ! -r $@ || rm $@
	GNUPGHOME=$(dir $@) gpg --output $@ --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"

# Certify the key from %/minimal.pgp with the test authority key and
# export the signed public key to %/cert.pgp.
#
# Import and signing modify the shared keyring, which leads to race
# conditions with parallel make. Locking avoids this problem. Building
# authority/minimal.pgp (instead of just authority/gpg.conf) before
# */cert.pgp avoids having to lock for all */minimal.pgp, too.
#
# GPG_FLOCK is defined outside this file; it is expected to expand to a
# lock wrapper prefixed to every gpg call that touches authority/. The
# key to certify is selected by the fingerprint of the secret key in
# $(dir $@), so that pipeline must yield exactly one "fpr" record.
# --batch --no-tty --yes answer the certification prompts
# non-interactively.
%/cert.pgp: %/minimal.pgp authority/minimal.pgp
	if test -r $@; then rm $@; fi
	GNUPGHOME=authority/ $(GPG_FLOCK) gpg --import $<
	GNUPGHOME=authority/ $(GPG_FLOCK) gpg --batch --sign-key --no-tty --yes "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
	GNUPGHOME=authority/ $(GPG_FLOCK) gpg --output $@ --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"

# Root CAs: the test authority and the rogue CA (used for error cases)
# are self-signed from their own template and private key. Their chain
# file is simply a copy of the certificate. The static pattern rules
# take precedence over the generic %/x509.pem rule further down, so
# the roots are never "issued" by the authority.
define root_cert_rule
certtool --outfile $@ --generate-self-signed --load-privkey $(dir $@)secret.key --template $<
endef
define root_chain_rule
cp $< $@
endef
authority/x509.pem rogueca/x509.pem: %/x509.pem: %/template %/secret.key
	$(root_cert_rule)
authority/x509-chain.pem rogueca/x509-chain.pem: %/x509-chain.pem: %/x509.pem
	$(root_chain_rule)

# Recipes shared by all non-root certificates. The issuing CA's
# certificate and private key are taken from the parent directory of
# the target; the chain file is the certificate itself followed by the
# parent's chain. Both are recursively expanded so $@ and $< refer to
# the rule that uses them.
define cert_rule
certtool --outfile $@ --generate-certificate --load-ca-certificate $(dir $@)../x509.pem --load-ca-privkey $(dir $@)../secret.key --load-privkey $(dir $@)secret.key --template $<
endef
define chain_rule
cat $< $(dir $@)../x509-chain.pem > $@
endef

# Certificates issued directly by the test root CA. The CA key and
# certificate are explicit prerequisites so a regenerated root
# re-issues everything below it. More specific patterns for
# authority/subca/% and rogueca/% follow; GNU make >= 3.82 picks the
# rule with the shortest stem, while older versions take the first
# matching rule in the file, i.e. this one.
%/x509.pem: $(addprefix %/,template secret.key) authority/secret.key authority/x509.pem
	$(cert_rule)
%/x509-chain.pem: %/x509.pem authority/x509-chain.pem
	$(chain_rule)

# Certificates issued by the test sub CA. The sub CA's own certificate
# is a prerequisite (its key is reached through it), so a re-issued
# sub CA re-issues its leaf certificates and chains.
authority/subca/%/x509.pem: $(addprefix authority/subca/%/,template secret.key) authority/subca/x509.pem
	$(cert_rule)
authority/subca/%/x509-chain.pem: authority/subca/%/x509.pem authority/subca/x509-chain.pem
	$(chain_rule)

# Certificates issued by the rogue CA, i.e. not trusted by the test
# authority (for error cases). No x509-chain.pem rule is defined for
# these here.
rogueca/%/x509.pem: $(addprefix rogueca/%/,template secret.key) rogueca/x509.pem
	$(cert_rule)

# Initialise a SoftHSM token from the private key and certificate of
# directory % using softhsm-init.py. The target appears to be a token
# directory (--token-dir), so its mtime follows its contents; SOFTHSM
# is handed to the script through the environment.
%/softhsm2.db: %/x509.pem %/secret.key
	SOFTHSM="$(SOFTHSM)" $(PYTHON) $(srcdir)/softhsm-init.py \
		--token-dir $@ \
		--privkey $(word 2,$^) \
		--certificate $<

# Generate a CRL revoking a certain certificate. Currently used to
# revoke the server certificate and check if setting the CRL as
# GnuTLSProxyCRLFile causes the connection to the back end server to
# fail. The CRL is always signed by the test root CA; its key and
# certificate are not listed here because the generic %/x509.pem rule
# already depends on both, so a changed root re-issues the certificate
# and with it the CRL.
%/crl.pem: %/x509.pem $(srcdir)/%/crl.template
	certtool --generate-crl \
		--outfile $@ \
		--load-ca-privkey authority/secret.key \
		--load-ca-certificate authority/x509.pem \
		--load-certificate $< \
		--template "$(word 2,$^)"