source: mod_gnutls/test/test_ca.mk @ 298dc66

Last change on this file since 298dc66 was 298dc66, checked in by Thomas Klute <thomas2.klute@…>, 3 years ago

use --outfile instead of stdio redirection

This way, when a command fails, it shouldn't create files that make
could get confused by.

  • Property mode set to 100644
1#!/usr/bin/make -f
2# Authors:
3# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
4# Thomas Klute <thomas2.klute@uni-dortmund.de>
5
# Helper binary; the %/secret.pgp rule pipes the raw key through it to
# produce the checksum line of the ASCII armor.
# NOTE(review): the compiler is hard-coded, so $(CC)/$(CFLAGS)/$(LDFLAGS)
# (and any hardening flags passed through them) are not applied here.
pgpcrc: pgpcrc.c
	gcc $< -o $@
8
9# General rules to set up a miniature CA & server & client environment
10# for the test suite
11
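# Instantiate a certtool template from its .in source by substituting
# $(TEST_HOST) for the first __HOSTNAME__ placeholder on each line.
#
# The sed script is quoted so the shell neither globs nor word-splits the
# host name (think of a bracketed IPv6 literal). TEST_HOST must still not
# contain '/', '&' or '\', which are special inside a sed replacement.
#
# Output is written to a temporary file and renamed only after sed
# succeeded, so a failed run does not leave an empty or truncated target
# that make would treat as up to date.
%.template: $(srcdir)/%.template.in
	sed 's/__HOSTNAME__/$(TEST_HOST)/' < $< > $@.tmp
	mv -f $@.tmp $@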
14
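# Instantiate an OpenPGP user ID file (read by the %/secret.pgp.raw rule)
# from its .in source by substituting $(TEST_HOST) for the first
# __HOSTNAME__ placeholder on each line.
#
# The sed script is quoted so the shell neither globs nor word-splits the
# host name. TEST_HOST must still not contain '/', '&' or '\', which are
# special inside a sed replacement.
#
# Output is written to a temporary file and renamed only after sed
# succeeded, so a failed run does not leave an empty or truncated target
# that make would treat as up to date.
%.uid: $(srcdir)/%.uid.in
	sed 's/__HOSTNAME__/$(TEST_HOST)/' < $< > $@.tmp
	mv -f $@.tmp $@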
17
# Generate the private key of one test identity inside its own directory.
# The directory is created and restricted to its owner (0700) before the
# key is written into it. No passphrase option is given: this is
# throw-away test material and must never be reused outside the test
# suite. The rule has no prerequisites, so an existing key is kept.
%/secret.key:
	mkdir -p $(@D)
	chmod 0700 $(@D)
	certtool --generate-privkey --outfile $@
22
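# Convert the PEM private key into a binary OpenPGP secret key whose user
# ID is the content of the matching .uid file.
#
# PEM2OPENPGP_EXPIRATION=86400 limits the key lifetime (presumably in
# seconds, i.e. one day - confirm against pem2openpgp), and the usage
# flags allow authentication, certification and signing.
#
# pem2openpgp only writes to stdout, so the output is redirected into a
# temporary file and renamed after success; a failed conversion then
# cannot leave an empty secret.pgp.raw that make considers up to date.
%/secret.pgp.raw: %.uid %/secret.key
	PEM2OPENPGP_EXPIRATION=86400 \
	PEM2OPENPGP_USAGE_FLAGS=authenticate,certify,sign \
	pem2openpgp "$$(cat $<)" < $(dir $@)secret.key > $@.tmp
	mv -f $@.tmp $@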
25
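# Wrap the binary secret key in ASCII armor: header, base64 body, the
# '=' checksum line computed by ./pgpcrc, and the footer.
#
# The armor is assembled in a temporary file and renamed only when the
# whole command list succeeded, so a failure part-way through does not
# leave a truncated key block as the target.
# NOTE(review): "./pgpcrc < $< | base64" reports only base64's exit
# status; a failing pgpcrc is not detected here unless the recipe shell
# runs with pipefail.
%/secret.pgp: %/secret.pgp.raw pgpcrc
	(printf -- '-----BEGIN PGP PRIVATE KEY BLOCK-----\nVersion: test\n\n' && \
	base64 < $< && \
	printf -- '=' && \
	./pgpcrc < $< | base64 && \
	printf -- '-----END PGP PRIVATE KEY BLOCK-----\n' ) > $@.tmp
	mv -f $@.tmp $@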
32
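# Set up a GnuPG home directory for one test identity:
#   1. remove keyrings, trust database and private key files left over
#      from an earlier run,
#   2. import the armored secret key,
#   3. mark that key as ultimately trusted (ownertrust value 6),
#   4. write gpg.conf with the key as default-key.
#
# The fingerprint is looked up once and checked for being non-empty.
# Without the check a failed lookup would still produce a gpg.conf
# containing an empty "default-key" line, and make would treat the
# directory as fully set up.
# NOTE(review): the lookup takes every "fpr:" line; this assumes the
# keyring holds exactly one key without subkeys - confirm.
%/gpg.conf: %/secret.pgp
	rm -f $(dir $@)pubring.gpg $(dir $@)secring.gpg $(dir $@)trustdb.gpg $(dir $@)pubring.kbx $(dir $@)private-keys-v1.d/*.key
	GNUPGHOME=$(dir $@) gpg --import $<
	fpr="$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"; \
	if test -z "$$fpr"; then \
		echo "$@: no secret key fingerprint found after import" >&2; \
		exit 1; \
	fi; \
	printf "%s:6:\n" "$$fpr" | GNUPGHOME=$(dir $@) gpg --import-ownertrust && \
	printf "default-key %s\n" "$$fpr" > $@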
38
# Export the identity's own key, ASCII-armored and not yet signed by the
# test authority, from its private GnuPG home. The key is selected by the
# fingerprint found in that keyring's secret key listing.
# NOTE(review): gpg is run without --batch/--yes here; confirm how it
# behaves when the output file already exists on a rebuild.
%/minimal.pgp: %/gpg.conf
	GNUPGHOME=$(dir $@) \
	gpg --armor --output $@ --export \
		"$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
41
# Have the test authority certify an identity's OpenPGP key:
#   1. import the unsigned key into the authority keyring,
#   2. sign it non-interactively with the authority key,
#   3. export the signed key from the authority keyring.
#
# Steps 1 and 2 modify the keyring shared by all identities, which races
# under parallel make; $(GPG_FLOCK) serialises them.
# NOTE(review): the export in step 3 reads the same keyring without the
# lock - confirm a concurrent import or signature cannot disturb it.
%/cert.pgp: %/minimal.pgp authority/gpg.conf
	GNUPGHOME=authority $(GPG_FLOCK) gpg --import $<
	GNUPGHOME=authority $(GPG_FLOCK) gpg --batch --sign-key --no-tty --yes \
		"$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
	GNUPGHOME=authority gpg --output $@ --armor --export \
		"$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
48
# Special case for an authority root certificate: the test CA signs its
# own certificate with its own private key, using the generated
# authority.template.
authority/x509.pem: authority.template authority/secret.key
	certtool --generate-self-signed \
		--load-privkey authority/secret.key \
		--template authority.template \
		--outfile $@
# Special case for an authority root certificate: the rogue CA signs its
# own certificate. Its template is taken from $(srcdir) as is, without
# the __HOSTNAME__ substitution applied to the *.template.in files.
rogueca/x509.pem: $(srcdir)/rogueca.template rogueca/secret.key
	certtool --generate-self-signed \
		--load-privkey rogueca/secret.key \
		--template $(srcdir)/rogueca.template \
		--outfile $@
54
# Create a certificate signing request for one identity from its
# template ($<) and the private key in the identity's directory.
%/cert-request: %.template %/secret.key
	certtool --generate-request \
		--load-privkey $(dir $@)secret.key \
		--template $< \
		--outfile $@
57
# Normal case: the identity's certificate request is signed by the test
# CA (authority certificate and key), with the identity's template ($<)
# supplying the certificate contents.
%/x509.pem: %.template %/cert-request authority/secret.key authority/x509.pem
	certtool --generate-certificate \
		--load-ca-certificate authority/x509.pem \
		--load-ca-privkey authority/secret.key \
		--load-request $(dir $@)cert-request \
		--template $< \
		--outfile $@
61
# Error case: identities whose name starts with "rogue" get certificates
# signed by the rogue CA, which the tests expect to be rejected.
# rogueca/secret.key is not listed as a prerequisite; it is built
# through rogueca/x509.pem, which depends on it.
#
# These targets also match the generic %/x509.pem rule. GNU make 3.82
# and later prefer the pattern with the shortest stem, which selects
# this rule.
# NOTE(review): older make versions choose by definition order and would
# sign these certificates with the test CA instead - confirm the minimum
# supported make version.
rogue%/x509.pem: rogue%.template rogue%/cert-request rogueca/x509.pem
	certtool --generate-certificate \
		--load-ca-certificate rogueca/x509.pem \
		--load-ca-privkey rogueca/secret.key \
		--load-request $(dir $@)cert-request \
		--template $< \
		--outfile $@
65
# Write the SoftHSM configuration for one identity: a single line of the
# form "0:<dir>/softhsm.db" (presumably slot 0 mapped to the token
# database - confirm against the SoftHSM version in use).
# The secret.key prerequisite is not read by the recipe.
%/softhsm.conf: %/secret.key
	echo "0:$(@D)/softhsm.db" > $@
68
# Initialise the identity's SoftHSM token by running softhsm.bash init
# with the private key and certificate. The script gets the SoftHSM
# utility via SOFTHSM and the per-identity configuration via
# SOFTHSM_CONF. The recipe does not write $@ itself; the target is
# presumably created by the script - confirm.
%/softhsm.db: %/x509.pem %/secret.key %/softhsm.conf
	SOFTHSM="$(SOFTHSM)" SOFTHSM_CONF="$(@D)/softhsm.conf" \
	$(srcdir)/softhsm.bash init $(@D)/secret.key $(@D)/x509.pem
73
# Write the SoftHSM 2 configuration for one identity: file-based object
# store with the token directory <dir>/softhsm2.db. Both lines go through
# a single redirection. The secret.key prerequisite is not read by the
# recipe.
%/softhsm2.conf: %/secret.key
	{ echo "objectstore.backend = file"; \
	  echo "directories.tokendir = $(@D)/softhsm2.db"; } > $@
77
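# Initialise the identity's SoftHSM 2 token directory by running
# softhsm.bash init with the private key and certificate. The script
# gets the SoftHSM utility via SOFTHSM and the per-identity
# configuration via SOFTHSM2_CONF.
#
# The target is a directory that the recipe creates before the token is
# initialised. If initialisation fails, the directory is removed again:
# otherwise it would exist with a fresh timestamp and the next make run
# would consider the token up to date although it was never set up.
%/softhsm2.db: %/x509.pem %/secret.key %/softhsm2.conf
	mkdir -p $@
	SOFTHSM="$(SOFTHSM)" \
	SOFTHSM2_CONF="$(dir $@)softhsm2.conf" \
	$(srcdir)/softhsm.bash init $(dir $@)secret.key $(dir $@)x509.pem \
	|| { rm -rf $@; exit 1; }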
83
# Generate a CRL, issued by the test CA, that revokes the identity's
# certificate ($<). Currently used to revoke the server certificate and
# to check that configuring the CRL as GnuTLSProxyCRLFile makes the
# connection to the back end server fail.
# The authority key and certificate are not listed as prerequisites;
# for identities signed by the test CA they are built through
# %/x509.pem.
%/crl.pem: %/x509.pem $(srcdir)/%-crl.template
	certtool --generate-crl \
		--load-ca-certificate authority/x509.pem \
		--load-ca-privkey authority/secret.key \
		--load-certificate $< \
		--template "$(srcdir)/$*-crl.template" \
		--outfile $@