source: mod_gnutls/test/test_ca.mk @ 3aff94d

Last change on this file since 3aff94d was 849b87e, checked in by Fiona Klute <fiona.klute@…>, 14 months ago

Test suite: Add support for IP-based virtual hosts

  • Pass TEST_IP to the tests
  • Add IP addresses to the server certificate
  • Allow tests to access the server via an IP address instead of TEST_HOST
1#!/usr/bin/make -f
2# Authors:
3# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
4# Fiona Klute <fiona.klute@gmx.de>
5
6# General rules to set up a miniature CA & server & client environment
7# for the test suite
8
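# Instantiate a certtool template from its *.in source: substitute the
# test host name, enable the "### ocsp" lines and fill in the OCSP port
# when OCSP_PORT is set, and expand __IP_ADDRESSES__ to one
# "ip_address = " line per word of TEST_IP (surrounding brackets, as in
# "[::1]", are stripped). Every edit is applied to $@.tmp and the result
# is renamed into place last, so a failed or interrupted run cannot
# leave a half-substituted template that looks newer than its source.
# Requires GNU sed (-i, and "\n" in the replacement text).
# NOTE(review): no escaping is applied — the sed expressions assume
# TEST_HOST and OCSP_PORT contain no "/" and TEST_IP entries no ",".
%.template: $(srcdir)/%.template.in
	sed 's/__HOSTNAME__/$(TEST_HOST)/' < $< > $@.tmp
	if test -n "$(OCSP_PORT)"; then \
		sed -i -e 's/^### ocsp/ocsp/' \
			-e 's/__OCSP_PORT__/$(OCSP_PORT)/' $@.tmp; \
	fi
	for i in $$(echo $(TEST_IP)); do \
		i="$${i%\]}"; \
		IP_ADDRS="$${IP_ADDRS}\nip_address = $${i#\[}"; \
	done; \
	sed -i -e "s,__IP_ADDRESSES__,$${IP_ADDRS}," $@.tmp && \
	mv -f $@.tmp $@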
20
# Instantiate an OpenPGP user ID from its *.in source by substituting
# the test host name for __HOSTNAME__.
%.uid: $(srcdir)/%.uid.in
	sed 's/__HOSTNAME__/$(TEST_HOST)/' $< > $@
23
# Create a fresh private key for the entity named by the directory
# (authority/, rogueca/, ...). The directory is created mode 0700, so
# the key is reachable only by the user running the tests; the key
# file's own mode is whatever certtool and the umask produce. The rule
# has no prerequisites: an existing key is never regenerated.
%/secret.key:
	mkdir -p $(@D) && chmod 0700 $(@D)
	certtool --generate-privkey --outfile $@
28
# Convert the entity's private key into a raw (binary) OpenPGP secret
# key whose user ID is the contents of %.uid; the key gets the
# authenticate, certify and sign usage flags.
%/secret.pgp.raw: %.uid %/secret.key
	PEM2OPENPGP_USAGE_FLAGS=authenticate,certify,sign \
	pem2openpgp "$$(cat $<)" < $(word 2,$^) > $@
31
# Wrap the raw OpenPGP secret key in ASCII armor: header, base64 body,
# "=" followed by the base64-encoded armor checksum computed by
# ./pgpcrc (built from the test sources), then the footer.
%/secret.pgp: %/secret.pgp.raw pgpcrc
	{ printf -- '-----BEGIN PGP PRIVATE KEY BLOCK-----\nVersion: test\n\n' \
	  && base64 < $< \
	  && printf -- '=' \
	  && ./pgpcrc < $< | base64 \
	  && printf -- '-----END PGP PRIVATE KEY BLOCK-----\n'; } > $@
38
# Initialise a per-entity GNUPGHOME: wipe any keyring/trustdb files left
# from a previous run, import the armored secret key, mark its
# fingerprint as ultimately trusted (ownertrust level 6) and write a
# gpg.conf selecting it as the default key. The fingerprint is read
# once from the "fpr" record of --with-colons output.
# NOTE(review): assumes exactly one fpr record (a key without subkeys);
# with subkeys the captured value would contain newlines — confirm.
%/gpg.conf: %/secret.pgp
	rm -f $(addprefix $(dir $@),pubring.gpg secring.gpg trustdb.gpg pubring.kbx private-keys-v1.d/*.key)
	GNUPGHOME=$(dir $@) gpg --import $<
	fpr="$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" && \
	printf "%s:6:\n" "$$fpr" | GNUPGHOME=$(dir $@) gpg --import-ownertrust && \
	printf "default-key %s\n" "$$fpr" > $@
44
# Export the entity's own public key, ASCII-armored, before any CA
# signature is attached. An existing output file is removed first,
# presumably because gpg will not overwrite its --output target.
%/minimal.pgp: %/gpg.conf
	test ! -r $@ || rm $@
	fpr="$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" && \
	GNUPGHOME=$(dir $@) gpg --output $@ --armor --export "$$fpr"
48
# Produce the entity's OpenPGP certificate as signed by the test CA:
# import the entity's public key into the authority keyring, sign it
# there non-interactively (--batch --yes) and export the certified key.
# Import and signing modify the shared authority keyring, which leads
# to race conditions with parallel make; every gpg call on that keyring
# is therefore run under $(GPG_FLOCK) (defined by the including
# Makefile). Building authority/minimal.pgp (instead of just
# authority/gpg.conf) before */cert.pgp avoids having to lock for all
# */minimal.pgp, too.
%/cert.pgp: %/minimal.pgp authority/minimal.pgp
	test ! -r $@ || rm $@
	GNUPGHOME=authority/ $(GPG_FLOCK) gpg --import $<
	fpr="$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" && \
	GNUPGHOME=authority/ $(GPG_FLOCK) gpg --batch --sign-key --no-tty --yes "$$fpr" && \
	GNUPGHOME=authority/ $(GPG_FLOCK) gpg --output $@ --armor --export "$$fpr"
58
# special cases for the authorities' root certs: self-signed with the
# CA's own key. The test CA uses the hostname-substituted template.
authority/x509.pem: authority.template authority/secret.key
	certtool --generate-self-signed --template $< --load-privkey $(word 2,$^) --outfile $@
# The rogue CA is self-signed from the template straight out of
# $(srcdir), i.e. without hostname/IP substitution; it only exists to
# sign certificates the tests must reject.
rogueca/x509.pem: $(srcdir)/rogueca.template rogueca/secret.key
	certtool --generate-self-signed --template $< --load-privkey $(word 2,$^) --outfile $@
64
# Certificate signing request for the entity, from its private key and
# its instantiated template.
%/cert-request: %.template %/secret.key
	certtool --generate-request --template $< --load-privkey $(word 2,$^) --outfile $@
67
# normal case: certificates signed by test CA, issued from the entity's
# request with the authority key and certificate.
%/x509.pem: %.template %/cert-request authority/secret.key authority/x509.pem
	certtool --generate-certificate \
		--load-request $(word 2,$^) \
		--load-ca-privkey authority/secret.key \
		--load-ca-certificate authority/x509.pem \
		--template $< \
		--outfile $@
71
# error case: certificates signed by rogue CA. Both this rule and the
# generic %/x509.pem rule match rogue*/x509.pem; GNU make >= 3.82
# prefers the pattern with the shorter stem, i.e. this one.
# NOTE(review): with an older make the generic rule could win and the
# "rogue" certificate would be signed by the real test CA, turning the
# negative test into a positive one — worth confirming once.
# rogueca/secret.key is not listed as a prerequisite but exists because
# rogueca/x509.pem depends on it.
rogue%/x509.pem: rogue%.template rogue%/cert-request rogueca/x509.pem
	certtool --generate-certificate \
		--load-request $(word 2,$^) \
		--load-ca-privkey rogueca/secret.key \
		--load-ca-certificate rogueca/x509.pem \
		--template $< \
		--outfile $@
75
# SoftHSM (v1) config: one "slot:database" line mapping slot 0 to a
# token database next to the entity's key.
%/softhsm.conf: %/secret.key
	printf '0:%s\n' "$(dir $@)softhsm.db" > $@
78
# Initialise a SoftHSM (v1) token with the entity's key and certificate;
# SOFTHSM_CONF points softhsm.bash at the per-entity config above.
%/softhsm.db: %/x509.pem %/secret.key %/softhsm.conf
	SOFTHSM="$(SOFTHSM)" SOFTHSM_CONF="$(word 3,$^)" \
	$(srcdir)/softhsm.bash init $(word 2,$^) $<
83
# SoftHSM2 config: file-backed object store with the token directory
# next to the entity's key.
%/softhsm2.conf: %/secret.key
	printf 'objectstore.backend = file\ndirectories.tokendir = %s\n' "$(dir $@)softhsm2.db" > $@
87
# Initialise a SoftHSM2 token directory with the entity's key and
# certificate. The target is a directory, created here and populated by
# softhsm.bash via SOFTHSM2_CONF.
# NOTE(review): a directory target's mtime changes whenever its
# contents change, so anything listing it as a normal prerequisite may
# rebuild spuriously.
%/softhsm2.db: %/x509.pem %/secret.key %/softhsm2.conf
	mkdir -p $@
	SOFTHSM="$(SOFTHSM)" SOFTHSM2_CONF="$(word 3,$^)" \
	$(srcdir)/softhsm.bash init $(word 2,$^) $<
93
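# Generate CRL revoking a certain certificate. Currently used to
# revoke the server certificate and check if setting the CRL as
# GnuTLSProxyCRLFile causes the connection to the back end server to
# fail. The CRL is issued by the test CA (authority/), so it only
# makes sense for certificates that CA signed. The per-entity
# %-crl.template comes straight from $(srcdir) (no substitution) and
# is referenced through $^ rather than re-spelled in the recipe, using
# the same $(srcdir) notation as the rest of this file.
%/crl.pem: %/x509.pem $(srcdir)/%-crl.template
	certtool --generate-crl \
		--outfile $@ \
		--load-ca-privkey authority/secret.key \
		--load-ca-certificate authority/x509.pem \
		--load-certificate $< \
		--template $(word 2,$^)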