source: mod_gnutls/test/test_ca.mk @ 3deb86e

Last change on this file since 3deb86e was 7cfc02b, checked in by Fiona Klute <fiona.klute@…>, 17 months ago

Test suite: Add an OCSP responder for the sub CA

All CAs use the same server as their OCSP responders. The OCSP URI now
includes the CA identity so the server can select the correct CA when
generating the response.

#!/usr/bin/make -f
# Authors:
# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
# Fiona Klute <fiona.klute@gmx.de>

# General rules to set up a miniature CA & server & client environment
# for the test suite

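# Fill in the certificate template for the directory named by the stem:
# host name, OCSP URI and the IP addresses the test host listens on.
#
# The OCSP URI gets the directory part of the stem appended so the
# responder can tell which CA the certificate belongs to. For a stem
# without a directory part (e.g. "server") $(dir $*) expands to "./" --
# NOTE(review): confirm the responder maps that to the root CA.
#
# Every edit is made on $@.tmp, which is only renamed to $@ once all
# steps succeeded, so a failing sed (GNU sed -i syntax) never leaves a
# half-filled template that looks up to date on the next run.
%/template: $(srcdir)/%/template.in
	@mkdir -m 0700 -p $(@D)
	sed s/__HOSTNAME__/$(TEST_HOST)/ < $< > $@.tmp
	sed -i -e "s,__OCSP_URI__,$(OCSP_URI_TEMPLATE)$(dir $(*))," $@.tmp
	IP_ADDRS=""; \
	for i in $(patsubst [%],%,$(TEST_IP)); do \
		IP_ADDRS="$${IP_ADDRS}\nip_address = $${i}"; \
	done; \
	sed -i -e "s,__IP_ADDRESSES__,$${IP_ADDRS#\\n}," $@.tmp
	mv -f $@.tmp $@
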
# Substitute the test host name into the OpenPGP user ID template.
%/uid: $(srcdir)/%/uid.in
	@mkdir -m 0700 -p $(@D)
	sed -e s/__HOSTNAME__/$(TEST_HOST)/ $< > $@

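# Generate a fresh private key for the directory named by the stem.
# The 0700 directory is what keeps the key away from other users.
# The key is written to $@.tmp first: this rule has no prerequisites,
# so a truncated $@ left behind by an interrupted certtool would never
# be regenerated and would break every certificate derived from it.
%/secret.key:
	@mkdir -m 0700 -p $(@D)
	certtool --outfile $@.tmp --generate-privkey
	mv -f $@.tmp $@

# Keys are intermediate files of the pattern chain; keep them instead
# of letting make delete and regenerate them (presumably so the
# derived certificates stay stable across runs).
.PRECIOUS: %/secret.key
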
# Wrap the private key from %/secret.key as a raw OpenPGP secret key
# (via pem2openpgp) carrying the user ID read from %/uid, with usage
# flags for authentication, certification and signing.
%/secret.pgp.raw: %/uid %/secret.key
	PEM2OPENPGP_USAGE_FLAGS=authenticate,certify,sign \
	  pem2openpgp "$$(cat $<)" < $(word 2,$^) > $@

# ASCII-armor the raw OpenPGP secret key: header lines, the base64
# body, "=" followed by the base64-encoded armor checksum computed by
# ./pgpcrc, and the footer line. The whole group is redirected to $@
# in one go, and the && chain makes the rule fail if any step fails.
%/secret.pgp: %/secret.pgp.raw pgpcrc
	{ \
	  printf -- '-----BEGIN PGP PRIVATE KEY BLOCK-----\nVersion: test\n\n' && \
	  base64 < $< && \
	  printf -- '=' && \
	  ./pgpcrc < $< | base64 && \
	  printf -- '-----END PGP PRIVATE KEY BLOCK-----\n'; \
	} > $@

# Set up a private GnuPG home directory next to the key: remove any
# keyring state left over from a previous run, import the armored
# secret key, mark its fingerprint as trusted (level 6 in
# --import-ownertrust format, i.e. ultimate trust) and write a
# gpg.conf that selects it as the default key. Every gpg call is
# pointed at this directory via GNUPGHOME so the user's own keyring is
# never touched. The fingerprint lookup is repeated per command
# because each recipe line runs in its own shell.
%/gpg.conf: %/secret.pgp
	rm -f $(dir $@)pubring.gpg $(dir $@)secring.gpg $(dir $@)trustdb.gpg $(dir $@)pubring.kbx $(dir $@)private-keys-v1.d/*.key
	GNUPGHOME=$(dir $@) gpg --import $<
	printf "%s:6:\n" "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
	printf "default-key %s\n" "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > $@

# Export the public part of the key in the stem's GnuPG home as an
# armored OpenPGP certificate. A previous export is removed first,
# presumably because gpg --output does not overwrite an existing file.
%/minimal.pgp: %/gpg.conf
	test ! -r $@ || rm $@
	GNUPGHOME=$(dir $@) gpg --output $@ --armor --export \
	  "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"

# Import and signing modify the shared keyring, which leads to race
# conditions with parallel make. Locking avoids this problem. Building
# authority/minimal.pgp (instead of just authority/gpg.conf) before
# */cert.pgp avoids having to lock for all */minimal.pgp, too.
#
# Produce the OpenPGP certificate for the stem's key as signed by the
# test authority: import the exported public key into the authority
# keyring, sign it there non-interactively (--batch --no-tty --yes),
# then export the now-signed key to $@. $(GPG_FLOCK) is defined
# outside this file; presumably the lock wrapper mentioned above that
# serialises the gpg calls on the authority keyring. The fingerprint
# is looked up in the stem's own GNUPGHOME, populated by %/gpg.conf.
%/cert.pgp: %/minimal.pgp authority/minimal.pgp
	if test -r $@; then rm $@; fi
	GNUPGHOME=authority/ $(GPG_FLOCK) gpg --import $<
	GNUPGHOME=authority/ $(GPG_FLOCK) gpg --batch --sign-key --no-tty --yes "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
	GNUPGHOME=authority/ $(GPG_FLOCK) gpg --output $@ --armor --export "$$(GNUPGHOME=$(dir $@) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"

# Root CAs (the test authority and the rogue CA used for error cases)
# are self-signed, so there is no parent directory to load a CA from,
# and their chain file is just a copy of the certificate itself.
# Both variables are recursively expanded on purpose: they refer to
# the automatic variables of the rule that uses them.
root_cert_rule = certtool --outfile $@ --generate-self-signed \
  --load-privkey $(dir $@)secret.key --template $<
root_chain_rule = cp $< $@

# Static pattern rules: they take precedence over the generic
# %/x509.pem rule below, which would otherwise try to sign these
# certificates with a CA in the parent directory.
authority/x509.pem rogueca/x509.pem: %/x509.pem: %/template %/secret.key
	$(root_cert_rule)

authority/x509-chain.pem rogueca/x509-chain.pem: %/x509-chain.pem: %/x509.pem
	$(root_chain_rule)

# Recipes for a certificate signed by the CA in the parent directory.
# The CA certificate and key are located relative to the target, the
# subject's own key sits next to it, and the template is the rule's
# first prerequisite. The chain is the certificate followed by the
# parent's chain. Recursively expanded: both use the automatic
# variables of the rule that references them.
cert_rule = certtool --outfile $@ --generate-certificate \
  --load-ca-certificate $(dir $@)../x509.pem \
  --load-ca-privkey $(dir $@)../secret.key \
  --load-privkey $(dir $@)secret.key \
  --template $<
chain_rule = cat $< $(dir $@)../x509-chain.pem > $@

# Certificates signed directly by the test root CA. The root key and
# certificate are prerequisites, so a regenerated root re-signs every
# certificate derived from it.
%/x509.pem: %/template %/secret.key \
  authority/secret.key authority/x509.pem
	$(cert_rule)

# Chain file: the certificate followed by the root's chain.
%/x509-chain.pem: %/x509.pem \
  authority/x509-chain.pem
	$(chain_rule)

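# Certificates signed by the test sub CA (authority/subca). The sub
# CA's key is listed explicitly, matching the root-signed rule above:
# $(cert_rule) reads $(dir $@)../secret.key, so make should know about
# that edge directly rather than only via authority/subca/x509.pem.
authority/subca/%/x509.pem: authority/subca/%/template authority/subca/%/secret.key \
  authority/subca/secret.key authority/subca/x509.pem
	$(cert_rule)

# Chain file: the certificate followed by the sub CA's chain.
authority/subca/%/x509-chain.pem: authority/subca/%/x509.pem authority/subca/x509-chain.pem
	$(chain_rule)
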
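# Certificates signed by the rogue CA (for error cases). As for the
# root-signed rule, the CA key the recipe reads via
# $(dir $@)../secret.key is declared as a prerequisite. No chain rule
# is defined for these certificates.
rogueca/%/x509.pem: rogueca/%/template rogueca/%/secret.key \
  rogueca/secret.key rogueca/x509.pem
	$(cert_rule)
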
# SoftHSM v1 configuration: slot 0 backed by the softhsm.db file in
# the same directory.
%/softhsm.conf: %/secret.key
	printf '0:%s\n' "$(dir $@)softhsm.db" > $@

# Initialise a SoftHSM v1 token holding the stem's key and
# certificate. softhsm.bash receives the softhsm binary and config
# file through the environment; the prerequisites are, in order,
# certificate, key and config.
%/softhsm.db: %/x509.pem %/secret.key %/softhsm.conf
	env SOFTHSM="$(SOFTHSM)" SOFTHSM_CONF="$(word 3,$^)" \
	  $(srcdir)/softhsm.bash init $(word 2,$^) $<

# SoftHSM v2 configuration: file-backed object store with the token
# directory softhsm2.db next to the key.
%/softhsm2.conf: %/secret.key
	printf 'objectstore.backend = file\ndirectories.tokendir = %s\n' \
	  "$(dir $@)softhsm2.db" > $@

# Initialise a SoftHSM v2 token holding the stem's key and
# certificate. The token store is a directory, recreated from scratch
# on every build. softhsm.bash receives the softhsm binary and config
# file through the environment; the prerequisites are, in order,
# certificate, key and config.
%/softhsm2.db: %/x509.pem %/secret.key %/softhsm2.conf
	rm -rf $@
	mkdir -p $@
	env SOFTHSM="$(SOFTHSM)" SOFTHSM2_CONF="$(word 3,$^)" \
	  $(srcdir)/softhsm.bash init $(word 2,$^) $<

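# Generate a CRL revoking the certificate in the stem's directory,
# signed by the test root CA. Currently used to revoke the server
# certificate and check if setting the CRL as GnuTLSProxyCRLFile
# causes the connection to the back end server to fail.
#
# The root key and certificate are declared as prerequisites (as for
# %/x509.pem above) because the recipe reads them, and the template
# is taken from $^ instead of being rebuilt from $(srcdir) and the
# stem.
%/crl.pem: %/x509.pem $(srcdir)/%/crl.template \
  authority/secret.key authority/x509.pem
	certtool --generate-crl \
		--outfile $@ \
		--load-ca-privkey authority/secret.key \
		--load-ca-certificate authority/x509.pem \
		--load-certificate $< \
		--template "$(word 2,$^)"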