source: mod_gnutls/test/test_ca.mk @ a0161fe

Last change on this file since a0161fe was a0161fe, checked in by Thomas Klute <thomas2.klute@…>, 3 years ago

Test suite: Include OCSP URI in server & client certificates if enabled

#!/usr/bin/make -f
# Authors:
# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
# Thomas Klute <thomas2.klute@uni-dortmund.de>

# General rules to set up a miniature CA & server & client environment
# for the test suite

# Instantiate a certtool template from its .in file in $(srcdir):
# substitute the test host name, and when OCSP_PORT is set also
# uncomment the "### ocsp" lines and fill in the port number.
%.template: $(srcdir)/%.template.in
	sed -e 's/__HOSTNAME__/$(TEST_HOST)/' $< > $@
	if test -n "$(OCSP_PORT)"; then \
		sed -i -e 's/^### ocsp/ocsp/' -e 's/__OCSP_PORT__/$(OCSP_PORT)/' $@; \
	fi
# OpenPGP user ID file for the stem: the .in file from $(srcdir) with
# the test host name substituted.
%.uid: $(srcdir)/%.uid.in
	sed -e 's/__HOSTNAME__/$(TEST_HOST)/' $< > $@
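# Create a fresh private key for the directory named by the stem.
# The directory is made mode 0700, and the key itself is written under
# umask 077 (inside a subshell so mkdir/chmod are unaffected) so the
# file is never readable by other users regardless of the caller's
# umask. certtool writes to a temporary name first and the result is
# renamed into place, so a failed run cannot leave an empty $@ that
# make would treat as up to date.
%/secret.key:
	mkdir -p $(@D)
	chmod 0700 $(@D)
	(umask 077 && certtool --generate-privkey > $@.tmp) && mv -f $@.tmp $@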
# Build a GnuPG keyring in the stem directory from its secret key:
# remove any stale keyring files so a rerun starts clean, convert the
# PEM key to an OpenPGP key with pem2openpgp (user ID read from the
# .uid file, one-day expiry, authenticate/certify/sign usage) and
# import it, then set ownertrust level 6 (ultimate) on its fingerprint.
%/secring.gpg: %.uid %/secret.key
	rm -f $(@D)/pubring.gpg $(@D)/secring.gpg $(@D)/trustdb.gpg
	PEM2OPENPGP_EXPIRATION=86400 PEM2OPENPGP_USAGE_FLAGS=authenticate,certify,sign \
		pem2openpgp "$$(cat $<)" < $(@D)/secret.key \
		| GNUPGHOME=$(@D)/ gpg --import
	fpr="$$(GNUPGHOME=$(@D)/ gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" \
		&& printf "%s:6:\n" "$$fpr" | GNUPGHOME=$(@D)/ gpg --import-ownertrust
# gpg.conf for the stem directory's GNUPGHOME: selects the keyring's
# secret key, identified by fingerprint, as default-key.
%/gpg.conf: %/secring.gpg
	fpr="$$(GNUPGHOME=$(@D)/ gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" \
		&& printf "default-key %s\n" "$$fpr" > $@
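# Export the stem directory's OpenPGP secret key in ASCII armor.
# The output holds private key material, so it is written under
# umask 077 (the directory itself is already mode 0700) and through a
# temporary file, so an aborted export cannot leave a truncated $@
# that make would consider up to date.
%/secret.pgp: %/secring.gpg
	fpr="$$(GNUPGHOME=$(@D)/ gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" \
		&& (umask 077 && GNUPGHOME=$(@D)/ gpg --armor --batch --no-tty --yes --export-secret-key "$$fpr" > $@.tmp) \
		&& mv -f $@.tmp $@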
# Armored export of the stem's public key straight from its own
# keyring, i.e. before the test authority has certified it.
%/minimal.pgp: %/secring.gpg
	fpr="$$(GNUPGHOME=$(@D)/ gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" \
		&& GNUPGHOME=$(@D)/ gpg --armor --export "$$fpr" > $@
# Have the test authority certify the stem's OpenPGP key: import the
# public key into the authority keyring, sign it there, and export the
# now authority-signed key. Import and signing modify the authority's
# shared keyring, which races under parallel make, so both run under
# $(GPG_FLOCK); the final export only reads the keyring and is
# unlocked. The fingerprint is taken from the stem's own keyring,
# which the authority-side steps do not touch.
%/cert.pgp: %/minimal.pgp authority/gpg.conf
	fpr="$$(GNUPGHOME=$(@D)/ gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" \
		&& GNUPGHOME=authority $(GPG_FLOCK) gpg --import $< \
		&& GNUPGHOME=authority $(GPG_FLOCK) gpg --batch --sign-key --no-tty --yes "$$fpr" \
		&& GNUPGHOME=authority gpg --armor --export "$$fpr" > $@
# Special cases for the two CAs' root certificates: these are
# self-signed rather than issued by the test authority. The rogue CA
# uses its template from $(srcdir) as-is, not a generated %.template.
authority/x509.pem: authority.template authority/secret.key
	certtool --generate-self-signed --load-privkey $(word 2,$^) --template $< > $@
rogueca/x509.pem: $(srcdir)/rogueca.template rogueca/secret.key
	certtool --generate-self-signed --load-privkey $(word 2,$^) --template $< > $@
# Certificate signing request for the stem's key, built from its
# generated template.
%/cert-request: %.template %/secret.key
	certtool --generate-request --load-privkey $(word 2,$^) --template $< > $@
# Normal case: the stem's certificate is issued by the test authority
# from its request and template. The CA key and root certificate are
# explicit prerequisites so they exist before certtool runs.
%/x509.pem: %.template %/cert-request authority/secret.key authority/x509.pem
	certtool --generate-certificate \
		--load-ca-certificate authority/x509.pem \
		--load-ca-privkey authority/secret.key \
		--load-request $(word 2,$^) \
		--template $< > $@
# Error case: rogue*/ certificates are issued by the rogue CA instead
# of the test authority, so they must fail validation. Both this rule
# and the general %/x509.pem rule match such targets; GNU make (3.82
# and later, as far as I know) picks the shorter stem, i.e. this one.
# rogueca/secret.key is not listed as a prerequisite: it is produced
# on the way to rogueca/x509.pem, which is.
rogue%/x509.pem: rogue%.template rogue%/cert-request rogueca/x509.pem
	certtool --generate-certificate \
		--load-ca-certificate rogueca/x509.pem \
		--load-ca-privkey rogueca/secret.key \
		--load-request $(word 2,$^) \
		--template $< > $@
# SoftHSM (v1) configuration for the stem: a single line naming the
# token database, presumably in SoftHSM's "slot:dbfile" format.
%/softhsm.conf: %/secret.key
	printf '0:%s\n' '$(@D)/softhsm.db' > $@
# Initialise a SoftHSM (v1) token holding the stem's key and
# certificate via the helper script in $(srcdir). The helper is
# expected to create the database named in softhsm.conf (i.e. $@);
# that happens inside the script, not here.
%/softhsm.db: %/x509.pem %/secret.key %/softhsm.conf
	env SOFTHSM="$(SOFTHSM)" SOFTHSM_CONF="$(@D)/softhsm.conf" \
		$(srcdir)/softhsm.bash init $(word 2,$^) $<
# SoftHSM v2 configuration for the stem: file-backed object store
# with the token directory inside the stem directory.
%/softhsm2.conf: %/secret.key
	printf '%s\n' 'objectstore.backend = file' 'directories.tokendir = $(@D)/softhsm2.db' > $@
# Initialise a SoftHSM v2 token holding the stem's key and certificate.
# Unlike the v1 case the target is the token directory itself, which
# is created here and then populated by the helper script; its mtime
# is what make compares against the prerequisites.
%/softhsm2.db: %/x509.pem %/secret.key %/softhsm2.conf
	mkdir -p $@
	env SOFTHSM="$(SOFTHSM)" SOFTHSM2_CONF="$(@D)/softhsm2.conf" \
		$(srcdir)/softhsm.bash init $(word 2,$^) $<
# Generate a CRL, signed by the test authority, that revokes the
# stem's certificate. Currently used to revoke the server certificate
# and check that configuring it as GnuTLSProxyCRLFile makes the
# connection to the back end server fail. The authority key and root
# certificate are not prerequisites here; they are produced on the
# way to %/x509.pem, which is.
%/crl.pem: %/x509.pem $(srcdir)/%-crl.template
	certtool --generate-crl \
		--load-ca-privkey authority/secret.key \
		--load-ca-certificate authority/x509.pem \
		--load-certificate $< \
		--template "$(word 2,$^)" > $@