source: mod_gnutls/test/test_ca.mk @ d70dd6e

Last change on this file since d70dd6e was d70dd6e, checked in by Thomas Klute <thomas2.klute@…>, 3 years ago

ensure cleanup of gpg v2.1 keyrings as well

Depending on the version of gpg, the choice of secret keyring files and
the behavior when exporting secret key material differ.

For example, see https://bugs.gnupg.org/gnupg/issue2324, and note
that secret keys are stored in different locations.

This change allows the test suite to work with all known major
versions of GnuPG.

1#!/usr/bin/make -f
2# Authors:
3# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
4# Thomas Klute <thomas2.klute@uni-dortmund.de>
5
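# Helper used by the %/secret.pgp rule to produce the armor checksum of
# the raw key material (presumably the RFC 4880 CRC-24; see pgpcrc.c).
# Honour the conventional compiler variables instead of hard-coding gcc,
# so the usual `make CC=... CFLAGS=...` overrides work here too.
pgpcrc: pgpcrc.c
	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -o $@ $<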
8
9# General rules to set up a miniature CA & server & client environment
10# for the test suite
11
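# Instantiate a certtool template from its .in source by substituting the
# test host name. The sed expression is single-quoted so a TEST_HOST
# containing whitespace or shell metacharacters cannot be split into extra
# arguments or globbed; it must still not contain '/', the s-command
# delimiter.
%.template: $(srcdir)/%.template.in
	sed 's/__HOSTNAME__/$(TEST_HOST)/' < $< > $@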
14
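# Instantiate an OpenPGP user-ID file from its .in source by substituting
# the test host name. Quoted for the same reason as %.template: a
# TEST_HOST with whitespace or metacharacters must stay one sed argument.
%.uid: $(srcdir)/%.uid.in
	sed 's/__HOSTNAME__/$(TEST_HOST)/' < $< > $@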
17
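# Fresh private key for the entity named by the directory (e.g.
# authority/secret.key). The directory is created with mode 0700. The key
# is generated under umask 077 into a temporary file and then renamed
# into place: a failed certtool run never leaves a truncated key that
# looks up to date, and the key file itself is never group/world readable.
%/secret.key:
	mkdir -p $(@D)
	chmod 0700 $(@D)
	umask 077 && certtool --generate-privkey > $@.tmp && mv -f $@.tmp $@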
22
# Convert the entity's private key into a raw OpenPGP secret key with
# pem2openpgp. The user ID is read from the .uid file; the key is given
# an expiration of 86400 seconds and the authenticate/certify/sign usage
# flags via pem2openpgp's environment knobs.
%/secret.pgp.raw: %.uid %/secret.key
	PEM2OPENPGP_EXPIRATION=86400 \
	PEM2OPENPGP_USAGE_FLAGS=authenticate,certify,sign \
	pem2openpgp "$$(cat $<)" < $(word 2,$^) > $@
25
# Wrap the raw key in ASCII armor by hand: header, base64 body, the
# '='-prefixed armor checksum computed by ./pgpcrc, and footer. A brace
# group (rather than a subshell) collects the pieces so a single
# redirection writes the target; any failing step aborts the chain.
%/secret.pgp: %/secret.pgp.raw pgpcrc
	{ printf -- '-----BEGIN PGP PRIVATE KEY BLOCK-----\nVersion: test\n\n' && \
	  base64 < $< && \
	  printf -- '=' && \
	  ./pgpcrc < $< | base64 && \
	  printf -- '-----END PGP PRIVATE KEY BLOCK-----\n'; } > $@
32
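# Set up a private GnuPG home for the entity: import its key, mark it
# ultimately trusted (ownertrust value 6) and write a gpg.conf selecting
# it as default-key. Existing keyrings are removed first so a previous
# run cannot leave a second key in the store; both the gpg 1.x/2.0 files
# (pubring.gpg, secring.gpg, trustdb.gpg) and the gpg 2.1+ ones
# (pubring.kbx, private-keys-v1.d/) are covered.
# The fingerprint is looked up once and reused rather than running gpg
# three times; the steps after the import are one shell command so the
# variable survives between them.
%/gpg.conf: %/secret.pgp
	rm -f $(@D)/pubring.gpg $(@D)/secring.gpg $(@D)/trustdb.gpg \
	      $(@D)/pubring.kbx $(@D)/private-keys-v1.d/*.key
	GNUPGHOME=$(@D) gpg --import $<
	fpr="$$(GNUPGHOME=$(@D) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" && \
	printf "%s:6:\n" "$$fpr" | GNUPGHOME=$(@D) gpg --import-ownertrust && \
	printf "default-key %s\n" "$$fpr" > $@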
38
# Armored public key of the entity, exported from its own keyring. This
# is the file the authority imports and certifies in the %/cert.pgp rule.
%/minimal.pgp: %/gpg.conf
	GNUPGHOME=$(@D) gpg --output $@ --armor --export \
	  "$$(GNUPGHOME=$(@D) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)"
41
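# Import and signing modify the shared keyring, which leads to race
# conditions with parallel make. Locking avoids this problem.
#
# Have the authority certify the entity's key and export the signed
# public key. The fingerprint is resolved once from the entity's own
# keyring and reused, so the import/sign/export steps cannot disagree;
# the recipe is a single shell command so the variable survives. The
# export only reads, but it also runs under $(GPG_FLOCK) so it never
# observes the authority keyring while another job is rewriting it.
%/cert.pgp: %/minimal.pgp authority/gpg.conf
	fpr="$$(GNUPGHOME=$(@D) gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" && \
	GNUPGHOME=authority $(GPG_FLOCK) gpg --import $< && \
	GNUPGHOME=authority $(GPG_FLOCK) gpg --batch --sign-key --no-tty --yes "$$fpr" && \
	GNUPGHOME=authority $(GPG_FLOCK) gpg --armor --export "$$fpr" > $@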
48
# special cases for the authorities' root certs:
# The test CA's self-signed root. Its template is the generated
# authority.template (hostname substituted), not a file from $(srcdir).
authority/x509.pem: authority.template authority/secret.key
	certtool --generate-self-signed --load-privkey $(word 2,$^) --template $< > $@
# The rogue CA's self-signed root, used by the "error case" rule below.
# Its template is taken from $(srcdir) as-is: no hostname substitution.
rogueca/x509.pem: $(srcdir)/rogueca.template rogueca/secret.key
	certtool --generate-self-signed --load-privkey $(word 2,$^) --template $< > $@
54
# Certificate signing request for the entity, built from its template and
# its private key.
%/cert-request: %.template %/secret.key
	certtool --generate-request --load-privkey $(word 2,$^) --template $< > $@
57
# normal case: certificates signed by test CA
# The CA key and certificate are explicit prerequisites, so any entity
# certificate is re-issued when the authority is regenerated.
%/x509.pem: %.template %/cert-request authority/secret.key authority/x509.pem
	certtool --generate-certificate \
	  --load-ca-certificate authority/x509.pem \
	  --load-ca-privkey authority/secret.key \
	  --load-request $(@D)/cert-request \
	  --template $< \
	  > $@
61
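# error case: certificates signed by rogue CA
# Both this rule and %/x509.pem above match rogue*/x509.pem; GNU make
# 3.82+ prefers the pattern with the shorter stem, so this one wins for
# such targets. NOTE(review): older make picks the first matching rule
# instead; confirm the required make version if that matters.
# rogueca/secret.key is declared as a prerequisite (it was only used
# implicitly before) so the dependency graph matches what the recipe reads.
rogue%/x509.pem: rogue%.template rogue%/cert-request rogueca/x509.pem rogueca/secret.key
	certtool --generate-certificate \
	  --load-ca-certificate rogueca/x509.pem \
	  --load-ca-privkey rogueca/secret.key \
	  --load-request $(@D)/cert-request \
	  --template $< \
	  > $@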
65
# SoftHSM v1 configuration for the entity: one "slot:path" line pointing
# at the entity's softhsm.db.
%/softhsm.conf: %/secret.key
	printf '0:%s\n' '$(@D)/softhsm.db' > $@
68
# Load the entity's key and certificate into a SoftHSM v1 token through
# the helper script; SOFTHSM and SOFTHSM_CONF tell it which binary and
# configuration to use. NOTE(review): the script, not this recipe,
# creates $@ — confirm it writes the path named in softhsm.conf.
%/softhsm.db: %/x509.pem %/secret.key %/softhsm.conf
	SOFTHSM="$(SOFTHSM)" SOFTHSM_CONF="$(word 3,$^)" \
	  $(srcdir)/softhsm.bash init $(word 2,$^) $<
73
# SoftHSM v2 configuration for the entity: a file-backed object store
# whose token directory lives inside the entity's directory.
%/softhsm2.conf: %/secret.key
	printf 'objectstore.backend = file\ndirectories.tokendir = %s\n' \
	  '$(@D)/softhsm2.db' > $@
77
# Load the entity's key and certificate into a SoftHSM v2 token. The
# token directory is created here; the helper script fills it, selected
# via SOFTHSM and SOFTHSM2_CONF.
%/softhsm2.db: %/x509.pem %/secret.key %/softhsm2.conf
	mkdir -p $@
	SOFTHSM="$(SOFTHSM)" SOFTHSM2_CONF="$(word 3,$^)" \
	  $(srcdir)/softhsm.bash init $(word 2,$^) $<
83
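# Generate CRL revoking a certain certificate. Currently used to
# revoke the server certificate and check if setting the CRL as
# GnuTLSProxyCRLFile causes the connection to the back end server to
# fail.
# The CA key and certificate are declared as prerequisites (they were
# only used implicitly before), so the CRL is re-issued whenever the
# authority is regenerated, matching the %/x509.pem rule. Uses
# $(srcdir) like the rest of the file instead of ${srcdir}/$(*).
%/crl.pem: %/x509.pem $(srcdir)/%-crl.template authority/secret.key authority/x509.pem
	certtool --generate-crl \
		--load-ca-privkey authority/secret.key \
		--load-ca-certificate authority/x509.pem \
		--load-certificate $< \
		--template "$(word 2,$^)" \
		> $@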