2 # testdata/Makefile -- for TLS Pool developers
4 # This file creates elements in the testdata/ directory used for testing
5 # and is in fact a requisite for tool/testcli, tool/testsrv, tool/testpeer.
8 # * all -- makes sure you can go ahead
9 # * rebuild-pkcs11 -- wipes your PKCS #11 token (really!) and starts it fresh
10 # * rebuild-cert -- wipes your certificate files and rebuilds them
11 # * rebuild-pgp -- wipes your OpenPGP public keys and rebuilds them
12 # * rebuild-db -- wipes your public credentials databases and refills them
13 # The last four should be run in order; later ones may depend on predecessors.
15 # From: Rick van Rein <rick@openfortress.nl>
20 # The following numbered keys are created here:
22 # 1. test client OpenPGP key: testcli@tlspool.arpa2.lab
23 # 2. test server OpenPGP key: testsrv@tlspool.arpa2.lab
24 # 3. test client certificate: testcli@tlspool.arpa2.lab
25 # 4. test server certificate: testsrv@tlspool.arpa2.lab
26 # 5. test CA certificate: testca@tlspool.arpa2.lab
27 # 6. test on-the-fly signing CA certificate: flying-signer@tlspool.arpa2.lab
28 # 7. test server certificate: tlspool.arpa2.lab
33 # Setting for the configuration file tlspool.conf
34 # Setting of the number of RSA private key bits (radically ignoring 2^n trends)
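# Absolute path of the configuration file, computed once at parse time (:=).
# $(CURDIR) is the directory make is running in, which is what "$(shell pwd)"
# produced, without forking a shell for it.
CONFFILE := $(CURDIR)/../etc/tlspool.conf

# Load a few things from tlspool.conf; these are assumed present while testing.
# Simple assignment (:=) so each sed runs once, not on every reference.
# A key that is absent from the file simply yields an empty value here; that is
# only noticed when a recipe uses the value.
# P11PIN is a secret: the tool commands built from it further down are printed
# by make when a recipe line runs (unless the line is prefixed with "@"), so it
# ends up in build output and logs.
P11PIN := $(shell sed < $(CONFFILE) -n 's/^pkcs11_pin //p')
P11LIB := $(shell sed < $(CONFFILE) -n 's/^pkcs11_path //p')
P11URI := $(shell sed < $(CONFFILE) -n 's/^pkcs11_token pkcs11:/pkcs11:/p')
DMNUSR := $(shell sed < $(CONFFILE) -n 's/^daemon_user //p')
DMNGRP := $(shell sed < $(CONFFILE) -n 's/^daemon_group //p')
BDBENV := $(shell sed < $(CONFFILE) -n 's/^dbenv_dir //p')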
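# Embellish p11tool command; if fixed, provide the PKCS #11 PIN automatically.
# NOTE(review): the conditional around the two sets of definitions is not
# visible in this listing; it is restored from the "if fixed" comment and the
# two alternatives -- confirm against the original file.
# The PIN travels in the GNUTLS_PIN environment variable, so it is not an
# argument of p11tool/certtool itself, but it is part of the command string
# make prints before running a recipe line (and of the "sh -c" command line
# for the parse-time $(shell ...) lookups that use $(P11TOOL)).
ifeq ($(P11PIN),)
P11TOOL  := p11tool --provider $(P11LIB) --login
CERTTOOL := certtool --provider $(P11LIB)
PGPTOOL  := ../tool/pgp11_genkey
else
P11TOOL  := GNUTLS_PIN=$(P11PIN) p11tool --provider $(P11LIB) --login
CERTTOOL := GNUTLS_PIN=$(P11PIN) certtool --provider $(P11LIB)
PGPTOOL  := GNUTLS_PIN=$(P11PIN) ../tool/pgp11_genkey
endif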
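# Establish which private keys need to be generated on the PKCS #11 token
#
# The token is listed once, at parse time, on every make invocation (so also
# for "make clean-..."); this needs the PIN, see P11TOOL.  p11tool prints one
# "URL: pkcs11:..." line per object, and a pkcs11 URL contains no spaces, so
# the URL of key N is the word of that listing carrying "object=objNlabel".
# For each key N: if it is on the token, PRIVKEYN is the URL found there;
# otherwise privkeyN is added to PRIVKEYGEN and PRIVKEYN becomes the URL the
# privkeyN rule will create.  The values contain ";" and must be single-quoted
# wherever a recipe hands them to the shell.
# NOTE(review): the per-key ifeq guards are not visible in this listing; they
# are restored from the paired assignments (lookup, then fallback) per key.
privkeys_on_token := $(shell $(P11TOOL) --list-privkeys '$(P11URI)')

# $(1): key number 1..7
define find-privkey
PRIVKEY$(1) := $$(strip $$(foreach u,$$(privkeys_on_token),$$(if $$(findstring object=obj$(1)label,$$(u)),$$(u))))
ifeq ($$(PRIVKEY$(1)),)
PRIVKEYGEN += privkey$(1)
PRIVKEY$(1) := $$(P11URI);id=%30%3$(1);label=obj$(1)label;type=private
endif
endef
$(foreach n,1 2 3 4 5 6 7,$(eval $(call find-privkey,$(n))))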
# General rules for cleaning and filling (together, rebuilding) parts
#
# What each part produces.  TARGET_PKCS11 is the list of privkeyN targets found
# missing on the token at parse time (see PRIVKEYGEN above); the others are
# files in this directory, TARGET_DBE being the database environment directory.
TARGET_PKCS11 = $(PRIVKEYGEN)
TARGET_CERT   = $(addprefix tlspool-test-,client-cert.der server-cert.der ca-cert.der flying-signer.der webhost-cert.der)
TARGET_PGP    = $(addprefix tlspool-test-,client-pubkey.pgp server-pubkey.pgp)
TARGET_DB     = localid.db disclose.db
TARGET_DBE    = tlspool.env
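.PHONY: all rebuild-pkcs11 rebuild-cert rebuild-pgp rebuild-db
.PHONY: clean-pkcs11 clean-cert clean-pgp clean-db
# fill-* are commands too, not files: without this a stray file named e.g.
# "fill-cert" would make that step silently appear up to date.
.PHONY: fill-pkcs11 fill-cert fill-pgp fill-db
# No refill-* rules appear in this listing; the declaration is kept as found.
.PHONY: refill-pkcs11 refill-cert refill-pgp refill-db
# A recipe that fails part-way (e.g. certtool writing a .der) must not leave a
# truncated target behind that looks up to date on the next run.
.DELETE_ON_ERROR: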
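# This file drives one shared PKCS #11 token and one database environment, and
# the header comment requires the pkcs11 -> cert -> pgp -> db order.  Make only
# honours the order of prerequisites for serial builds, so parallel runs are
# disabled rather than relying on nobody passing -j.
.NOTPARALLEL:

all: fill-pkcs11 fill-cert fill-pgp fill-db

# $(PRIVKEYGEN) -- which privkeyN are missing on the token -- is determined
# when this file is parsed, i.e. before clean-pkcs11 has wiped the token (the
# PRIVKEYn lookups above appear to add only keys that were not found).  A
# fill-pkcs11 in the same invocation would therefore skip every key that
# existed at parse time, so the fill step re-enters make after cleaning.
rebuild-pkcs11: clean-pkcs11
	+$(MAKE) fill-pkcs11
# You should continue with "make rebuild-cert rebuild-pgp rebuild-db"

rebuild-cert: clean-cert fill-cert
# You should continue with "make rebuild-db"

rebuild-pgp: clean-pgp fill-pgp
# You should continue with "make rebuild-db"

rebuild-db: clean-db fill-db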
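# WARNING -- PROCEED WITH CARE
#
# About to wipe your PKCS #11 object store.
# If this is unintended, stop now.
#
# NOTE(review): the "clean-pkcs11:" and "clean-db:" rule headers are not in
# this listing and are restored from the .PHONY list and the recipe text that
# follows each comment; the clean-cert and clean-pgp rules that rebuild-cert /
# rebuild-pgp refer to are not in this listing at all and are not restored.
clean-pkcs11:
	$(P11TOOL) --initialize '$(P11URI)'

# Only the keys found missing at parse time are generated (see PRIVKEYGEN).
fill-pkcs11: $(PRIVKEYGEN)

fill-cert: $(TARGET_CERT)

fill-pgp: $(TARGET_PGP)

# The database environment must not be wiped underneath a running daemon.
# TARGET_DBE is checked for emptiness before anything is removed, because
# "rm -f $(TARGET_DBE)/*" with an empty value would be "rm -f /*".
clean-db:
	if pidof tlspool ; then echo First stop TLS Pool ; exit 1 ; fi
	@: $(if $(strip $(TARGET_DBE)),,$(error TARGET_DBE is empty - refusing to run rm -f /*))
	mkdir -p $(TARGET_DBE)
	rm -f $(TARGET_DBE)/*

# The environment directory only has to exist (order-only prerequisite); its
# mtime changes whenever a database inside it is written.
fill-db: $(TARGET_DB) | $(TARGET_DBE)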
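# Rule for private key generation on the PKCS #11 token
#
# Old: Generate test keys externally and import using SoftHSM-specific tool:
#
# openssl pkcs8 -topk8 -in tlspool-test-client-key.pem -out tlspool-test-client-key-pkcs8.pem -inform pem -outform pem -nocrypt
# openssl pkcs8 -topk8 -in tlspool-test-server-key.pem -out tlspool-test-server-key-pkcs8.pem -inform pem -outform pem -nocrypt
#
# softhsm-util --import tlspool-test-client-key-pkcs8.pem --slot 0 --label 'TLS Pool testdata' --id '6f626a336964'
# softhsm-util --import tlspool-test-server-key-pkcs8.pem --slot 0 --label 'TLS Pool testdata' --id '6f626a346964'
#
# Could alternatively do:
#
# $(P11TOOL) --initialize '$(P11URI)'
# $(P11TOOL) --generate-rsa --bits $(RSABITS) --label objXlabel --id objXid --outfile xxx.pem '$(P11URI)'
#
# The privkeyN targets are phony because the key lives on the token, not in a
# file; fill-pkcs11 therefore asks for $(PRIVKEYGEN), the subset found missing
# at parse time, rather than for all seven.  The key pair is generated on the
# token (--generate-rsa); --outfile=/dev/null discards what p11tool would
# write out, presumably the public half -- the private key never leaves the
# token.  --id=303N is the hex form of the ASCII id "0N", i.e. the id=%30%3N
# in the PRIVKEYn URLs above.  Keys 1 and 2 (OpenPGP) use PGPRSABITS, keys
# 3..7 (X.509) use RSABITS; both are set earlier in the file, outside this
# excerpt.
# NOTE(review): the seven "privkeyN:" rule headers are not in this listing and
# are restored from the .PHONY line and the numbered echo messages.
.PHONY: privkey1 privkey2 privkey3 privkey4 privkey5 privkey6 privkey7

privkey1 privkey2: privkey_bits = $(PGPRSABITS)
privkey3 privkey4 privkey5 privkey6 privkey7: privkey_bits = $(RSABITS)

# $(1): key number; one privkeyN rule is instantiated per key below.
define generate-privkey
privkey$(1):
	@echo 'Generating private key #$(1) on PKCS #11 token'
	$$(P11TOOL) --generate-rsa --bits $$(privkey_bits) --label=obj$(1)label --id=303$(1) --outfile=/dev/null '$$(P11URI)'
endef
$(foreach n,1 2 3 4 5 6 7,$(eval $(call generate-privkey,$(n))))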
# Produce binary DER certificates (without going through the textual "PEM" form)
#
# Every rule also writes a human-readable sibling next to its target (.asc for
# the OpenPGP keys, .pem for the X.509 certificates) via certtool's *-info.
# The OpenPGP rules have no file prerequisites: their input is a private key on
# the PKCS #11 token, referenced by URL, which make cannot track as a file.
# Private keys never leave the token; only their URLs appear in these recipes.

# Key 1: OpenPGP Client Certificate
tlspool-test-client-pubkey.pgp:
	echo Using PRIVKEY1, '$(PRIVKEY1)'
	$(PGPTOOL) $(P11LIB) '$(PRIVKEY1)' 'OpenPGP Test Client <testcli@tlspool.arpa2.lab>' $@
	$(CERTTOOL) --pgp-certificate-info --infile $@ --inraw --outfile $(@:.pgp=.asc)

# Key 2: OpenPGP Server Certificate
tlspool-test-server-pubkey.pgp:
	echo Using PRIVKEY2, '$(PRIVKEY2)'
	$(PGPTOOL) $(P11LIB) '$(PRIVKEY2)' 'OpenPGP Test Server <testsrv@tlspool.arpa2.lab>' $@
	$(CERTTOOL) --pgp-certificate-info --infile $@ --inraw --outfile $(@:.pgp=.asc)

# Keys 3..7: X.509 certificates.  All five are built the same way from their
# <name>.template, so one static pattern rule covers them and the only thing
# that differs -- which token key is used -- is a target-specific variable.
# Note that every one of them, the "server" and "client" leaves included, is
# --generate-self-signed; the test CA (key 5) signs none of them in this file
# (see the TODO below), so a peer has to trust each leaf directly.

# Key 3: X.509 Client Certificate
tlspool-test-client-cert.der: cert_key := PRIVKEY3
# Key 4: X.509 Server Certificate with user@ domain name
tlspool-test-server-cert.der: cert_key := PRIVKEY4
# Key 5: Test CA (for chained certificates)
tlspool-test-ca-cert.der: cert_key := PRIVKEY5
# Key 6: Flying Signer CA (loaded into TLS Pool and automated)
tlspool-test-flying-signer.der: cert_key := PRIVKEY6
# Key 7: X.509 Server Certificate with just a host name
tlspool-test-webhost-cert.der: cert_key := PRIVKEY7

# Name -> URL indirection, resolved at recipe time under the target's cert_key.
cert_key_url = $($(cert_key))

x509_certs := tlspool-test-client-cert.der tlspool-test-server-cert.der \
              tlspool-test-ca-cert.der tlspool-test-flying-signer.der \
              tlspool-test-webhost-cert.der

$(x509_certs): %.der: %.template
	echo Using $(cert_key), '$(cert_key_url)'
	$(CERTTOOL) --outfile $@ --outder --generate-self-signed --load-privkey='$(cert_key_url)' --template=$<
	$(CERTTOOL) --certificate-info --infile $@ --inder --outfile $(@:.der=.pem)

#TODO# # Based on key 5: certificate chain
#TODO# tlspool-test-server-certchain.der: tlspool-test-server-cert.der tlspool-test-ca-cert.der
#TODO# 	cat > $@ tlspool-test-server-cert.der tlspool-test-ca-cert.der
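# Create localid.db from scratch
#
# The chown lines hand the databases and their environment to the daemon's
# user/group, so filling the databases needs enough privilege to chown.
# NOTE(review): the "tlspool.env:" rule header is not in this listing (only its
# chown line is); the rule is restored here and creates the directory itself,
# so it no longer relies on clean-db having run first.

# Expands to a no-op recipe line, or aborts before anything runs when one of
# the values read from tlspool.conf is empty: "chown $(DMNUSR):$(DMNGRP)
# $(BDBENV)/*" with an empty BDBENV would be "chown user:group /* ...".
check_dbenv = $(if $(and $(strip $(BDBENV)),$(strip $(DMNUSR)),$(strip $(DMNGRP))),@:,$(error dbenv_dir/daemon_user/daemon_group must all be set in $(CONFFILE)))

tlspool.env:
	$(check_dbenv)
	mkdir -p $@
	chown $(DMNUSR):$(DMNGRP) $@

# tlspool.env is an order-only prerequisite (after "|"): the directory's mtime
# changes whenever a file inside it is written, which would otherwise refill
# the databases on every run.  The credential files handed to set_localid are
# real prerequisites, so a regenerated certificate or key gets re-registered.
# NOTE(review): whether $(BDBENV) and tlspool.env are the same directory cannot
# be told from this file; it depends on dbenv_dir in tlspool.conf.
localid.db: tlspool-test-client-pubkey.pgp tlspool-test-server-pubkey.pgp \
            tlspool-test-client-cert.der tlspool-test-server-cert.der \
            tlspool-test-webhost-cert.der | tlspool.env
	$(check_dbenv)
	../tool/set_localid $(CONFFILE) testcli@tlspool.arpa2.lab OpenPGP,client '$(PRIVKEY1)' tlspool-test-client-pubkey.pgp
	../tool/set_localid $(CONFFILE) testsrv@tlspool.arpa2.lab OpenPGP,server '$(PRIVKEY2)' tlspool-test-server-pubkey.pgp
	../tool/set_localid $(CONFFILE) testcli@tlspool.arpa2.lab x.509,client '$(PRIVKEY3)' tlspool-test-client-cert.der
	../tool/set_localid $(CONFFILE) testsrv@tlspool.arpa2.lab x.509,server '$(PRIVKEY4)' tlspool-test-server-cert.der
	../tool/set_localid $(CONFFILE) tlspool.arpa2.lab x.509,server,client '$(PRIVKEY7)' tlspool-test-webhost-cert.der
	chown $(DMNUSR):$(DMNGRP) $(BDBENV)/* $@

disclose.db: localid.db | tlspool.env
	$(check_dbenv)
	../tool/set_disclose $(CONFFILE) @.arpa2.lab testcli@tlspool.arpa2.lab testsrv@tlspool.arpa2.lab
	../tool/set_disclose $(CONFFILE) . tlspool.arpa2.lab
	chown $(DMNUSR):$(DMNGRP) $(BDBENV)/* $@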