# # testdata/Makefile -- for TLS Pool developers # # This file creates elements in the testdata/ directory used for testing # and is in fact a requisite for tool/testcli, tool/testsrv, tool/testpeer. # # Targets of interest: # * all -- makes sure you can go ahead # * rebuild-pkcs11 -- wipes your PKCS #11 token (really!) and starts it fresh # * rebuild-cert -- wipes your certificate files and rebuilds them # * rebuild-pgp -- wipes your OpenPGP public keys and rebuilds them # * rebuild-db -- wipes your public credentials databases and refills them # The last four should be run in order; later ones may depend on predecessors. # # From: Rick van Rein # # # The following numbered keys are created here: # # 1. test client OpenPGP key: testcli@tlspool.arpa2.lab # 2. test server OpenPGP key: testsrv@tlspool.arpa2.lab # 3. test client certificate: testcli@tlspool.arpa2.lab # 4. test server certificate: testsrv@tlspool.arpa2.lab # 5. test CA certificate: testca@tlspool.arpa2.lab # 6. test on-the-fly signing CA certificate: flying-signer@tlspool.arpa2.lab # 7. test server certificate: tlspool.arpa2.lab # # # Setting for the configuration file tlspool.conf # Setting of the number of RSA private key bits (radically ignoring 2^n trends) # CONFFILE ?= $(shell pwd)/../etc/tlspool.conf RSABITS ?= 2048 PGPRSABITS ?= 2048 # # The directory with tools, defaulting to ../tool in the git base # Note that testdata is meant for developers, so assuming git is usually the best # TOOLDIR ?= $(shell pwd)/../build/tool # # Load a few things from tlspool.conf; these are assumed present while testing # P11PIN=$(shell sed < $(CONFFILE) -n 's/^pkcs11_pin //p') P11LIB=$(shell sed < $(CONFFILE) -n 's/^pkcs11_path //p') P11URI=$(shell sed < $(CONFFILE) -n 's/^pkcs11_token pkcs11:/pkcs11:/p') DMNUSR=$(shell sed < $(CONFFILE) -n 's/^daemon_user //p') DMNGRP=$(shell sed < $(CONFFILE) -n 's/^daemon_group //p') BDBENV=$(shell sed < $(CONFFILE) -n 's/^dbenv_dir //p') # # Embellish p11tool command; if fixed, provide the PKCS #11 PIN automatically # ifeq ($(P11PIN),) P11TOOL=p11tool --provider $(P11LIB) --login CERTTOOL=certtool --provider $(P11LIB) PGPTOOL=$(TOOLDIR)/pgp11-genkey else P11TOOL=GNUTLS_PIN=$(P11PIN) p11tool --provider $(P11LIB) --login CERTTOOL=GNUTLS_PIN=$(P11PIN) certtool --provider $(P11LIB) PGPTOOL=GNUTLS_PIN=$(P11PIN) $(TOOLDIR)/pgp11-genkey endif # # Establish which private keys need to be generated on the PKCS #11 token # PRIVKEY1=$(shell $(P11TOOL) --list-privkeys '$(P11URI)' | sed -e '/object=obj1label/!d' -e 's/^[ \t]*URL: //') ifeq ($(PRIVKEY1),) PRIVKEYGEN += privkey1 PRIVKEY1=$(P11URI);id=%30%31;object=obj1label;type=private endif PRIVKEY2=$(shell $(P11TOOL) --list-privkeys '$(P11URI)' | sed -e '/object=obj2label/!d' -e 's/^[ \t]*URL: //') ifeq ($(PRIVKEY2),) PRIVKEYGEN += privkey2 PRIVKEY2=$(P11URI);id=%30%32;object=obj2label;type=private endif PRIVKEY3=$(shell $(P11TOOL) --list-privkeys '$(P11URI)' | sed -e '/object=obj3label/!d' -e 's/^[ \t]*URL: //') ifeq ($(PRIVKEY3),) PRIVKEYGEN += privkey3 PRIVKEY3=$(P11URI);id=%30%33;object=obj3label;type=private endif PRIVKEY4=$(shell $(P11TOOL) --list-privkeys '$(P11URI)' | sed -e '/object=obj4label/!d' -e 's/^[ \t]*URL: //') ifeq ($(PRIVKEY4),) PRIVKEYGEN += privkey4 PRIVKEY4=$(P11URI);id=%30%34;object=obj4label;type=private endif PRIVKEY5=$(shell $(P11TOOL) --list-privkeys '$(P11URI)' | sed -e '/object=obj5label/!d' -e 's/^[ \t]*URL: //') ifeq ($(PRIVKEY5),) PRIVKEYGEN += privkey5 PRIVKEY5=$(P11URI);id=%30%35;object=obj5label;type=private endif PRIVKEY6=$(shell $(P11TOOL) --list-privkeys '$(P11URI)' | sed -e '/object=obj6label/!d' -e 's/^[ \t]*URL: //') ifeq ($(PRIVKEY6),) PRIVKEYGEN += privkey6 PRIVKEY6=$(P11URI);id=%30%36;object=obj6label;type=private endif PRIVKEY7=$(shell $(P11TOOL) --list-privkeys '$(P11URI)' | sed -e '/object=obj7label/!d' -e 's/^[ \t]*URL: //') ifeq ($(PRIVKEY7),) PRIVKEYGEN += privkey7 PRIVKEY7=$(P11URI);id=%30%37;object=obj7label;type=private endif PRIVKEY8=$(shell $(P11TOOL) --list-privkeys '$(P11URI)' | sed -e '/object=obj8label/!d' -e 's/^[ \t]*URL: //') ifeq ($(PRIVKEY8),) PRIVKEYGEN += privkey8 PRIVKEY8=$(P11URI);id=%30%38;object=obj8label;type=private endif # # General rules for cleaning and filling (together, rebuilding) parts # TARGET_PKCS11=$(PRIVKEYGEN) TARGET_CERT=tlspool-test-client-cert.der tlspool-test-server-cert.der tlspool-test-ca-cert.der tlspool-test-flying-signer.der tlspool-test-webhost-cert.der tlspool-test-playground-cert.der tlspool-test-srp TARGET_PGP=tlspool-test-client-pubkey.pgp tlspool-test-server-pubkey.pgp TARGET_DB=localid.db disclose.db trust.db TARGET_DBE=tlspool.env .PHONY: all rebuild-pkcs11 rebuild-cert rebuild-pgp rebuild-db .PHONY: clean-pkcs11 clean-cert clean-pgp clean-db .PHONY: refill-pkcs11 refill-cert refill-pgp refill-db all: fill-pkcs11 fill-cert fill-pgp fill-db rebuild-pkcs11: clean-pkcs11 fill-pkcs11 # # You should continue with "make rebuild-cert rebuild-pgp rebuild-db" # rebuild-cert: clean-cert fill-cert # # You should continue with "make rebuild-db" # rebuild-pgp: clean-pgp fill-pgp # # You should continue with "make rebuild-db" # rebuild-db: clean-db fill-db clean-pkcs11: # # WARNING -- PROCEED WITH CARE # # About to wipe your PKCS #11 object store. # If this is unintended, stop now. # $(P11TOOL) --initialize '$(P11URI)' fill-pkcs11: $(PRIVKEYGEN) clean-cert: rm -f $(TARGET_CERT) fill-cert: $(TARGET_CERT) clean-pgp: rm -f $(TARGET_PGP) fill-pgp: $(TARGET_PGP) clean-db: if pidof tlspool ; then echo First stop TLS Pool ; exit 1 ; fi rm -f $(TARGET_DB) mkdir -p $(TARGET_DBE) rm -f $(TARGET_DBE)/* rmdir $(TARGET_DBE) fill-db: $(TARGET_DBE) $(TARGET_DB) # # Rule for private key generation on the PKCS #11 token # # Old: Generate test keys externally and import using SoftHSM-specific tool: # # openssl pkcs8 -topk8 -in tlspool-test-client-key.pem -out tlspool-test-client-key-pkcs8.pem -inform pem -outform pem -nocrypt # openssl pkcs8 -topk8 -in tlspool-test-server-key.pem -out tlspool-test-server-key-pkcs8.pem -inform pem -outform pem -nocrypt # # softhsm-util --import tlspool-test-client-key-pkcs8.pem --slot 0 --label 'TLS Pool testdata' --id '6f626a336964' # softhsm-util --import tlspool-test-server-key-pkcs8.pem --slot 0 --label 'TLS Pool testdata' --id '6f626a346964' # # Could alternatively do: # # $(P11TOOL) --initialize '$(P11URI)' # $(P11TOOL) --generate-rsa --bits $(RSABITS) --label objXlabel --id objXid --outfile xxx.pem '$(P11URI)' # ... .PHONY: privkey1 privkey2 privkey3 privkey4 privkey5 privkey6 privkey7 privkey8 privkey1: @echo 'Generating private key #1 on PKCS #11 token' $(P11TOOL) --generate-rsa --bits $(PGPRSABITS) --label=obj1label --id=3031 --outfile=/dev/null '$(P11URI)' privkey2: @echo 'Generating private key #2 on PKCS #11 token' $(P11TOOL) --generate-rsa --bits $(PGPRSABITS) --label=obj2label --id=3032 --outfile=/dev/null '$(P11URI)' privkey3: @echo 'Generating private key #3 on PKCS #11 token' $(P11TOOL) --generate-rsa --bits $(RSABITS) --label=obj3label --id=3033 --outfile=/dev/null '$(P11URI)' privkey4: @echo 'Generating private key #4 on PKCS #11 token' $(P11TOOL) --generate-rsa --bits $(RSABITS) --label=obj4label --id=3034 --outfile=/dev/null '$(P11URI)' privkey5: @echo 'Generating private key #5 on PKCS #11 token' $(P11TOOL) --generate-rsa --bits $(RSABITS) --label=obj5label --id=3035 --outfile=/dev/null '$(P11URI)' privkey6: @echo 'Generating private key #6 on PKCS #11 token' $(P11TOOL) --generate-rsa --bits $(RSABITS) --label=obj6label --id=3036 --outfile=/dev/null '$(P11URI)' privkey7: @echo 'Generating private key #7 on PKCS #11 token' $(P11TOOL) --generate-rsa --bits $(RSABITS) --label=obj7label --id=3037 --outfile=/dev/null '$(P11URI)' privkey8: @echo 'Generating private key #8 on PKCS #11 token' $(P11TOOL) --generate-rsa --bits $(RSABITS) --label=obj8label --id=3038 --outfile=/dev/null '$(P11URI)' # # Produce binary DER certificates (without going through the textual "PEM" form) # # Key 1: OpenPGP Client Certificate tlspool-test-client-pubkey.pgp: echo Using PRIVKEY1, '$(PRIVKEY1)' $(PGPTOOL) $(P11LIB) '$(PRIVKEY1)' 'OpenPGP Test Client ' $@ $(CERTTOOL) --pgp-certificate-info --infile $@ --inraw --outfile $(@:.pgp=.asc) # Key 2: OpenPGP Server Certificate tlspool-test-server-pubkey.pgp: echo Using PRIVKEY2, '$(PRIVKEY2)' $(PGPTOOL) $(P11LIB) '$(PRIVKEY2)' 'OpenPGP Test Server ' $@ $(CERTTOOL) --pgp-certificate-info --infile $@ --inraw --outfile $(@:.pgp=.asc) # Key 3: X.509 Client Certificate tlspool-test-client-cert.der: tlspool-test-client-cert.template tlspool-test-ca-cert.der echo Using PRIVKEY3, '$(PRIVKEY3)' $(CERTTOOL) --outfile $@ --outder --generate-certificate --load-ca-certificate=tlspool-test-ca-cert.pem --load-ca-privkey='$(PRIVKEY5)' --load-privkey='$(PRIVKEY3)' --template=$< $(CERTTOOL) --certificate-info --infile $@ --inder --outfile $(@:.der=.pem) # Key 4: X.509 Server Certificate with user@ domain name tlspool-test-server-cert.der: tlspool-test-server-cert.template tlspool-test-ca-cert.der echo Using PRIVKEY4, '$(PRIVKEY4)' $(CERTTOOL) --outfile $@ --outder --generate-certificate --load-ca-certificate=tlspool-test-ca-cert.pem --load-ca-privkey='$(PRIVKEY5)' --load-privkey='$(PRIVKEY4)' --template=$< $(CERTTOOL) --certificate-info --infile $@ --inder --outfile $(@:.der=.pem) # Key 5: Test CA (for chained certificates) tlspool-test-ca-cert.der: tlspool-test-ca-cert.template echo Using PRIVKEY5, '$(PRIVKEY5)' $(CERTTOOL) --outfile $@ --outder --generate-self-signed --load-privkey='$(PRIVKEY5)' --template=$< $(CERTTOOL) --certificate-info --infile $@ --inder --outfile $(@:.der=.pem) #TODO# # Based on key 5: certificate chain #TODO# tlspool-test-server-certchain.der: tlspool-test-server-cert.der tlspool-test-ca-cert.der #TODO# cat > $@ tlspool-test-server-cert.der tlspool-test-ca-cert.der # Key 6: Flying Signer CA (loaded into TLS Pool and automated) tlspool-test-flying-signer.der: tlspool-test-flying-signer.template echo Using PRIVKEY6, '$(PRIVKEY6)' $(CERTTOOL) --outfile $@ --outder --generate-self-signed --load-privkey='$(PRIVKEY6)' --template=$< $(CERTTOOL) --certificate-info --infile $@ --inder --outfile $(@:.der=.pem) # Key 7: X.509 Server Certificate with just a host name tlspool-test-webhost-cert.der: tlspool-test-webhost-cert.template tlspool-test-ca-cert.der echo Using PRIVKEY7, '$(PRIVKEY7)' $(CERTTOOL) --outfile $@ --outder --generate-certificate --load-ca-certificate=tlspool-test-ca-cert.pem --load-ca-privkey='$(PRIVKEY5)' --load-privkey='$(PRIVKEY7)' --template=$< # Key 8: X.509 Server Certificate with just a host name tlspool-test-playground-cert.der: tlspool-test-playground-cert.template tlspool-test-ca-cert.der echo Using PRIVKEY8, '$(PRIVKEY8)' $(CERTTOOL) --outfile $@ --outder --generate-certificate --load-ca-certificate=tlspool-test-ca-cert.pem --load-ca-privkey='$(PRIVKEY5)' --load-privkey='$(PRIVKEY8)' --template=$< # Turn a .der into a .keyid %.keyid: %.der $(CERTTOOL) --inraw --infile $< -i | sed -e '1,/Public Key ID:/d' -e '/Public key.s random art:/,$$d' -e 's/[ \t]*//' | sed -n -e 's/^sha1://' -e '/^[^:]*$$/p' > $@ # # SRP credentials are loaded from fixed paths ../testdata/tlspool-test-srp.* for now # Yes, this is ugly, we're still hoping to use SRP #11 instead, as defined on # https://github.com/arpa2/srp-pkcs11 # tlspool-test-srp: chown $(DMNUSR):$(DMNGRP) $@.conf $@.passwd # # Create localid.db from scratch # tlspool.env: mkdir -p $@ chown $(DMNUSR):$(DMNGRP) $@ localid.db: tlspool.env $(TOOLDIR)/tlspool-localid-set $(CONFFILE) testcli@tlspool.arpa2.lab OpenPGP,client '$(PRIVKEY1)' tlspool-test-client-pubkey.pgp $(TOOLDIR)/tlspool-localid-set $(CONFFILE) testsrv@tlspool.arpa2.lab OpenPGP,server '$(PRIVKEY2)' tlspool-test-server-pubkey.pgp $(TOOLDIR)/tlspool-localid-set $(CONFFILE) testcli@tlspool.arpa2.lab x.509,client '$(PRIVKEY3)' tlspool-test-client-cert.der $(TOOLDIR)/tlspool-localid-set $(CONFFILE) testsrv@tlspool.arpa2.lab x.509,server '$(PRIVKEY4)' tlspool-test-server-cert.der $(TOOLDIR)/tlspool-localid-set $(CONFFILE) testcli@tlspool.arpa2.lab kerberos,client,server 'pkcs11:some;place' /dev/null $(TOOLDIR)/tlspool-localid-set $(CONFFILE) testsrv@tlspool.arpa2.lab kerberos,client,server 'pkcs11:some;place' /dev/null #REALISTIC-BUT-NOT-YET# $(TOOLDIR)/tlspool-localid-set $(CONFFILE) testcli@tlspool.arpa2.lab valexp,client,server 'tI&' /dev/null #REALISTIC-BUT-NOT-YET# $(TOOLDIR)/tlspool-localid-set $(CONFFILE) testsrv@tlspool.arpa2.lab valexp,client,server 'It&' /dev/null $(TOOLDIR)/tlspool-localid-set $(CONFFILE) testcli@tlspool.arpa2.lab valexp,client,server '1' /dev/null $(TOOLDIR)/tlspool-localid-set $(CONFFILE) testsrv@tlspool.arpa2.lab valexp,client,server '1' /dev/null $(TOOLDIR)/tlspool-localid-set $(CONFFILE) tlspool.arpa2.lab x.509,server,client '$(PRIVKEY7)' tlspool-test-webhost-cert.der $(TOOLDIR)/tlspool-localid-set $(CONFFILE) playground.arpa2.lab x.509,server,client '$(PRIVKEY8)' tlspool-test-playground-cert.der chown $(DMNUSR):$(DMNGRP) $(BDBENV)/* $@ disclose.db: tlspool.env localid.db $(TOOLDIR)/tlspool-disclose-set $(CONFFILE) @.arpa2.lab testcli@tlspool.arpa2.lab testsrv@tlspool.arpa2.lab $(TOOLDIR)/tlspool-disclose-set $(CONFFILE) . tlspool.arpa2.lab chown $(DMNUSR):$(DMNGRP) $(BDBENV)/* $@ trust.db: tlspool.env tlspool-test-ca-cert.der tlspool-test-ca-cert.keyid tlspool-test-flying-signer.der tlspool-test-flying-signer.keyid $(TOOLDIR)/tlspool-trust-set $(CONFFILE) x509,client,server `cat tlspool-test-ca-cert.keyid` 1 tlspool-test-ca-cert.der $(TOOLDIR)/tlspool-trust-set $(CONFFILE) x509,client,server `cat tlspool-test-flying-signer.keyid` 1 tlspool-test-flying-signer.der chown $(DMNUSR):$(DMNGRP) $(BDBENV)/* $@ clean: clean-db rm -f *.der *.pgp rm -f *.pem *.asc anchors: trust.db @$(foreach rootca,$(shell ls -1 $(shell pwd)/trust-anchors/*.pem),$(CERTTOOL) --certificate-info --infile "$(rootca)" --outder --outfile "$(rootca:.pem=.der)" && ) echo 'Converted all root CA .pem to .der' @$(foreach rootca,$(shell ls -1 $(shell pwd)/trust-anchors/*.der),$(CERTTOOL) --inraw --infile "$(rootca)" -i | sed -e '1,/Public Key ID:/d' -e '/Public key.s random art:/,$$d' -e 's/[ \t]*//' > "$(rootca:.der=.keyid)" && ) echo 'Converted all root CA .der to .keyid' @$(foreach rootca,$(shell ls -1 $(shell pwd)/trust-anchors/*.der),$(TOOLDIR)/set_trust $(CONFFILE) x509,client,server `cat "$(rootca:.der=.keyid)"` 1 "$(rootca)" && ) echo 'Imported all root CA .der into trust.db' anew: clean all