# Setting for the configuration file tlspool.conf
# Setting of the number of RSA private key bits (radically ignoring 2^n trends)
#
-CONFFILE=$(shell pwd)/../etc/tlspool.conf
-RSABITS=2000
-PGPRSABITS=2048
+CONFFILE ?= $(shell pwd)/../etc/tlspool.conf
+RSABITS ?= 2048
+PGPRSABITS ?= 2048
+
+#
+# The directory with tools, defaulting to ../tool in the git base
+# Note that testdata is meant for developers, so assuming git is usually the best
+#
+TOOLDIR ?= $(shell pwd)/../build/tool
#
# Load a few things from tlspool.conf; these are assumed present while testing
ifeq ($(P11PIN),)
P11TOOL=p11tool --provider $(P11LIB) --login
CERTTOOL=certtool --provider $(P11LIB)
-PGPTOOL=../tool/pgp11_genkey
+PGPTOOL=$(TOOLDIR)/pgp11-genkey
else
P11TOOL=GNUTLS_PIN=$(P11PIN) p11tool --provider $(P11LIB) --login
CERTTOOL=GNUTLS_PIN=$(P11PIN) certtool --provider $(P11LIB)
-PGPTOOL=GNUTLS_PIN=$(P11PIN) ../tool/pgp11_genkey
+PGPTOOL=GNUTLS_PIN=$(P11PIN) $(TOOLDIR)/pgp11-genkey
endif
#
PRIVKEY1=$(shell $(P11TOOL) --list-privkeys '$(P11URI)' | sed -e '/object=obj1label/!d' -e 's/^[ \t]*URL: //')
ifeq ($(PRIVKEY1),)
PRIVKEYGEN += privkey1
-PRIVKEY1=$(P11URI);id=%30%31;label=obj1label;type=private
+PRIVKEY1=$(P11URI);id=%30%31;object=obj1label;type=private
endif
PRIVKEY2=$(shell $(P11TOOL) --list-privkeys '$(P11URI)' | sed -e '/object=obj2label/!d' -e 's/^[ \t]*URL: //')
ifeq ($(PRIVKEY2),)
PRIVKEYGEN += privkey2
-PRIVKEY2=$(P11URI);id=%30%32;label=obj2label;type=private
+PRIVKEY2=$(P11URI);id=%30%32;object=obj2label;type=private
endif
PRIVKEY3=$(shell $(P11TOOL) --list-privkeys '$(P11URI)' | sed -e '/object=obj3label/!d' -e 's/^[ \t]*URL: //')
ifeq ($(PRIVKEY3),)
PRIVKEYGEN += privkey3
-PRIVKEY3=$(P11URI);id=%30%33;label=obj3label;type=private
+PRIVKEY3=$(P11URI);id=%30%33;object=obj3label;type=private
endif
PRIVKEY4=$(shell $(P11TOOL) --list-privkeys '$(P11URI)' | sed -e '/object=obj4label/!d' -e 's/^[ \t]*URL: //')
ifeq ($(PRIVKEY4),)
PRIVKEYGEN += privkey4
-PRIVKEY4=$(P11URI);id=%30%34;label=obj4label;type=private
+PRIVKEY4=$(P11URI);id=%30%34;object=obj4label;type=private
endif
PRIVKEY5=$(shell $(P11TOOL) --list-privkeys '$(P11URI)' | sed -e '/object=obj5label/!d' -e 's/^[ \t]*URL: //')
ifeq ($(PRIVKEY5),)
PRIVKEYGEN += privkey5
-PRIVKEY5=$(P11URI);id=%30%35;label=obj5label;type=private
+PRIVKEY5=$(P11URI);id=%30%35;object=obj5label;type=private
endif
PRIVKEY6=$(shell $(P11TOOL) --list-privkeys '$(P11URI)' | sed -e '/object=obj6label/!d' -e 's/^[ \t]*URL: //')
ifeq ($(PRIVKEY6),)
PRIVKEYGEN += privkey6
-PRIVKEY6=$(P11URI);id=%30%36;label=obj6label;type=private
+PRIVKEY6=$(P11URI);id=%30%36;object=obj6label;type=private
endif
PRIVKEY7=$(shell $(P11TOOL) --list-privkeys '$(P11URI)' | sed -e '/object=obj7label/!d' -e 's/^[ \t]*URL: //')
ifeq ($(PRIVKEY7),)
PRIVKEYGEN += privkey7
-PRIVKEY7=$(P11URI);id=%30%37;label=obj7label;type=private
+PRIVKEY7=$(P11URI);id=%30%37;object=obj7label;type=private
+endif
+
+PRIVKEY8=$(shell $(P11TOOL) --list-privkeys '$(P11URI)' | sed -e '/object=obj8label/!d' -e 's/^[ \t]*URL: //')
+ifeq ($(PRIVKEY8),)
+PRIVKEYGEN += privkey8
+PRIVKEY8=$(P11URI);id=%30%38;object=obj8label;type=private
endif
#
TARGET_PKCS11=$(PRIVKEYGEN)
-TARGET_CERT=tlspool-test-client-cert.der tlspool-test-server-cert.der tlspool-test-ca-cert.der tlspool-test-flying-signer.der tlspool-test-webhost-cert.der
+TARGET_CERT=tlspool-test-client-cert.der tlspool-test-server-cert.der tlspool-test-ca-cert.der tlspool-test-flying-signer.der tlspool-test-webhost-cert.der tlspool-test-playground-cert.der tlspool-test-srp
TARGET_PGP=tlspool-test-client-pubkey.pgp tlspool-test-server-pubkey.pgp
-TARGET_DB=localid.db disclose.db
+TARGET_DB=localid.db disclose.db trust.db
TARGET_DBE=tlspool.env
.PHONY: all rebuild-pkcs11 rebuild-cert rebuild-pgp rebuild-db
# $(P11TOOL) --generate-rsa --bits $(RSABITS) --label objXlabel --id objXid --outfile xxx.pem '$(P11URI)'
# ...
-.PHONY: privkey1 privkey2 privkey3 privkey4 privkey5 privkey6 privkey7
+.PHONY: privkey1 privkey2 privkey3 privkey4 privkey5 privkey6 privkey7 privkey8
privkey1:
@echo 'Generating private key #1 on PKCS #11 token'
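Review bot: The comment on L12–L13 says TOOLDIR defaults to `../tool`, but the default actually set on L15 is `$(shell pwd)/../build/tool`; one of the two should change, e.g. `# The directory with tools, defaulting to ../build/tool in the git base`. Both new defaults also wrap `$(shell pwd)` in `?=`, which is recursive, so a shell is forked every time CONFFILE or TOOLDIR is expanded (once per tlspool-*-set line further down); `CONFFILE ?= $(CURDIR)/../etc/tlspool.conf` and `TOOLDIR ?= $(CURDIR)/../build/tool` yield the same path without the fork. With RSABITS raised to 2048 the header remark about "radically ignoring 2^n trends" no longer describes the value and should be dropped or reworded. The `label=` to `object=` change in the PKCS #11 URIs is consistent with the `object=objNlabel` pattern the `--list-privkeys` filter on the preceding line already greps for.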
@echo 'Generating private key #7 on PKCS #11 token'
$(P11TOOL) --generate-rsa --bits $(RSABITS) --label=obj7label --id=3037 --outfile=/dev/null '$(P11URI)'
+privkey8:
+ @echo 'Generating private key #8 on PKCS #11 token'
+ $(P11TOOL) --generate-rsa --bits $(RSABITS) --label=obj8label --id=3038 --outfile=/dev/null '$(P11URI)'
+
#
# Produce binary DER certificates (without going through the textual "PEM" form)
$(CERTTOOL) --pgp-certificate-info --infile $@ --inraw --outfile $(@:.pgp=.asc)
# Key 3: X.509 Client Certificate
-tlspool-test-client-cert.der: tlspool-test-client-cert.template
+tlspool-test-client-cert.der: tlspool-test-client-cert.template tlspool-test-ca-cert.der
echo Using PRIVKEY3, '$(PRIVKEY3)'
- $(CERTTOOL) --outfile $@ --outder --generate-self-signed --load-privkey='$(PRIVKEY3)' --template=$<
+ $(CERTTOOL) --outfile $@ --outder --generate-certificate --load-ca-certificate=tlspool-test-ca-cert.pem --load-ca-privkey='$(PRIVKEY5)' --load-privkey='$(PRIVKEY3)' --template=$<
$(CERTTOOL) --certificate-info --infile $@ --inder --outfile $(@:.der=.pem)
# Key 4: X.509 Server Certificate with user@ domain name
-tlspool-test-server-cert.der: tlspool-test-server-cert.template
+tlspool-test-server-cert.der: tlspool-test-server-cert.template tlspool-test-ca-cert.der
echo Using PRIVKEY4, '$(PRIVKEY4)'
- $(CERTTOOL) --outfile $@ --outder --generate-self-signed --load-privkey='$(PRIVKEY4)' --template=$<
+ $(CERTTOOL) --outfile $@ --outder --generate-certificate --load-ca-certificate=tlspool-test-ca-cert.pem --load-ca-privkey='$(PRIVKEY5)' --load-privkey='$(PRIVKEY4)' --template=$<
$(CERTTOOL) --certificate-info --infile $@ --inder --outfile $(@:.der=.pem)
# Key 5: Test CA (for chained certificates)
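Review bot: The rebuilt client and server rules load the CA as `tlspool-test-ca-cert.pem` but declare `tlspool-test-ca-cert.der` as the prerequisite; the .pem is only a by-product of the CA rule's `--certificate-info` line, so when it is absent (deleted by hand, or an interrupted earlier run) make will still consider the .der up to date and certtool will fail on the missing file. Either give the .pem its own rule and list it as the prerequisite, or, if certtool's `--inder` also covers `--load-ca-certificate` as it does for other input certificates, load the DER directly with `--inder --load-ca-certificate=tlspool-test-ca-cert.der`. The CA signing key is spelled out as `'$(PRIVKEY5)'` in each signing rule; a single `CAKEY=$(PRIVKEY5)` next to the key definitions would keep the four signing lines from drifting apart.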
$(CERTTOOL) --certificate-info --infile $@ --inder --outfile $(@:.der=.pem)
# Key 7: X.509 Server Certificate with just a host name
-tlspool-test-webhost-cert.der: tlspool-test-webhost-cert.template
+tlspool-test-webhost-cert.der: tlspool-test-webhost-cert.template tlspool-test-ca-cert.der
echo Using PRIVKEY7, '$(PRIVKEY7)'
- $(CERTTOOL) --outfile $@ --outder --generate-self-signed --load-privkey='$(PRIVKEY7)' --template=$<
- $(CERTTOOL) --certificate-info --infile $@ --inder --outfile $(@:.der=.pem)
+ $(CERTTOOL) --outfile $@ --outder --generate-certificate --load-ca-certificate=tlspool-test-ca-cert.pem --load-ca-privkey='$(PRIVKEY5)' --load-privkey='$(PRIVKEY7)' --template=$<
+
+# Key 8: X.509 Server Certificate with just a host name
+tlspool-test-playground-cert.der: tlspool-test-playground-cert.template tlspool-test-ca-cert.der
+ echo Using PRIVKEY8, '$(PRIVKEY8)'
+ $(CERTTOOL) --outfile $@ --outder --generate-certificate --load-ca-certificate=tlspool-test-ca-cert.pem --load-ca-privkey='$(PRIVKEY5)' --load-privkey='$(PRIVKEY8)' --template=$<
+
+
+# Turn a .der into a .keyid
+%.keyid: %.der
+ $(CERTTOOL) --inraw --infile $< -i | sed -e '1,/Public Key ID:/d' -e '/Public key.s random art:/,$$d' -e 's/[ \t]*//' | sed -n -e 's/^sha1://' -e '/^[^:]*$$/p' > $@
+
+#
+# SRP credentials are loaded from fixed paths ../testdata/tlspool-test-srp.* for now
+# Yes, this is ugly, we're still hoping to use SRP #11 instead, as defined on
+# https://github.com/arpa2/srp-pkcs11
+#
+
+tlspool-test-srp:
+ chown $(DMNUSR):$(DMNGRP) $@.conf $@.passwd
+
#
# Create localid.db from scratch
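Review bot: The new `tlspool-test-srp` target only chowns `$@.conf` and `$@.passwd`; the .passwd file holds SRP credentials (a salt plus verifier is enough for an offline dictionary attack, and the name suggests it may hold the plaintext), so the recipe should also tighten the mode, e.g. `chmod 640 $@.passwd` after the chown, and likewise for the .conf if it embeds secrets. The target creates no file and is not in the `.PHONY` list on L86, so it runs on every build only because no such file exists; add it to `.PHONY` so a stray file of that name cannot silently skip it. The Key 7 rewrite drops the `--certificate-info ... --outfile $(@:.der=.pem)` line that keys 3 and 4 keep, so `tlspool-test-webhost-cert.pem` is no longer produced and the new playground rule produces no .pem either; if nothing reads them that is fine, otherwise re-add the line. The Key 8 comment repeats Key 7's wording; `# Key 8: X.509 Server Certificate for the playground host name` would distinguish them.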
chown $(DMNUSR):$(DMNGRP) $@
localid.db: tlspool.env
- ../tool/set_localid $(CONFFILE) testcli@tlspool.arpa2.lab OpenPGP,client '$(PRIVKEY1)' tlspool-test-client-pubkey.pgp
- ../tool/set_localid $(CONFFILE) testsrv@tlspool.arpa2.lab OpenPGP,server '$(PRIVKEY2)' tlspool-test-server-pubkey.pgp
- ../tool/set_localid $(CONFFILE) testcli@tlspool.arpa2.lab x.509,client '$(PRIVKEY3)' tlspool-test-client-cert.der
- ../tool/set_localid $(CONFFILE) testsrv@tlspool.arpa2.lab x.509,server '$(PRIVKEY4)' tlspool-test-server-cert.der
- ../tool/set_localid $(CONFFILE) tlspool.arpa2.lab x.509,server,client '$(PRIVKEY7)' tlspool-test-webhost-cert.der
+ $(TOOLDIR)/tlspool-localid-set $(CONFFILE) testcli@tlspool.arpa2.lab OpenPGP,client '$(PRIVKEY1)' tlspool-test-client-pubkey.pgp
+ $(TOOLDIR)/tlspool-localid-set $(CONFFILE) testsrv@tlspool.arpa2.lab OpenPGP,server '$(PRIVKEY2)' tlspool-test-server-pubkey.pgp
+ $(TOOLDIR)/tlspool-localid-set $(CONFFILE) testcli@tlspool.arpa2.lab x.509,client '$(PRIVKEY3)' tlspool-test-client-cert.der
+ $(TOOLDIR)/tlspool-localid-set $(CONFFILE) testsrv@tlspool.arpa2.lab x.509,server '$(PRIVKEY4)' tlspool-test-server-cert.der
+ $(TOOLDIR)/tlspool-localid-set $(CONFFILE) testcli@tlspool.arpa2.lab kerberos,client,server 'pkcs11:some;place' /dev/null
+ $(TOOLDIR)/tlspool-localid-set $(CONFFILE) testsrv@tlspool.arpa2.lab kerberos,client,server 'pkcs11:some;place' /dev/null
+ #REALISTIC-BUT-NOT-YET# $(TOOLDIR)/tlspool-localid-set $(CONFFILE) testcli@tlspool.arpa2.lab valexp,client,server 'tI&' /dev/null
+ #REALISTIC-BUT-NOT-YET# $(TOOLDIR)/tlspool-localid-set $(CONFFILE) testsrv@tlspool.arpa2.lab valexp,client,server 'It&' /dev/null
+ $(TOOLDIR)/tlspool-localid-set $(CONFFILE) testcli@tlspool.arpa2.lab valexp,client,server '1' /dev/null
+ $(TOOLDIR)/tlspool-localid-set $(CONFFILE) testsrv@tlspool.arpa2.lab valexp,client,server '1' /dev/null
+ $(TOOLDIR)/tlspool-localid-set $(CONFFILE) tlspool.arpa2.lab x.509,server,client '$(PRIVKEY7)' tlspool-test-webhost-cert.der
+ $(TOOLDIR)/tlspool-localid-set $(CONFFILE) playground.arpa2.lab x.509,server,client '$(PRIVKEY8)' tlspool-test-playground-cert.der
chown $(DMNUSR):$(DMNGRP) $(BDBENV)/* $@
disclose.db: tlspool.env localid.db
- ../tool/set_disclose $(CONFFILE) @.arpa2.lab testcli@tlspool.arpa2.lab testsrv@tlspool.arpa2.lab
- ../tool/set_disclose $(CONFFILE) . tlspool.arpa2.lab
+ $(TOOLDIR)/tlspool-disclose-set $(CONFFILE) @.arpa2.lab testcli@tlspool.arpa2.lab testsrv@tlspool.arpa2.lab
+ $(TOOLDIR)/tlspool-disclose-set $(CONFFILE) . tlspool.arpa2.lab
+ chown $(DMNUSR):$(DMNGRP) $(BDBENV)/* $@
+
+trust.db: tlspool.env tlspool-test-ca-cert.der tlspool-test-ca-cert.keyid tlspool-test-flying-signer.der tlspool-test-flying-signer.keyid
+ $(TOOLDIR)/tlspool-trust-set $(CONFFILE) x509,client,server `cat tlspool-test-ca-cert.keyid` 1 tlspool-test-ca-cert.der
+ $(TOOLDIR)/tlspool-trust-set $(CONFFILE) x509,client,server `cat tlspool-test-flying-signer.keyid` 1 tlspool-test-flying-signer.der
chown $(DMNUSR):$(DMNGRP) $(BDBENV)/* $@
clean: clean-db
rm -f *.der *.pgp
rm -f *.pem *.asc
+anchors: trust.db
+ @$(foreach rootca,$(shell ls -1 $(shell pwd)/trust-anchors/*.pem),$(CERTTOOL) --certificate-info --infile "$(rootca)" --outder --outfile "$(rootca:.pem=.der)" && ) echo 'Converted all root CA .pem to .der'
+ @$(foreach rootca,$(shell ls -1 $(shell pwd)/trust-anchors/*.der),$(CERTTOOL) --inraw --infile "$(rootca)" -i | sed -e '1,/Public Key ID:/d' -e '/Public key.s random art:/,$$d' -e 's/[ \t]*//' > "$(rootca:.der=.keyid)" && ) echo 'Converted all root CA .der to .keyid'
+ @$(foreach rootca,$(shell ls -1 $(shell pwd)/trust-anchors/*.der),$(TOOLDIR)/set_trust $(CONFFILE) x509,client,server `cat "$(rootca:.der=.keyid)"` 1 "$(rootca)" && ) echo 'Imported all root CA .der into trust.db'
+
anew: clean all
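Review bot: The third `anchors` recipe line invokes `$(TOOLDIR)/set_trust`, while the `trust.db` rule above uses `$(TOOLDIR)/tlspool-trust-set` and every other tool in this diff was renamed to the `tlspool-*-set` form, so this line will fail once the old name is gone; replace `set_trust` with `tlspool-trust-set` there. The inline keyid extraction on the second line also omits the final `sed -n -e 's/^sha1://' -e '/^[^:]*$$/p'` stage of the `%.keyid` rule, so anchor .keyid files may keep the `sha1:` prefix or a second digest line that `tlspool-trust-set` would then receive verbatim; listing the anchors' .keyid files as prerequisites and letting the pattern rule produce them keeps the two code paths in sync. `anchors` creates no file and should join the `.PHONY` list, and `$(wildcard $(CURDIR)/trust-anchors/*.pem)` replaces `$(shell ls -1 $(shell pwd)/trust-anchors/*.pem)` without an `ls` error on an empty directory. Note that this target imports every certificate found in trust-anchors/ as a client-and-server trust anchor with the same flag value as the test CA, so the directory's contents are effectively part of the trust configuration and deserve a comment saying so.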