2 # testdata/Makefile -- for TLS Pool developers
4 # This file creates elements in the testdata/ directory used for testing
5 # and is in fact a requisite for tool/testcli, tool/testsrv, tool/testpeer.
8 # * all -- makes sure you can go ahead
9 # * rebuild-pkcs11 -- wipes your PKCS #11 token (really!) and starts it fresh
10 # * rebuild-cert -- wipes your certificate files and rebuilds them
11 # * rebuild-pgp -- wipes your OpenPGP public keys and rebuilds them
12 # * rebuild-db -- wipes your public credentials databases and refills them
13 # The last four should be run in order; later ones may depend on predecessors.
15 # From: Rick van Rein <rick@openfortress.nl>
20 # The following numbered keys are created here:
22 # 1. test client OpenPGP key: testcli@tlspool.arpa2.lab
23 # 2. test server OpenPGP key: testsrv@tlspool.arpa2.lab
24 # 3. test client certificate: testcli@tlspool.arpa2.lab
25 # 4. test server certificate: testsrv@tlspool.arpa2.lab
26 # 5. test CA certificate: testca@tlspool.arpa2.lab
27 # 6. test on-the-fly signing CA certificate: flying-signer@tlspool.arpa2.lab
28 # 7. test server certificate: tlspool.arpa2.lab
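# Setting for the configuration file tlspool.conf
# Setting of the number of RSA private key bits (radically ignoring 2^n trends)
# NOTE(review): the RSABITS / PGPRSABITS assignments that comment refers to
# are not part of this listing, although the key-generation recipes use them.
#
# CONFFILE is read at parse time below (PKCS #11 PIN, library and token URI,
# daemon user/group, DB directory), so an override has to come from the
# command line, e.g. "make CONFFILE=/path/to/tlspool.conf".
# $(CURDIR) is make's own working directory; it replaces the $(shell pwd)
# fork that a recursive "?=" would otherwise repeat on every reference.
CONFFILE ?= $(CURDIR)/../etc/tlspool.conf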
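# The directory with the tools, defaulting to ../build/tool relative to this
# directory (an out-of-tree build of ../tool); override with "make TOOLDIR=...".
# Note that testdata is meant for developers, so assuming a git checkout with
# a build/ directory next to it is usually the best guess.
# $(CURDIR) avoids re-forking "pwd" each time TOOLDIR is expanded.
TOOLDIR ?= $(CURDIR)/../build/tool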
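# Load a few things from tlspool.conf; these are assumed present while testing.
# Each value is read exactly once, at parse time (":="); with a recursive "="
# every later reference would fork sed again.  A missing key simply yields an
# empty value, so the file is checked for and a warning printed if absent.
#
# P11PIN is a secret.  It is spliced into recipe command lines (GNUTLS_PIN=...)
# further down, so it will appear in make's echoed output and in any saved
# build log unless those recipe lines are silenced with "@".
ifeq ($(wildcard $(CONFFILE)),)
$(warning $(CONFFILE) not found; settings read from it will be empty)
endif
P11PIN := $(shell sed < '$(CONFFILE)' -n 's/^pkcs11_pin //p')
P11LIB := $(shell sed < '$(CONFFILE)' -n 's/^pkcs11_path //p')
P11URI := $(shell sed < '$(CONFFILE)' -n 's/^pkcs11_token pkcs11:/pkcs11:/p')
DMNUSR := $(shell sed < '$(CONFFILE)' -n 's/^daemon_user //p')
DMNGRP := $(shell sed < '$(CONFFILE)' -n 's/^daemon_group //p')
BDBENV := $(shell sed < '$(CONFFILE)' -n 's/^dbenv_dir //p')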
57 # Embellish p11tool command; if fixed, provide the PKCS #11 PIN automatically
# NOTE(review): the conditional (ifeq/else/endif on P11PIN, presumably) that
# selects one of the two groups below is not in this listing; both branches
# appear here verbatim.
# Branch 1: no fixed PIN -- "--login" leaves it to p11tool to ask for the PIN.
60 P11TOOL=p11tool --provider $(P11LIB) --login
61 CERTTOOL=certtool --provider $(P11LIB)
62 PGPTOOL=$(TOOLDIR)/pgp11-genkey
# Branch 2: the PIN from tlspool.conf is handed over through the GNUTLS_PIN
# environment variable prefixed to each command.  These are recursive "="
# definitions, so every use re-expands P11PIN/P11LIB (each a $(shell sed ...)
# above).  Because the expansion lands inside echoed recipe lines, the PIN is
# printed to the build output; it is also used by the parse-time
# "$(shell $(P11TOOL) --list-privkeys ...)" probes below.
64 P11TOOL=GNUTLS_PIN=$(P11PIN) p11tool --provider $(P11LIB) --login
65 CERTTOOL=GNUTLS_PIN=$(P11PIN) certtool --provider $(P11LIB)
66 PGPTOOL=GNUTLS_PIN=$(P11PIN) $(TOOLDIR)/pgp11-genkey
70 # Establish which private keys need to be generated on the PKCS #11 token
#
# NOTE(review): each of the eight stanzas below is shown without its
# conditional lines; the pattern (probe, then "PRIVKEYGEN +=" plus a fixed URL)
# reads as "ifeq ($(PRIVKEYn),) ... endif", i.e. the second assignment replaces
# the probe result only when the token holds no key with that label.
#
# The probe logs in to the token (so it may ask for the PIN when none is
# configured) and keeps the URL line of the private key labelled objNlabel.
# Being a recursive "=" assignment, the probe re-runs p11tool on every later
# $(PRIVKEYn) reference -- at least twice per recipe that uses it; ":=" would
# run it once.  The fixed URL carries the percent-encoded CKA_ID "%30%3N"
# (ASCII "0N"), which the generation recipes below set with "--id=303N", so the
# key created now is found by the same URL on the next run.
73 PRIVKEY1=$(shell $(P11TOOL) --list-privkeys '$(P11URI)' | sed -e '/object=obj1label/!d' -e 's/^[ \t]*URL: //')
75 PRIVKEYGEN += privkey1
76 PRIVKEY1=$(P11URI);id=%30%31;object=obj1label;type=private
79 PRIVKEY2=$(shell $(P11TOOL) --list-privkeys '$(P11URI)' | sed -e '/object=obj2label/!d' -e 's/^[ \t]*URL: //')
81 PRIVKEYGEN += privkey2
82 PRIVKEY2=$(P11URI);id=%30%32;object=obj2label;type=private
85 PRIVKEY3=$(shell $(P11TOOL) --list-privkeys '$(P11URI)' | sed -e '/object=obj3label/!d' -e 's/^[ \t]*URL: //')
87 PRIVKEYGEN += privkey3
88 PRIVKEY3=$(P11URI);id=%30%33;object=obj3label;type=private
91 PRIVKEY4=$(shell $(P11TOOL) --list-privkeys '$(P11URI)' | sed -e '/object=obj4label/!d' -e 's/^[ \t]*URL: //')
93 PRIVKEYGEN += privkey4
94 PRIVKEY4=$(P11URI);id=%30%34;object=obj4label;type=private
97 PRIVKEY5=$(shell $(P11TOOL) --list-privkeys '$(P11URI)' | sed -e '/object=obj5label/!d' -e 's/^[ \t]*URL: //')
99 PRIVKEYGEN += privkey5
100 PRIVKEY5=$(P11URI);id=%30%35;object=obj5label;type=private
103 PRIVKEY6=$(shell $(P11TOOL) --list-privkeys '$(P11URI)' | sed -e '/object=obj6label/!d' -e 's/^[ \t]*URL: //')
105 PRIVKEYGEN += privkey6
106 PRIVKEY6=$(P11URI);id=%30%36;object=obj6label;type=private
109 PRIVKEY7=$(shell $(P11TOOL) --list-privkeys '$(P11URI)' | sed -e '/object=obj7label/!d' -e 's/^[ \t]*URL: //')
111 PRIVKEYGEN += privkey7
112 PRIVKEY7=$(P11URI);id=%30%37;object=obj7label;type=private
115 PRIVKEY8=$(shell $(P11TOOL) --list-privkeys '$(P11URI)' | sed -e '/object=obj8label/!d' -e 's/^[ \t]*URL: //')
117 PRIVKEYGEN += privkey8
118 PRIVKEY8=$(P11URI);id=%30%38;object=obj8label;type=private
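# General rules for cleaning and filling (together, rebuilding) parts
#
# Artefact lists, one per part.  The literal lists are simple (":=") since
# nothing adds to them; TARGET_PKCS11 stays recursive so it always mirrors
# PRIVKEYGEN, whichever keys the token probes above decided are missing.
TARGET_PKCS11 = $(PRIVKEYGEN)
TARGET_CERT := tlspool-test-client-cert.der \
               tlspool-test-server-cert.der \
               tlspool-test-ca-cert.der \
               tlspool-test-flying-signer.der \
               tlspool-test-webhost-cert.der \
               tlspool-test-playground-cert.der \
               tlspool-test-srp
TARGET_PGP := tlspool-test-client-pubkey.pgp tlspool-test-server-pubkey.pgp
TARGET_DB := localid.db disclose.db trust.db
# Berkeley DB environment directory.  A recipe below runs "rm -f $(TARGET_DBE)/*",
# so this must never be overridden with an empty value.
TARGET_DBE := tlspool.env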
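# Command-style targets: always out of date, never files.
.PHONY: all rebuild-pkcs11 rebuild-cert rebuild-pgp rebuild-db
.PHONY: clean-pkcs11 clean-cert clean-pgp clean-db
# The fill-* targets are the ones "all" and the rebuild-* targets use; without
# this line a stray file named e.g. "fill-db" would silently make them no-ops.
.PHONY: fill-pkcs11 fill-cert fill-pgp fill-db
# NOTE(review): no refill-* targets are defined in this listing; the line is
# kept in case they live elsewhere.
.PHONY: refill-pkcs11 refill-cert refill-pgp refill-db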
# Default goal: bring every part up to date.  The parts are listed in the
# order they build on each other (token keys; certificates and OpenPGP keys
# made from them; databases referencing both), which a serial make honours.
# Nothing below declares the key-on-token step as a prerequisite of the
# certificate or OpenPGP rules, so under "make -j" those may be attempted
# before the token holds the keys.
136 all: fill-pkcs11 fill-cert fill-pgp fill-db
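# Wipe one part and build it again.  The refill is done by a sub-make rather
# than listed as a second prerequisite, for two reasons:
#  * two plain prerequisites are independent, so under "make -j" the fill
#    could be scheduled before, or alongside, the wipe;
#  * the token probes above ("$(shell $(P11TOOL) --list-privkeys ...)") run at
#    parse time, before the token is wiped.  In a single invocation PRIVKEYGEN
#    would still describe the old token contents (the conditionals around the
#    PRIVKEYn assignments are not in this listing, but the "PRIVKEYGEN +="
#    pattern shows the intent), so a key that existed before the wipe would not
#    be generated again.  A fresh make re-evaluates the probes against the
#    emptied token.
# The "+" prefix lets the sub-make run even under "make -n".
rebuild-pkcs11: clean-pkcs11
	+$(MAKE) fill-pkcs11
# You should continue with "make rebuild-cert rebuild-pgp rebuild-db"

rebuild-cert: clean-cert
	+$(MAKE) fill-cert
# You should continue with "make rebuild-db"

rebuild-pgp: clean-pgp
	+$(MAKE) fill-pgp
# You should continue with "make rebuild-db"

rebuild-db: clean-db
	+$(MAKE) fill-db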
157 # WARNING -- PROCEED WITH CARE
159 # About to wipe your PKCS #11 object store.
160 # If this is unintended, stop now.
# NOTE(review): the rule header this recipe belongs to (presumably
# "clean-pkcs11:") is not in this listing.  "--initialize" re-initialises the
# whole token named by P11URI, destroying every object on it -- not only the
# eight test keys -- so point P11URI at a token dedicated to testing.
162 $(P11TOOL) --initialize '$(P11URI)'
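# Bring one part up to date; each is just its TARGET_* list from above.
# fill-pkcs11 now goes through TARGET_PKCS11 like its siblings instead of
# naming PRIVKEYGEN directly (the two are the same list).
fill-pkcs11: $(TARGET_PKCS11)

fill-cert: $(TARGET_CERT)

fill-pgp: $(TARGET_PGP)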
# NOTE(review): the rule header for the next three lines (presumably
# "clean-db:") is not in this listing.  The recipe refuses to run while a
# "tlspool" process exists, then creates the DB environment directory and
# empties it.  Two caveats: if pidof is not installed the test fails closed
# in the wrong direction (a missing command is "false", so the wipe proceeds);
# and "rm -f $(TARGET_DBE)/*" is only safe because TARGET_DBE is the fixed
# name tlspool.env above -- an empty override would turn it into "rm -f /*".
177 if pidof tlspool ; then echo First stop TLS Pool ; exit 1 ; fi
179 mkdir -p $(TARGET_DBE)
180 rm -f $(TARGET_DBE)/*
# The environment directory is listed before the databases so a serial make
# creates it first; the database rules also name it as a prerequisite.
183 fill-db: $(TARGET_DBE) $(TARGET_DB)
187 # Rule for private key generation on the PKCS #11 token
189 # Old: Generate test keys externally and import using SoftHSM-specific tool:
191 # openssl pkcs8 -topk8 -in tlspool-test-client-key.pem -out tlspool-test-client-key-pkcs8.pem -inform pem -outform pem -nocrypt
192 # openssl pkcs8 -topk8 -in tlspool-test-server-key.pem -out tlspool-test-server-key-pkcs8.pem -inform pem -outform pem -nocrypt
194 # softhsm-util --import tlspool-test-client-key-pkcs8.pem --slot 0 --label 'TLS Pool testdata' --id '6f626a336964'
195 # softhsm-util --import tlspool-test-server-key-pkcs8.pem --slot 0 --label 'TLS Pool testdata' --id '6f626a346964'
197 # Could alternatively do:
199 # $(P11TOOL) --initialize '$(P11URI)'
200 # $(P11TOOL) --generate-rsa --bits $(RSABITS) --label objXlabel --id objXid --outfile xxx.pem '$(P11URI)'
# NOTE(review): the eight rule headers ("privkey1:" ... "privkey8:") are not
# in this listing; only the .PHONY line and the recipes are.  Being phony,
# each runs whenever it is a prerequisite, which is the case only when the
# probe above found no key with that label (it is then in PRIVKEYGEN).
#
# "--id" is the CKA_ID in hex: 3031 is ASCII "01", matching "id=%30%31" in
# the URL assigned above, so the key generated here is found by that URL on
# the next run.  "--outfile=/dev/null" discards the public key p11tool would
# write.  Keys 1 and 2 (OpenPGP) use PGPRSABITS, the X.509 keys use RSABITS;
# neither assignment is in this listing.
#
# Security note: the p11tool lines are echoed by make, and in the
# PIN-providing configuration $(P11TOOL) starts with "GNUTLS_PIN=<pin>", so
# the PIN ends up in the build output; prefixing those lines with "@" (as the
# echo lines already are) would keep it out of logs.
203 .PHONY: privkey1 privkey2 privkey3 privkey4 privkey5 privkey6 privkey7 privkey8
206 @echo 'Generating private key #1 on PKCS #11 token'
207 $(P11TOOL) --generate-rsa --bits $(PGPRSABITS) --label=obj1label --id=3031 --outfile=/dev/null '$(P11URI)'
210 @echo 'Generating private key #2 on PKCS #11 token'
211 $(P11TOOL) --generate-rsa --bits $(PGPRSABITS) --label=obj2label --id=3032 --outfile=/dev/null '$(P11URI)'
214 @echo 'Generating private key #3 on PKCS #11 token'
215 $(P11TOOL) --generate-rsa --bits $(RSABITS) --label=obj3label --id=3033 --outfile=/dev/null '$(P11URI)'
218 @echo 'Generating private key #4 on PKCS #11 token'
219 $(P11TOOL) --generate-rsa --bits $(RSABITS) --label=obj4label --id=3034 --outfile=/dev/null '$(P11URI)'
222 @echo 'Generating private key #5 on PKCS #11 token'
223 $(P11TOOL) --generate-rsa --bits $(RSABITS) --label=obj5label --id=3035 --outfile=/dev/null '$(P11URI)'
226 @echo 'Generating private key #6 on PKCS #11 token'
227 $(P11TOOL) --generate-rsa --bits $(RSABITS) --label=obj6label --id=3036 --outfile=/dev/null '$(P11URI)'
230 @echo 'Generating private key #7 on PKCS #11 token'
231 $(P11TOOL) --generate-rsa --bits $(RSABITS) --label=obj7label --id=3037 --outfile=/dev/null '$(P11URI)'
234 @echo 'Generating private key #8 on PKCS #11 token'
235 $(P11TOOL) --generate-rsa --bits $(RSABITS) --label=obj8label --id=3038 --outfile=/dev/null '$(P11URI)'
239 # Produce binary DER certificates (without going through the textual "PEM" form)
# Key 1: OpenPGP Client Certificate
# Writes the binary OpenPGP public key $@ for test key #1 and, as a side
# product, a textual dump of it under the same base name with suffix .asc.
# No prerequisites are declared: the private key lives on the PKCS #11 token,
# outside make's view.
tlspool-test-client-pubkey.pgp:
	echo Using PRIVKEY1, '$(PRIVKEY1)'
	$(PGPTOOL) $(P11LIB) '$(PRIVKEY1)' 'OpenPGP Test Client <testcli@tlspool.arpa2.lab>' $@
	$(CERTTOOL) --pgp-certificate-info --inraw --infile $@ --outfile $(basename $@).asc
# Key 2: OpenPGP Server Certificate
# Same shape as key 1: the binary public key goes to $@, its textual dump to
# the .asc file of the same base name.  The private key is on the token, so
# there is nothing make could list as a prerequisite.
tlspool-test-server-pubkey.pgp:
	echo Using PRIVKEY2, '$(PRIVKEY2)'
	$(PGPTOOL) $(P11LIB) '$(PRIVKEY2)' 'OpenPGP Test Server <testsrv@tlspool.arpa2.lab>' $@
	$(CERTTOOL) --pgp-certificate-info --inraw --infile $@ --outfile $(basename $@).asc
# Key 3: X.509 Client Certificate
# Signed by the test CA (key 5).  The CA is read in PEM form
# (tlspool-test-ca-cert.pem), a file the CA rule writes next to the .der that
# is the declared prerequisite here.  The DER output is also dumped as
# $(basename $@).pem for humans.
tlspool-test-client-cert.der: tlspool-test-client-cert.template tlspool-test-ca-cert.der
	echo Using PRIVKEY3, '$(PRIVKEY3)'
	$(CERTTOOL) --generate-certificate --template=$< --load-privkey='$(PRIVKEY3)' --load-ca-privkey='$(PRIVKEY5)' --load-ca-certificate=tlspool-test-ca-cert.pem --outder --outfile $@
	$(CERTTOOL) --certificate-info --inder --infile $@ --outfile $(basename $@).pem
# Key 4: X.509 Server Certificate with user@ domain name
# Signed by the test CA (key 5), read from the PEM file the CA rule writes
# beside the .der prerequisite.  A readable .pem copy of $@ is written too.
tlspool-test-server-cert.der: tlspool-test-server-cert.template tlspool-test-ca-cert.der
	echo Using PRIVKEY4, '$(PRIVKEY4)'
	$(CERTTOOL) --generate-certificate --template=$< --load-privkey='$(PRIVKEY4)' --load-ca-privkey='$(PRIVKEY5)' --load-ca-certificate=tlspool-test-ca-cert.pem --outder --outfile $@
	$(CERTTOOL) --certificate-info --inder --infile $@ --outfile $(basename $@).pem
# Key 5: Test CA (for chained certificates)
# Self-signed with key 5.  Besides the DER target this also writes the PEM
# form, which the rules for keys 3, 4, 7 and 8 pass as --load-ca-certificate;
# that PEM file is a by-product, not a declared target, so deleting only it
# will not trigger a rebuild.
tlspool-test-ca-cert.der: tlspool-test-ca-cert.template
	echo Using PRIVKEY5, '$(PRIVKEY5)'
	$(CERTTOOL) --generate-self-signed --template=$< --load-privkey='$(PRIVKEY5)' --outder --outfile $@
	$(CERTTOOL) --certificate-info --inder --infile $@ --outfile $(basename $@).pem
272 #TODO# # Based on key 5: certificate chain
273 #TODO# tlspool-test-server-certchain.der: tlspool-test-server-cert.der tlspool-test-ca-cert.der
274 #TODO# cat > $@ tlspool-test-server-cert.der tlspool-test-ca-cert.der
# Key 6: Flying Signer CA (loaded into TLS Pool and automated)
# A second self-signed CA, this one with key 6; the .pem dump is written
# alongside $@ as for the other certificates.
tlspool-test-flying-signer.der: tlspool-test-flying-signer.template
	echo Using PRIVKEY6, '$(PRIVKEY6)'
	$(CERTTOOL) --generate-self-signed --template=$< --load-privkey='$(PRIVKEY6)' --outder --outfile $@
	$(CERTTOOL) --certificate-info --inder --infile $@ --outfile $(basename $@).pem
# Key 7: X.509 Server Certificate with just a host name
# Signed by the test CA (key 5) from its PEM copy.  NOTE(review): unlike
# keys 3-6 no .pem dump of $@ is produced here.
tlspool-test-webhost-cert.der: tlspool-test-webhost-cert.template tlspool-test-ca-cert.der
	echo Using PRIVKEY7, '$(PRIVKEY7)'
	$(CERTTOOL) --generate-certificate --template=$< --load-privkey='$(PRIVKEY7)' --load-ca-privkey='$(PRIVKEY5)' --load-ca-certificate=tlspool-test-ca-cert.pem --outder --outfile $@
# Key 8: X.509 Server Certificate with just a host name (the playground host,
# registered as playground.arpa2.lab in localid.db below)
# Signed by the test CA (key 5) from its PEM copy; like key 7, no .pem dump
# of $@ is written.
tlspool-test-playground-cert.der: tlspool-test-playground-cert.template tlspool-test-ca-cert.der
	echo Using PRIVKEY8, '$(PRIVKEY8)'
	$(CERTTOOL) --generate-certificate --template=$< --load-privkey='$(PRIVKEY8)' --load-ca-privkey='$(PRIVKEY5)' --load-ca-certificate=tlspool-test-ca-cert.pem --outder --outfile $@
294 # Turn a .der into a .keyid
# NOTE(review): the rule header (presumably a pattern rule such as
# "%.keyid: %.der") is not in this listing; only its recipe is.
# Pulls the SHA-1 "Public Key ID" out of certtool's dump of $<: the first sed
# drops everything up to the "Public Key ID:" heading and from the "random
# art" block onwards (the "." in "key.s" stands for the apostrophe, which the
# shell quoting cannot contain), then strips leading whitespace; the second
# removes the "sha1:" prefix and prints only lines left without a colon, so a
# "sha256:..." line is dropped.  "$$" hands a literal "$" to sed.
296 $(CERTTOOL) --inraw --infile $< -i | sed -e '1,/Public Key ID:/d' -e '/Public key.s random art:/,$$d' -e 's/[ \t]*//' | sed -n -e 's/^sha1://' -e '/^[^:]*$$/p' > $@
299 # SRP credentials are loaded from fixed paths ../testdata/tlspool-test-srp.* for now
300 # Yes, this is ugly, we're still hoping to use SRP #11 instead, as defined on
301 # https://github.com/arpa2/srp-pkcs11
# NOTE(review): the rule header and the lines that create $@.conf and
# $@.passwd (target tlspool-test-srp, per TARGET_CERT above) are not in this
# listing; only the final ownership change is.  It needs enough privilege to
# chown to the daemon user, and the .passwd file is credential material, so
# its mode deserves the same attention as its owner.
305 chown $(DMNUSR):$(DMNGRP) $@.conf $@.passwd
309 # Create localid.db from scratch
# NOTE(review): the rule header and the recipe lines between this comment and
# the chown below are missing from this listing; since the localid.db rule
# follows, this chown most likely closes the rule for tlspool.env (the DB
# environment directory), handing it to the daemon user.
314 chown $(DMNUSR):$(DMNGRP) $@
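# Register every test identity with its credential in localid.db.
# Each file the recipe hands to tlspool-localid-set is a prerequisite, so
# "make -j" and a bare "make localid.db" build them first (previously only the
# environment directory was listed).  The ownership change at the end needs
# sufficient privilege and touches everything in BDBENV, so the recipe refuses
# to run when tlspool.conf yielded an empty dbenv_dir -- "$(BDBENV)/*" would
# then expand to "/*".
localid.db: tlspool.env tlspool-test-client-pubkey.pgp tlspool-test-server-pubkey.pgp tlspool-test-client-cert.der tlspool-test-server-cert.der tlspool-test-webhost-cert.der tlspool-test-playground-cert.der
	@$(if $(strip $(BDBENV)),,$(error dbenv_dir is not set in $(CONFFILE), refusing to run chown with an empty BDBENV))
	$(TOOLDIR)/tlspool-localid-set $(CONFFILE) testcli@tlspool.arpa2.lab OpenPGP,client '$(PRIVKEY1)' tlspool-test-client-pubkey.pgp
	$(TOOLDIR)/tlspool-localid-set $(CONFFILE) testsrv@tlspool.arpa2.lab OpenPGP,server '$(PRIVKEY2)' tlspool-test-server-pubkey.pgp
	$(TOOLDIR)/tlspool-localid-set $(CONFFILE) testcli@tlspool.arpa2.lab x.509,client '$(PRIVKEY3)' tlspool-test-client-cert.der
	$(TOOLDIR)/tlspool-localid-set $(CONFFILE) testsrv@tlspool.arpa2.lab x.509,server '$(PRIVKEY4)' tlspool-test-server-cert.der
	$(TOOLDIR)/tlspool-localid-set $(CONFFILE) testcli@tlspool.arpa2.lab kerberos,client,server 'pkcs11:some;place' /dev/null
	$(TOOLDIR)/tlspool-localid-set $(CONFFILE) testsrv@tlspool.arpa2.lab kerberos,client,server 'pkcs11:some;place' /dev/null
#REALISTIC-BUT-NOT-YET# $(TOOLDIR)/tlspool-localid-set $(CONFFILE) testcli@tlspool.arpa2.lab valexp,client,server 'tI&' /dev/null
#REALISTIC-BUT-NOT-YET# $(TOOLDIR)/tlspool-localid-set $(CONFFILE) testsrv@tlspool.arpa2.lab valexp,client,server 'It&' /dev/null
	$(TOOLDIR)/tlspool-localid-set $(CONFFILE) testcli@tlspool.arpa2.lab valexp,client,server '1' /dev/null
	$(TOOLDIR)/tlspool-localid-set $(CONFFILE) testsrv@tlspool.arpa2.lab valexp,client,server '1' /dev/null
	$(TOOLDIR)/tlspool-localid-set $(CONFFILE) tlspool.arpa2.lab x.509,server,client '$(PRIVKEY7)' tlspool-test-webhost-cert.der
	$(TOOLDIR)/tlspool-localid-set $(CONFFILE) playground.arpa2.lab x.509,server,client '$(PRIVKEY8)' tlspool-test-playground-cert.der
	chown $(DMNUSR):$(DMNGRP) $(BDBENV)/* $@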
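# Fill disclose.db: which local identities may be disclosed to which remote
# domains.  Depends on localid.db so the identities it names exist first.
# As for localid.db, the closing chown is refused when BDBENV is empty, since
# "$(BDBENV)/*" would then mean "/*".
disclose.db: tlspool.env localid.db
	@$(if $(strip $(BDBENV)),,$(error dbenv_dir is not set in $(CONFFILE), refusing to run chown with an empty BDBENV))
	$(TOOLDIR)/tlspool-disclose-set $(CONFFILE) @.arpa2.lab testcli@tlspool.arpa2.lab testsrv@tlspool.arpa2.lab
	$(TOOLDIR)/tlspool-disclose-set $(CONFFILE) . tlspool.arpa2.lab
	chown $(DMNUSR):$(DMNGRP) $(BDBENV)/* $@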
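# Fill trust.db with the two test CAs (the chained-certificate CA and the
# flying signer), each keyed by the SHA-1 key id extracted into its .keyid
# file and trusted for both client and server validation.  The closing chown
# is refused when BDBENV is empty, since "$(BDBENV)/*" would then mean "/*".
trust.db: tlspool.env tlspool-test-ca-cert.der tlspool-test-ca-cert.keyid tlspool-test-flying-signer.der tlspool-test-flying-signer.keyid
	@$(if $(strip $(BDBENV)),,$(error dbenv_dir is not set in $(CONFFILE), refusing to run chown with an empty BDBENV))
	$(TOOLDIR)/tlspool-trust-set $(CONFFILE) x509,client,server `cat tlspool-test-ca-cert.keyid` 1 tlspool-test-ca-cert.der
	$(TOOLDIR)/tlspool-trust-set $(CONFFILE) x509,client,server `cat tlspool-test-flying-signer.keyid` 1 tlspool-test-flying-signer.der
	chown $(DMNUSR):$(DMNGRP) $(BDBENV)/* $@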
# NOTE(review): the header of the rule these three recipe lines belong to is
# not in this listing.  Each line is one long shell command assembled by
# $(foreach): "<cmd> && <cmd> && ... echo '...'", converting every root CA
# under trust-anchors/ from .pem to .der, then to .keyid, then importing it
# as trusted for both client and server validation -- so the directory's
# contents carry the same weight as the test CA itself.
# Two things to be aware of:
#  * GNU make expands a recipe before running its first line, so the "*.der"
#    lists on the 2nd and 3rd lines are taken before the 1st line has produced
#    any .der; a .pem newly added to trust-anchors/ needs a second run to
#    reach trust.db.  $(wildcard $(CURDIR)/trust-anchors/*.der) would replace
#    the "$(shell ls -1 $(shell pwd)/...)" forks, but not fix this ordering.
#  * the 3rd line calls $(TOOLDIR)/set_trust, whereas the trust.db rule above
#    calls $(TOOLDIR)/tlspool-trust-set; one of the two names is probably stale.
346 @$(foreach rootca,$(shell ls -1 $(shell pwd)/trust-anchors/*.pem),$(CERTTOOL) --certificate-info --infile "$(rootca)" --outder --outfile "$(rootca:.pem=.der)" && ) echo 'Converted all root CA .pem to .der'
347 @$(foreach rootca,$(shell ls -1 $(shell pwd)/trust-anchors/*.der),$(CERTTOOL) --inraw --infile "$(rootca)" -i | sed -e '1,/Public Key ID:/d' -e '/Public key.s random art:/,$$d' -e 's/[ \t]*//' > "$(rootca:.der=.keyid)" && ) echo 'Converted all root CA .der to .keyid'
348 @$(foreach rootca,$(shell ls -1 $(shell pwd)/trust-anchors/*.der),$(TOOLDIR)/set_trust $(CONFFILE) x509,client,server `cat "$(rootca:.der=.keyid)"` 1 "$(rootca)" && ) echo 'Imported all root CA .der into trust.db'