mbedtls/tests/data_files/Makefile

## This file contains a record of how some of the test data was
## generated. The final build products are committed to the repository
## as well to make sure that the test data is identical. You do not
## need to use this makefile unless you're extending mbed TLS's tests.

## Many data files were generated prior to the existence of this
## makefile, so the method of their generation was not recorded.

## Note that in addition to depending on the version of the data
## generation tool, many of the build outputs are randomized, so
## running this makefile twice would not produce the same results.

## Tools
OPENSSL ?= openssl
FAKETIME ?= faketime

## Build the generated test data. Note that since the final outputs
## are committed to the repository, this target should do nothing on a
## fresh checkout. Furthermore, since the generation is randomized,
## re-running the same targets may result in differing files. The goal
## of this makefile is primarily to serve as a record of how the
## targets were generated in the first place.
default: all_final

all_intermediate := # temporary files
all_final := # files used by tests


################################################################
#### Generate certificates from existing keys
################################################################

test_ca_key_file_rsa = test-ca.key
test_ca_pwd_rsa = PolarSSLTest
test_ca_config_file = test-ca.opensslconf

test-ca.csr: $(test_ca_key_file_rsa) $(test_ca_config_file)
	$(OPENSSL) req -new -config $(test_ca_config_file) -key $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -subj "/C=NL/O=PolarSSL/CN=PolarSSL Test CA" -out $@
all_intermediate += test-ca.csr
test-ca-sha1.crt: $(test_ca_key_file_rsa) $(test_ca_config_file) test-ca.csr
	$(OPENSSL) req -x509 -config $(test_ca_config_file) -key $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 0 -days 3653 -sha1 -in test-ca.csr -out $@
all_final += test-ca-sha1.crt
test-ca-sha256.crt: $(test_ca_key_file_rsa) $(test_ca_config_file) test-ca.csr
	$(OPENSSL) req -x509 -config $(test_ca_config_file) -key $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 0 -days 3653 -sha256 -in test-ca.csr -out $@
all_final += test-ca-sha256.crt

test_ca_key_file_rsa_alt = test-ca-alt.key

$(test_ca_key_file_rsa_alt):
	$(OPENSSL) genrsa -out $@ 2048
test-ca-alt.csr: $(test_ca_key_file_rsa_alt) $(test_ca_config_file)
	$(OPENSSL) req -new -config $(test_ca_config_file) -key $(test_ca_key_file_rsa_alt) -subj "/C=NL/O=PolarSSL/CN=PolarSSL Test CA" -out $@
all_intermediate += test-ca-alt.csr
test-ca-alt.crt: $(test_ca_key_file_rsa_alt) $(test_ca_config_file) test-ca-alt.csr
	$(OPENSSL) req -x509 -config $(test_ca_config_file) -key $(test_ca_key_file_rsa_alt) -set_serial 0 -days 3653 -sha256 -in test-ca-alt.csr -out $@
all_final += test-ca-alt.crt
test-ca-alt-good.crt: test-ca-alt.crt test-ca-sha256.crt
	cat test-ca-alt.crt test-ca-sha256.crt > $@
all_final += test-ca-alt-good.crt
test-ca-good-alt.crt: test-ca-alt.crt test-ca-sha256.crt
	cat test-ca-sha256.crt test-ca-alt.crt > $@
all_final += test-ca-good-alt.crt

test_ca_crt_file_ec = test-ca2.crt
test_ca_key_file_ec = test-ca2.key

test-int-ca.csr: test-int-ca.key $(test_ca_config_file)
	$(OPENSSL) req -new -config $(test_ca_config_file) -key test-int-ca.key -subj "/C=NL/O=PolarSSL/CN=PolarSSL Test Intermediate CA" -out $@
all_intermediate += test-int-ca.csr
test-int-ca-exp.crt: $(test_ca_crt_file_ec) $(test_ca_key_file_ec) $(test_ca_config_file) test-int-ca.csr
	$(FAKETIME) -f -3653d $(OPENSSL) x509 -req -extfile $(test_ca_config_file) -extensions v3_ca -CA $(test_ca_crt_file_ec) -CAkey $(test_ca_key_file_ec) -set_serial 14 -days 3653 -sha256 -in test-int-ca.csr -out $@
all_final += test-int-ca-exp.crt

cli_crt_key_file_rsa = cli-rsa.key
cli_crt_extensions_file = cli.opensslconf

cli-rsa.csr: $(cli_crt_key_file_rsa)
	$(OPENSSL) req -new -key $(cli_crt_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -subj "/C=NL/O=PolarSSL/CN=PolarSSL Client 2" -out $@
all_intermediate += cli-rsa.csr
cli-rsa-sha1.crt: $(cli_crt_key_file_rsa) test-ca-sha1.crt cli-rsa.csr
	$(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA test-ca-sha1.crt -CAkey $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 4 -days 3653 -sha1 -in cli-rsa.csr -out $@
all_final += cli-rsa-sha1.crt
cli-rsa-sha256.crt: $(cli_crt_key_file_rsa) test-ca-sha256.crt cli-rsa.csr
	$(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA test-ca-sha256.crt -CAkey $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 4 -days 3653 -sha256 -in cli-rsa.csr -out $@
all_final += cli-rsa-sha256.crt

server2-rsa.csr: server2.key
	$(OPENSSL) req -new -key server2.key -passin "pass:$(test_ca_pwd_rsa)" -subj "/C=NL/O=PolarSSL/CN=localhost" -out $@
all_intermediate += server2-rsa.csr
server2-sha256.crt: server2-rsa.csr
	$(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA test-ca-sha256.crt -CAkey $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 4 -days 3653 -sha256 -in server2-rsa.csr -out $@
all_final += server2-sha256.crt

test_ca_int_rsa1 = test-int-ca.crt

server7.csr: server7.key
	$(OPENSSL) req -new -key server7.key -subj "/C=NL/O=PolarSSL/CN=localhost" -out $@
all_intermediate += server7.csr
server7-expired.crt: server7.csr $(test_ca_int_rsa1)
	$(FAKETIME) -f -3653d $(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA $(test_ca_int_rsa1) -CAkey test-int-ca.key -set_serial 16 -days 3653 -sha256 -in server7.csr | cat - $(test_ca_int_rsa1) > $@
all_final += server7-expired.crt
server7-future.crt: server7.csr $(test_ca_int_rsa1)
	$(FAKETIME) -f +3653d $(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA $(test_ca_int_rsa1) -CAkey test-int-ca.key -set_serial 16 -days 3653 -sha256 -in server7.csr | cat - $(test_ca_int_rsa1) > $@
all_final += server7-future.crt
server7-badsign.crt: server7.crt $(test_ca_int_rsa1)
	{ head -n-2 $<; tail -n-2 $< | sed -e '1s/0\(=*\)$$/_\1/' -e '1s/[^_=]\(=*\)$$/0\1/' -e '1s/_/1/'; cat $(test_ca_int_rsa1); } > $@
all_final += server7-badsign.crt
server7_int-ca-exp.crt: server7.crt test-int-ca-exp.crt
	cat server7.crt test-int-ca-exp.crt > $@
all_final += server7_int-ca-exp.crt

server5-ss-expired.crt: server5.key
	$(FAKETIME) -f -3653d $(OPENSSL) req -x509 -new -subj "/C=UK/O=mbed TLS/OU=testsuite/CN=localhost" -days 3653 -sha256 -key $< -out $@
all_final += server5-ss-expired.crt

# try to forge a copy of test-int-ca3 with different key
server5-ss-forgeca.crt: server5.key
	$(FAKETIME) '2015-09-01 14:08:43' $(OPENSSL) req -x509 -new -subj "/C=UK/O=mbed TLS/CN=mbed TLS Test intermediate CA 3" -set_serial 77 -config $(test_ca_config_file) -extensions noext_ca -days 3650 -sha256 -key $< -out $@
all_final += server5-ss-forgeca.crt

server10-badsign.crt: server10.crt
	{ head -n-2 $<; tail -n-2 $< | sed -e '1s/0\(=*\)$$/_\1/' -e '1s/[^_=]\(=*\)$$/0\1/' -e '1s/_/1/'; } > $@
all_final += server10-badsign.crt
server10-bs_int3.pem: server10-badsign.crt test-int-ca3.crt
	cat server10-badsign.crt test-int-ca3.crt > $@
all_final += server10-bs_int3.pem
test-int-ca3-badsign.crt: test-int-ca3.crt
	{ head -n-2 $<; tail -n-2 $< | sed -e '1s/0\(=*\)$$/_\1/' -e '1s/[^_=]\(=*\)$$/0\1/' -e '1s/_/1/'; } > $@
all_final += test-int-ca3-badsign.crt
server10_int3-bs.pem: server10.crt test-int-ca3-badsign.crt
	cat server10.crt test-int-ca3-badsign.crt > $@
all_final += server10-bs_int3-bs.pem


################################################################
#### Meta targets
################################################################

all_final: $(all_final)
all: $(all_intermediate) $(all_final)

.PHONY: default all_final all

# These files should not be committed to the repository.
list_intermediate:
	@printf '%s\n' $(all_intermediate) | sort
# These files should be committed to the repository so that the test data is
# available upon checkout without running a randomized process depending on
# third-party tools.
list_final:
	@printf '%s\n' $(all_final) | sort
.PHONY: list_intermediate list_final

## Remove intermediate files
clean:
	rm -f $(all_intermediate)
## Remove all build products, even the ones that are committed
neat: clean
	rm -f $(all_final)
.PHONY: clean neat
Document test data makefile 2017-05-11 15:57:22 +00:00			`## This file contains a record of how some of the test data was`
			`## generated. The final build products are committed to the repository`
			`## as well to make sure that the test data is identical. You do not`
			`## need to use this makefile unless you're extending mbed TLS's tests.`
Added SHA256 test certificates With SHA-1 deprecation, we need a few certificates using algorithms in the default support list. Most tests still use SHA-1 though. The generation process for the new certificates is recorded in the makefile. 2017-05-05 16:56:12 +00:00
Document test data makefile 2017-05-11 15:57:22 +00:00			`## Many data files were generated prior to the existence of this`
			`## makefile, so the method of their generation was not recorded.`
Added SHA256 test certificates With SHA-1 deprecation, we need a few certificates using algorithms in the default support list. Most tests still use SHA-1 though. The generation process for the new certificates is recorded in the makefile. 2017-05-05 16:56:12 +00:00
Document test data makefile 2017-05-11 15:57:22 +00:00			`## Note that in addition to depending on the version of the data`
			`## generation tool, many of the build outputs are randomized, so`
			`## running this makefile twice would not produce the same results.`

			`## Tools`
			`OPENSSL ?= openssl`
Add test for expired cert in longer chain That's two lines that were not covered in verify_child() 2017-06-05 08:20:32 +00:00			`FAKETIME ?= faketime`
Document test data makefile 2017-05-11 15:57:22 +00:00
			`## Build the generated test data. Note that since the final outputs`
			`## are committed to the repository, this target should do nothing on a`
			`## fresh checkout. Furthermore, since the generation is randomized,`
			`## re-running the same targets may result in differing files. The goal`
			`## of this makefile is primarily to serve as a record of how the`
			`## targets were generated in the first place.`
Added SHA256 test certificates With SHA-1 deprecation, we need a few certificates using algorithms in the default support list. Most tests still use SHA-1 though. The generation process for the new certificates is recorded in the makefile. 2017-05-05 16:56:12 +00:00			`default: all_final`

			`all_intermediate := # temporary files`
			`all_final := # files used by tests`

Document test data makefile 2017-05-11 15:57:22 +00:00

			`################################################################`
			`#### Generate certificates from existing keys`
			`################################################################`

			`test_ca_key_file_rsa = test-ca.key`
			`test_ca_pwd_rsa = PolarSSLTest`
			`test_ca_config_file = test-ca.opensslconf`

Added SHA256 test certificates With SHA-1 deprecation, we need a few certificates using algorithms in the default support list. Most tests still use SHA-1 though. The generation process for the new certificates is recorded in the makefile. 2017-05-05 16:56:12 +00:00			`test-ca.csr: $(test_ca_key_file_rsa) $(test_ca_config_file)`
			`$(OPENSSL) req -new -config $(test_ca_config_file) -key $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -subj "/C=NL/O=PolarSSL/CN=PolarSSL Test CA" -out $@`
			`all_intermediate += test-ca.csr`
			`test-ca-sha1.crt: $(test_ca_key_file_rsa) $(test_ca_config_file) test-ca.csr`
			`$(OPENSSL) req -x509 -config $(test_ca_config_file) -key $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 0 -days 3653 -sha1 -in test-ca.csr -out $@`
			`all_final += test-ca-sha1.crt`
			`test-ca-sha256.crt: $(test_ca_key_file_rsa) $(test_ca_config_file) test-ca.csr`
			`$(OPENSSL) req -x509 -config $(test_ca_config_file) -key $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 0 -days 3653 -sha256 -in test-ca.csr -out $@`
			`all_final += test-ca-sha256.crt`

Add test for same CA with different keys When a trusted CA is rolling its root keys, it could happen that for some users the list of trusted roots contains two versions of the same CA with the same name but different keys. Currently this is supported but wasn't tested. Note: the intermediate file test-ca-alt.csr is commited on purpose, as not commiting intermediate files causes make to regenerate files that we don't want it to touch. 2017-07-03 16:06:38 +00:00			`test_ca_key_file_rsa_alt = test-ca-alt.key`

			`$(test_ca_key_file_rsa_alt):`
			`$(OPENSSL) genrsa -out $@ 2048`
			`test-ca-alt.csr: $(test_ca_key_file_rsa_alt) $(test_ca_config_file)`
			`$(OPENSSL) req -new -config $(test_ca_config_file) -key $(test_ca_key_file_rsa_alt) -subj "/C=NL/O=PolarSSL/CN=PolarSSL Test CA" -out $@`
			`all_intermediate += test-ca-alt.csr`
			`test-ca-alt.crt: $(test_ca_key_file_rsa_alt) $(test_ca_config_file) test-ca-alt.csr`
			`$(OPENSSL) req -x509 -config $(test_ca_config_file) -key $(test_ca_key_file_rsa_alt) -set_serial 0 -days 3653 -sha256 -in test-ca-alt.csr -out $@`
			`all_final += test-ca-alt.crt`
			`test-ca-alt-good.crt: test-ca-alt.crt test-ca-sha256.crt`
			`cat test-ca-alt.crt test-ca-sha256.crt > $@`
			`all_final += test-ca-alt-good.crt`
			`test-ca-good-alt.crt: test-ca-alt.crt test-ca-sha256.crt`
			`cat test-ca-sha256.crt test-ca-alt.crt > $@`
			`all_final += test-ca-good-alt.crt`

Add tests for flags passed to f_vrfy The tests cover chains of length 0, 1 and 2, with one error, located at any of the available levels in the chain. This exercises all three call sites of f_vrfy (two in verify_top, one in verify_child). Chains of greater length would not cover any new code path or behaviour that I can see. 2017-06-27 10:51:52 +00:00			`test_ca_crt_file_ec = test-ca2.crt`
			`test_ca_key_file_ec = test-ca2.key`

			`test-int-ca.csr: test-int-ca.key $(test_ca_config_file)`
			`$(OPENSSL) req -new -config $(test_ca_config_file) -key test-int-ca.key -subj "/C=NL/O=PolarSSL/CN=PolarSSL Test Intermediate CA" -out $@`
			`all_intermediate += test-int-ca.csr`
Add missing dependency in test-certs Makefile 2017-08-08 16:54:13 +00:00			`test-int-ca-exp.crt: $(test_ca_crt_file_ec) $(test_ca_key_file_ec) $(test_ca_config_file) test-int-ca.csr`
Add tests for flags passed to f_vrfy The tests cover chains of length 0, 1 and 2, with one error, located at any of the available levels in the chain. This exercises all three call sites of f_vrfy (two in verify_top, one in verify_child). Chains of greater length would not cover any new code path or behaviour that I can see. 2017-06-27 10:51:52 +00:00			`$(FAKETIME) -f -3653d $(OPENSSL) x509 -req -extfile $(test_ca_config_file) -extensions v3_ca -CA $(test_ca_crt_file_ec) -CAkey $(test_ca_key_file_ec) -set_serial 14 -days 3653 -sha256 -in test-int-ca.csr -out $@`
			`all_final += test-int-ca-exp.crt`

Document test data makefile 2017-05-11 15:57:22 +00:00			`cli_crt_key_file_rsa = cli-rsa.key`
			`cli_crt_extensions_file = cli.opensslconf`

Added SHA256 test certificates With SHA-1 deprecation, we need a few certificates using algorithms in the default support list. Most tests still use SHA-1 though. The generation process for the new certificates is recorded in the makefile. 2017-05-05 16:56:12 +00:00			`cli-rsa.csr: $(cli_crt_key_file_rsa)`
			`$(OPENSSL) req -new -key $(cli_crt_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -subj "/C=NL/O=PolarSSL/CN=PolarSSL Client 2" -out $@`
			`all_intermediate += cli-rsa.csr`
			`cli-rsa-sha1.crt: $(cli_crt_key_file_rsa) test-ca-sha1.crt cli-rsa.csr`
			`$(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA test-ca-sha1.crt -CAkey $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 4 -days 3653 -sha1 -in cli-rsa.csr -out $@`
			`all_final += cli-rsa-sha1.crt`
			`cli-rsa-sha256.crt: $(cli_crt_key_file_rsa) test-ca-sha256.crt cli-rsa.csr`
			`$(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA test-ca-sha256.crt -CAkey $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 4 -days 3653 -sha256 -in cli-rsa.csr -out $@`
			`all_final += cli-rsa-sha256.crt`

Test that SHA-1 defaults off Added tests to validate that certificates signed using SHA-1 are rejected by default, but accepted if SHA-1 is explicitly enabled. 2017-05-09 13:59:24 +00:00			`server2-rsa.csr: server2.key`
			`$(OPENSSL) req -new -key server2.key -passin "pass:$(test_ca_pwd_rsa)" -subj "/C=NL/O=PolarSSL/CN=localhost" -out $@`
			`all_intermediate += server2-rsa.csr`
			`server2-sha256.crt: server2-rsa.csr`
			`$(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA test-ca-sha256.crt -CAkey $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 4 -days 3653 -sha256 -in server2-rsa.csr -out $@`
			`all_final += server2-sha256.crt`

Add test for expired cert in longer chain That's two lines that were not covered in verify_child() 2017-06-05 08:20:32 +00:00			`test_ca_int_rsa1 = test-int-ca.crt`

			`server7.csr: server7.key`
			`$(OPENSSL) req -new -key server7.key -subj "/C=NL/O=PolarSSL/CN=localhost" -out $@`
			`all_intermediate += server7.csr`
			`server7-expired.crt: server7.csr $(test_ca_int_rsa1)`
			`$(FAKETIME) -f -3653d $(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA $(test_ca_int_rsa1) -CAkey test-int-ca.key -set_serial 16 -days 3653 -sha256 -in server7.csr \| cat - $(test_ca_int_rsa1) > $@`
			`all_final += server7-expired.crt`
			`server7-future.crt: server7.csr $(test_ca_int_rsa1)`
			`$(FAKETIME) -f +3653d $(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA $(test_ca_int_rsa1) -CAkey test-int-ca.key -set_serial 16 -days 3653 -sha256 -in server7.csr \| cat - $(test_ca_int_rsa1) > $@`
			`all_final += server7-future.crt`
Add test for bad signature with longer chain This is one line that wasn't covered in verify_child() 2017-06-05 09:12:13 +00:00			`server7-badsign.crt: server7.crt $(test_ca_int_rsa1)`
Add tests for verify_restartable() For selection of test cases, see comments added in the commit. It makes the most sense to test with chains using ECC only, so for the chain of length 2 we use server10 -> int-ca3 -> int-ca2 and trust int-ca2 directly. Note: server10.crt was created by copying server10_int3_int-ca2.crt and manually truncating it to remove the intermediates. That base can now be used to create derived certs (without or with a chain) in a programmatic way. 2017-07-14 09:05:59 +00:00			`{ head -n-2 $<; tail -n-2 $< \| sed -e '1s/0\(=\)$$/_\1/' -e '1s/[^_=]\(=\)$$/0\1/' -e '1s/_/1/'; cat $(test_ca_int_rsa1); } > $@`
Add test for bad signature with longer chain This is one line that wasn't covered in verify_child() 2017-06-05 09:12:13 +00:00			`all_final += server7-badsign.crt`
Add tests for flags passed to f_vrfy The tests cover chains of length 0, 1 and 2, with one error, located at any of the available levels in the chain. This exercises all three call sites of f_vrfy (two in verify_top, one in verify_child). Chains of greater length would not cover any new code path or behaviour that I can see. 2017-06-27 10:51:52 +00:00			`server7_int-ca-exp.crt: server7.crt test-int-ca-exp.crt`
			`cat server7.crt test-int-ca-exp.crt > $@`
			`all_final += server7_int-ca-exp.crt`

			`server5-ss-expired.crt: server5.key`
			`$(FAKETIME) -f -3653d $(OPENSSL) req -x509 -new -subj "/C=UK/O=mbed TLS/OU=testsuite/CN=localhost" -days 3653 -sha256 -key $< -out $@`
			`all_final += server5-ss-expired.crt`

Add test for CA forgery attempt As we accept EE certs that are explicitly trusted (in the list of trusted roots) and usually look for parent by subject, and in the future we might want to avoid checking the self-signature on trusted certs, there could a risk that we incorrectly accept a cert that looks like a trusted root except it doesn't have the same key. This test ensures this will never happen. 2017-06-29 07:48:08 +00:00			`# try to forge a copy of test-int-ca3 with different key`
			`server5-ss-forgeca.crt: server5.key`
			`$(FAKETIME) '2015-09-01 14:08:43' $(OPENSSL) req -x509 -new -subj "/C=UK/O=mbed TLS/CN=mbed TLS Test intermediate CA 3" -set_serial 77 -config $(test_ca_config_file) -extensions noext_ca -days 3650 -sha256 -key $< -out $@`
			`all_final += server5-ss-forgeca.crt`

Add tests for verify_restartable() For selection of test cases, see comments added in the commit. It makes the most sense to test with chains using ECC only, so for the chain of length 2 we use server10 -> int-ca3 -> int-ca2 and trust int-ca2 directly. Note: server10.crt was created by copying server10_int3_int-ca2.crt and manually truncating it to remove the intermediates. That base can now be used to create derived certs (without or with a chain) in a programmatic way. 2017-07-14 09:05:59 +00:00			`server10-badsign.crt: server10.crt`
			`{ head -n-2 $<; tail -n-2 $< \| sed -e '1s/0\(=\)$$/_\1/' -e '1s/[^_=]\(=\)$$/0\1/' -e '1s/_/1/'; } > $@`
			`all_final += server10-badsign.crt`
			`server10-bs_int3.pem: server10-badsign.crt test-int-ca3.crt`
			`cat server10-badsign.crt test-int-ca3.crt > $@`
			`all_final += server10-bs_int3.pem`
			`test-int-ca3-badsign.crt: test-int-ca3.crt`
			`{ head -n-2 $<; tail -n-2 $< \| sed -e '1s/0\(=\)$$/_\1/' -e '1s/[^_=]\(=\)$$/0\1/' -e '1s/_/1/'; } > $@`
			`all_final += test-int-ca3-badsign.crt`
			`server10_int3-bs.pem: server10.crt test-int-ca3-badsign.crt`
			`cat server10.crt test-int-ca3-badsign.crt > $@`
			`all_final += server10-bs_int3-bs.pem`
Add test for CA forgery attempt As we accept EE certs that are explicitly trusted (in the list of trusted roots) and usually look for parent by subject, and in the future we might want to avoid checking the self-signature on trusted certs, there could a risk that we incorrectly accept a cert that looks like a trusted root except it doesn't have the same key. This test ensures this will never happen. 2017-06-29 07:48:08 +00:00
Document test data makefile 2017-05-11 15:57:22 +00:00
			`################################################################`
			`#### Meta targets`
			`################################################################`

Added SHA256 test certificates With SHA-1 deprecation, we need a few certificates using algorithms in the default support list. Most tests still use SHA-1 though. The generation process for the new certificates is recorded in the makefile. 2017-05-05 16:56:12 +00:00			`all_final: $(all_final)`
			`all: $(all_intermediate) $(all_final)`

Document test data makefile 2017-05-11 15:57:22 +00:00			`.PHONY: default all_final all`

Added SHA256 test certificates With SHA-1 deprecation, we need a few certificates using algorithms in the default support list. Most tests still use SHA-1 though. The generation process for the new certificates is recorded in the makefile. 2017-05-05 16:56:12 +00:00			`# These files should not be committed to the repository.`
			`list_intermediate:`
			`@printf '%s\n' $(all_intermediate) \| sort`
			`# These files should be committed to the repository so that the test data is`
			`# available upon checkout without running a randomized process depending on`
			`# third-party tools.`
			`list_final:`
			`@printf '%s\n' $(all_final) \| sort`
Document test data makefile 2017-05-11 15:57:22 +00:00			`.PHONY: list_intermediate list_final`
Added SHA256 test certificates With SHA-1 deprecation, we need a few certificates using algorithms in the default support list. Most tests still use SHA-1 though. The generation process for the new certificates is recorded in the makefile. 2017-05-05 16:56:12 +00:00
Document test data makefile 2017-05-11 15:57:22 +00:00			`## Remove intermediate files`
Added SHA256 test certificates With SHA-1 deprecation, we need a few certificates using algorithms in the default support list. Most tests still use SHA-1 though. The generation process for the new certificates is recorded in the makefile. 2017-05-05 16:56:12 +00:00			`clean:`
			`rm -f $(all_intermediate)`
Document test data makefile 2017-05-11 15:57:22 +00:00			`## Remove all build products, even the ones that are committed`
Added SHA256 test certificates With SHA-1 deprecation, we need a few certificates using algorithms in the default support list. Most tests still use SHA-1 though. The generation process for the new certificates is recorded in the makefile. 2017-05-05 16:56:12 +00:00			`neat: clean`
			`rm -f $(all_final)`
Document test data makefile 2017-05-11 15:57:22 +00:00			`.PHONY: clean neat`