d19a41d9aa
For selection of test cases, see comments added in the commit. It makes the most sense to test with chains using ECC only, so for the chain of length 2 we use server10 -> int-ca3 -> int-ca2 and trust int-ca2 directly. Note: server10.crt was created by copying server10_int3_int-ca2.crt and manually truncating it to remove the intermediates. That base can now be used to create derived certs (without or with a chain) in a programmatic way.
162 lines
8.2 KiB
Makefile
162 lines
8.2 KiB
Makefile
## This file contains a record of how some of the test data was
|
|
## generated. The final build products are committed to the repository
|
|
## as well to make sure that the test data is identical. You do not
|
|
## need to use this makefile unless you're extending mbed TLS's tests.
|
|
|
|
## Many data files were generated prior to the existence of this
|
|
## makefile, so the method of their generation was not recorded.
|
|
|
|
## Note that in addition to depending on the version of the data
|
|
## generation tool, many of the build outputs are randomized, so
|
|
## running this makefile twice would not produce the same results.
|
|
|
|
## Tools
|
|
OPENSSL ?= openssl
|
|
FAKETIME ?= faketime
|
|
|
|
## Build the generated test data. Note that since the final outputs
|
|
## are committed to the repository, this target should do nothing on a
|
|
## fresh checkout. Furthermore, since the generation is randomized,
|
|
## re-running the same targets may result in differing files. The goal
|
|
## of this makefile is primarily to serve as a record of how the
|
|
## targets were generated in the first place.
|
|
default: all_final
|
|
|
|
all_intermediate := # temporary files
|
|
all_final := # files used by tests
|
|
|
|
|
|
|
|
################################################################
|
|
#### Generate certificates from existing keys
|
|
################################################################
|
|
|
|
test_ca_key_file_rsa = test-ca.key
|
|
test_ca_pwd_rsa = PolarSSLTest
|
|
test_ca_config_file = test-ca.opensslconf
|
|
|
|
test-ca.csr: $(test_ca_key_file_rsa) $(test_ca_config_file)
|
|
$(OPENSSL) req -new -config $(test_ca_config_file) -key $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -subj "/C=NL/O=PolarSSL/CN=PolarSSL Test CA" -out $@
|
|
all_intermediate += test-ca.csr
|
|
test-ca-sha1.crt: $(test_ca_key_file_rsa) $(test_ca_config_file) test-ca.csr
|
|
$(OPENSSL) req -x509 -config $(test_ca_config_file) -key $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 0 -days 3653 -sha1 -in test-ca.csr -out $@
|
|
all_final += test-ca-sha1.crt
|
|
test-ca-sha256.crt: $(test_ca_key_file_rsa) $(test_ca_config_file) test-ca.csr
|
|
$(OPENSSL) req -x509 -config $(test_ca_config_file) -key $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 0 -days 3653 -sha256 -in test-ca.csr -out $@
|
|
all_final += test-ca-sha256.crt
|
|
|
|
test_ca_key_file_rsa_alt = test-ca-alt.key
|
|
|
|
$(test_ca_key_file_rsa_alt):
|
|
$(OPENSSL) genrsa -out $@ 2048
|
|
test-ca-alt.csr: $(test_ca_key_file_rsa_alt) $(test_ca_config_file)
|
|
$(OPENSSL) req -new -config $(test_ca_config_file) -key $(test_ca_key_file_rsa_alt) -subj "/C=NL/O=PolarSSL/CN=PolarSSL Test CA" -out $@
|
|
all_intermediate += test-ca-alt.csr
|
|
test-ca-alt.crt: $(test_ca_key_file_rsa_alt) $(test_ca_config_file) test-ca-alt.csr
|
|
$(OPENSSL) req -x509 -config $(test_ca_config_file) -key $(test_ca_key_file_rsa_alt) -set_serial 0 -days 3653 -sha256 -in test-ca-alt.csr -out $@
|
|
all_final += test-ca-alt.crt
|
|
test-ca-alt-good.crt: test-ca-alt.crt test-ca-sha256.crt
|
|
cat test-ca-alt.crt test-ca-sha256.crt > $@
|
|
all_final += test-ca-alt-good.crt
|
|
test-ca-good-alt.crt: test-ca-alt.crt test-ca-sha256.crt
|
|
cat test-ca-sha256.crt test-ca-alt.crt > $@
|
|
all_final += test-ca-good-alt.crt
|
|
|
|
test_ca_crt_file_ec = test-ca2.crt
|
|
test_ca_key_file_ec = test-ca2.key
|
|
|
|
test-int-ca.csr: test-int-ca.key $(test_ca_config_file)
|
|
$(OPENSSL) req -new -config $(test_ca_config_file) -key test-int-ca.key -subj "/C=NL/O=PolarSSL/CN=PolarSSL Test Intermediate CA" -out $@
|
|
all_intermediate += test-int-ca.csr
|
|
test-int-ca-exp.crt: $(test_ca_crt_file_ec) $(test_ca_key_file_ec) $(test_ca_config_file) test-int-ca.csr
|
|
$(FAKETIME) -f -3653d $(OPENSSL) x509 -req -extfile $(test_ca_config_file) -extensions v3_ca -CA $(test_ca_crt_file_ec) -CAkey $(test_ca_key_file_ec) -set_serial 14 -days 3653 -sha256 -in test-int-ca.csr -out $@
|
|
all_final += test-int-ca-exp.crt
|
|
|
|
cli_crt_key_file_rsa = cli-rsa.key
|
|
cli_crt_extensions_file = cli.opensslconf
|
|
|
|
cli-rsa.csr: $(cli_crt_key_file_rsa)
|
|
$(OPENSSL) req -new -key $(cli_crt_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -subj "/C=NL/O=PolarSSL/CN=PolarSSL Client 2" -out $@
|
|
all_intermediate += cli-rsa.csr
|
|
cli-rsa-sha1.crt: $(cli_crt_key_file_rsa) test-ca-sha1.crt cli-rsa.csr
|
|
$(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA test-ca-sha1.crt -CAkey $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 4 -days 3653 -sha1 -in cli-rsa.csr -out $@
|
|
all_final += cli-rsa-sha1.crt
|
|
cli-rsa-sha256.crt: $(cli_crt_key_file_rsa) test-ca-sha256.crt cli-rsa.csr
|
|
$(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA test-ca-sha256.crt -CAkey $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 4 -days 3653 -sha256 -in cli-rsa.csr -out $@
|
|
all_final += cli-rsa-sha256.crt
|
|
|
|
server2-rsa.csr: server2.key
|
|
$(OPENSSL) req -new -key server2.key -passin "pass:$(test_ca_pwd_rsa)" -subj "/C=NL/O=PolarSSL/CN=localhost" -out $@
|
|
all_intermediate += server2-rsa.csr
|
|
server2-sha256.crt: server2-rsa.csr
|
|
$(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA test-ca-sha256.crt -CAkey $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 4 -days 3653 -sha256 -in server2-rsa.csr -out $@
|
|
all_final += server2-sha256.crt
|
|
|
|
test_ca_int_rsa1 = test-int-ca.crt
|
|
|
|
server7.csr: server7.key
|
|
$(OPENSSL) req -new -key server7.key -subj "/C=NL/O=PolarSSL/CN=localhost" -out $@
|
|
all_intermediate += server7.csr
|
|
server7-expired.crt: server7.csr $(test_ca_int_rsa1)
|
|
$(FAKETIME) -f -3653d $(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA $(test_ca_int_rsa1) -CAkey test-int-ca.key -set_serial 16 -days 3653 -sha256 -in server7.csr | cat - $(test_ca_int_rsa1) > $@
|
|
all_final += server7-expired.crt
|
|
server7-future.crt: server7.csr $(test_ca_int_rsa1)
|
|
$(FAKETIME) -f +3653d $(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA $(test_ca_int_rsa1) -CAkey test-int-ca.key -set_serial 16 -days 3653 -sha256 -in server7.csr | cat - $(test_ca_int_rsa1) > $@
|
|
all_final += server7-future.crt
|
|
server7-badsign.crt: server7.crt $(test_ca_int_rsa1)
|
|
{ head -n-2 $<; tail -n-2 $< | sed -e '1s/0\(=*\)$$/_\1/' -e '1s/[^_=]\(=*\)$$/0\1/' -e '1s/_/1/'; cat $(test_ca_int_rsa1); } > $@
|
|
all_final += server7-badsign.crt
|
|
server7_int-ca-exp.crt: server7.crt test-int-ca-exp.crt
|
|
cat server7.crt test-int-ca-exp.crt > $@
|
|
all_final += server7_int-ca-exp.crt
|
|
|
|
server5-ss-expired.crt: server5.key
|
|
$(FAKETIME) -f -3653d $(OPENSSL) req -x509 -new -subj "/C=UK/O=mbed TLS/OU=testsuite/CN=localhost" -days 3653 -sha256 -key $< -out $@
|
|
all_final += server5-ss-expired.crt
|
|
|
|
# try to forge a copy of test-int-ca3 with different key
|
|
server5-ss-forgeca.crt: server5.key
|
|
$(FAKETIME) '2015-09-01 14:08:43' $(OPENSSL) req -x509 -new -subj "/C=UK/O=mbed TLS/CN=mbed TLS Test intermediate CA 3" -set_serial 77 -config $(test_ca_config_file) -extensions noext_ca -days 3650 -sha256 -key $< -out $@
|
|
all_final += server5-ss-forgeca.crt
|
|
|
|
server10-badsign.crt: server10.crt
|
|
{ head -n-2 $<; tail -n-2 $< | sed -e '1s/0\(=*\)$$/_\1/' -e '1s/[^_=]\(=*\)$$/0\1/' -e '1s/_/1/'; } > $@
|
|
all_final += server10-badsign.crt
|
|
server10-bs_int3.pem: server10-badsign.crt test-int-ca3.crt
|
|
cat server10-badsign.crt test-int-ca3.crt > $@
|
|
all_final += server10-bs_int3.pem
|
|
test-int-ca3-badsign.crt: test-int-ca3.crt
|
|
{ head -n-2 $<; tail -n-2 $< | sed -e '1s/0\(=*\)$$/_\1/' -e '1s/[^_=]\(=*\)$$/0\1/' -e '1s/_/1/'; } > $@
|
|
all_final += test-int-ca3-badsign.crt
|
|
server10_int3-bs.pem: server10.crt test-int-ca3-badsign.crt
|
|
cat server10.crt test-int-ca3-badsign.crt > $@
|
|
all_final += server10-bs_int3-bs.pem
|
|
|
|
|
|
################################################################
|
|
#### Meta targets
|
|
################################################################
|
|
|
|
all_final: $(all_final)
|
|
all: $(all_intermediate) $(all_final)
|
|
|
|
.PHONY: default all_final all
|
|
|
|
# These files should not be committed to the repository.
|
|
list_intermediate:
|
|
@printf '%s\n' $(all_intermediate) | sort
|
|
# These files should be committed to the repository so that the test data is
|
|
# available upon checkout without running a randomized process depending on
|
|
# third-party tools.
|
|
list_final:
|
|
@printf '%s\n' $(all_final) | sort
|
|
.PHONY: list_intermediate list_final
|
|
|
|
## Remove intermediate files
|
|
clean:
|
|
rm -f $(all_intermediate)
|
|
## Remove all build products, even the ones that are committed
|
|
neat: clean
|
|
rm -f $(all_final)
|
|
.PHONY: clean neat
|