build: Generate certificates for unit testing locally

2024-11-22 06:29:23 +01:00 · 2019-05-11 10:11:12 +02:00 · 2019-05-11 10:11:12 +02:00 · cde9933124
commit cde9933124
parent f3ed078adf
3 changed files with 92 additions and 29 deletions
--- a/Makefile.am
+++ b/Makefile.am
@ -325,11 +325,6 @@ if CLIENT
 unit_tests += unit/test-client
 endif

-
-ell_pem_files = cert-ca-key.pem cert-client-key.pem cert-client-key-pkcs8.pem \
-		cert-server-key.pem cert-server-key-pkcs8.pem \
-		cert-ca.pem cert-client.pem cert-server.pem
-
 if MAINTAINER_MODE
 noinst_PROGRAMS += $(unit_tests)
 endif
@ -404,7 +399,10 @@ unit_test_eapol_SOURCES = unit/test-eapol.c \
 				src/erp.h src/erp.c \
 				src/mschaputil.h src/mschaputil.c
 unit_test_eapol_LDADD = $(ell_ldadd)
-unit_test_eapol_DEPENDENCIES = ell/unit/test_data
+unit_test_eapol_DEPENDENCIES = unit/cert-server.pem \
+				unit/cert-server-key-pkcs8.pem \
+				unit/cert-client.pem \
+				unit/cert-client-key-pkcs8.pem

 unit_test_util_SOURCES = src/util.h src/util.c \
 				unit/test-util.c
@ -465,10 +463,12 @@ endif

 EXTRA_DIST = src/genbuiltin src/iwd.service.in src/net.connman.iwd.service \
 			wired/ead.service.in wired/net.connman.ead.service \
-			src/pkcs8.conf doc/main.conf $(manual_pages:.1=.txt)
+			src/pkcs8.conf unit/gencerts.cnf \
+			doc/main.conf $(manual_pages:.1=.txt)

 AM_CFLAGS = $(ell_cflags) -fvisibility=hidden \
-			-DELL_UNIT_TEST_DATA=\"$(abs_builddir)/ell/unit/\"
+				-DUNITDIR=\""$(top_srcdir)/unit/"\" \
+				-DCERTDIR=\""$(top_builddir)/unit/"\"

 CLEANFILES = src/iwd.service wired/ead.service

@ -483,6 +483,58 @@ DISTCLEANFILES = $(BUILT_SOURCES) $(unit_tests) $(manual_pages)

 MAINTAINERCLEANFILES = Makefile.in configure config.h.in aclocal.m4

+true_redirect_openssl = 2>&1
+false_redirect_openssl = 2>/dev/null
+
+unit/cert-ca-key.pem:
+	$(AM_V_GEN)openssl genrsa -out $@ 2048 $($(AM_V_P)_redirect_openssl)
+
+unit/cert-ca.pem: unit/cert-ca-key.pem unit/gencerts.cnf
+	$(AM_V_GEN)openssl req -x509 -new -nodes -extensions ca_ext \
+			-config $(srcdir)/unit/gencerts.cnf \
+			-subj '/O=International Union of Example Organizations/CN=Certificate issuer guy/emailAddress=ca@mail.example' \
+			-key $< -sha256 -days 10000 -out $@
+
+unit/cert-server-key.pem:
+	$(AM_V_GEN)openssl genrsa -out $@ $($(AM_V_P)_redirect_openssl)
+
+unit/cert-server-key-pkcs8.pem: unit/cert-server-key.pem
+	$(AM_V_GEN)openssl pkcs8 -topk8 -nocrypt -in $< -out $@
+
+unit/cert-server.csr: unit/cert-server-key.pem unit/gencerts.cnf
+	$(AM_V_GEN)openssl req -new -extensions cert_ext \
+			-config $(srcdir)/unit/gencerts.cnf \
+			-subj '/O=Foo Example Organization/CN=Foo Example Organization/emailAddress=foo@mail.example' \
+			-key $< -out $@
+
+unit/cert-server.pem: unit/cert-server.csr unit/cert-ca.pem unit/gencerts.cnf
+	$(AM_V_GEN)openssl x509 -req -extensions cert_ext \
+			-extfile $(srcdir)/unit/gencerts.cnf \
+			-in $< -CA $(builddir)/unit/cert-ca.pem \
+			-CAkey $(builddir)/unit/cert-ca-key.pem \
+			-CAserial $(builddir)/unit/cert-ca.srl \
+			-CAcreateserial -sha256 -days 10000 -out $@ $($(AM_V_P)_redirect_openssl)
+
+unit/cert-client-key.pem:
+	$(AM_V_GEN)openssl genrsa -out $@ $($(AM_V_P)_redirect_openssl)
+
+unit/cert-client-key-pkcs8.pem: unit/cert-client-key.pem
+	$(AM_V_GEN)openssl pkcs8 -topk8 -nocrypt -in $< -out $@
+
+unit/cert-client.csr: unit/cert-client-key.pem unit/gencerts.cnf
+	$(AM_V_GEN)openssl req -new -extensions cert_ext \
+			-config $(srcdir)/unit/gencerts.cnf \
+			-subj '/O=Bar Example Organization/CN=Bar Example Organization/emailAddress=bar@mail.example' \
+			-key $< -out $@
+
+unit/cert-client.pem: unit/cert-client.csr unit/cert-ca.pem unit/gencerts.cnf
+	$(AM_V_GEN)openssl x509 -req -extensions cert_ext \
+			-extfile $(srcdir)/unit/gencerts.cnf \
+			-in $< -CA $(builddir)/unit/cert-ca.pem \
+			-CAkey $(builddir)/unit/cert-ca-key.pem \
+			-CAserial $(builddir)/unit/cert-ca.srl \
+			-CAcreateserial -sha256 -days 10000 -out $@ $($(AM_V_P)_redirect_openssl)
+
 BUILT_SOURCES = $(ell_built_sources) src/builtin.h

 ell/internal: Makefile
@ -499,14 +551,6 @@ ell/ell.h: Makefile
 		echo "#include <$$f>" >> $@ ; \
 	done

-ell/unit/test_data: Makefile
-	$(AM_V_at)$(MKDIR_P) $(abs_builddir)/ell/unit
-	$(AM_V_GEN)for f in $(ell_pem_files) ; do \
-		if [ ! -f $$f ] ; then \
-			$(LN_S) -t $(abs_builddir)/ell/unit -f $(abs_srcdir)/../ell/unit/$$f ; \
-		fi \
-	done > $@
-
 SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \
 		$(SED) -e 's,@libexecdir\@,$(libexecdir),g' \
 		< $< > $@
@ -518,7 +562,7 @@ SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \
 	$(AM_V_GEN)$(A2X) --doctype manpage --format manpage $(srcdir)/$<

 clean-local:
-	-rm -rf $(abs_builddir)/ell/unit/*.pem $(abs_builddir)/ell/unit/test_data
+	-rm -f unit/cert-*.pem unit/cert-*.csr unit/cert-*.srl

 maintainer-clean-local:
 	-rm -rf build-aux ell
--- a/unit/gencerts.cnf
+++ b/unit/gencerts.cnf
@ -0,0 +1,19 @@
+[ req ]
+distinguished_name = req_distinguished_name
+
+[ req_distinguished_name ]
+
+[ ca_ext ]
+basicConstraints = CA:TRUE,pathlen:0
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+
+[ int_ext ]
+basicConstraints = CA:TRUE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+
+[ cert_ext ]
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
--- a/unit/test-eapol.c
+++ b/unit/test-eapol.c
@ -2947,9 +2947,9 @@ static void eapol_sm_test_tls(struct eapol_8021x_tls_test_state *s,
 	s->tx_buf_len = 0;
 	s->tx_buf_offset = 0;

-	assert(l_tls_set_auth_data(s->tls, ELL_UNIT_TEST_DATA "cert-server.pem",
-			ELL_UNIT_TEST_DATA "cert-server-key-pkcs8.pem", NULL));
-	assert(l_tls_set_cacert(s->tls, ELL_UNIT_TEST_DATA "cert-ca.pem"));
+	assert(l_tls_set_auth_data(s->tls, CERTDIR "cert-server.pem",
+				CERTDIR "cert-server-key-pkcs8.pem", NULL));
+	assert(l_tls_set_cacert(s->tls, CERTDIR "cert-ca.pem"));
 	assert(l_tls_start(s->tls));

 	start = 1;
@ -3113,9 +3113,9 @@ static void eapol_sm_test_eap_tls(const void *data)
 	static const char *eapol_8021x_config = "[Security]\n"
 		"EAP-Method=TLS\n"
 		"EAP-Identity=abc@example.com\n"
-		"EAP-TLS-CACert=" ELL_UNIT_TEST_DATA "cert-ca.pem\n"
-		"EAP-TLS-ClientCert=" ELL_UNIT_TEST_DATA "cert-client.pem\n"
-		"EAP-TLS-ClientKey=" ELL_UNIT_TEST_DATA "cert-client-key-pkcs8.pem";
+		"EAP-TLS-CACert=" CERTDIR "cert-ca.pem\n"
+		"EAP-TLS-ClientCert=" CERTDIR "cert-client.pem\n"
+		"EAP-TLS-ClientKey=" CERTDIR "cert-client-key-pkcs8.pem";
 	struct eapol_8021x_tls_test_state s;

 	s.app_data_cb = eapol_sm_test_tls_new_data;
@ -3189,9 +3189,9 @@ static void eapol_sm_test_eap_ttls_md5(const void *data)
 	static const char *eapol_8021x_config = "[Security]\n"
 		"EAP-Method=TTLS\n"
 		"EAP-Identity=abc@example.com\n"
-		"EAP-TTLS-CACert=" ELL_UNIT_TEST_DATA "cert-ca.pem\n"
-		"EAP-TTLS-ClientCert=" ELL_UNIT_TEST_DATA "cert-client.pem\n"
-		"EAP-TTLS-ClientKey=" ELL_UNIT_TEST_DATA "cert-client-key-pkcs8.pem\n"
+		"EAP-TTLS-CACert=" CERTDIR "cert-ca.pem\n"
+		"EAP-TTLS-ClientCert=" CERTDIR "cert-client.pem\n"
+		"EAP-TTLS-ClientKey=" CERTDIR "cert-client-key-pkcs8.pem\n"
 		"EAP-TTLS-Phase2-Method=MD5\n"
 		"EAP-TTLS-Phase2-Identity=abc@example.com\n"
 		"EAP-TTLS-Phase2-Password=testpasswd";
@ -3258,9 +3258,9 @@ static void eapol_sm_test_eap_nak(const void *data)
 	static const char *eapol_8021x_config = "[Security]\n"
 		"EAP-Method=TLS\n"
 		"EAP-Identity=abc@example.com\n"
-		"EAP-TLS-CACert=" ELL_UNIT_TEST_DATA "cert-ca.pem\n"
-		"EAP-TLS-ClientCert=" ELL_UNIT_TEST_DATA "cert-client.pem\n"
-		"EAP-TLS-ClientKey=" ELL_UNIT_TEST_DATA "cert-client-key-pkcs8.pem";
+		"EAP-TLS-CACert=" CERTDIR "cert-ca.pem\n"
+		"EAP-TLS-ClientCert=" CERTDIR "cert-client.pem\n"
+		"EAP-TLS-ClientKey=" CERTDIR "cert-client-key-pkcs8.pem";
 	static const unsigned char ap_wpa_ie[] = {
 		0xdd, 0x16, 0x00, 0x50, 0xf2, 0x01, 0x01, 0x00,
 		0x00, 0x50, 0xf2, 0x02, 0x01, 0x00, 0x00, 0x50,