build: Generate certificates for unit testing locally

Makefile.am

@@ -325,11 +325,6 @@ if CLIENT
 unit_tests += unit/test-client
 endif
 
-
-ell_pem_files = cert-ca-key.pem cert-client-key.pem cert-client-key-pkcs8.pem \
-		cert-server-key.pem cert-server-key-pkcs8.pem \
-		cert-ca.pem cert-client.pem cert-server.pem
-
 if MAINTAINER_MODE
 noinst_PROGRAMS += $(unit_tests)
 endif
@@ -404,7 +399,10 @@ unit_test_eapol_SOURCES = unit/test-eapol.c \
 				src/erp.h src/erp.c \
 				src/mschaputil.h src/mschaputil.c
 unit_test_eapol_LDADD = $(ell_ldadd)
-unit_test_eapol_DEPENDENCIES = ell/unit/test_data
+unit_test_eapol_DEPENDENCIES = unit/cert-server.pem \
+				unit/cert-server-key-pkcs8.pem \
+				unit/cert-client.pem \
+				unit/cert-client-key-pkcs8.pem
 
 unit_test_util_SOURCES = src/util.h src/util.c \
 				unit/test-util.c
@@ -465,10 +463,12 @@ endif
 
 EXTRA_DIST = src/genbuiltin src/iwd.service.in src/net.connman.iwd.service \
 			wired/ead.service.in wired/net.connman.ead.service \
-			src/pkcs8.conf doc/main.conf $(manual_pages:.1=.txt)
+			src/pkcs8.conf unit/gencerts.cnf \
+			doc/main.conf $(manual_pages:.1=.txt)
 
 AM_CFLAGS = $(ell_cflags) -fvisibility=hidden \
-			-DELL_UNIT_TEST_DATA=\"$(abs_builddir)/ell/unit/\"
+				-DUNITDIR=\""$(top_srcdir)/unit/"\" \
+				-DCERTDIR=\""$(top_builddir)/unit/"\"
 
 CLEANFILES = src/iwd.service wired/ead.service
 
@@ -483,6 +483,58 @@ DISTCLEANFILES = $(BUILT_SOURCES) $(unit_tests) $(manual_pages)
 
 MAINTAINERCLEANFILES = Makefile.in configure config.h.in aclocal.m4
 
+true_redirect_openssl = 2>&1
+false_redirect_openssl = 2>/dev/null
+
+unit/cert-ca-key.pem:
+	$(AM_V_GEN)openssl genrsa -out $@ 2048 $($(AM_V_P)_redirect_openssl)
+
+unit/cert-ca.pem: unit/cert-ca-key.pem unit/gencerts.cnf
+	$(AM_V_GEN)openssl req -x509 -new -nodes -extensions ca_ext \
+			-config $(srcdir)/unit/gencerts.cnf \
+			-subj '/O=International Union of Example Organizations/CN=Certificate issuer guy/emailAddress=ca@mail.example' \
+			-key $< -sha256 -days 10000 -out $@
+
+unit/cert-server-key.pem:
+	$(AM_V_GEN)openssl genrsa -out $@ $($(AM_V_P)_redirect_openssl)
+
+unit/cert-server-key-pkcs8.pem: unit/cert-server-key.pem
+	$(AM_V_GEN)openssl pkcs8 -topk8 -nocrypt -in $< -out $@
+
+unit/cert-server.csr: unit/cert-server-key.pem unit/gencerts.cnf
+	$(AM_V_GEN)openssl req -new -extensions cert_ext \
+			-config $(srcdir)/unit/gencerts.cnf \
+			-subj '/O=Foo Example Organization/CN=Foo Example Organization/emailAddress=foo@mail.example' \
+			-key $< -out $@
+
+unit/cert-server.pem: unit/cert-server.csr unit/cert-ca.pem unit/gencerts.cnf
+	$(AM_V_GEN)openssl x509 -req -extensions cert_ext \
+			-extfile $(srcdir)/unit/gencerts.cnf \
+			-in $< -CA $(builddir)/unit/cert-ca.pem \
+			-CAkey $(builddir)/unit/cert-ca-key.pem \
+			-CAserial $(builddir)/unit/cert-ca.srl \
+			-CAcreateserial -sha256 -days 10000 -out $@ $($(AM_V_P)_redirect_openssl)
+
+unit/cert-client-key.pem:
+	$(AM_V_GEN)openssl genrsa -out $@ $($(AM_V_P)_redirect_openssl)
+
+unit/cert-client-key-pkcs8.pem: unit/cert-client-key.pem
+	$(AM_V_GEN)openssl pkcs8 -topk8 -nocrypt -in $< -out $@
+
+unit/cert-client.csr: unit/cert-client-key.pem unit/gencerts.cnf
+	$(AM_V_GEN)openssl req -new -extensions cert_ext \
+			-config $(srcdir)/unit/gencerts.cnf \
+			-subj '/O=Bar Example Organization/CN=Bar Example Organization/emailAddress=bar@mail.example' \
+			-key $< -out $@
+
+unit/cert-client.pem: unit/cert-client.csr unit/cert-ca.pem unit/gencerts.cnf
+	$(AM_V_GEN)openssl x509 -req -extensions cert_ext \
+			-extfile $(srcdir)/unit/gencerts.cnf \
+			-in $< -CA $(builddir)/unit/cert-ca.pem \
+			-CAkey $(builddir)/unit/cert-ca-key.pem \
+			-CAserial $(builddir)/unit/cert-ca.srl \
+			-CAcreateserial -sha256 -days 10000 -out $@ $($(AM_V_P)_redirect_openssl)
+
 BUILT_SOURCES = $(ell_built_sources) src/builtin.h
 
 ell/internal: Makefile
@@ -499,14 +551,6 @@ ell/ell.h: Makefile
 		echo "#include <$$f>" >> $@ ; \
 	done
 
-ell/unit/test_data: Makefile
-	$(AM_V_at)$(MKDIR_P) $(abs_builddir)/ell/unit
-	$(AM_V_GEN)for f in $(ell_pem_files) ; do \
-		if [ ! -f $$f ] ; then \
-			$(LN_S) -t $(abs_builddir)/ell/unit -f $(abs_srcdir)/../ell/unit/$$f ; \
-		fi \
-	done > $@
-
 SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \
 		$(SED) -e 's,@libexecdir\@,$(libexecdir),g' \
 		< $< > $@
@@ -518,7 +562,7 @@ SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \
 	$(AM_V_GEN)$(A2X) --doctype manpage --format manpage $(srcdir)/$<
 
 clean-local:
-	-rm -rf $(abs_builddir)/ell/unit/*.pem $(abs_builddir)/ell/unit/test_data
+	-rm -f unit/cert-*.pem unit/cert-*.csr unit/cert-*.srl
 
 maintainer-clean-local:
 	-rm -rf build-aux ell

unit/gencerts.cnf

@@ -0,0 +1,19 @@
+[ req ]
+distinguished_name = req_distinguished_name
+
+[ req_distinguished_name ]
+
+[ ca_ext ]
+basicConstraints = CA:TRUE,pathlen:0
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+
+[ int_ext ]
+basicConstraints = CA:TRUE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+
+[ cert_ext ]
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always

unit/test-eapol.c

@@ -2947,9 +2947,9 @@ static void eapol_sm_test_tls(struct eapol_8021x_tls_test_state *s,
 	s->tx_buf_len = 0;
 	s->tx_buf_offset = 0;
 
-	assert(l_tls_set_auth_data(s->tls, ELL_UNIT_TEST_DATA "cert-server.pem",
-			ELL_UNIT_TEST_DATA "cert-server-key-pkcs8.pem", NULL));
-	assert(l_tls_set_cacert(s->tls, ELL_UNIT_TEST_DATA "cert-ca.pem"));
+	assert(l_tls_set_auth_data(s->tls, CERTDIR "cert-server.pem",
+				CERTDIR "cert-server-key-pkcs8.pem", NULL));
+	assert(l_tls_set_cacert(s->tls, CERTDIR "cert-ca.pem"));
 	assert(l_tls_start(s->tls));
 
 	start = 1;
@@ -3113,9 +3113,9 @@ static void eapol_sm_test_eap_tls(const void *data)
 	static const char *eapol_8021x_config = "[Security]\n"
 		"EAP-Method=TLS\n"
 		"EAP-Identity=abc@example.com\n"
-		"EAP-TLS-CACert=" ELL_UNIT_TEST_DATA "cert-ca.pem\n"
-		"EAP-TLS-ClientCert=" ELL_UNIT_TEST_DATA "cert-client.pem\n"
-		"EAP-TLS-ClientKey=" ELL_UNIT_TEST_DATA "cert-client-key-pkcs8.pem";
+		"EAP-TLS-CACert=" CERTDIR "cert-ca.pem\n"
+		"EAP-TLS-ClientCert=" CERTDIR "cert-client.pem\n"
+		"EAP-TLS-ClientKey=" CERTDIR "cert-client-key-pkcs8.pem";
 	struct eapol_8021x_tls_test_state s;
 
 	s.app_data_cb = eapol_sm_test_tls_new_data;
@@ -3189,9 +3189,9 @@ static void eapol_sm_test_eap_ttls_md5(const void *data)
 	static const char *eapol_8021x_config = "[Security]\n"
 		"EAP-Method=TTLS\n"
 		"EAP-Identity=abc@example.com\n"
-		"EAP-TTLS-CACert=" ELL_UNIT_TEST_DATA "cert-ca.pem\n"
-		"EAP-TTLS-ClientCert=" ELL_UNIT_TEST_DATA "cert-client.pem\n"
-		"EAP-TTLS-ClientKey=" ELL_UNIT_TEST_DATA "cert-client-key-pkcs8.pem\n"
+		"EAP-TTLS-CACert=" CERTDIR "cert-ca.pem\n"
+		"EAP-TTLS-ClientCert=" CERTDIR "cert-client.pem\n"
+		"EAP-TTLS-ClientKey=" CERTDIR "cert-client-key-pkcs8.pem\n"
 		"EAP-TTLS-Phase2-Method=MD5\n"
 		"EAP-TTLS-Phase2-Identity=abc@example.com\n"
 		"EAP-TTLS-Phase2-Password=testpasswd";
@@ -3258,9 +3258,9 @@ static void eapol_sm_test_eap_nak(const void *data)
 	static const char *eapol_8021x_config = "[Security]\n"
 		"EAP-Method=TLS\n"
 		"EAP-Identity=abc@example.com\n"
-		"EAP-TLS-CACert=" ELL_UNIT_TEST_DATA "cert-ca.pem\n"
-		"EAP-TLS-ClientCert=" ELL_UNIT_TEST_DATA "cert-client.pem\n"
-		"EAP-TLS-ClientKey=" ELL_UNIT_TEST_DATA "cert-client-key-pkcs8.pem";
+		"EAP-TLS-CACert=" CERTDIR "cert-ca.pem\n"
+		"EAP-TLS-ClientCert=" CERTDIR "cert-client.pem\n"
+		"EAP-TLS-ClientKey=" CERTDIR "cert-client-key-pkcs8.pem";
 	static const unsigned char ap_wpa_ie[] = {
 		0xdd, 0x16, 0x00, 0x50, 0xf2, 0x01, 0x01, 0x00,
 		0x00, 0x50, 0xf2, 0x02, 0x01, 0x00, 0x00, 0x50,