From cde9933124b215b3194bfbd3e5b489f086d81093 Mon Sep 17 00:00:00 2001
From: Marcel Holtmann
Date: Sat, 11 May 2019 10:11:12 +0200
Subject: [PATCH] build: Generate certificates for unit testing locally
---
 Makefile.am | 78 ++++++++++++++++++++++++++++++++++++-----------
 unit/gencerts.cnf | 19 ++++++++++++
 unit/test-eapol.c | 24 +++++++-------
 3 files changed, 92 insertions(+), 29 deletions(-)
 create mode 100644 unit/gencerts.cnf
diff --git a/Makefile.am b/Makefile.am
index 27d2ba68..b4373f99 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -325,11 +325,6 @@ if CLIENT
 unit_tests += unit/test-client
 endif
-
-ell_pem_files = cert-ca-key.pem cert-client-key.pem cert-client-key-pkcs8.pem \
- cert-server-key.pem cert-server-key-pkcs8.pem \
- cert-ca.pem cert-client.pem cert-server.pem
-
 if MAINTAINER_MODE
 noinst_PROGRAMS += $(unit_tests)
 endif
@@ -404,7 +399,10 @@ unit_test_eapol_SOURCES = unit/test-eapol.c \
 src/erp.h src/erp.c \
 src/mschaputil.h src/mschaputil.c
 unit_test_eapol_LDADD = $(ell_ldadd)
-unit_test_eapol_DEPENDENCIES = ell/unit/test_data
+unit_test_eapol_DEPENDENCIES = unit/cert-server.pem \
+ unit/cert-server-key-pkcs8.pem \
+ unit/cert-client.pem \
+ unit/cert-client-key-pkcs8.pem
 unit_test_util_SOURCES = src/util.h src/util.c \
 unit/test-util.c
@@ -465,10 +463,12 @@ endif
 EXTRA_DIST = src/genbuiltin src/iwd.service.in src/net.connman.iwd.service \
 wired/ead.service.in wired/net.connman.ead.service \
- src/pkcs8.conf doc/main.conf $(manual_pages:.1=.txt)
+ src/pkcs8.conf unit/gencerts.cnf \
+ doc/main.conf $(manual_pages:.1=.txt)
 AM_CFLAGS = $(ell_cflags) -fvisibility=hidden \
- -DELL_UNIT_TEST_DATA=\"$(abs_builddir)/ell/unit/\"
+ -DUNITDIR=\""$(top_srcdir)/unit/"\" \
+ -DCERTDIR=\""$(top_builddir)/unit/"\"
 CLEANFILES = src/iwd.service wired/ead.service
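Review bot: The new `-DCERTDIR` and `-DUNITDIR` defines in the AM_CFLAGS hunk bake in `$(top_builddir)/unit/` and `$(top_srcdir)/unit/`, which Automake sets to relative paths (`.` for an in-tree build), so the compiled-in directory only resolves when the test binary's working directory is the top build directory; the define being replaced used `$(abs_builddir)`. Running unit/test-eapol from any other directory, or under a debugger or valgrind started elsewhere, would then trip the `assert(l_tls_set_auth_data(...))` / `assert(l_tls_set_cacert(...))` checks in test-eapol.c with no indication that a path was the cause. The absolute variants keep the old behaviour: `-DUNITDIR=\""$(abs_top_srcdir)/unit/"\" \` and `-DCERTDIR=\""$(abs_top_builddir)/unit/"\"`. Nothing in this patch consumes UNITDIR, so whether it is needed at all is not visible here.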
@@ -483,6 +483,58 @@ DISTCLEANFILES = $(BUILT_SOURCES) $(unit_tests) $(manual_pages)
 MAINTAINERCLEANFILES = Makefile.in configure config.h.in aclocal.m4
+true_redirect_openssl = 2>&1
+false_redirect_openssl = 2>/dev/null
+
+unit/cert-ca-key.pem:
+ $(AM_V_GEN)openssl genrsa -out $@ 2048 $($(AM_V_P)_redirect_openssl)
+
+unit/cert-ca.pem: unit/cert-ca-key.pem unit/gencerts.cnf
+ $(AM_V_GEN)openssl req -x509 -new -nodes -extensions ca_ext \
+ -config $(srcdir)/unit/gencerts.cnf \
+ -subj '/O=International Union of Example Organizations/CN=Certificate issuer guy/emailAddress=ca@mail.example' \
+ -key $< -sha256 -days 10000 -out $@
+
+unit/cert-server-key.pem:
+ $(AM_V_GEN)openssl genrsa -out $@ $($(AM_V_P)_redirect_openssl)
+
+unit/cert-server-key-pkcs8.pem: unit/cert-server-key.pem
+ $(AM_V_GEN)openssl pkcs8 -topk8 -nocrypt -in $< -out $@
+
+unit/cert-server.csr: unit/cert-server-key.pem unit/gencerts.cnf
+ $(AM_V_GEN)openssl req -new -extensions cert_ext \
+ -config $(srcdir)/unit/gencerts.cnf \
+ -subj '/O=Foo Example Organization/CN=Foo Example Organization/emailAddress=foo@mail.example' \
+ -key $< -out $@
+
+unit/cert-server.pem: unit/cert-server.csr unit/cert-ca.pem unit/gencerts.cnf
+ $(AM_V_GEN)openssl x509 -req -extensions cert_ext \
+ -extfile $(srcdir)/unit/gencerts.cnf \
+ -in $< -CA $(builddir)/unit/cert-ca.pem \
+ -CAkey $(builddir)/unit/cert-ca-key.pem \
+ -CAserial $(builddir)/unit/cert-ca.srl \
+ -CAcreateserial -sha256 -days 10000 -out $@ $($(AM_V_P)_redirect_openssl)
+
+unit/cert-client-key.pem:
+ $(AM_V_GEN)openssl genrsa -out $@ $($(AM_V_P)_redirect_openssl)
+
+unit/cert-client-key-pkcs8.pem: unit/cert-client-key.pem
+ $(AM_V_GEN)openssl pkcs8 -topk8 -nocrypt -in $< -out $@
+
+unit/cert-client.csr: unit/cert-client-key.pem unit/gencerts.cnf
+ $(AM_V_GEN)openssl req -new -extensions cert_ext \
+ -config $(srcdir)/unit/gencerts.cnf \
+ -subj '/O=Bar Example Organization/CN=Bar Example Organization/emailAddress=bar@mail.example' \
+ -key $< -out $@
+
+unit/cert-client.pem: unit/cert-client.csr unit/cert-ca.pem unit/gencerts.cnf
+ $(AM_V_GEN)openssl x509 -req -extensions cert_ext \
+ -extfile $(srcdir)/unit/gencerts.cnf \
+ -in $< -CA $(builddir)/unit/cert-ca.pem \
+ -CAkey $(builddir)/unit/cert-ca-key.pem \
+ -CAserial $(builddir)/unit/cert-ca.srl \
+ -CAcreateserial -sha256 -days 10000 -out $@ $($(AM_V_P)_redirect_openssl)
+
 BUILT_SOURCES = $(ell_built_sources) src/builtin.h
 ell/internal: Makefile
@@ -499,14 +551,6 @@ ell/ell.h: Makefile
 echo "#include <$$f>" >> $@ ; \
 done
-ell/unit/test_data: Makefile
- $(AM_V_at)$(MKDIR_P) $(abs_builddir)/ell/unit
- $(AM_V_GEN)for f in $(ell_pem_files) ; do \
- if [ ! -f $$f ] ; then \
- $(LN_S) -t $(abs_builddir)/ell/unit -f $(abs_srcdir)/../ell/unit/$$f ; \
- fi \
- done > $@
-
 SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \
 $(SED) -e 's,@libexecdir\@,$(libexecdir),g' \
 < $< > $@
@@ -518,7 +562,7 @@ SED_PROCESS = $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \
 $(AM_V_GEN)$(A2X) --doctype manpage --format manpage $(srcdir)/$<
 clean-local:
- -rm -rf $(abs_builddir)/ell/unit/*.pem $(abs_builddir)/ell/unit/test_data
+ -rm -f unit/cert-*.pem unit/cert-*.csr unit/cert-*.srl
 maintainer-clean-local:
 -rm -rf build-aux ell
diff --git a/unit/gencerts.cnf b/unit/gencerts.cnf
new file mode 100644
index 00000000..53287341
--- /dev/null
+++ b/unit/gencerts.cnf
@@ -0,0 +1,19 @@
+[ req ]
+distinguished_name = req_distinguished_name
+
+[ req_distinguished_name ]
+
+[ ca_ext ]
+basicConstraints = CA:TRUE,pathlen:0
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+
+[ int_ext ]
+basicConstraints = CA:TRUE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+
+[ cert_ext ]
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
diff --git a/unit/test-eapol.c b/unit/test-eapol.c
index b6891553..48a95cd8 100644
--- a/unit/test-eapol.c
+++ b/unit/test-eapol.c
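Review bot: The `unit/cert-server-key.pem` and `unit/cert-client-key.pem` rules run `openssl genrsa -out $@` with no key size, while the CA rule passes 2048; the end-entity key size then depends on the installed OpenSSL's default (1024 bits before OpenSSL 1.1.0), so the test keys can silently differ between hosts and be weaker than the CA key they chain to. Passing the size explicitly in both rules keeps them consistent: `$(AM_V_GEN)openssl genrsa -out $@ 2048 $($(AM_V_P)_redirect_openssl)`. The `cert-server.pem` and `cert-client.pem` rules both sign with `-CAserial unit/cert-ca.srl -CAcreateserial` and have no ordering between them (both are independent prerequisites via unit_test_eapol_DEPENDENCIES), so `make -j` can run the two signing steps concurrently on the same serial file; giving each cert a fixed serial with `-set_serial 1` / `-set_serial 2` and dropping the `-CAserial`/`-CAcreateserial` pair avoids the shared file entirely. The recipes also assume an `openssl` binary on PATH, and if configure.ac does not already probe for it (not visible in this patch) a MAINTAINER_MODE `make check` will fail with a bare command-not-found. Since `-nocrypt` keys are written with the default umask, a short comment above `true_redirect_openssl` stating that these are throwaway test credentials regenerated on every clean would keep them from being mistaken for reusable material.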
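Review bot: `[ ca_ext ]` sets `basicConstraints = CA:TRUE,pathlen:0` without the `critical` flag, but RFC 5280 §4.2.1.9 requires basicConstraints to be marked critical in CA certificates, so the generated root is slightly non-conforming and a validator that insists on criticality (whether ell's does is not visible here) would treat this chain differently from a real deployment. `basicConstraints = critical,CA:TRUE,pathlen:0` fixes the root, and the same applies to `[ int_ext ]`. No section sets `keyUsage` (keyCertSign/cRLSign for the CA, digitalSignature for the end entities), so the test certificates assert nothing about how their keys may be used, which leaves any keyUsage enforcement in the TLS code unexercised. `[ int_ext ]` is not referenced by any rule in this patch; if it is reserved for a future intermediate-CA test, a comment such as `# int_ext: reserved for intermediate-CA chain tests, unused for now` would stop it being removed as dead config.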
@@ -2947,9 +2947,9 @@ static void eapol_sm_test_tls(struct eapol_8021x_tls_test_state *s,
 s->tx_buf_len = 0;
 s->tx_buf_offset = 0;
- assert(l_tls_set_auth_data(s->tls, ELL_UNIT_TEST_DATA "cert-server.pem",
- ELL_UNIT_TEST_DATA "cert-server-key-pkcs8.pem", NULL));
- assert(l_tls_set_cacert(s->tls, ELL_UNIT_TEST_DATA "cert-ca.pem"));
+ assert(l_tls_set_auth_data(s->tls, CERTDIR "cert-server.pem",
+ CERTDIR "cert-server-key-pkcs8.pem", NULL));
+ assert(l_tls_set_cacert(s->tls, CERTDIR "cert-ca.pem"));
 assert(l_tls_start(s->tls));
 start = 1;
@@ -3113,9 +3113,9 @@ static void eapol_sm_test_eap_tls(const void *data)
 static const char *eapol_8021x_config = "[Security]\n"
 "EAP-Method=TLS\n"
 "EAP-Identity=abc@example.com\n"
- "EAP-TLS-CACert=" ELL_UNIT_TEST_DATA "cert-ca.pem\n"
- "EAP-TLS-ClientCert=" ELL_UNIT_TEST_DATA "cert-client.pem\n"
- "EAP-TLS-ClientKey=" ELL_UNIT_TEST_DATA "cert-client-key-pkcs8.pem";
+ "EAP-TLS-CACert=" CERTDIR "cert-ca.pem\n"
+ "EAP-TLS-ClientCert=" CERTDIR "cert-client.pem\n"
+ "EAP-TLS-ClientKey=" CERTDIR "cert-client-key-pkcs8.pem";
 struct eapol_8021x_tls_test_state s;
 s.app_data_cb = eapol_sm_test_tls_new_data;
@@ -3189,9 +3189,9 @@ static void eapol_sm_test_eap_ttls_md5(const void *data)
 static const char *eapol_8021x_config = "[Security]\n"
 "EAP-Method=TTLS\n"
 "EAP-Identity=abc@example.com\n"
- "EAP-TTLS-CACert=" ELL_UNIT_TEST_DATA "cert-ca.pem\n"
- "EAP-TTLS-ClientCert=" ELL_UNIT_TEST_DATA "cert-client.pem\n"
- "EAP-TTLS-ClientKey=" ELL_UNIT_TEST_DATA "cert-client-key-pkcs8.pem\n"
+ "EAP-TTLS-CACert=" CERTDIR "cert-ca.pem\n"
+ "EAP-TTLS-ClientCert=" CERTDIR "cert-client.pem\n"
+ "EAP-TTLS-ClientKey=" CERTDIR "cert-client-key-pkcs8.pem\n"
 "EAP-TTLS-Phase2-Method=MD5\n"
 "EAP-TTLS-Phase2-Identity=abc@example.com\n"
 "EAP-TTLS-Phase2-Password=testpasswd";
@@ -3258,9 +3258,9 @@ static void eapol_sm_test_eap_nak(const void *data)
 static const char *eapol_8021x_config = "[Security]\n"
 "EAP-Method=TLS\n"
 "EAP-Identity=abc@example.com\n"
- "EAP-TLS-CACert=" ELL_UNIT_TEST_DATA "cert-ca.pem\n"
- "EAP-TLS-ClientCert=" ELL_UNIT_TEST_DATA "cert-client.pem\n"
- "EAP-TLS-ClientKey=" ELL_UNIT_TEST_DATA "cert-client-key-pkcs8.pem";
+ "EAP-TLS-CACert=" CERTDIR "cert-ca.pem\n"
+ "EAP-TLS-ClientCert=" CERTDIR "cert-client.pem\n"
+ "EAP-TLS-ClientKey=" CERTDIR "cert-client-key-pkcs8.pem";
 static const unsigned char ap_wpa_ie[] = {
 0xdd, 0x16, 0x00, 0x50, 0xf2, 0x01, 0x01, 0x00, 0x00, 0x50, 0xf2, 0x02, 0x01, 0x00, 0x00, 0x50,