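VERSION := 1.1.1-otterize
# Linker flags shared by every release binary: embed VERSION into cmd.Version
# and strip the symbol and DWARF tables (-w -s). Recursive (=) so a VERSION
# given on the command line or by an including makefile is honoured.
GO_LDFLAGS = -X 'github.com/aws/rolesanywhere-credential-helper/cmd.Version=$(VERSION)' -w -s
# Static Linux builds for both architectures: CGO disabled, -trimpath keeps
# local filesystem paths out of the binaries. Outputs land in build/bin/.
# Phony: "release" is a command, not a file, so a stray file of that name
# must not make it look up to date.
.PHONY: release
release:
	GOARCH=amd64 GOOS=linux CGO_ENABLED=0 go build -ldflags "$(GO_LDFLAGS)" -trimpath -o build/bin/aws_signing_helper_amd64 main.go
	GOARCH=arm64 GOOS=linux CGO_ENABLED=0 go build -ldflags "$(GO_LDFLAGS)" -trimpath -o build/bin/aws_signing_helper_arm64 main.go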
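# Setting up SoftHSM for PKCS#11 tests.
# This portion is largely copied from https://gitlab.com/openconnect/openconnect/-/blob/v9.12/tests/Makefile.am#L363.
# Both tools are pointed at the *.tmp config; the real tst/softhsm2.conf is only
# moved into place after the token has been populated (see that rule).
SHM2_UTIL := SOFTHSM2_CONF=tst/softhsm2.conf.tmp softhsm2-util
P11TOOL := SOFTHSM2_CONF=tst/softhsm2.conf.tmp p11tool
certsdir := tst/certs
# Simple expansion on purpose: with recursive `=` the `pwd` fork was re-run on
# every reference of $(curdir). The value is the directory make was started in.
curdir := $(shell pwd)
# Fixture inventory. Names encode the parameters the generating rules parse back
# out of the target: rsa-<bits>-key.pem, ec-<curve>-key.pem, <key>-<digest>-cert.pem.
RSAKEYS := $(foreach keylen,1024 2048 4096,$(certsdir)/rsa-$(keylen)-key.pem)
ECKEYS := $(foreach curve,prime256v1 secp384r1,$(certsdir)/ec-$(curve)-key.pem)
PKCS8KEYS := $(patsubst %-key.pem,%-key-pkcs8.pem,$(RSAKEYS) $(ECKEYS))
# md5/sha1 certs are generated deliberately (presumably for negative tests of
# deprecated digests -- confirm against the Go tests); one cert per key per digest.
ECCERTS := $(foreach digest,sha1 sha256 sha384 sha512,$(patsubst %-key.pem,%-$(digest)-cert.pem,$(ECKEYS)))
RSACERTS := $(foreach digest,md5 sha1 sha256 sha384 sha512,$(patsubst %-key.pem,%-$(digest)-cert.pem,$(RSAKEYS)))
PKCS12CERTS := $(patsubst %-cert.pem,%.p12,$(RSACERTS) $(ECCERTS))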
# It's hard to do a file-based rule for the contents of the SoftHSM token.
# So just populate it as a side-effect of creating the softhsm2.conf file.
# The config is first written to $@.tmp, which is the path SHM2_UTIL/P11TOOL
# read, so the final tst/softhsm2.conf only exists once every object below has
# been written; a failing step leaves the previous config (if any) untouched.
# The SO PIN (12345678), user PIN (1234) and token label are throw-away values
# for this local test token only.
tst/softhsm2.conf: tst/softhsm2.conf.template $(PKCS8KEYS) $(RSACERTS) $(ECCERTS)
# Start from an empty token store (presumably the directory named in the template -- confirm).
	rm -rf tst/softhsm/*
# Template -> config, with the absolute source dir substituted for @top_srcdir@.
	sed 's|@top_srcdir@|${curdir}|g' $< > $@.tmp
	$(SHM2_UTIL) --show-slots
	$(SHM2_UTIL) --init-token --free --label credential-helper-test \
		--so-pin 12345678 --pin 1234
# Objects 01 and 02: an RSA-2048 and an EC P-256 private key, each followed by
# its SHA-256 certificate under the same label and id.
	$(SHM2_UTIL) --token credential-helper-test --pin 1234 \
		--import $(certsdir)/rsa-2048-key-pkcs8.pem --label rsa-2048 --id 01
	$(P11TOOL) --load-certificate $(certsdir)/rsa-2048-sha256-cert.pem \
		--no-mark-private --label rsa-2048 --id 01 --set-pin 1234 --login \
		--write "pkcs11:token=credential-helper-test;pin-value=1234"
	$(SHM2_UTIL) --token credential-helper-test --pin 1234 \
		--import $(certsdir)/ec-prime256v1-key-pkcs8.pem --label ec-prime256v1 --id 02
	$(P11TOOL) --load-certificate $(certsdir)/ec-prime256v1-sha256-cert.pem \
		--no-mark-private --label ec-prime256v1 --id 02 --set-pin 1234 --login \
		--write "pkcs11:token=credential-helper-test;pin-value=1234"
# Objects 03 and 04: the same two keys again, marked always-authenticate
# (presumably to exercise the per-operation re-login path -- confirm in the tests).
	$(P11TOOL) --load-privkey $(certsdir)/rsa-2048-key-pkcs8.pem \
		--label rsa-2048-always-auth --id 03 --set-pin 1234 --login \
		--write "pkcs11:token=credential-helper-test;pin-value=1234" \
		--mark-always-authenticate
	$(P11TOOL) --load-privkey $(certsdir)/ec-prime256v1-key-pkcs8.pem \
		--label ec-prime256v1-always-auth --id 04 --set-pin 1234 --login \
		--write "pkcs11:token=credential-helper-test;pin-value=1234" \
		--mark-always-authenticate
# Publish the config only now that the token is complete.
	mv $@.tmp $@
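# Run the Go test suite against the generated fixtures and the SoftHSM token.
# SOFTHSM2_CONF is passed as an absolute path (the generated config itself
# carries absolute paths, so the tests presumably do not run from this dir).
# Phony so that a file named "test" can never shadow this target.
.PHONY: test
test: test-certs tst/softhsm2.conf
	SOFTHSM2_CONF=$(curdir)/tst/softhsm2.conf go test -v ./...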
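# Every self-signed test certificate is produced by the same command; only the
# signature digest differs, so it is the one argument: $(call gen_cert,<digest>).
# The CN is the target's basename without "-cert.pem" (e.g. rsa-2048-sha256).
# md5 and sha1 are generated on purpose for the test suite; they are not a
# recommendation for anything outside tst/.
gen_cert = SUBJ=$$(echo "$@" | sed -r 's|.*/([^/]+)-cert.pem|\1|'); \
	openssl req -x509 -new -key $< -out $@ -days 10000 -subj "/CN=roles-anywhere-$${SUBJ}" -$(1)
%-md5-cert.pem: %-key.pem
	$(call gen_cert,md5)
%-sha1-cert.pem: %-key.pem
	$(call gen_cert,sha1)
%-sha256-cert.pem: %-key.pem
	$(call gen_cert,sha256)
%-sha384-cert.pem: %-key.pem
	$(call gen_cert,sha384)
%-sha512-cert.pem: %-key.pem
	$(call gen_cert,sha512)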
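# Go PKCS#12 only supports SHA1 and 3DES!!
# The legacy MAC/PBE algorithms are therefore deliberate so the Go side can
# read these fixtures; they are test artefacts, not guidance for real bundles.
# This variant has an empty export password. The %-pass.p12 prerequisite is
# only listed (ls -l) here; key and cert are located by rewriting the target
# name: <key>-<digest>.p12 -> <key>-key.pem and <key>-<digest>-cert.pem.
# The sed patterns anchor on "\.p12$" so a literal "." is matched, not any char.
%.p12: %-pass.p12
	echo Creating $@...
	ls -l $<
	KEY=$$(echo "$@" | sed 's/-[^-]*\.p12$$/-key.pem/'); \
	CERT=$$(echo "$@" | sed 's/\.p12$$/-cert.pem/'); \
	openssl pkcs12 -export -passout pass: -macalg SHA1 \
		-certpbe pbeWithSHA1And3-KeyTripleDES-CBC \
		-keypbe pbeWithSHA1And3-KeyTripleDES-CBC \
		-inkey "$${KEY}" -out "$@" -in "$${CERT}"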
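# And once again, it's hard to do a file-based rule for the contents of the certificate store.
# So just populate it as a side-effect of creating the p12 file.
# NOTE(review): nothing in this recipe writes to a certificate store -- the
# comment above looks carried over from the softhsm2.conf rule; confirm.
# Password-protected ("test") PKCS#12 built from the cert ($<) and the key
# recovered from the target name: <key>-<digest>-pass.p12 -> <key>-key.pem.
# The sed pattern is anchored on "-pass\.p12$" so "." is matched literally.
%-pass.p12: %-cert.pem
	echo Creating $@...
	ls -l $<
	KEY=$$(echo "$@" | sed 's/-[^-]*-pass\.p12$$/-key.pem/'); \
	openssl pkcs12 -export -passout pass:test -macalg SHA1 \
		-certpbe pbeWithSHA1And3-KeyTripleDES-CBC \
		-keypbe pbeWithSHA1And3-KeyTripleDES-CBC \
		-inkey "$${KEY}" -out "$@" -in "$<"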
# Re-encode a private key as unencrypted PKCS#8, the form softhsm2-util imports
# into the test token. -nocrypt: these are throw-away test keys, no passphrase.
%-pkcs8.pem: %.pem
	openssl pkcs8 -topk8 -nocrypt -inform PEM -outform PEM -in "$<" -out "$@"
# One RSA key per length in RSAKEYS. The modulus size is read back out of the
# target name (rsa-<bits>-key.pem) with patsubst instead of a shell sed pipe.
$(RSAKEYS):
	openssl genrsa -out "$@" $(patsubst $(certsdir)/rsa-%-key.pem,%,$@)
# One EC key per curve in ECKEYS. The curve name is read back out of the
# target name (ec-<curve>-key.pem) with patsubst instead of a shell sed pipe.
$(ECKEYS):
	openssl ecparam -name $(patsubst $(certsdir)/ec-%-key.pem,%,$@) -genkey -out "$@"
# Plain concatenation of every generated certificate into one PEM bundle,
# RSA certs first, then EC, in the order the lists declare them.
$(certsdir)/cert-bundle.pem: $(RSACERTS) $(ECCERTS)
	cat $(RSACERTS) $(ECCERTS) > "$@"
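# Same bundle, but with a non-PEM text line after every certificate
# (presumably to exercise the parser's handling of interleaved comments).
# Fixes vs. the previous recipe: it appended (>>) straight into $@, so every
# rebuild grew the file with duplicate entries; it now starts from an empty
# temp file and moves it into place only when complete. printf replaces
# echo "...\n", whose output differed between shells (dash expands \n, bash
# prints it literally); the dash behaviour (text plus a blank line) is kept.
$(certsdir)/cert-bundle-with-comments.pem: $(RSACERTS) $(ECCERTS)
	: > "$@.tmp"
	for dep in $^; do \
		cat "$$dep" >> "$@.tmp"; \
		printf 'Comment in bundle\n\n' >> "$@.tmp"; \
	done
	mv -f "$@.tmp" "$@"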
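# Aggregate target: every fixture the Go tests need (keys, PKCS#8 copies, certs,
# PKCS#12 bundles, the two PEM bundles and the SoftHSM token/config).
# Phony: it is a collection, not a file, and must not be shadowed by one.
.PHONY: test-certs
test-certs: $(PKCS8KEYS) $(RSAKEYS) $(ECKEYS) $(RSACERTS) $(ECCERTS) $(PKCS12CERTS) $(certsdir)/cert-bundle.pem $(certsdir)/cert-bundle-with-comments.pem tst/softhsm2.conf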
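# Remove everything test-certs generates, plus the SoftHSM token state.
# Only files this Makefile creates are touched.
# Fixes vs. the previous recipe: it deleted $(certsdir)/cert-with-comments.pem,
# a name nothing here produces, so cert-bundle-with-comments.pem was left
# behind; the leftover softhsm2.conf.tmp from an aborted token build and the
# intermediate *-pass.p12 files are now removed as well.
.PHONY: test-clean
test-clean:
	rm -f $(RSAKEYS) $(ECKEYS)
	rm -f $(PKCS8KEYS)
	rm -f $(RSACERTS) $(ECCERTS)
	rm -f $(PKCS12CERTS) $(PKCS12CERTS:.p12=-pass.p12)
	rm -f $(certsdir)/cert-bundle.pem
	rm -f $(certsdir)/cert-bundle-with-comments.pem
	rm -f tst/softhsm2.conf tst/softhsm2.conf.tmp
	rm -rf tst/softhsm/*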