From 7e7776ec8b3d09f2ad00c55897e2437d39b0f398 Mon Sep 17 00:00:00 2001
From: Jacob Champion
Date: Fri, 12 Jul 2024 11:40:18 -0700
Subject: [PATCH 1/2] WIP: simplify .res generation

---
 src/test/ssl/sslfiles.mk | 49 ++++++++++++++--------------------------
 1 file changed, 17 insertions(+), 32 deletions(-)

diff --git a/src/test/ssl/sslfiles.mk b/src/test/ssl/sslfiles.mk
index fd92970698..9ba88f0be9 100644
--- a/src/test/ssl/sslfiles.mk
+++ b/src/test/ssl/sslfiles.mk
@@ -308,38 +308,23 @@ ssl/server-ca-ocsp-expired.idx: ssl/server_ca.crt ssl/server-ocsp-good.idx
 	cat ssl/server-ocsp-good.idx > $@; \
 	echo "V\t$$expiration_date\t\t$$serial_number\tunknown\t$$cert_subject" >> $@
 
-$(OCSPRES):
-# server-cn-only: 'good'
-ssl/server-ocsp-good.res: ssl/server-ocsp-good.idx ssl/server-cn-only.crt ssl/ocsp_ca.crt ssl/root+server_ca.crt
-	$(OPENSSL) ocsp -index $< -rsigner ssl/ocsp_ca.crt -rkey ssl/ocsp_ca.key -CA ssl/root+server_ca.crt -issuer ssl/server_ca.crt -ndays 10000 -cert ssl/server-cn-only.crt -respout $@
-
-# server-cn-only: 'revoked'
-ssl/server-ocsp-revoked.res: ssl/server-ocsp-revoked.idx ssl/server-cn-only.crt ssl/ocsp_ca.crt ssl/root+server_ca.crt
-	$(OPENSSL) ocsp -index $< -rsigner ssl/ocsp_ca.crt -rkey ssl/ocsp_ca.key -CA ssl/root+server_ca.crt -issuer ssl/server_ca.crt -ndays 10000 -cert ssl/server-cn-only.crt -respout $@
-
-# server-cn-only: 'unknown'
-ssl/server-ocsp-unknown.res: ssl/server-ocsp-unknown.idx ssl/server-cn-only.crt ssl/ocsp_ca.crt ssl/root+server_ca.crt
-	$(OPENSSL) ocsp -index $< -rsigner ssl/ocsp_ca.crt -rkey ssl/ocsp_ca.key -CA ssl/root+server_ca.crt -issuer ssl/server_ca.crt -ndays 10000 -cert ssl/server-cn-only.crt -respout $@
-
-# server-cn-only: 'expired'
-ssl/server-ocsp-expired.res: ssl/server-ocsp-expired.idx ssl/server-cn-only.crt ssl/ocsp_ca.crt ssl/root+server_ca.crt
-	$(OPENSSL) ocsp -index $< -rsigner ssl/ocsp_ca.crt -rkey ssl/ocsp_ca.key -CA ssl/root+server_ca.crt -issuer ssl/server_ca.crt -nmin 1 -cert ssl/server-cn-only.crt -respout $@
-
-# server-cn-only, server_ca: 'good, good'
-ssl/server-ca-ocsp-good.res: ssl/server-ca-ocsp-good.idx ssl/server-cn-only.crt ssl/ocsp_ca.crt ssl/root+server_ca.crt ssl/server_ca.crt
-	$(OPENSSL) ocsp -index $< -rsigner ssl/ocsp_ca.crt -rkey ssl/ocsp_ca.key -CA ssl/root+server_ca.crt -ndays 10000 -issuer ssl/server_ca.crt -cert ssl/server-cn-only.crt -issuer ssl/root_ca.crt -cert ssl/server_ca.crt -respout $@
-
-# server-cn-only, server_ca: 'good, revoked'
-ssl/server-ca-ocsp-revoked.res: ssl/server-ca-ocsp-revoked.idx ssl/server-cn-only.crt ssl/ocsp_ca.crt ssl/root+server_ca.crt ssl/server_ca.crt
-	$(OPENSSL) ocsp -index $< -rsigner ssl/ocsp_ca.crt -rkey ssl/ocsp_ca.key -CA ssl/root+server_ca.crt -ndays 10000 -issuer ssl/server_ca.crt -cert ssl/server-cn-only.crt -issuer ssl/root_ca.crt -cert ssl/server_ca.crt -respout $@
-
-# server-cn-only, server_ca: 'good, unknown'
-ssl/server-ca-ocsp-unknown.res: ssl/server-ca-ocsp-unknown.idx ssl/server-cn-only.crt ssl/ocsp_ca.crt ssl/root+server_ca.crt ssl/server_ca.crt
-	$(OPENSSL) ocsp -index $< -rsigner ssl/ocsp_ca.crt -rkey ssl/ocsp_ca.key -CA ssl/root+server_ca.crt -ndays 10000 -issuer ssl/server_ca.crt -cert ssl/server-cn-only.crt -issuer ssl/root_ca.crt -cert ssl/server_ca.crt -respout $@
-
-# server-cn-only, server_ca: 'good, expired'
-ssl/server-ca-ocsp-expired.res: ssl/server-ca-ocsp-expired.idx ssl/server-cn-only.crt ssl/ocsp_ca.crt ssl/root+server_ca.crt ssl/server_ca.crt
-	$(OPENSSL) ocsp -index $< -rsigner ssl/ocsp_ca.crt -rkey ssl/ocsp_ca.key -CA ssl/root+server_ca.crt -nmin 1 -issuer ssl/server_ca.crt -cert ssl/server-cn-only.crt -issuer ssl/root_ca.crt -cert ssl/server_ca.crt -respout $@
+# All of the responses have the server cert in the chain.
+OCSPCHAIN = -issuer ssl/server_ca.crt -cert ssl/server-cn-only.crt
+$(OCSPRES): ssl/server_ca.crt ssl/server-cn-only.crt
+
+# Additionally, the server CA is part of the server-ca-* responses.
+ssl/server-ca-%.res: OCSPCHAIN += -issuer ssl/root_ca.crt -cert ssl/server_ca.crt
+ssl/server-ca-%.res: ssl/root_ca.crt
+
+# Most responses should "never" expire, except the ones being explicitly tested
+# for expiration.
+OCSPEXP = -ndays 10000
+ssl/%-ocsp-expired.res: OCSPEXP = -nmin 1
+
+$(OCSPRES): ssl/%.res: ssl/%.idx ssl/ocsp_ca.crt ssl/ocsp_ca.key ssl/root+server_ca.crt
+	$(OPENSSL) ocsp -index $< -respout $@ -rsigner ssl/ocsp_ca.crt \
+	-rkey ssl/ocsp_ca.key -CA ssl/root+server_ca.crt \
+	$(OCSPEXP) $(OCSPCHAIN)
 
 #
 # CRLs
-- 
2.34.1
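Review bot: The added line `ssl/server-ca-%.res: ssl/root_ca.crt` does not attach ssl/root_ca.crt to the server-ca-* responses: a pattern rule with no recipe only cancels an implicit rule, and these targets already get their recipe from the static pattern rule `$(OCSPRES): ssl/%.res: ...` below, so no implicit-rule search ever reaches it. The pattern-specific `OCSPCHAIN +=` on the line above does apply (variable assignments match by target name), so the recipe passes `-issuer ssl/root_ca.crt` without a declared prerequisite, which is the same gap the removed server-ca-* rules had. An explicit rule over the filtered list records the dependency: `$(filter ssl/server-ca-%,$(OCSPRES)): ssl/root_ca.crt`. It may also be worth confirming on the project's minimum GNU make that `$<` still resolves to the .idx file now that `$(OCSPRES): ssl/server_ca.crt ssl/server-cn-only.crt` is read before the recipe-bearing rule. The leading context lines belong to the ssl/server-ca-ocsp-expired.idx recipe, which begins outside the hunk.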