#	$OpenBSD: Makefile,v 1.3 2020/12/26 14:42:09 bluhm Exp $

# Generated test material: every key, CSR, certificate and bundle is a .pem.
CLEANFILES +=	*.pem
# CA bookkeeping: the serial and index files created below, plus .attr/.old
# companions (presumably left next to them by `openssl ca` -- confirm).
CLEANFILES +=	*.serial *.txt *.attr *.old

# Start each regress run from scratch with new keys and CA database, so no
# private key or issued-certificate record carries over between runs.
REGRESS_SETUP_ONCE +=	clean

# Seed one serial file per CA with the value 1000.  The signing rules below
# list stamp-root.serial / stamp-intermediate.serial as prerequisites; which
# file each CA reads is set in the .cnf files, not visible here.
REGRESS_SETUP_ONCE +=	root.serial intermediate.serial
root.serial intermediate.serial:
	echo 1000 >${.TARGET}

# Create one empty file per CA (presumably the `openssl ca` index database
# named in root.cnf / intermediate.cnf -- confirm against those files).
REGRESS_SETUP_ONCE +=	root.txt intermediate.txt
root.txt intermediate.txt:
	true >${.TARGET}

# Vanna Vanna make me a root cert
# Root CA private key, RSA 4096.  No cipher option is given, so the key is
# stored unencrypted; acceptable only because it is throwaway regress
# material that the `clean` setup step removes.  stamp-clean is not defined
# in this file (presumably provided by bsd.regress.mk for REGRESS_SETUP_ONCE).
root.key.pem: stamp-clean
	# generate root rsa 4096 key
	openssl genrsa -out ${.TARGET} 4096

# Self-signed root certificate (-new -x509): SHA-256 signature, 365 days of
# validity, extensions from the v3_ca section of root.cnf.
# -batch keeps openssl from prompting, so the run is non-interactive.
root.cert.pem: root.cnf root.key.pem stamp-root.serial stamp-root.txt
	# generate root cert
	openssl req -batch -config ${.CURDIR}/root.cnf -key root.key.pem \
	    -new -x509 -days 365 -sha256 -extensions v3_ca -out ${.TARGET}

# Make intermediate
# Intermediate CA private key, RSA 2048, written unencrypted (no cipher
# option); regenerated after every clean because of the stamp-clean
# prerequisite.
intermediate.key.pem: stamp-clean
	# generate intermediate rsa 2048 key
	openssl genrsa -out ${.TARGET} 2048

# Certificate signing request for the intermediate CA, signed with its own
# key using SHA-256.  No -subj is passed, so the subject has to come from
# intermediate.cnf.
intermediate.csr.pem: intermediate.cnf intermediate.key.pem
	# generate intermediate req
	openssl req -batch -config ${.CURDIR}/intermediate.cnf -new -sha256 \
	  -key intermediate.key.pem -out ${.TARGET}

# Sign intermediate
# The root CA (root.cnf) issues the intermediate certificate from its CSR:
# v3_intermediate_ca extensions, SHA-256, valid for 10 days only.
# -notext keeps the human-readable dump out of the output file.
intermediate.cert.pem: root.cnf root.cert.pem intermediate.csr.pem \
    stamp-intermediate.serial stamp-intermediate.txt
	# sign intermediate
	openssl ca -batch -config ${.CURDIR}/root.cnf \
	    -extensions v3_intermediate_ca -days 10 -notext -md sha256 \
	    -in intermediate.csr.pem -out ${.TARGET}

# Verify intermediate
# Regress test: the intermediate certificate must validate with the root
# certificate as the only trust anchor handed to `openssl verify`.
REGRESS_TARGETS +=	run-verify-intermediate
run-verify-intermediate: root.cert.pem intermediate.cert.pem
	# validate intermediate CA
	openssl verify -CAfile root.cert.pem intermediate.cert.pem

# Bundle the intermediate followed by the root into one PEM file; the leaf
# verify targets pass this bundle as -CAfile.
chain.pem: intermediate.cert.pem root.cert.pem
	cat intermediate.cert.pem root.cert.pem > ${.TARGET}

# Make a server certificate
# Server private key, RSA 2048, unencrypted on disk (no cipher option);
# test-only material, rebuilt after each clean via stamp-clean.
server.key.pem: stamp-clean
	# genrsa server
	openssl genrsa -out ${.TARGET} 2048

# Server CSR: the subject is given explicitly with -subj (CN=server), the
# remaining request settings come from intermediate.cnf.
server.csr.pem: intermediate.cnf server.key.pem
	# server req
	openssl req -batch -config ${.CURDIR}/intermediate.cnf -new -sha256 \
	    -subj '/CN=server/O=OpenBSD/OU=So and Sos/C=CA' \
	    -key server.key.pem -out ${.TARGET}

# Sign server key
# The intermediate CA (intermediate.cnf) issues the server certificate with
# the server_cert extension section, SHA-256, valid for 5 days.
server.cert.pem: intermediate.cnf intermediate.cert.pem server.csr.pem
	# server sign
	openssl ca -batch -config ${.CURDIR}/intermediate.cnf \
	    -extensions server_cert -days 5 -notext -md sha256 \
	    -in server.csr.pem -out ${.TARGET}

# Make a client certificate
# Client private key, RSA 2048, unencrypted on disk (no cipher option);
# test-only material, rebuilt after each clean via stamp-clean.
client.key.pem: stamp-clean
	# genrsa client
	openssl genrsa -out ${.TARGET} 2048

# Client CSR with an explicit subject (CN=client).
# NOTE(review): unlike server.csr.pem this rule also lists
# intermediate.cert.pem as a prerequisite although the recipe never reads
# it -- confirm whether the asymmetry is intended.
client.csr.pem: intermediate.cnf intermediate.cert.pem client.key.pem
	# client req
	openssl req -batch -config ${.CURDIR}/intermediate.cnf -new -sha256 \
	    -subj '/CN=client/O=OpenBSD/OU=So and Sos/C=CA' \
	    -key client.key.pem -out ${.TARGET}

# Sign client key
# The intermediate CA issues the client certificate with the usr_cert
# extension section, SHA-256, valid for 5 days.
client.cert.pem: intermediate.cnf intermediate.cert.pem client.csr.pem
	# client sign
	openssl ca -batch -config ${.CURDIR}/intermediate.cnf \
	    -extensions usr_cert -days 5 -notext -md sha256 \
	    -in client.csr.pem -out ${.TARGET}

# Verify server with intermediate
# Regress test: the server certificate must validate for the sslserver
# purpose against chain.pem.
# NOTE(review): chain.pem holds the intermediate as well as the root, and
# -CAfile treats every certificate in the file as trusted.  Passing the
# intermediate via -untrusted with only the root in -CAfile would exercise
# path building from the root alone -- confirm which is intended.
REGRESS_TARGETS +=	run-verify-server
run-verify-server: chain.pem server.cert.pem
	# validate server cert
	openssl verify -purpose sslserver -CAfile chain.pem server.cert.pem

# Verify client with intermediate
# Regress test: the client certificate must validate for the sslclient
# purpose against chain.pem.
# NOTE(review): the intermediate sits in the -CAfile bundle and is therefore
# loaded as a trusted certificate, not as an untrusted chain element --
# confirm that this is the path the test means to cover.
REGRESS_TARGETS +=	run-verify-client
run-verify-client: chain.pem client.cert.pem
	# validate client cert
	openssl verify -purpose sslclient -CAfile chain.pem client.cert.pem

# Regress framework include.  The stamp-* prerequisites used above are not
# defined in this file; presumably this include derives them from
# REGRESS_SETUP_ONCE and runs the REGRESS_TARGETS entries -- confirm.
.include <bsd.regress.mk>