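#-------------------------------------------------------------------------
#
# Makefile for src/test/ssl
#
# Portions Copyright (c) 1996-2017, PostgreSQL Global Development Group
# Portions Copyright (c) 1994, Regents of the University of California
#
# src/test/ssl/Makefile
#
#-------------------------------------------------------------------------

subdir = src/test/ssl
top_builddir = ../../..
include $(top_builddir)/src/Makefile.global

# Everything generated below is TEST-ONLY key material: the private keys sit
# next to their certificates in the tree, the certificates are valid for
# ~27 years (-days 10000) and the CA databases live in the source tree.
# None of it may be used for anything but these regression tests.

# The CA databases (ssl/*_ca-certindex, ssl/*_ca.srl) and the fixed scratch
# files (ssl/temp.crt, ssl/temp_ca*.crt) are shared between several rules,
# and "openssl ca" does not lock its database, so two certificates being
# signed at once would corrupt it.  Serialize this Makefile under "make -j".
.NOTPARALLEL:

# A recipe that fails half-way (e.g. openssl req writing directly to the
# target) must not leave a truncated key or certificate that looks up to date.
.DELETE_ON_ERROR:

CERTIFICATES := server_ca server-cn-and-alt-names \
	server-cn-only server-single-alt-name server-multiple-alt-names \
	server-no-names server-revoked server-ss \
	client_ca client client-revoked \
	root_ca

SSLFILES := $(CERTIFICATES:%=ssl/%.key) $(CERTIFICATES:%=ssl/%.crt) \
	ssl/client.crl ssl/server.crl ssl/root.crl \
	ssl/both-cas-1.crt ssl/both-cas-2.crt \
	ssl/root+server_ca.crt ssl/root+server.crl \
	ssl/root+client_ca.crt ssl/root+client.crl \
	ssl/client+client_ca.crt

# This target generates all the key and certificate files.
.PHONY: sslfiles
sslfiles: $(SSLFILES)

# Openssl requires a directory to put all generated certificates in. We don't
# use this for anything, but we need a location.  It is an order-only
# prerequisite below: its mtime changes every time a certificate is signed,
# which must not trigger re-signing of the CA certificates.
ssl/new_certs_dir:
	mkdir -p $@

# Rule for creating private keys.  The umask keeps the key from being
# world-readable in the window between creation and the chmod.
ssl/%.key:
	umask 077 && openssl genrsa -out $@ 2048
	chmod 0600 $@

# Root CA certificate (self-signed); the client and server CAs chain to it.
# NOTE(review): "openssl req" honours only the last -config option, so
# cas.config is probably ignored on this command line -- confirm before
# relying on anything it sets.
ssl/root_ca.crt: ssl/root_ca.key cas.config root_ca.config
	touch ssl/root_ca-certindex
	openssl req -new -out ssl/root_ca.crt -x509 -config cas.config -config root_ca.config -key ssl/root_ca.key -days 10000 -extensions v3_ca
	echo "01" > ssl/root_ca.srl

# Client and server CAs, each signed by the root CA.  unique_subject=no is
# needed because two certificates issued by a CA may share a subject
# (client.crt and client-revoked.crt are both generated from client.config).
ssl/%_ca.crt: ssl/%_ca.key %_ca.config cas.config ssl/root_ca.crt | ssl/new_certs_dir
	touch ssl/$*_ca-certindex
	echo "unique_subject=no" > ssl/$*_ca-certindex.attr
	openssl req -new -out ssl/temp_ca.crt -config cas.config -config $*_ca.config -key ssl/$*_ca.key
# Sign the certificate with the root CA
	openssl ca -name root_ca -batch -config cas.config -in ssl/temp_ca.crt -out ssl/temp_ca_signed.crt -extensions v3_ca
	openssl x509 -in ssl/temp_ca_signed.crt -out ssl/$*_ca.crt # to keep just the PEM cert
	rm ssl/temp_ca.crt ssl/temp_ca_signed.crt
	echo "01" > ssl/$*_ca.srl

# Server certificates, signed by the server CA.  The X.509 extensions come
# from the v3_req section of the per-certificate config (-extfile), not from
# the CA config.
ssl/server-%.crt: ssl/server-%.key ssl/server_ca.crt server-%.config cas.config
	openssl req -new -key ssl/server-$*.key -out ssl/server-$*.csr -config server-$*.config
	openssl ca -name server_ca -batch -config cas.config -in ssl/server-$*.csr -out ssl/temp.crt -extensions v3_req -extfile server-$*.config
	openssl x509 -in ssl/temp.crt -out ssl/server-$*.crt # to keep just the PEM cert
	rm ssl/server-$*.csr ssl/temp.crt

# Self-signed version of server-cn-only.crt: same key and subject as
# server-cn-only.crt, but signed with its own key, so it chains to no CA.
ssl/server-ss.crt: ssl/server-cn-only.key ssl/server-cn-only.crt server-cn-only.config
	openssl req -new -key ssl/server-cn-only.key -out ssl/server-ss.csr -config server-cn-only.config
	openssl x509 -req -days 10000 -in ssl/server-ss.csr -signkey ssl/server-cn-only.key -out ssl/server-ss.crt -extensions v3_req -extfile server-cn-only.config
	rm ssl/server-ss.csr

# Client certificate, signed by the client CA.  Both config files it is
# built from are prerequisites, so editing either regenerates it.
ssl/client.crt: ssl/client.key ssl/client_ca.crt client.config cas.config
	openssl req -new -key ssl/client.key -out ssl/client.csr -config client.config
	openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client.csr
	openssl x509 -in ssl/temp.crt -out ssl/client.crt # to keep just the PEM cert
	rm ssl/client.csr ssl/temp.crt

# Another client certificate, signed by the client CA. This one is revoked
# (see ssl/client.crl below); it is generated exactly like ssl/client.crt.
ssl/client-revoked.crt: ssl/client-revoked.key ssl/client_ca.crt client.config cas.config
	openssl req -new -key ssl/client-revoked.key -out ssl/client-revoked.csr -config client.config
	openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client-revoked.csr
	openssl x509 -in ssl/temp.crt -out ssl/client-revoked.crt # to keep just the PEM cert
	rm ssl/client-revoked.csr ssl/temp.crt

# Root certificate files that contains both CA certificates, for testing
# that multiple certificates can be used.
ssl/both-cas-1.crt: ssl/root_ca.crt ssl/client_ca.crt ssl/server_ca.crt
	cat $^ > $@

# The same, but the certs are in different order
ssl/both-cas-2.crt: ssl/root_ca.crt ssl/server_ca.crt ssl/client_ca.crt
	cat $^ > $@

# A root certificate file for the client, to validate server certs.
ssl/root+server_ca.crt: ssl/root_ca.crt ssl/server_ca.crt
	cat $^ > $@

# and for the server, to validate client certs
ssl/root+client_ca.crt: ssl/root_ca.crt ssl/client_ca.crt
	cat $^ > $@

# The client certificate followed by its issuing CA, i.e. a chain file.
ssl/client+client_ca.crt: ssl/client.crt ssl/client_ca.crt
	cat $^ > $@

#### CRLs

# -revoke records the revocation in the CA database, and openssl ca refuses
# to revoke a serial that is already marked revoked.  These rules therefore
# only work against a fresh CA database: run sslfiles-clean before
# regenerating the CRLs.
ssl/client.crl: ssl/client-revoked.crt cas.config
	openssl ca -config cas.config -name client_ca -revoke ssl/client-revoked.crt
	openssl ca -config cas.config -name client_ca -gencrl -out ssl/client.crl

ssl/server.crl: ssl/server-revoked.crt cas.config
	openssl ca -config cas.config -name server_ca -revoke ssl/server-revoked.crt
	openssl ca -config cas.config -name server_ca -gencrl -out ssl/server.crl

# The root CA revokes nothing; this is an empty CRL (see below for why it is
# still needed).
ssl/root.crl: ssl/root_ca.crt cas.config
	openssl ca -config cas.config -name root_ca -gencrl -out ssl/root.crl

# If a CRL is used, OpenSSL requires a CRL file for *all* the CAs in the
# chain, even if some of them are empty.
ssl/root+server.crl: ssl/root.crl ssl/server.crl
	cat $^ > $@
ssl/root+client.crl: ssl/root.crl ssl/client.crl
	cat $^ > $@

# Remove every generated artefact, including the CA databases, scratch files,
# leftover CSRs from a failed run and the directory openssl ca copies newly
# issued certificates into.
.PHONY: sslfiles-clean
sslfiles-clean:
	rm -f $(SSLFILES) ssl/client_ca.srl ssl/server_ca.srl ssl/client_ca-certindex* ssl/server_ca-certindex* ssl/root_ca-certindex* ssl/root_ca.srl ssl/temp_ca.crt ssl/temp_ca_signed.crt ssl/temp.crt ssl/*.csr
	rm -rf ssl/new_certs_dir

.PHONY: clean distclean maintainer-clean check
clean distclean maintainer-clean:
	rm -rf tmp_check

check:
	$(prove_check)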