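#-------------------------------------------------------------------------
#
# Makefile for src/test/ssl
#
# Portions Copyright (c) 1996-2021, PostgreSQL Global Development Group
# Portions Copyright (c) 1994, Regents of the University of California
#
# src/test/ssl/Makefile
#
#-------------------------------------------------------------------------

subdir = src/test/ssl
top_builddir = ../../..
include $(top_builddir)/src/Makefile.global

export with_ssl

# Every name here gets a ssl/<name>.key and a ssl/<name>.crt in SSLFILES.
CERTIFICATES := server_ca server-cn-and-alt-names \
	server-cn-only server-single-alt-name server-multiple-alt-names \
	server-no-names server-revoked server-ss \
	client_ca client client-dn client-revoked \
	root_ca

# The complete set of generated files, i.e. what sslfiles builds and what
# sslfiles-clean removes.
SSLFILES := $(CERTIFICATES:%=ssl/%.key) $(CERTIFICATES:%=ssl/%.crt) \
	ssl/server-password.key \
	ssl/client.crl ssl/server.crl ssl/root.crl \
	ssl/both-cas-1.crt ssl/both-cas-2.crt \
	ssl/root+server_ca.crt ssl/root+server.crl \
	ssl/root+client_ca.crt ssl/root+client.crl \
	ssl/client+client_ca.crt ssl/client-der.key \
	ssl/client-encrypted-pem.key ssl/client-encrypted-der.key

# Hashed CRL directories (OpenSSL CApath-style lookup, <hash>.r0 entries).
SSLDIRS := ssl/client-crldir ssl/server-crldir \
	ssl/root+client-crldir ssl/root+server-crldir

.PHONY: sslfiles sslfiles-clean check installcheck clean distclean maintainer-clean

# This target re-generates all the key and certificate files. Usually we just
# use the ones that are committed to the tree without rebuilding them.
#
# This target will fail unless preceded by sslfiles-clean: the CRL
# directories are created with a plain mkdir and the CA index/serial files
# are recreated from scratch.
#
# NOTE(review): the signing steps below all go through "openssl ca", which
# appears to keep per-CA state in ssl/*_ca-certindex and ssl/*_ca.srl, so
# signing several certificates against the same CA concurrently is presumably
# not safe -- build sslfiles without -j until that is confirmed.
sslfiles: $(SSLFILES) $(SSLDIRS)

# OpenSSL requires a directory to put all generated certificates in. We don't
# use this for anything, but we need a location. It is only ever an
# order-only prerequisite: its mtime changes every time a cert is signed into
# it, so a normal dependency would make the CA certs look stale.
ssl/new_certs_dir:
	mkdir ssl/new_certs_dir

# Rule for creating private/public key pairs.
# umask 077 makes the key 0600 from the moment openssl creates it, so the
# file never passes through a world-readable state before the chmod below.
ssl/%.key:
	umask 077 && openssl genrsa -out $@ 2048
	chmod 0600 $@

# Root CA certificate (self-signed).  cas.config and root_ca.config are real
# inputs, so changing either triggers a rebuild.
ssl/root_ca.crt: ssl/root_ca.key cas.config root_ca.config
	touch ssl/root_ca-certindex
	openssl req -new -out $@ -x509 -config cas.config -config root_ca.config -key $< -days 10000 -extensions v3_ca
	echo "01" > ssl/root_ca.srl

# Client and server CAs, signed by the root CA.
# Scratch files are derived from $@ so that two CA builds never share a temp
# name; sslfiles-clean removes ssl/*.tmp for the failed-build case.
ssl/%_ca.crt: ssl/%_ca.key %_ca.config cas.config ssl/root_ca.crt | ssl/new_certs_dir
	touch ssl/$*_ca-certindex
	echo "unique_subject=no" > ssl/$*_ca-certindex.attr
	openssl req -new -out $@.tmp -config cas.config -config $*_ca.config -key ssl/$*_ca.key
# Sign the certificate with the root CA
	openssl ca -name root_ca -batch -config cas.config -in $@.tmp -out $@.signed.tmp -extensions v3_ca
	openssl x509 -in $@.signed.tmp -out $@ # to keep just the PEM cert
	rm $@.tmp $@.signed.tmp
	echo "01" > ssl/$*_ca.srl

# Server certificates, signed by server CA:
ssl/server-%.crt: ssl/server-%.key ssl/server_ca.crt server-%.config cas.config
	openssl req -new -key ssl/server-$*.key -out ssl/server-$*.csr -config server-$*.config
	openssl ca -name server_ca -batch -config cas.config -in ssl/server-$*.csr -out $@.tmp -extensions v3_req -extfile server-$*.config
	openssl x509 -in $@.tmp -out $@ # to keep just the PEM cert
	rm ssl/server-$*.csr $@.tmp

# Self-signed version of server-cn-only.crt
ssl/server-ss.crt: ssl/server-cn-only.key ssl/server-cn-only.crt server-cn-only.config
	openssl req -new -key ssl/server-cn-only.key -out ssl/server-ss.csr -config server-cn-only.config
	openssl x509 -req -days 10000 -in ssl/server-ss.csr -signkey ssl/server-cn-only.key -out $@ -extensions v3_req -extfile server-cn-only.config
	rm ssl/server-ss.csr

# Password-protected version of server-cn-only.key
ssl/server-password.key: ssl/server-cn-only.key
	openssl rsa -aes256 -in $< -out $@ -passout 'pass:secret1'

# Client certificate, signed by the client CA:
ssl/client.crt: ssl/client.key ssl/client_ca.crt client.config cas.config
	openssl req -new -key ssl/client.key -out ssl/client.csr -config client.config
	openssl ca -name client_ca -batch -out $@.tmp -config cas.config -infiles ssl/client.csr
	openssl x509 -in $@.tmp -out $@ # to keep just the PEM cert
	rm ssl/client.csr $@.tmp

# Client certificate with multi-part DN, signed by the client CA:
ssl/client-dn.crt: ssl/client-dn.key ssl/client_ca.crt client-dn.config cas.config
	openssl req -new -key ssl/client-dn.key -out ssl/client-dn.csr -config client-dn.config
	openssl ca -name client_ca -batch -out $@.tmp -config cas.config -infiles ssl/client-dn.csr
	openssl x509 -in $@.tmp -out $@ # to keep just the PEM cert
	rm ssl/client-dn.csr $@.tmp

# Another client certificate, signed by the client CA. This one is revoked
# (see ssl/client.crl below). It deliberately reuses client.config.
ssl/client-revoked.crt: ssl/client-revoked.key ssl/client_ca.crt client.config cas.config
	openssl req -new -key ssl/client-revoked.key -out ssl/client-revoked.csr -config client.config
	openssl ca -name client_ca -batch -out $@.tmp -config cas.config -infiles ssl/client-revoked.csr
	openssl x509 -in $@.tmp -out $@ # to keep just the PEM cert
	rm ssl/client-revoked.csr $@.tmp

# Convert the key to DER, to test our behaviour there too
ssl/client-der.key: ssl/client.key
	openssl rsa -in $< -outform DER -out $@

# Convert the existing key to encrypted PEM (X.509 text) and DER (X.509 ASN.1) formats
# to test libpq's support for the sslpassword= option.
ssl/client-encrypted-pem.key: ssl/client.key
	openssl rsa -in $< -outform PEM -aes128 -passout 'pass:dUmmyP^#+' -out $@

ssl/client-encrypted-der.key: ssl/client.key
	openssl rsa -in $< -outform DER -aes128 -passout 'pass:dUmmyP^#+' -out $@

# Root certificate files that contains both CA certificates, for testing
# that multiple certificates can be used.
ssl/both-cas-1.crt: ssl/root_ca.crt ssl/client_ca.crt ssl/server_ca.crt
	cat $^ > $@

# The same, but the certs are in different order
ssl/both-cas-2.crt: ssl/root_ca.crt ssl/server_ca.crt ssl/client_ca.crt
	cat $^ > $@

# A root certificate file for the client, to validate server certs.
ssl/root+server_ca.crt: ssl/root_ca.crt ssl/server_ca.crt
	cat $^ > $@

# and for the server, to validate client certs
ssl/root+client_ca.crt: ssl/root_ca.crt ssl/client_ca.crt
	cat $^ > $@

ssl/client+client_ca.crt: ssl/client.crt ssl/client_ca.crt
	cat $^ > $@

#### CRLs

# Revoking updates the CA's index; the CRL is then generated from it.
ssl/client.crl: ssl/client-revoked.crt cas.config
	openssl ca -config cas.config -name client_ca -revoke ssl/client-revoked.crt
	openssl ca -config cas.config -name client_ca -gencrl -out $@

ssl/server.crl: ssl/server-revoked.crt cas.config
	openssl ca -config cas.config -name server_ca -revoke ssl/server-revoked.crt
	openssl ca -config cas.config -name server_ca -gencrl -out $@

# The root CA revokes nothing; its CRL exists only to complete the chain.
ssl/root.crl: ssl/root_ca.crt cas.config
	openssl ca -config cas.config -name root_ca -gencrl -out $@

# If a CRL is used, OpenSSL requires a CRL file for *all* the CAs in the
# chain, even if some of them are empty.
ssl/root+server.crl: ssl/root.crl ssl/server.crl
	cat $^ > $@
ssl/root+client.crl: ssl/root.crl ssl/client.crl
	cat $^ > $@

# Hashed CRL directories: every prerequisite CRL is copied in as
# <issuer-hash>.r0, which is how OpenSSL looks CRLs up in a directory.
# The recipe is shared; the four lines below only declare which CRLs go
# into which directory.
$(SSLDIRS):
	mkdir $@
	for crl in $^; do \
	  cp $$crl $@/`openssl crl -hash -noout -in $$crl`.r0 || exit 1; \
	done

ssl/root+server-crldir: ssl/server.crl ssl/root.crl
ssl/root+client-crldir: ssl/client.crl ssl/root.crl
ssl/server-crldir: ssl/server.crl
ssl/client-crldir: ssl/client.crl

# Removes everything sslfiles generates, including CA bookkeeping and any
# scratch files left behind by an interrupted signing step.
sslfiles-clean:
	rm -f $(SSLFILES) ssl/client_ca.srl ssl/server_ca.srl ssl/client_ca-certindex* ssl/server_ca-certindex* ssl/root_ca-certindex* ssl/root_ca.srl ssl/*.tmp ssl/*.csr
	rm -rf $(SSLDIRS)

clean distclean maintainer-clean:
	rm -rf tmp_check
	rm -rf ssl/*.old ssl/new_certs_dir ssl/client*_tmp.key

# Doesn't depend on $(SSLFILES) because we don't rebuild them by default
check:
	$(prove_check)

installcheck:
	$(prove_installcheck)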