1#-------------------------------------------------------------------------
2#
3# Makefile for src/test/ssl
4#
5# Portions Copyright (c) 1996-2021, PostgreSQL Global Development Group
6# Portions Copyright (c) 1994, Regents of the University of California
7#
8# src/test/ssl/Makefile
9#
10#-------------------------------------------------------------------------
11
# Where this directory sits in the tree, and the shared PostgreSQL build
# definitions (they supply prove_check, prove_installcheck and with_ssl).
subdir = src/test/ssl
top_builddir = ../../..
include $(top_builddir)/src/Makefile.global

# Make the configured SSL library name visible to the TAP tests
# (presumably so they can skip themselves when the build has no SSL).
export with_ssl
17
# Every key/certificate pair that "make sslfiles" generates; each name here
# becomes ssl/<name>.key and ssl/<name>.crt.
# NOTE(review): ssl/server-ss.key is produced from this list by the generic
# key rule, but the server-ss.crt rule signs with ssl/server-cn-only.key, so
# that key appears to be unused.
CERTIFICATES := server_ca server-cn-and-alt-names \
	server-cn-only server-single-alt-name server-multiple-alt-names \
	server-no-names server-revoked server-ss \
	client_ca client client-dn client-revoked \
	root_ca

# All files sslfiles produces: the pairs above plus the derived artefacts --
# a passphrase-protected server key, the CRLs, the concatenated trust
# bundles, and alternative encodings of the client key.
SSLFILES := $(patsubst %,ssl/%.key,$(CERTIFICATES)) \
	$(patsubst %,ssl/%.crt,$(CERTIFICATES)) \
	ssl/server-password.key \
	ssl/client.crl ssl/server.crl ssl/root.crl \
	ssl/both-cas-1.crt ssl/both-cas-2.crt \
	ssl/root+server_ca.crt ssl/root+server.crl \
	ssl/root+client_ca.crt ssl/root+client.crl \
	ssl/client+client_ca.crt ssl/client-der.key \
	ssl/client-encrypted-pem.key ssl/client-encrypted-der.key

# Directories holding CRLs under their hashed names, for OpenSSL's
# directory-style CRL lookup.
SSLDIRS := ssl/client-crldir ssl/server-crldir \
	ssl/root+client-crldir ssl/root+server-crldir
35
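# This target re-generates all the key and certificate files. Usually we just
# use the ones that are committed to the tree without rebuilding them.
#
# This target will fail unless preceded by sslfiles-clean: the CRL rules
# revoke certificates in the CA index databases (a second -revoke of the same
# certificate is an error), and the crldir rules create their directories
# with a plain mkdir.
#
# sslfiles is not a file, so it is declared phony; otherwise a stray file
# named "sslfiles" would make the whole target look up to date.
.PHONY: sslfiles
sslfiles: $(SSLFILES) $(SSLDIRS)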
42
# `openssl ca` insists on a directory in which to drop a copy of every
# certificate it signs. Nothing here reads those copies, but the directory
# has to exist before any CA signing happens.
ssl/new_certs_dir:
	mkdir $@
47
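# Rule for creating private/public key pairs (2048-bit RSA). Every ssl/*.key
# without a more specific rule below is produced here; explicit rules such as
# ssl/server-password.key take precedence over this pattern.
#
# These are test-only keys committed to the tree, but the key file must still
# never be readable by other users -- not even for the instant between
# `openssl genrsa` creating it and chmod tightening it. The file is therefore
# created under a restrictive umask (same shell, hence the &&), and the chmod
# keeps the final mode explicit and independent of the caller's umask.
ssl/%.key:
	umask 077 && openssl genrsa -out $@ 2048
	chmod 0600 $@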
52
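# Root CA certificate: self-signed (-x509), 10000 days, with the v3_ca
# extensions so it can sign the client and server CAs below.
#
# The recipe reads root_ca.config as well as cas.config, so both are
# prerequisites. Besides $@ it also seeds the root CA's database -- an empty
# index and a serial counter starting at 01 -- which `openssl ca -name
# root_ca` uses when signing the intermediate CAs.
# NOTE(review): `openssl req` honours only the last -config it is given, so
# cas.config here appears to be overridden by root_ca.config; confirm that
# root_ca.config carries everything the request needs.
ssl/root_ca.crt: ssl/root_ca.key cas.config root_ca.config
	touch ssl/root_ca-certindex
	openssl req -new -out $@ -x509 -config cas.config -config root_ca.config -key $< -days 10000 -extensions v3_ca
	echo "01" > ssl/root_ca.srl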
58
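# Client and server CAs, each signed by the root CA. The stem is "client" or
# "server"; ssl/root_ca.crt has its own explicit rule above and never falls
# through to this pattern.
#
# ssl/new_certs_dir is an order-only prerequisite (after the |): it only has
# to exist. `openssl ca` puts a copy of every certificate it signs in there,
# which bumps the directory's mtime; as a normal prerequisite that would make
# the CA certificate look stale on the next run and get it regenerated,
# silently orphaning every certificate already issued under it.
ssl/%_ca.crt: ssl/%_ca.key %_ca.config ssl/root_ca.crt | ssl/new_certs_dir
# Fresh, empty CA database. unique_subject=no is needed because client.crt
# and client-revoked.crt are both issued from client.config, i.e. with the
# same subject.
	touch ssl/$*_ca-certindex
	echo "unique_subject=no" > ssl/$*_ca-certindex.attr
	openssl req -new -out ssl/temp_ca.crt -config cas.config -config $*_ca.config -key ssl/$*_ca.key
# Sign the certificate with the root CA; v3_ca marks the result as a CA.
	openssl ca -name root_ca -batch -config cas.config -in ssl/temp_ca.crt -out ssl/temp_ca_signed.crt -extensions v3_ca
	openssl x509 -in ssl/temp_ca_signed.crt -out ssl/$*_ca.crt # to keep just the PEM cert
	rm ssl/temp_ca.crt ssl/temp_ca_signed.crt
	echo "01" > ssl/$*_ca.srl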
69
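# Server certificates, signed by server CA. The stem is everything after
# "server-" (cn-only, no-names, revoked, ...); ssl/server-ss.crt has its own
# explicit rule below, and ssl/server_ca.crt does not match this pattern.
# The v3 extensions (subjectAltName etc.) are read from server-%.config via
# -extfile, which is why that file is a prerequisite.
ssl/server-%.crt: ssl/server-%.key ssl/server_ca.crt server-%.config
	openssl req -new -key $< -out ssl/server-$*.csr -config server-$*.config
	openssl ca -name server_ca -batch -config cas.config -in ssl/server-$*.csr -out ssl/temp.crt  -extensions v3_req -extfile server-$*.config
	openssl x509 -in ssl/temp.crt -out $@ # to keep just the PEM cert
# Remove both scratch files, as the client-certificate rules do; no clean
# target knows about ssl/temp.crt, so leaving it would litter the tree.
	rm ssl/server-$*.csr ssl/temp.crt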
76
# Self-signed variant of server-cn-only: same key and same request config,
# but signed with that key itself (-signkey) rather than by the server CA,
# presumably so the tests can check that a client trusting only the CA chain
# rejects it.
ssl/server-ss.crt: ssl/server-cn-only.key ssl/server-cn-only.crt server-cn-only.config
	openssl req -new -config server-cn-only.config -key $< -out ssl/server-ss.csr
	openssl x509 -req -in ssl/server-ss.csr -signkey $< -extfile server-cn-only.config -extensions v3_req -days 10000 -out $@
	rm ssl/server-ss.csr
82
# AES-256-encrypted copy of server-cn-only.key. The passphrase is deliberately
# public test data (the tests must supply it when loading the key); do not
# copy this pattern for real keys -- a passphrase on the command line shows
# up in process listings and in make's echoed output.
ssl/server-password.key: ssl/server-cn-only.key
	openssl rsa -in $< -aes256 -passout 'pass:secret1' -out $@
86
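# Client certificate, signed by the client CA. The request is built from
# client.config, so that file is a prerequisite (as it already is for
# client-revoked.crt, which uses the same config and hence the same subject).
# Note that -infiles must stay the last option: `openssl ca` treats every
# argument after it as an input file.
ssl/client.crt: ssl/client.key ssl/client_ca.crt client.config
	openssl req -new -key $< -out ssl/client.csr -config client.config
	openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client.csr
	openssl x509 -in ssl/temp.crt -out $@ # to keep just the PEM cert
	rm ssl/client.csr ssl/temp.crt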
93
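# Client certificate with multi-part DN, signed by the client CA. The subject
# comes from client-dn.config, so that file is a prerequisite: editing it must
# trigger a re-issue. -infiles must stay the last option (everything after it
# is taken as an input file).
ssl/client-dn.crt: ssl/client-dn.key ssl/client_ca.crt client-dn.config
	openssl req -new -key $< -out ssl/client-dn.csr -config client-dn.config
	openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client-dn.csr
	openssl x509 -in ssl/temp.crt -out $@ # to keep just the PEM cert
	rm ssl/client-dn.csr ssl/temp.crt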
100
# A second client certificate from the client CA, issued from the same
# client.config (and therefore the same subject) as client.crt. The CRL rules
# below revoke it, so the tests can check that a revoked certificate is
# refused. -infiles is kept as the last option because `openssl ca` treats
# all following arguments as input files.
ssl/client-revoked.crt: ssl/client-revoked.key ssl/client_ca.crt client.config
	openssl req -new -config client.config -key $< -out ssl/client-revoked.csr
	openssl ca -name client_ca -batch -config cas.config -out ssl/temp.crt -infiles ssl/client-revoked.csr
	openssl x509 -in ssl/temp.crt -out $@ # to keep just the PEM cert
	rm ssl/client-revoked.csr ssl/temp.crt
107
# The same client key in DER encoding, so the tests can exercise DER key
# loading as well as PEM.
ssl/client-der.key: ssl/client.key
	openssl rsa -in $< -out $@ -outform DER
111
# Passphrase-protected copies of the client key, in PEM (base64-armoured) and
# DER (raw ASN.1) encodings, to test libpq's support for the sslpassword=
# option. The passphrase is public test data; keep the single quotes, since
# it contains shell metacharacters. A passphrase on the command line is
# visible in process listings and build logs, so never do this for real keys.
ssl/client-encrypted-pem.key: ssl/client.key
	openssl rsa -in $< -aes128 -passout 'pass:dUmmyP^#+' -outform PEM -out $@
116
# DER-encoded, AES-128-encrypted copy of the client key; same public test
# passphrase as the PEM variant (quotes needed for the metacharacters).
ssl/client-encrypted-der.key: ssl/client.key
	openssl rsa -in $< -aes128 -passout 'pass:dUmmyP^#+' -outform DER -out $@
119
# Certificate bundles. Every target here is just its prerequisites
# concatenated, in the order listed, so one shared recipe serves them all;
# the per-target prerequisite lines below fix the order.
ssl/both-cas-1.crt ssl/both-cas-2.crt \
ssl/root+server_ca.crt ssl/root+client_ca.crt ssl/client+client_ca.crt:
	cat $^ > $@

# Root files holding all three CA certificates, for testing that a root file
# with multiple certificates works; both-cas-2 lists the same certs in a
# different order.
ssl/both-cas-1.crt: ssl/root_ca.crt ssl/client_ca.crt ssl/server_ca.crt
ssl/both-cas-2.crt: ssl/root_ca.crt ssl/server_ca.crt ssl/client_ca.crt

# Root file for the client side, to validate server certificates ...
ssl/root+server_ca.crt: ssl/root_ca.crt ssl/server_ca.crt
# ... and for the server side, to validate client certificates. Each side
# gets only the intermediate CA it needs.
ssl/root+client_ca.crt: ssl/root_ca.crt ssl/client_ca.crt

# The client certificate followed by its issuing CA.
ssl/client+client_ca.crt: ssl/client.crt ssl/client_ca.crt
139
#### CRLs

# Client CA's CRL, listing client-revoked.crt. -revoke records the
# revocation in the client CA's index database (the ssl/client_ca-certindex
# file this Makefile creates), which is why this recipe cannot be run twice
# without sslfiles-clean: revoking an already revoked certificate is an error.
# -gencrl then emits the CRL; its validity period presumably comes from the
# client_ca section of cas.config.
ssl/client.crl: ssl/client-revoked.crt
	openssl ca -name client_ca -config cas.config -revoke $<
	openssl ca -name client_ca -config cas.config -gencrl -out $@
145
# Server CA's CRL, listing server-revoked.crt. As with the client CRL,
# -revoke mutates the server CA's index and is not repeatable; -gencrl writes
# the CRL itself.
ssl/server.crl: ssl/server-revoked.crt
	openssl ca -name server_ca -config cas.config -revoke $<
	openssl ca -name server_ca -config cas.config -gencrl -out $@
149
# Root CA's CRL. Nothing issued by the root is ever revoked here, so this is
# an empty CRL; it exists because a CRL check needs one for every CA in the
# chain (see the root+*.crl bundles below).
ssl/root.crl: ssl/root_ca.crt
	openssl ca -name root_ca -config cas.config -gencrl -out $@
152
# If a CRL is used, OpenSSL requires a CRL file for *all* the CAs in the
# chain, even if some of them are empty -- so the intermediate CA's CRL is
# bundled with the (empty) root CRL. Both bundles are plain concatenations
# of their prerequisites, hence the shared recipe.
ssl/root+server.crl ssl/root+client.crl:
	cat $^ > $@

ssl/root+server.crl: ssl/root.crl ssl/server.crl
ssl/root+client.crl: ssl/root.crl ssl/client.crl
159
# CRL directories for OpenSSL's directory-style CRL lookup, which finds a CRL
# by the hash of its issuer name with an .r0 suffix; each CRL is copied under
# the name `openssl crl -hash` computes for it. All four directories are
# built the same way; the prerequisite lines below say which CRLs go where.
# NOTE(review): this assumes the CA names hash to distinct values -- a
# collision would need the second file to be named .r1 instead.
ssl/root+server-crldir ssl/root+client-crldir ssl/server-crldir ssl/client-crldir:
	mkdir $@
# "|| exit 1" keeps a failed copy fatal, as a separate recipe line would be.
	for crl in $^; do \
		cp $$crl $@/`openssl crl -hash -noout -in $$crl`.r0 || exit 1; \
	done

ssl/root+server-crldir: ssl/server.crl ssl/root.crl
ssl/root+client-crldir: ssl/client.crl ssl/root.crl
ssl/server-crldir: ssl/server.crl
ssl/client-crldir: ssl/client.crl
177
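# Remove everything "make sslfiles" generates -- the keys and certificates,
# the CA databases and serial files, and the scratch files the signing rules
# use -- so sslfiles can start from scratch (see its comment). ssl/temp.crt
# is the scratch output of the server- and client-certificate rules, and the
# .csr files are the requests they sign; both are listed so that a run that
# failed part-way cannot leave them behind in the tree.
.PHONY: sslfiles-clean
sslfiles-clean:
	rm -f $(SSLFILES) \
		ssl/client_ca.srl ssl/server_ca.srl ssl/root_ca.srl \
		ssl/client_ca-certindex* ssl/server_ca-certindex* ssl/root_ca-certindex* \
		ssl/temp_ca.crt ssl/temp_ca_signed.crt ssl/temp.crt ssl/*.csr
	rm -rf $(SSLDIRS)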
182
# Standard clean targets. These only remove test-run output (tmp_check),
# OpenSSL's backup and new-certificate scratch (ssl/*.old, ssl/new_certs_dir)
# and ssl/client*_tmp.key (presumably written by the TAP tests). The
# generated keys and certificates are committed to the tree and are left
# alone; only sslfiles-clean removes them.
clean distclean maintainer-clean:
	rm -rf tmp_check ssl/*.old ssl/new_certs_dir ssl/client*_tmp.key
186
# Run the TAP tests. Doesn't depend on $(SSLFILES) because we don't rebuild
# them by default: the tests use the committed ssl/ files, and regenerating
# them is an explicit "make sslfiles-clean sslfiles".
# prove_check and prove_installcheck come from Makefile.global; the former
# presumably runs against a temporary install (the tmp_check directory that
# "clean" removes), the latter against an already installed server.
check:
	$(prove_check)

installcheck:
	$(prove_installcheck)
193