#-------------------------------------------------------------------------
#
# Makefile for src/test/ssl
#
# Portions Copyright (c) 1996-2016, PostgreSQL Global Development Group
# Portions Copyright (c) 1994, Regents of the University of California
#
# src/test/ssl/Makefile
#
#-------------------------------------------------------------------------
subdir = src/test/ssl
top_builddir = ../../..
include $(top_builddir)/src/Makefile.global

# Base names (no directory, no extension) of every key/certificate pair the
# suite uses: the CAs, one server certificate per naming variant under test,
# and the client certificates.
CERTIFICATES := \
    server_ca \
    server-cn-and-alt-names server-cn-only server-single-alt-name \
    server-multiple-alt-names server-no-names server-revoked server-ss \
    client_ca client client-revoked \
    root_ca

# Every file the "sslfiles" target produces: a key and a certificate per name
# above, the three CRLs, and the concatenated CA bundles and CRL bundles.
SSLFILES := \
    $(addprefix ssl/,$(addsuffix .key,$(CERTIFICATES))) \
    $(addprefix ssl/,$(addsuffix .crt,$(CERTIFICATES))) \
    ssl/client.crl ssl/server.crl ssl/root.crl \
    ssl/both-cas-1.crt ssl/both-cas-2.crt \
    ssl/root+server_ca.crt ssl/root+server.crl \
    ssl/root+client_ca.crt ssl/root+client.crl
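# This target generates all the key and certificate files.  It is a command,
# not a file, so it is declared phony: a stray file named "sslfiles" in this
# directory must never make it look up to date.
.PHONY: sslfiles
sslfiles: $(SSLFILES)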
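# Openssl requires a directory to put all generated certificates in. We don't
# use this for anything, but we need a location.  "-p" keeps the recipe
# idempotent, so a directory left behind by an interrupted run is not an error.
ssl/new_certs_dir:
	mkdir -p $@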
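# Rule for creating private/public key pairs.  The key is private material:
# the umask makes genrsa create it unreadable to other users from the start,
# so there is no window between the write and the chmod where a permissive
# umask would expose it.  1024 bits is deliberately small (throwaway test
# fixtures); newer OpenSSL security levels may refuse keys this short --
# TODO confirm against the OpenSSL version in use.
ssl/%.key:
	umask 077 && openssl genrsa -out $@ 1024
	chmod 0600 $@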
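# Root CA certificate (self-signed, "-x509").  Besides the certificate this
# primes the root CA's bookkeeping files -- an empty index of issued
# certificates and a serial file starting at 01 -- which "openssl ca -name
# root_ca" (used below to sign the sub-CAs) presumably reads via cas.config.
# root_ca.config is read by the recipe, so it is a prerequisite: editing it
# must regenerate the certificate.
ssl/root_ca.crt: ssl/root_ca.key cas.config root_ca.config
	touch ssl/root_ca-certindex
	openssl req -new -out $@ -x509 -config cas.config -config root_ca.config -key $< -days 10000 -extensions v3_ca
	echo "01" > ssl/root_ca.srl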
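# Client and server CAs, signed by the root CA.
#
# ssl/new_certs_dir is an order-only prerequisite: it has to exist before
# "openssl ca" runs, but its timestamp presumably changes whenever a
# certificate is issued into it, and that must not re-sign the CA
# certificate on every later "make".  cas.config is read by every openssl
# invocation below, so it is a real prerequisite.
#
# Both CAs go through the same fixed scratch files (ssl/temp_ca.crt,
# ssl/temp_ca_signed.crt) and the same root CA signing step, so this rule is
# not safe to run in parallel (make -j).
ssl/%_ca.crt: ssl/%_ca.key %_ca.config ssl/root_ca.crt cas.config | ssl/new_certs_dir
	touch ssl/$*_ca-certindex
	echo "unique_subject=no" > ssl/$*_ca-certindex.attr
	openssl req -new -out ssl/temp_ca.crt -config cas.config -config $*_ca.config -key ssl/$*_ca.key
# Sign the certificate with the root CA
	openssl ca -name root_ca -batch -config cas.config -in ssl/temp_ca.crt -out ssl/temp_ca_signed.crt -extensions v3_ca
	openssl x509 -in ssl/temp_ca_signed.crt -out $@ # to keep just the PEM cert
	rm ssl/temp_ca.crt ssl/temp_ca_signed.crt
	echo "01" > ssl/$*_ca.srl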
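# Server certificates, signed by server CA.  The CSR and ssl/temp.crt are
# scratch and are removed afterwards; only the bare PEM certificate is kept.
# cas.config is read by "openssl ca", hence a prerequisite.  ssl/temp.crt is
# the same scratch name the client certificate rules use, so these rules
# must not run in parallel with each other (make -j).
ssl/server-%.crt: ssl/server-%.key ssl/server_ca.crt server-%.config cas.config
	openssl req -new -key ssl/server-$*.key -out ssl/server-$*.csr -config server-$*.config
	openssl ca -name server_ca -batch -config cas.config -in ssl/server-$*.csr -out ssl/temp.crt -extensions v3_req -extfile server-$*.config
	openssl x509 -in ssl/temp.crt -out $@ # to keep just the PEM cert
	rm ssl/server-$*.csr ssl/temp.crt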
# Self-signed version of server-cn-only.crt: same key and the same request
# config, but signed with its own key ("-signkey") instead of by the server
# CA.  This explicit rule takes precedence over the ssl/server-%.crt pattern.
ssl/server-ss.crt: ssl/server-cn-only.key ssl/server-cn-only.crt server-cn-only.config
	openssl req -new -key $< -out ssl/server-ss.csr -config server-cn-only.config
	openssl x509 -req -days 10000 -in ssl/server-ss.csr -signkey $< -out $@ -extensions v3_req -extfile server-cn-only.config
	rm ssl/server-ss.csr
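# Client certificate, signed by the client CA.  client.config and cas.config
# are both read by the recipe, so they are prerequisites: editing either one
# must regenerate the certificate.  Only the bare PEM certificate is kept.
ssl/client.crt: ssl/client.key ssl/client_ca.crt client.config cas.config
	openssl req -new -key $< -out ssl/client.csr -config client.config
	openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client.csr
	openssl x509 -in ssl/temp.crt -out $@ # to keep just the PEM cert
	rm ssl/client.csr ssl/temp.crt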
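# Another client certificate, signed by the client CA. This one is revoked
# (the revocation itself is recorded by the ssl/client.crl rule below).
# cas.config is read by "openssl ca", hence a prerequisite.
ssl/client-revoked.crt: ssl/client-revoked.key ssl/client_ca.crt client.config cas.config
	openssl req -new -key $< -out ssl/client-revoked.csr -config client.config
	openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client-revoked.csr
	openssl x509 -in ssl/temp.crt -out $@ # to keep just the PEM cert
	rm ssl/client-revoked.csr ssl/temp.crt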
# Root certificate file that contains both CA certificates, for testing that
# multiple certificates can be used.  Bundle order: root, client, server.
ssl/both-cas-1.crt: ssl/root_ca.crt ssl/client_ca.crt ssl/server_ca.crt
	cat $+ > $@
# Same contents as both-cas-1.crt, but with the server CA ahead of the
# client CA, so that certificate order in the file is exercised too.
ssl/both-cas-2.crt: ssl/root_ca.crt ssl/server_ca.crt ssl/client_ca.crt
	cat $+ > $@
# Trust store for the client side: the root CA plus the server CA, so that
# server certificates chain to it.
ssl/root+server_ca.crt: ssl/root_ca.crt ssl/server_ca.crt
	cat $+ > $@
# Trust store for the server side: the root CA plus the client CA, so that
# client certificates chain to it.
ssl/root+client_ca.crt: ssl/root_ca.crt ssl/client_ca.crt
	cat $+ > $@
#### CRLs
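# CRL of the client CA.  "-revoke" records client-revoked.crt in the client
# CA's database (ssl/client_ca-certindex*) as a side effect, then "-gencrl"
# writes the CRL.  openssl refuses to revoke a certificate already marked
# revoked, so presumably rebuilding just the CRL without a freshly issued
# client-revoked.crt fails.  cas.config is read by both steps, hence a
# prerequisite.
ssl/client.crl: ssl/client-revoked.crt cas.config
	openssl ca -config cas.config -name client_ca -revoke $<
	openssl ca -config cas.config -name client_ca -gencrl -out $@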
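# CRL of the server CA: revoke server-revoked.crt in the server CA's
# database (ssl/server_ca-certindex*, a side effect beyond the target), then
# emit the CRL.  As with client.crl, revoking the same certificate twice is
# presumably an error, so the CRL is expected to be rebuilt together with the
# certificate.  cas.config is read by both steps, hence a prerequisite.
ssl/server.crl: ssl/server-revoked.crt cas.config
	openssl ca -config cas.config -name server_ca -revoke $<
	openssl ca -config cas.config -name server_ca -gencrl -out $@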
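# CRL of the root CA.  Nothing issued by the root is revoked here, so this
# CRL is empty; it exists because OpenSSL still requires a CRL for every CA
# in the chain once CRL checking is on.  cas.config is read by the recipe,
# hence a prerequisite.
ssl/root.crl: ssl/root_ca.crt cas.config
	openssl ca -config cas.config -name root_ca -gencrl -out $@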
# If a CRL is used, OpenSSL requires a CRL file for *all* the CAs in the
# chain, even if some of them are empty.  So the root's (empty) CRL is bundled
# together with the server CA's CRL.
ssl/root+server.crl: ssl/root.crl ssl/server.crl
	cat $+ > $@
# Same for the client side: the root's (empty) CRL bundled with the client
# CA's CRL, since every CA in the chain needs one.
ssl/root+client.crl: ssl/root.crl ssl/client.crl
	cat $+ > $@
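.PHONY: sslfiles-clean
# Remove everything the sslfiles target generates, the CA bookkeeping files
# (index, attr and serial files) and any scratch files an interrupted run may
# have left behind (ssl/temp*.crt, *.csr).  The *.config sources and
# ssl/new_certs_dir are kept.
sslfiles-clean:
	rm -f $(SSLFILES) \
	  ssl/client_ca.srl ssl/server_ca.srl ssl/root_ca.srl \
	  ssl/client_ca-certindex* ssl/server_ca-certindex* ssl/root_ca-certindex* \
	  ssl/temp_ca.crt ssl/temp_ca_signed.crt ssl/temp.crt ssl/*.csr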
# Remove the scratch directory of the "check" run (presumably created by the
# TAP tests).  The generated certificates in ssl/ are deliberately left
# alone; use sslfiles-clean to drop those.
clean distclean maintainer-clean:
	$(RM) -r tmp_check
# Run the TAP test suite.  prove_check is presumably provided by
# src/Makefile.global (included above) and expands to the whole recipe.
# Note that check does not depend on sslfiles: the certificates already
# present in ssl/ are used as they are.
check:
	$(prove_check)