rdelaage
/
postgresql
mirror of https://git.postgresql.org/git/postgresql.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
postgresql/src/test/ssl/sslfiles.mk

275 lines
9.2 KiB
Makefile
Raw Blame History

#-------------------------------------------------------------------------
#
# Makefile for sslfiles
#
# The SSL test files are completely disjoint from the rest of the build; they
# don't rely on other targets or on Makefile.global. Since these recipes rely
# on some default Make behavior that's disabled in the main build tree, such
# as intermediate cleanup, they've been moved into their own separate file.
# The main Makefile in this directory defers to this helper file when
# building the sslfiles-related targets.
#
# Portions Copyright (c) 1996-2023, PostgreSQL Global Development Group
# Portions Copyright (c) 1994, Regents of the University of California
#
# src/test/ssl/sslfiles.mk
#
#-------------------------------------------------------------------------
#
# To add a new server or client certificate, add a new <name>.config file in
# the conf/ directory, then add <name> to either SERVERS or CLIENTS below. A
# key/certificate pair will be generated for you, signed by the appropriate CA.
#
SERVERS := server-cn-and-alt-names \
server-cn-and-ip-alt-names \
server-cn-only \
server-ip-alt-names \
server-ip-cn-only \
server-ip-cn-and-alt-names \
server-ip-cn-and-dns-alt-names \
server-ip-in-dnsname \
server-single-alt-name \
server-multiple-alt-names \
server-no-names \
server-revoked
CLIENTS := client client-dn client-revoked client_ext client-long \
client-revoked-utf8
#
# To add a new non-standard certificate, add it to SPECIAL_CERTS and then add
# a recipe for creating it to the "Special-case certificates" section below.
#
SPECIAL_CERTS := ssl/server-rsapss.crt
# Likewise for non-standard keys
SPECIAL_KEYS := ssl/server-password.key \
ssl/client-der.key \
ssl/client-encrypted-pem.key \
ssl/client-encrypted-der.key \
ssl/server-rsapss.key
#
# These files are just concatenations of other files. You can add new ones to
# COMBINATIONS here, then declare the constituent files as dependencies in the
# "Combined files" section below.
#
COMBINATIONS := \
ssl/both-cas-1.crt \
ssl/both-cas-2.crt \
ssl/root+server_ca.crt \
ssl/root+server.crl \
ssl/root+client_ca.crt \
ssl/root+client.crl \
ssl/client+client_ca.crt \
ssl/server-cn-only+server_ca.crt
CERTIFICATES := root_ca server_ca client_ca $(SERVERS) $(CLIENTS)
STANDARD_CERTS := $(CERTIFICATES:%=ssl/%.crt)
STANDARD_KEYS := $(CERTIFICATES:%=ssl/%.key)
CRLS := ssl/root.crl \
ssl/client.crl \
ssl/server.crl
SSLFILES := \
$(STANDARD_CERTS) \
$(STANDARD_KEYS) \
$(SPECIAL_CERTS) \
$(SPECIAL_KEYS) \
$(COMBINATIONS) \
$(CRLS)
SSLDIRS := ssl/client-crldir \
ssl/server-crldir \
ssl/root+client-crldir \
ssl/root+server-crldir
# This target re-generates all the key and certificate files. Usually we just
# use the ones that are committed to the tree without rebuilding them.
#
.PHONY: sslfiles
sslfiles: $(SSLFILES) $(SSLDIRS)
#
# Special-case certificates
#
# Root CA is self-signed.
ssl/root_ca.crt: ssl/root_ca.key conf/root_ca.config
$(OPENSSL) req -new -x509 -config conf/root_ca.config -days 10000 -key $< -out $@
# Certificate using RSA-PSS algorithm. Also self-signed.
ssl/server-rsapss.crt: ssl/server-rsapss.key conf/server-rsapss.config
$(OPENSSL) req -new -x509 -config conf/server-rsapss.config -key $< -out $@
#
# Special-case keys
#
# All targets here are contained in $(SPECIAL_KEYS).
#
# Password-protected version of server-cn-only.key
ssl/server-password.key: ssl/server-cn-only.key
$(OPENSSL) pkey -aes256 -in $< -out $@ -passout 'pass:secret1'
# Key that uses the RSA-PSS algorithm
ssl/server-rsapss.key:
$(OPENSSL) genpkey -algorithm rsa-pss -out $@
# DER-encoded version of client.key
ssl/client-der.key: ssl/client.key
$(OPENSSL) rsa -in $< -outform DER -out $@
# Convert client.key to encrypted PEM (X.509 text) and DER (X.509 ASN.1)
# formats to test libpq's support for the sslpassword= option.
ssl/client-encrypted-pem.key: ssl/client.key
$(OPENSSL) pkey -in $< -outform PEM -aes128 -passout 'pass:dUmmyP^#+' -out $@
# TODO Explicitly choosing -aes128 generates a key unusable to PostgreSQL with
# OpenSSL 3.0.0, so fall back on the default for now.
ssl/client-encrypted-der.key: ssl/client.key
$(OPENSSL) rsa -in $< -outform DER -passout 'pass:dUmmyP^#+' -out $@
#
# Combined files
#
# All targets in $(COMBINATIONS) share a single recipe; just declare the
# necessary dependencies and they'll be smashed together.
#
# Root certificate file that contains both CA certificates, for testing
# that multiple certificates can be used.
ssl/both-cas-1.crt: ssl/root_ca.crt ssl/client_ca.crt ssl/server_ca.crt
# The same, but the certs are in different order
ssl/both-cas-2.crt: ssl/root_ca.crt ssl/server_ca.crt ssl/client_ca.crt
# A root certificate file for the client, to validate server certs.
ssl/root+server_ca.crt: ssl/root_ca.crt ssl/server_ca.crt
# and for the server, to validate client certs
ssl/root+client_ca.crt: ssl/root_ca.crt ssl/client_ca.crt
# and for the client, to present to the server
ssl/client+client_ca.crt: ssl/client.crt ssl/client_ca.crt
# for the server, to present to a client that only knows the root
ssl/server-cn-only+server_ca.crt: ssl/server-cn-only.crt ssl/server_ca.crt
# If a CRL is used, OpenSSL requires a CRL file for *all* the CAs in the
# chain, even if some of them are empty.
ssl/root+server.crl: ssl/root.crl ssl/server.crl
ssl/root+client.crl: ssl/root.crl ssl/client.crl
$(COMBINATIONS):
cat $^ > $@
#
# Standard keys
#
$(STANDARD_KEYS):
$(OPENSSL) genrsa -out $@ 2048
chmod 0600 $@
#
# Standard certificates
#
CA_CERTS := ssl/server_ca.crt ssl/client_ca.crt
SERVER_CERTS := $(SERVERS:%=ssl/%.crt)
CLIENT_CERTS := $(CLIENTS:%=ssl/%.crt)
# See the "CA State" section below.
root_ca_state_files := ssl/root_ca-certindex ssl/root_ca-certindex.attr ssl/root_ca.srl
server_ca_state_files := ssl/server_ca-certindex ssl/server_ca-certindex.attr ssl/server_ca.srl
client_ca_state_files := ssl/client_ca-certindex ssl/client_ca-certindex.attr ssl/client_ca.srl
# These are the workhorse recipes. `openssl ca` can't be safely run from
# parallel processes, so we must mark the entire Makefile .NOTPARALLEL.
.NOTPARALLEL:
$(CA_CERTS): ssl/%.crt: ssl/%.csr conf/%.config conf/cas.config ssl/root_ca.crt | ssl/new_certs_dir $(root_ca_state_files)
$(OPENSSL) ca -batch -config conf/cas.config -name root_ca -notext -in $< -out $@
$(SERVER_CERTS): ssl/%.crt: ssl/%.csr conf/%.config conf/cas.config ssl/server_ca.crt | ssl/new_certs_dir $(server_ca_state_files)
$(OPENSSL) ca -batch -config conf/cas.config -name server_ca -notext -in $< -out $@
$(CLIENT_CERTS): ssl/%.crt: ssl/%.csr conf/%.config conf/cas.config ssl/client_ca.crt | ssl/new_certs_dir $(client_ca_state_files)
$(OPENSSL) ca -batch -config conf/cas.config -name client_ca -notext -in $< -out $@
# The CSRs don't need to persist after a build.
.INTERMEDIATE: $(CERTIFICATES:%=ssl/%.csr)
ssl/%.csr: ssl/%.key conf/%.config
$(OPENSSL) req -new -utf8 -key $< -out $@ -config conf/$*.config
#
# CA State
#
# All of these are intended to be order-only dependencies; additionally, the
# pattern recipes are marked as explicit intermediates. The goal is for Make to
# create the state files once for each CA, allow them to accumulate whatever
# state is needed, and then automatically remove them at the end of the run.
#
.INTERMEDIATE: $(root_ca_state_files) $(server_ca_state_files) $(client_ca_state_files)
# OpenSSL requires a directory to put all generated certificates in. We don't
# use this for anything, but we need a location.
ssl/new_certs_dir:
mkdir $@
ssl/%-certindex:
touch $@
ssl/%-certindex.attr:
echo "unique_subject=no" > $@
# The first serial number for each CA is based on the current timestamp, to
# avoid collisions across Make runs.
ssl/%.srl:
date +%Y%m%d%H%M%S00 > $@
#
# CRLs
#
ssl/root.crl: ssl/root_ca.crt | $(root_ca_state_files)
$(OPENSSL) ca -config conf/cas.config -name root_ca -gencrl -out $@
ssl/server.crl: ssl/server-revoked.crt ssl/server_ca.crt | $(server_ca_state_files)
$(OPENSSL) ca -config conf/cas.config -name server_ca -revoke $<
$(OPENSSL) ca -config conf/cas.config -name server_ca -gencrl -out $@
ssl/client.crl: ssl/client-revoked.crt ssl/client-revoked-utf8.crt ssl/client_ca.crt | $(client_ca_state_files)
$(OPENSSL) ca -config conf/cas.config -name client_ca -revoke ssl/client-revoked.crt
$(OPENSSL) ca -config conf/cas.config -name client_ca -revoke ssl/client-revoked-utf8.crt
$(OPENSSL) ca -config conf/cas.config -name client_ca -gencrl -out $@
#
# CRL hash directories
#
ssl/root+server-crldir: ssl/server.crl ssl/root.crl
ssl/root+client-crldir: ssl/client.crl ssl/root.crl
ssl/server-crldir: ssl/server.crl
ssl/client-crldir: ssl/client.crl
crlhashfile = $(shell $(OPENSSL) crl -hash -noout -in $(1)).r0
ssl/%-crldir:
mkdir -p $@
rm -f $@/*.r0
$(foreach crl,$^,cp $(crl) $@/$(call crlhashfile,$(crl)) &&) true
touch $@
.PHONY: sslfiles-clean
sslfiles-clean:
rm -f $(SSLFILES) ssl/*.old ssl/*.csr ssl/*.srl ssl/*-certindex*
rm -rf $(SSLDIRS) ssl/new_certs_dir
# The difference between the below clean targets and sslfiles-clean is that the
# clean targets will be run during a "standard" recursive clean run from the
# main build tree. The sslfiles-clean target must be run explicitly from this
# directory.
.PHONY: clean distclean
clean distclean:
rm -rf ssl/*.old ssl/new_certs_dir ssl/client*_tmp.key
Reference in New Issue View Git Blame Copy Permalink