@@ -15,170 +15,17 @@ include $(top_builddir)/src/Makefile.global
1515
1616export with_ssl
1717
18- CERTIFICATES := server_ca server-cn-and-alt-names \
19- server-cn-only server-single-alt-name server-multiple-alt-names \
20- server-no-names server-revoked \
21- client_ca client client-dn client-revoked \
22- root_ca
23-
24- SSLFILES := $(CERTIFICATES:%=ssl/%.key ) $(CERTIFICATES:%=ssl/%.crt ) \
25- ssl/server-password.key \
26- ssl/client.crl ssl/server.crl ssl/root.crl \
27- ssl/both-cas-1.crt ssl/both-cas-2.crt \
28- ssl/root+server_ca.crt ssl/root+server.crl \
29- ssl/root+client_ca.crt ssl/root+client.crl \
30- ssl/client+client_ca.crt ssl/client-der.key \
31- ssl/client-encrypted-pem.key ssl/client-encrypted-der.key
32-
33- SSLDIRS := ssl/client-crldir ssl/server-crldir \
34- ssl/root+client-crldir ssl/root+server-crldir
35-
36- # This target re-generates all the key and certificate files. Usually we just
37- # use the ones that are committed to the tree without rebuilding them.
38- #
39- # This target will fail unless preceded by sslfiles-clean.
40- #
41- sslfiles : $(SSLFILES ) $(SSLDIRS )
42-
43- # OpenSSL requires a directory to put all generated certificates in. We don't
44- # use this for anything, but we need a location.
45- ssl/new_certs_dir :
46- mkdir ssl/new_certs_dir
47-
48- # Rule for creating private/public key pairs.
49- ssl/% .key :
50- openssl genrsa -out $@ 2048
51- chmod 0600 $@
52-
53- # Root CA certificate
54- ssl/root_ca.crt : ssl/root_ca.key cas.config
55- touch ssl/root_ca-certindex
56- openssl req -new -out ssl/root_ca.crt -x509 -config cas.config -config root_ca.config -key ssl/root_ca.key -days 10000 -extensions v3_ca
57- echo " 01" > ssl/root_ca.srl
58-
59- # Client and server CAs
60- ssl/% _ca.crt : ssl/% _ca.key % _ca.config ssl/root_ca.crt ssl/new_certs_dir
61- touch ssl/$* _ca-certindex
62- echo " unique_subject=no" > ssl/$* _ca-certindex.attr
63- openssl req -new -out ssl/temp_ca.crt -config cas.config -config $* _ca.config -key ssl/$* _ca.key
64- # Sign the certificate with the root CA
65- openssl ca -name root_ca -batch -config cas.config -in ssl/temp_ca.crt -out ssl/temp_ca_signed.crt -extensions v3_ca
66- openssl x509 -in ssl/temp_ca_signed.crt -out ssl/$*_ca.crt # to keep just the PEM cert
67- rm ssl/temp_ca.crt ssl/temp_ca_signed.crt
68- echo "01" > ssl/$*_ca.srl
69-
70- # Server certificates, signed by server CA:
71- ssl/server-% .crt : ssl/server-% .key ssl/server_ca.crt server-% .config
72- openssl req -new -key ssl/server-$* .key -out ssl/server-$* .csr -config server-$* .config
73- openssl ca -name server_ca -batch -config cas.config -in ssl/server-$* .csr -out ssl/temp.crt -extensions v3_req -extfile server-$* .config
74- openssl x509 -in ssl/temp.crt -out ssl/server-$* .crt # to keep just the PEM cert
75- rm ssl/server-$* .csr
76-
77- # Password-protected version of server-cn-only.key
78- ssl/server-password.key : ssl/server-cn-only.key
79- openssl rsa -aes256 -in $< -out $@ -passout ' pass:secret1'
80-
81- # Client certificate, signed by the client CA:
82- ssl/client.crt : ssl/client.key ssl/client_ca.crt
83- openssl req -new -key ssl/client.key -out ssl/client.csr -config client.config
84- openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client.csr
85- openssl x509 -in ssl/temp.crt -out ssl/client.crt # to keep just the PEM cert
86- rm ssl/client.csr ssl/temp.crt
87-
88- # Client certificate with multi-part DN, signed by the client CA:
89- ssl/client-dn.crt : ssl/client-dn.key ssl/client_ca.crt
90- openssl req -new -key ssl/client-dn.key -out ssl/client-dn.csr -config client-dn.config
91- openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client-dn.csr
92- openssl x509 -in ssl/temp.crt -out ssl/client-dn.crt # to keep just the PEM cert
93- rm ssl/client-dn.csr ssl/temp.crt
94-
95- # Another client certificate, signed by the client CA. This one is revoked.
96- ssl/client-revoked.crt : ssl/client-revoked.key ssl/client_ca.crt client.config
97- openssl req -new -key ssl/client-revoked.key -out ssl/client-revoked.csr -config client.config
98- openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client-revoked.csr
99- openssl x509 -in ssl/temp.crt -out ssl/client-revoked.crt # to keep just the PEM cert
100- rm ssl/client-revoked.csr ssl/temp.crt
101-
102- # Convert the key to DER, to test our behaviour there too
103- ssl/client-der.key : ssl/client.key
104- openssl rsa -in ssl/client.key -outform DER -out ssl/client-der.key
105-
106- # Convert the existing key to encrypted PEM (X.509 text) and DER (X.509 ASN.1) formats
107- # to test libpq's support for the sslpassword= option.
108- ssl/client-encrypted-pem.key : ssl/client.key
109- openssl rsa -in ssl/client.key -outform PEM -aes128 -passout ' pass:dUmmyP^#+'
110-
111- ssl/client-encrypted-der.key : ssl/client.key
112- openssl rsa -in ssl/client.key -outform DER -aes128 -passout ' pass:dUmmyP^#+'
113-
114- # Root certificate files that contains both CA certificates, for testing
115- # that multiple certificates can be used.
116- ssl/both-cas-1.crt : ssl/root_ca.crt ssl/client_ca.crt ssl/server_ca.crt
117- cat $^ > $@
118-
119- # The same, but the certs are in different order
120- ssl/both-cas-2.crt : ssl/root_ca.crt ssl/server_ca.crt ssl/client_ca.crt
121- cat $^ > $@
122-
123- # A root certificate file for the client, to validate server certs.
124- ssl/root+server_ca.crt : ssl/root_ca.crt ssl/server_ca.crt
125- cat $^ > $@
126-
127- # and for the server, to validate client certs
128- ssl/root+client_ca.crt : ssl/root_ca.crt ssl/client_ca.crt
129- cat $^ > $@
130-
131- ssl/client+client_ca.crt : ssl/client.crt ssl/client_ca.crt
132- cat $^ > $@
133-
134- # ### CRLs
135-
136- ssl/client.crl : ssl/client-revoked.crt
137- openssl ca -config cas.config -name client_ca -revoke ssl/client-revoked.crt
138- openssl ca -config cas.config -name client_ca -gencrl -out ssl/client.crl
139-
140- ssl/server.crl : ssl/server-revoked.crt
141- openssl ca -config cas.config -name server_ca -revoke ssl/server-revoked.crt
142- openssl ca -config cas.config -name server_ca -gencrl -out ssl/server.crl
143-
144- ssl/root.crl : ssl/root_ca.crt
145- openssl ca -config cas.config -name root_ca -gencrl -out ssl/root.crl
146-
147- # If a CRL is used, OpenSSL requires a CRL file for *all* the CAs in the
148- # chain, even if some of them are empty.
149- ssl/root+server.crl : ssl/root.crl ssl/server.crl
150- cat $^ > $@
151- ssl/root+client.crl : ssl/root.crl ssl/client.crl
152- cat $^ > $@
153-
154- ssl/root+server-crldir : ssl/server.crl ssl/root.crl
155- mkdir ssl/root+server-crldir
156- cp ssl/server.crl ssl/root+server-crldir/` openssl crl -hash -noout -in ssl/server.crl`
157- cp ssl/root.crl ssl/root+server-crldir/` openssl crl -hash -noout -in ssl/root.crl`
158-
159- ssl/root+client-crldir : ssl/client.crl ssl/root.crl
160- mkdir ssl/root+client-crldir
161- cp ssl/client.crl ssl/root+client-crldir/` openssl crl -hash -noout -in ssl/client.crl`
162- cp ssl/root.crl ssl/root+client-crldir/` openssl crl -hash -noout -in ssl/root.crl`
163-
164- ssl/server-crldir : ssl/server.crl
165- mkdir ssl/server-crldir
166- cp ssl/server.crl ssl/server-crldir/` openssl crl -hash -noout -in ssl/server.crl`
167-
168- ssl/client-crldir : ssl/client.crl
169- mkdir ssl/client-crldir
170- cp ssl/client.crl ssl/client-crldir/` openssl crl -hash -noout -in ssl/client.crl`
171-
172- .PHONY : sslfiles-clean
173- sslfiles-clean :
174- rm -f $(SSLFILES ) ssl/client_ca.srl ssl/server_ca.srl ssl/client_ca-certindex* ssl/server_ca-certindex* ssl/root_ca-certindex* ssl/root_ca.srl ssl/temp_ca.crt ssl/temp_ca_signed.crt
175- rm -rf $(SSLDIRS )
18+ # The sslfiles targets are separated into their own file due to interactions
19+ # with settings in Makefile.global.
20+ .PHONY : sslfiles sslfiles-clean
21+ sslfiles sslfiles-clean :
22+ $(MAKE ) -f sslfiles.mk $@
17623
17724clean distclean maintainer-clean :
17825 rm -rf tmp_check
179- rm -rf ssl/ * .old ssl/new_certs_dir ssl/client * _tmp.key
26+ $( MAKE ) -f sslfiles.mk $@
18027
181- # Doesn't depend on $(SSLFILES) because we don't rebuild them by default
28+ # Doesn't depend on sslfiles because we don't rebuild them by default
18229check :
18330 $(prove_check )
18431
0 commit comments