# $OpenBSD: Makefile,v 1.3 2020/12/26 14:42:09 bluhm Exp $
# Everything a regress run leaves in the obj directory; the clean target
# removes these (CLEANFILES convention of bsd.regress.mk).
CLEANFILES += *.pem *.serial *.txt *.attr *.old

# Start each regress run from scratch with new keys and CA database.
# Order matters here: clean must run before the CA bookkeeping files below
# are created, otherwise it would remove them again.
REGRESS_SETUP_ONCE += clean
REGRESS_SETUP_ONCE += root.serial intermediate.serial root.txt intermediate.txt

# First serial number each CA hands out.
root.serial intermediate.serial:
	echo 1000 >${.TARGET}

# Empty CA index database for each CA.
root.txt intermediate.txt:
	true >${.TARGET}
# Root CA: a fresh 4096-bit RSA key and a self-signed certificate.
# stamp-clean is the setup-once marker (presumably written by bsd.regress.mk
# after clean has run), so the key is regenerated on every regress run.
# NOTE(review): genrsa presumably writes the key with umask-default modes;
# test-only material, but confirm if the obj directory is shared.
root.key.pem: stamp-clean
	openssl genrsa -out ${.TARGET} 4096

# Self-signed (-x509) root certificate with the v3_ca extensions from
# root.cnf, valid 365 days.  The serial/txt stamps sequence this after the
# CA database setup.
root.cert.pem: root.cnf root.key.pem \
	stamp-root.serial stamp-root.txt
	openssl req -batch -new -x509 -sha256 -days 365 \
	    -config ${.CURDIR}/root.cnf -extensions v3_ca \
	    -key root.key.pem -out ${.TARGET}
# Intermediate CA: 2048-bit key, a CSR, and a certificate signed by the root.
intermediate.key.pem: stamp-clean
	openssl genrsa -out ${.TARGET} 2048

intermediate.csr.pem: intermediate.cnf intermediate.key.pem
	openssl req -batch -new -sha256 -config ${.CURDIR}/intermediate.cnf \
	    -key intermediate.key.pem -out ${.TARGET}

# The root CA (root.cnf) signs the intermediate with the v3_intermediate_ca
# extensions; -days 10 keeps the test certificate short-lived.
# NOTE(review): the prerequisites are the intermediate's serial/txt stamps
# while the signing config is root.cnf.  Harmless, since all four bookkeeping
# files are created during setup, but confirm which database root.cnf uses.
intermediate.cert.pem: root.cnf root.cert.pem intermediate.csr.pem \
	stamp-intermediate.serial stamp-intermediate.txt
	openssl ca -batch -config ${.CURDIR}/root.cnf -md sha256 -notext \
	    -extensions v3_intermediate_ca -days 10 \
	    -in intermediate.csr.pem -out ${.TARGET}
REGRESS_TARGETS += run-verify-intermediate

# The intermediate must chain to the root.  root.cert.pem is the only trust
# anchor here, so this is the test that exercises the root's signature.
run-verify-intermediate: root.cert.pem intermediate.cert.pem
	openssl verify -CAfile root.cert.pem intermediate.cert.pem
# Certificate bundle used as -CAfile by the leaf checks: intermediate first,
# root last (the order of the prerequisites).
chain.pem: intermediate.cert.pem root.cert.pem
	cat intermediate.cert.pem root.cert.pem >${.TARGET}
# Server leaf: 2048-bit key, CSR with a fixed subject, certificate issued by
# the intermediate CA with the server_cert extensions.
server.key.pem: stamp-clean
	openssl genrsa -out ${.TARGET} 2048

server.csr.pem: intermediate.cnf server.key.pem
	openssl req -batch -new -sha256 -config ${.CURDIR}/intermediate.cnf \
	    -subj '/CN=server/O=OpenBSD/OU=So and Sos/C=CA' \
	    -key server.key.pem -out ${.TARGET}

# -days 5 keeps the leaf short-lived; it only has to be valid during the run.
server.cert.pem: intermediate.cnf intermediate.cert.pem server.csr.pem
	openssl ca -batch -config ${.CURDIR}/intermediate.cnf -md sha256 -notext \
	    -extensions server_cert -days 5 \
	    -in server.csr.pem -out ${.TARGET}
# Client leaf: 2048-bit key, CSR with a fixed subject, certificate issued by
# the intermediate CA with the usr_cert extensions.
client.key.pem: stamp-clean
	openssl genrsa -out ${.TARGET} 2048

# NOTE(review): unlike server.csr.pem this also lists intermediate.cert.pem
# as a prerequisite; req does not appear to use it, so it only orders the
# build.  Kept as is.
client.csr.pem: intermediate.cnf intermediate.cert.pem client.key.pem
	openssl req -batch -new -sha256 -config ${.CURDIR}/intermediate.cnf \
	    -subj '/CN=client/O=OpenBSD/OU=So and Sos/C=CA' \
	    -key client.key.pem -out ${.TARGET}

# -days 5 keeps the leaf short-lived; it only has to be valid during the run.
client.cert.pem: intermediate.cnf intermediate.cert.pem client.csr.pem
	openssl ca -batch -config ${.CURDIR}/intermediate.cnf -md sha256 -notext \
	    -extensions usr_cert -days 5 \
	    -in client.csr.pem -out ${.TARGET}
REGRESS_TARGETS += run-verify-server

# chain.pem holds both the intermediate and the root, and every certificate
# given via -CAfile is a trust anchor for openssl verify.  So this checks the
# leaf's signature, validity and sslserver purpose against the intermediate;
# the intermediate-to-root link is covered by run-verify-intermediate.
run-verify-server: chain.pem server.cert.pem
	openssl verify -purpose sslserver -CAfile chain.pem server.cert.pem
REGRESS_TARGETS += run-verify-client

# Same trust model as run-verify-server (both chain.pem certificates are
# trust anchors), but the leaf must satisfy the sslclient purpose.
run-verify-client: chain.pem client.cert.pem
	openssl verify -purpose sslclient -CAfile chain.pem client.cert.pem
.include <bsd.regress.mk>