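# Default goal: server public keys, the fake CA hierarchy and the leaf fixtures.
.PHONY: all pubkeys
all: pubkeys ca leaves

# The following private keys are never regenerated (they are checked-in fixtures).
SERVER_PRIVKEYS := ct-http-server.privkey.pem log-rpc-server.privkey.pem

# Corresponding passphrases.  These are test fixtures, so the passphrases live in
# this file; note that `-passin pass:...` also places them on the openssl command
# line, where they are visible to other users of the machine while the recipe runs.
CT_HTTP_PWD := dirk
LOG_RPC_PWD := towel
# MAP_RPC_PWD is not referenced by any rule in this file.
MAP_RPC_PWD := towel

# Server public keys are derived from the corresponding private keys.
SERVER_PUBKEYS := $(subst .privkey,.pubkey,$(SERVER_PRIVKEYS))

# Build public keys from private keys.  Each key has its own passphrase, so there
# is one explicit rule per key rather than a single %.pubkey.pem pattern rule.
pubkeys: $(SERVER_PUBKEYS)
log-rpc-server.pubkey.pem: log-rpc-server.privkey.pem
	openssl ec -in $< -pubout -out $@ -passin pass:$(LOG_RPC_PWD)
ct-http-server.pubkey.pem: ct-http-server.privkey.pem
	openssl ec -in $< -pubout -out $@ -passin pass:$(CT_HTTP_PWD)
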
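# We use a fake CA as a trust root for CT tests. This is its private key.
CA_PRIVKEY := fake-ca.privkey.pem
CA_PWD := gently

# We also have an intermediate CA, with private key:
INT_CA_PRIVKEY := int-ca.privkey.pem
INT_CA_PWD := babelfish

# All the leaf certificates share a private key:
LEAF_PRIVKEY := leaf.privkey.pem
LEAF_PWD := liff

# CA hierarchy: a self-signed root plus one intermediate signed by it.
# The show-* targets only print a certificate/CSR and never create a file.
.PHONY: ca show-ca show-int-csr show-int-ca
ca: fake-ca.cert int-ca.cert

# Fake Root CA: self-signed (-x509) using the v3_ca extensions in fake-ca.cfg.
fake-ca.cert: $(CA_PRIVKEY) fake-ca.cfg
	openssl req -new -x509 -config fake-ca.cfg -set_serial 0x0406cafe -days 3650 -extensions v3_ca -inform pem -key $< -passin pass:$(CA_PWD) -out $@
show-ca: fake-ca.cert
	openssl x509 -inform pem -in $< -text -noout

# Fake Intermediate CA: a CSR for the intermediate key, then signed by the root
# with the v3_int_ca extensions taken from fake-ca.cfg.  fake-ca.cfg is listed as
# a prerequisite of int-ca.cert because the recipe reads it via -extfile.
int-ca.csr.pem: $(INT_CA_PRIVKEY) int-ca.cfg
	openssl req -new -sha256 -config int-ca.cfg -key $< -passin pass:$(INT_CA_PWD) -out $@
show-int-csr: int-ca.csr.pem
	openssl req -in $< -text -noout
int-ca.cert: int-ca.csr.pem $(CA_PRIVKEY) fake-ca.cert fake-ca.cfg
	openssl x509 -req -in $< -sha256 -extfile fake-ca.cfg -extensions v3_int_ca -CA fake-ca.cert -CAkey $(CA_PRIVKEY) -passin pass:$(CA_PWD) -set_serial 0x42424242 -days 3600 -out $@
show-int-ca: int-ca.cert
	openssl x509 -inform pem -in $< -text -noout
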
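# Leaf Certificates: leaf00 .. leaf20, all issued by the intermediate CA.
LEAF_NUMS := 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20
LEAF_CERTS := $(LEAF_NUMS:%=leaf%.cert)
LEAF_CSRS := $(subst .cert,.csr.pem,$(LEAF_CERTS))
LEAF_CHAINS := $(subst .cert,.chain,$(LEAF_CERTS))
.PHONY: leaves
leaves: $(LEAF_CERTS) $(LEAF_CHAINS)

# The CSR subject's CN is the CSR filename itself (e.g. leaf05.csr.pem).
leaf%.csr.pem: $(LEAF_PRIVKEY)
	openssl req -new -sha256 -key $< -passin pass:$(LEAF_PWD) -subj "/C=GB/ST=London/O=Google/OU=Eng/CN=$@" -out $@
# Inspection helper (a pattern target, so it cannot be listed in .PHONY).
show-leaf%-csr: leaf%.csr.pem
	openssl req -in $< -text -noout
# Every leaf rule below signs with -set_serial 0xdeadbeef under int-ca.cert, so
# serial numbers are NOT unique per issuer.  That is fine for fixtures that are
# told apart by CN, but nothing should identify these leaves by issuer+serial.
# int-ca.cfg is a prerequisite because the recipe reads it via -extfile.
leaf%.cert: leaf%.csr.pem int-ca.cert int-ca.cfg
	openssl x509 -req -in $< -sha256 -extfile int-ca.cfg -extensions v3_user -CA int-ca.cert -CAkey $(INT_CA_PRIVKEY) -passin pass:$(INT_CA_PWD) -set_serial 0xdeadbeef -days 2600 -out $@
show-leaf%: leaf%.cert
	openssl x509 -inform pem -in $< -text -noout
# Chain = leaf followed by its issuer; $^ keeps the prerequisite order.
leaf%.chain: leaf%.cert int-ca.cert
	cat $^ > $@
# Special case: include the root too
leaf02.chain: leaf02.cert int-ca.cert fake-ca.cert
	cat $^ > $@
# Special case: add serverAuth EKU (v3_user_serverAuth extension set).
# Prerequisites mirror the leaf%.cert pattern rule; the leaf private key is only
# needed for the CSR, which already depends on it.
leaf00.cert: leaf00.csr.pem int-ca.cert int-ca.cfg
	openssl x509 -req -in $< -sha256 -extfile int-ca.cfg -extensions v3_user_serverAuth -CA int-ca.cert -CAkey $(INT_CA_PRIVKEY) -passin pass:$(INT_CA_PWD) -set_serial 0xdeadbeef -days 2600 -out $@
# Special case: add an unknown EKU (v3_user_plus extension set).
leaf03.cert: leaf03.csr.pem int-ca.cert int-ca.cfg
	openssl x509 -req -in $< -sha256 -extfile int-ca.cfg -extensions v3_user_plus -CA int-ca.cert -CAkey $(INT_CA_PRIVKEY) -passin pass:$(INT_CA_PWD) -set_serial 0xdeadbeef -days 2600 -out $@

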
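# Pair of intermediate CAs for a longer chain
INT_CA_1_PRIVKEY := int-ca-1.privkey.pem
INT_CA_2_PRIVKEY := int-ca-2.privkey.pem
INT_CA_1_PWD := vogon
INT_CA_2_PWD := vogon

# Fake Intermediate CA 1: signed by the root with the v3_int_ca_pair extensions
# from fake-ca.cfg.  The CSR prerequisite is INT_CA_1_PRIVKEY, the key the recipe
# actually reads (previously it named the unrelated INT_CA_PRIVKEY).
int-ca-1.csr.pem: $(INT_CA_1_PRIVKEY) int-ca.cfg
	openssl req -new -sha256 -config int-ca.cfg -key $< -passin pass:$(INT_CA_1_PWD) -out $@
int-ca-1.cert: int-ca-1.csr.pem $(CA_PRIVKEY) fake-ca.cert fake-ca.cfg
	openssl x509 -req -in $< -sha256 -extfile fake-ca.cfg -extensions v3_int_ca_pair -CA fake-ca.cert -CAkey $(CA_PRIVKEY) -passin pass:$(CA_PWD) -set_serial 0x01010101 -days 3600 -out $@

# Fake 2nd-level Intermediate CA 2: signed by intermediate CA 1, so the signing
# key prerequisite is INT_CA_1_PRIVKEY (the -CAkey used below).
int-ca-2.csr.pem: $(INT_CA_2_PRIVKEY) int-ca-2.cfg
	openssl req -new -sha256 -config int-ca-2.cfg -key $< -passin pass:$(INT_CA_2_PWD) -out $@
int-ca-2.cert: int-ca-2.csr.pem $(INT_CA_1_PRIVKEY) int-ca-1.cert fake-ca.cfg
	openssl x509 -req -in $< -sha256 -extfile fake-ca.cfg -extensions v3_int_ca_pair -CA int-ca-1.cert -CAkey $(INT_CA_1_PRIVKEY) -passin pass:$(INT_CA_1_PWD) -set_serial 0x12121212 -days 3600 -out $@

# Length 4 chain (to allow mis-ordering tests).
subleaf.csr.pem: $(LEAF_PRIVKEY)
	openssl req -new -sha256 -key $< -passin pass:$(LEAF_PWD) -subj "/C=GB/ST=London/O=Google/OU=Eng/CN=$@" -out $@
subleaf.cert: subleaf.csr.pem int-ca-2.cert int-ca-2.cfg
	openssl x509 -req -in $< -sha256 -extfile int-ca-2.cfg -extensions v3_user -CA int-ca-2.cert -CAkey $(INT_CA_2_PRIVKEY) -passin pass:$(INT_CA_2_PWD) -set_serial 0xdeadbeef -days 2600 -out $@
# Correct order: leaf, then each issuer up to the root ($^ preserves this order).
subleaf.chain: subleaf.cert int-ca-2.cert int-ca-1.cert fake-ca.cert
	cat $^ > $@
# Deliberately mis-ordered (the two intermediates swapped) for negative tests.
subleaf.misordered.chain: subleaf.cert int-ca-1.cert int-ca-2.cert fake-ca.cert
	cat $^ > $@

# Length 4 chain (to allow mis-ordering tests) for pre-cert.  The pre-cert is
# built from the same CSR as subleaf.cert, using the v3_user_pre extension set.
subleaf-pre.cert: subleaf.csr.pem int-ca-2.cert int-ca-2.cfg
	openssl x509 -req -in $< -sha256 -extfile int-ca-2.cfg -extensions v3_user_pre -CA int-ca-2.cert -CAkey $(INT_CA_2_PRIVKEY) -passin pass:$(INT_CA_2_PWD) -set_serial 0xdeadbeef -days 2600 -out $@
subleaf-pre.chain: subleaf-pre.cert int-ca-2.cert int-ca-1.cert fake-ca.cert
	cat $^ > $@
subleaf-pre.misordered.chain: subleaf-pre.cert int-ca-1.cert int-ca-2.cert fake-ca.cert
	cat $^ > $@


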
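# clean removes things that regenerate exactly the same.
.PHONY: clean distclean
clean:
	$(RM) $(SERVER_PUBKEYS)
# distclean removes things that regenerate with changes (e.g. timestamped, randomized).
# It depends on clean, so the server public keys are already gone at this point.
# Only the fixtures reachable from `all` are removed; the longer-chain artefacts
# (int-ca-1, int-ca-2, subleaf*) and the CA-1 artefacts (fake-ca-1, leaf-1) are
# not part of `all` and are left in place.
distclean: clean
	$(RM) fake-ca.cert int-ca.cert int-ca.csr.pem
	$(RM) $(LEAF_CERTS) $(LEAF_CSRS) $(LEAF_CHAINS)

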
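# We also use a second fake CA as a trust root for CT tests. This is its private key.
CA_1_PRIVKEY := fake-ca-1.privkey.pem
CA_1_PWD := ahenny

# Corresponding Leaf certificates.
LEAF_1_PRIVKEY := leaf-1.privkey.pem
LEAF_1_PWD := louth

# Fake Root CA 1: self-signed with the v3_ca1 extensions in fake-ca.cfg.
fake-ca-1.cert: $(CA_1_PRIVKEY) fake-ca.cfg
	openssl req -new -x509 -config fake-ca.cfg -set_serial 0x0406efac -days 3650 -extensions v3_ca1 -inform pem -key $< -passin pass:$(CA_1_PWD) -out $@

# Leaf issued directly by root CA 1 (no intermediate).  These explicit rules take
# precedence over the leaf%.csr.pem / leaf%.cert / leaf%.chain pattern rules.
# fake-ca.cfg is a prerequisite of leaf-1.cert because the recipe reads it via -extfile.
leaf-1.csr.pem: $(LEAF_1_PRIVKEY)
	openssl req -new -sha256 -key $< -passin pass:$(LEAF_1_PWD) -subj "/C=GB/ST=London/O=Google/OU=Eng/CN=$@" -out $@
leaf-1.cert: leaf-1.csr.pem fake-ca-1.cert fake-ca.cfg
	openssl x509 -req -in $< -sha256 -extfile fake-ca.cfg -extensions v3_user -CA fake-ca-1.cert -CAkey $(CA_1_PRIVKEY) -passin pass:$(CA_1_PWD) -set_serial 0xdeadbeaf -days 2600 -out $@

# Short chain on CA 1
leaf-1.chain: leaf-1.cert fake-ca-1.cert
	cat $^ > $@

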
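# The newkey target creates a fresh private key; should never be needed.
# Generation and encryption run as one pipeline so the unencrypted key is never
# written to disk (the previous two-step form left $@.unencrypted behind whenever
# the encryption step failed).  The PEM is encrypted with AES-256 instead of
# single DES.  `openssl ec` reads the key from stdin when -in is omitted.
.PHONY: newkey
newkey: fresh.privkey.pem
fresh.privkey.pem:
	openssl ecparam -genkey -name prime256v1 -noout | openssl ec -aes256 -out $@ # Prompts for password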