src/test/ssl/sslfiles.mk

#-------------------------------------------------------------------------
#
# Makefile for sslfiles
#
#   The SSL test files are completely disjoint from the rest of the build; they
#   don't rely on other targets or on Makefile.global. Since these recipes rely
#   on some default Make behavior that's disabled in the main build tree, such
#   as intermediate cleanup, they've been moved into their own separate file.
#   The main Makefile in this directory defers to this helper file when
#   building the sslfiles-related targets.
#
# Portions Copyright (c) 1996-2023, PostgreSQL Global Development Group
# Portions Copyright (c) 1994, Regents of the University of California
#
# src/test/ssl/sslfiles.mk
#
#-------------------------------------------------------------------------

#
# To add a new server or client certificate, add a new <name>.config file in
# the conf/ directory, then add <name> to either SERVERS or CLIENTS below. A
# key/certificate pair will be generated for you, signed by the appropriate CA.
#
SERVERS := server-cn-and-alt-names \
	server-cn-and-ip-alt-names \
	server-cn-only \
	server-ip-alt-names \
	server-ip-cn-only \
	server-ip-cn-and-alt-names \
	server-ip-cn-and-dns-alt-names \
	server-ip-in-dnsname \
	server-single-alt-name \
	server-multiple-alt-names \
	server-no-names \
	server-revoked
CLIENTS := client client-dn client-revoked client_ext client-long \
	client-revoked-utf8

#
# To add a new non-standard certificate, add it to SPECIAL_CERTS and then add
# a recipe for creating it to the "Special-case certificates" section below.
#
SPECIAL_CERTS := ssl/server-rsapss.crt

# Likewise for non-standard keys
SPECIAL_KEYS := ssl/server-password.key \
	ssl/client-der.key \
	ssl/client-encrypted-pem.key \
	ssl/client-encrypted-der.key \
	ssl/server-rsapss.key

#
# These files are just concatenations of other files. You can add new ones to
# COMBINATIONS here, then declare the constituent files as dependencies in the
# "Combined files" section below.
#
COMBINATIONS := \
	ssl/both-cas-1.crt \
	ssl/both-cas-2.crt \
	ssl/root+server_ca.crt \
	ssl/root+server.crl \
	ssl/root+client_ca.crt \
	ssl/root+client.crl \
	ssl/client+client_ca.crt \
	ssl/server-cn-only+server_ca.crt

CERTIFICATES := root_ca server_ca client_ca $(SERVERS) $(CLIENTS)
STANDARD_CERTS := $(CERTIFICATES:%=ssl/%.crt)
STANDARD_KEYS := $(CERTIFICATES:%=ssl/%.key)
CRLS := ssl/root.crl \
	ssl/client.crl \
	ssl/server.crl

SSLFILES := \
	$(STANDARD_CERTS) \
	$(STANDARD_KEYS) \
	$(SPECIAL_CERTS) \
	$(SPECIAL_KEYS) \
	$(COMBINATIONS) \
	$(CRLS)
SSLDIRS := ssl/client-crldir \
	ssl/server-crldir \
	ssl/root+client-crldir \
	ssl/root+server-crldir

# This target re-generates all the key and certificate files. Usually we just
# use the ones that are committed to the tree without rebuilding them.
#
.PHONY: sslfiles
sslfiles: $(SSLFILES) $(SSLDIRS)

#
# Special-case certificates
#

# Root CA is self-signed.
ssl/root_ca.crt: ssl/root_ca.key conf/root_ca.config
	$(OPENSSL) req -new -x509 -config conf/root_ca.config -days 10000 -key $< -out $@

# Certificate using RSA-PSS algorithm. Also self-signed.
ssl/server-rsapss.crt: ssl/server-rsapss.key conf/server-rsapss.config
	$(OPENSSL) req -new -x509 -config conf/server-rsapss.config -key $< -out $@

#
# Special-case keys
#
# All targets here are contained in $(SPECIAL_KEYS).
#

# Password-protected version of server-cn-only.key
ssl/server-password.key: ssl/server-cn-only.key
	$(OPENSSL) rsa -aes256 -in $< -out $@ -passout 'pass:secret1'

# Key that uses the RSA-PSS algorithm
ssl/server-rsapss.key:
	$(OPENSSL) genpkey -algorithm rsa-pss -out $@

# DER-encoded version of client.key
ssl/client-der.key: ssl/client.key
	$(OPENSSL) rsa -in $< -outform DER -out $@

# Convert client.key to encrypted PEM (X.509 text) and DER (X.509 ASN.1)
# formats to test libpq's support for the sslpassword= option.
ssl/client-encrypted-pem.key: ssl/client.key
	$(OPENSSL) rsa -in $< -outform PEM -aes128 -passout 'pass:dUmmyP^#+' -out $@
# TODO Explicitly choosing -aes128 generates a key unusable to PostgreSQL with
# OpenSSL 3.0.0, so fall back on the default for now.
ssl/client-encrypted-der.key: ssl/client.key
	$(OPENSSL) rsa -in $< -outform DER -passout 'pass:dUmmyP^#+' -out $@

#
# Combined files
#
# All targets in $(COMBINATIONS) share a single recipe; just declare the
# necessary dependencies and they'll be smashed together.
#

# Root certificate file that contains both CA certificates, for testing
# that multiple certificates can be used.
ssl/both-cas-1.crt: ssl/root_ca.crt ssl/client_ca.crt ssl/server_ca.crt

# The same, but the certs are in different order
ssl/both-cas-2.crt: ssl/root_ca.crt ssl/server_ca.crt ssl/client_ca.crt

# A root certificate file for the client, to validate server certs.
ssl/root+server_ca.crt: ssl/root_ca.crt ssl/server_ca.crt

# and for the server, to validate client certs
ssl/root+client_ca.crt: ssl/root_ca.crt ssl/client_ca.crt

# and for the client, to present to the server
ssl/client+client_ca.crt: ssl/client.crt ssl/client_ca.crt

# for the server, to present to a client that only knows the root
ssl/server-cn-only+server_ca.crt: ssl/server-cn-only.crt ssl/server_ca.crt

# If a CRL is used, OpenSSL requires a CRL file for *all* the CAs in the
# chain, even if some of them are empty.
ssl/root+server.crl: ssl/root.crl ssl/server.crl
ssl/root+client.crl: ssl/root.crl ssl/client.crl

$(COMBINATIONS):
	cat $^ > $@

#
# Standard keys
#

$(STANDARD_KEYS):
	$(OPENSSL) genrsa -out $@ 2048
	chmod 0600 $@

#
# Standard certificates
#

CA_CERTS     := ssl/server_ca.crt ssl/client_ca.crt
SERVER_CERTS := $(SERVERS:%=ssl/%.crt)
CLIENT_CERTS := $(CLIENTS:%=ssl/%.crt)

# See the "CA State" section below.
root_ca_state_files := ssl/root_ca-certindex ssl/root_ca-certindex.attr ssl/root_ca.srl
server_ca_state_files := ssl/server_ca-certindex ssl/server_ca-certindex.attr ssl/server_ca.srl
client_ca_state_files := ssl/client_ca-certindex ssl/client_ca-certindex.attr ssl/client_ca.srl

# These are the workhorse recipes. `openssl ca` can't be safely run from
# parallel processes, so we must mark the entire Makefile .NOTPARALLEL.
.NOTPARALLEL:
$(CA_CERTS): ssl/%.crt: ssl/%.csr conf/%.config conf/cas.config ssl/root_ca.crt | ssl/new_certs_dir $(root_ca_state_files)
	$(OPENSSL) ca -batch -config conf/cas.config -name root_ca   -notext -in $< -out $@

$(SERVER_CERTS): ssl/%.crt: ssl/%.csr conf/%.config conf/cas.config ssl/server_ca.crt | ssl/new_certs_dir $(server_ca_state_files)
	$(OPENSSL) ca -batch -config conf/cas.config -name server_ca -notext -in $< -out $@

$(CLIENT_CERTS): ssl/%.crt: ssl/%.csr conf/%.config conf/cas.config ssl/client_ca.crt | ssl/new_certs_dir $(client_ca_state_files)
	$(OPENSSL) ca -batch -config conf/cas.config -name client_ca -notext -in $< -out $@

# The CSRs don't need to persist after a build.
.INTERMEDIATE: $(CERTIFICATES:%=ssl/%.csr)
ssl/%.csr: ssl/%.key conf/%.config
	$(OPENSSL) req -new -utf8 -key $< -out $@ -config conf/$*.config

#
# CA State
#
# All of these are intended to be order-only dependencies; additionally, the
# pattern recipes are marked as explicit intermediates. The goal is for Make to
# create the state files once for each CA, allow them to accumulate whatever
# state is needed, and then automatically remove them at the end of the run.
#

.INTERMEDIATE: $(root_ca_state_files) $(server_ca_state_files) $(client_ca_state_files)

# OpenSSL requires a directory to put all generated certificates in. We don't
# use this for anything, but we need a location.
ssl/new_certs_dir:
	mkdir $@

ssl/%-certindex:
	touch $@

ssl/%-certindex.attr:
	echo "unique_subject=no" > $@

# The first serial number for each CA is based on the current timestamp, to
# avoid collisions across Make runs.
ssl/%.srl:
	date +%Y%m%d%H%M%S00 > $@

#
# CRLs
#

ssl/root.crl: ssl/root_ca.crt | $(root_ca_state_files)
	$(OPENSSL) ca -config conf/cas.config -name root_ca   -gencrl -out $@

ssl/server.crl: ssl/server-revoked.crt ssl/server_ca.crt | $(server_ca_state_files)
	$(OPENSSL) ca -config conf/cas.config -name server_ca -revoke $<
	$(OPENSSL) ca -config conf/cas.config -name server_ca -gencrl -out $@

ssl/client.crl: ssl/client-revoked.crt ssl/client-revoked-utf8.crt ssl/client_ca.crt | $(client_ca_state_files)
	$(OPENSSL) ca -config conf/cas.config -name client_ca -revoke ssl/client-revoked.crt
	$(OPENSSL) ca -config conf/cas.config -name client_ca -revoke ssl/client-revoked-utf8.crt
	$(OPENSSL) ca -config conf/cas.config -name client_ca -gencrl -out $@

#
# CRL hash directories
#

ssl/root+server-crldir: ssl/server.crl ssl/root.crl
ssl/root+client-crldir: ssl/client.crl ssl/root.crl
ssl/server-crldir: ssl/server.crl
ssl/client-crldir: ssl/client.crl

crlhashfile = $(shell $(OPENSSL) crl -hash -noout -in $(1)).r0

ssl/%-crldir:
	mkdir -p $@
	rm -f $@/*.r0
	$(foreach crl,$^,cp $(crl) $@/$(call crlhashfile,$(crl)) &&) true
	touch $@

.PHONY: sslfiles-clean
sslfiles-clean:
	rm -f $(SSLFILES) ssl/*.old ssl/*.csr ssl/*.srl ssl/*-certindex*
	rm -rf $(SSLDIRS) ssl/new_certs_dir

# The difference between the below clean targets and sslfiles-clean is that the
# clean targets will be run during a "standard" recursive clean run from the
# main build tree. The sslfiles-clean target must be run explicitly from this
# directory.
.PHONY: clean distclean maintainer-clean
clean distclean maintainer-clean:
	rm -rf ssl/*.old ssl/new_certs_dir ssl/client*_tmp.key