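all: pubkeys ca leaves
.PHONY: all pubkeys
# A recipe that fails part-way (e.g. wrong passphrase) must not leave a
# truncated key/cert behind looking up to date.
.DELETE_ON_ERROR:

# The following private keys are checked in and are never regenerated.
SERVER_PRIVKEYS := ct-http-server.privkey.pem log-rpc-server.privkey.pem
# Corresponding passwords.
# NOTE(review): these passphrases are test-fixture material, committed on
# purpose; they must never be reused for non-test keys.  `-passin pass:`
# also places the passphrase on the command line (visible via ps/proc),
# which is acceptable only for throwaway test keys like these.
CT_HTTP_PWD := dirk
LOG_RPC_PWD := towel
MAP_RPC_PWD := towel
# Server public keys are derived from the corresponding private keys.
SERVER_PUBKEYS := $(subst .privkey,.pubkey,$(SERVER_PRIVKEYS))

# Build public keys from private keys.  Public-key extraction is a pure
# function of the private key, so these can be deleted and regenerated
# byte-identically (see `clean`).
pubkeys: $(SERVER_PUBKEYS)

log-rpc-server.pubkey.pem: log-rpc-server.privkey.pem
	openssl ec -in $< -pubout -out $@ -passin pass:$(LOG_RPC_PWD)

ct-http-server.pubkey.pem: ct-http-server.privkey.pem
	openssl ec -in $< -pubout -out $@ -passin pass:$(CT_HTTP_PWD)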
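# We use a fake CA as a trust root for CT tests. This is its private key.
CA_PRIVKEY := fake-ca.privkey.pem
CA_PWD := gently
# We also have an intermediate CA, with private key:
INT_CA_PRIVKEY := int-ca.privkey.pem
INT_CA_PWD := babelfish
# All the leaf certificates share a private key.  This is a test-only
# convenience; a real PKI would never issue many certs for one key.
LEAF_PRIVKEY := leaf.privkey.pem
LEAF_PWD := liff

.PHONY: ca show-ca
ca: fake-ca.cert int-ca.cert

# Fake Root CA: self-signed, fixed serial, 10-year validity.
# Regenerating it yields a different notBefore/notAfter and signature,
# so it is only removed by `distclean`.  Note the fixed `-days`: the
# fixture set has a hard expiry after which chain validation in tests
# will start to fail.
fake-ca.cert: $(CA_PRIVKEY) fake-ca.cfg
	openssl req -new -x509 -config fake-ca.cfg -set_serial 0x0406cafe -days 3650 -extensions v3_ca -inform pem -key $(CA_PRIVKEY) -passin pass:$(CA_PWD) -out $@

show-ca: fake-ca.cert
	openssl x509 -inform pem -in $< -text -noout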
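# Fake Intermediate CA, signed by the fake root.
int-ca.csr.pem: $(INT_CA_PRIVKEY) int-ca.cfg
	openssl req -new -sha256 -config int-ca.cfg -key $(INT_CA_PRIVKEY) -passin pass:$(INT_CA_PWD) -out $@

.PHONY: show-int-csr show-int-ca
show-int-csr: int-ca.csr.pem
	openssl req -in $< -text -noout

# The v3_int_ca extensions are read from fake-ca.cfg, so the config file
# is a real prerequisite: editing the extension section must re-sign.
int-ca.cert: int-ca.csr.pem $(CA_PRIVKEY) fake-ca.cert fake-ca.cfg
	openssl x509 -req -in $< -sha256 -extfile fake-ca.cfg -extensions v3_int_ca -CA fake-ca.cert -CAkey $(CA_PRIVKEY) -passin pass:$(CA_PWD) -set_serial 0x42424242 -days 3600 -out $@

show-int-ca: int-ca.cert
	openssl x509 -inform pem -in $< -text -noout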
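# Leaf Certificates: leaf00 .. leaf20, all signed by the intermediate.
LEAF_IDS := 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20
LEAF_CERTS := $(addsuffix .cert,$(addprefix leaf,$(LEAF_IDS)))
LEAF_CSRS := $(LEAF_CERTS:.cert=.csr.pem)
LEAF_CHAINS := $(LEAF_CERTS:.cert=.chain)

.PHONY: leaves
leaves: $(LEAF_CERTS) $(LEAF_CHAINS)

# Every leaf CSR reuses $(LEAF_PRIVKEY); the CN is simply the CSR filename.
leaf%.csr.pem: $(LEAF_PRIVKEY)
	openssl req -new -sha256 -key $(LEAF_PRIVKEY) -passin pass:$(LEAF_PWD) -subj "/C=GB/ST=London/O=Google/OU=Eng/CN=$@" -out $@

show-leaf%-csr: leaf%.csr.pem
	openssl req -in $< -text -noout

# Sign with the intermediate using the v3_user extensions from int-ca.cfg
# (hence the key and config as prerequisites).
# NOTE(review): every leaf is issued with serial 0xdeadbeef by the same
# issuer, so (issuer, serial) is not unique across the fixture set as
# RFC 5280 requires.  Fine for parsing/submission tests, but anything
# keyed on issuer+serial (CRL/OCSP lookups, caches) will conflate them.
leaf%.cert: leaf%.csr.pem int-ca.cert $(INT_CA_PRIVKEY) int-ca.cfg
	openssl x509 -req -in $< -sha256 -extfile int-ca.cfg -extensions v3_user -CA int-ca.cert -CAkey $(INT_CA_PRIVKEY) -passin pass:$(INT_CA_PWD) -set_serial 0xdeadbeef -days 2600 -out $@

show-leaf%: leaf%.cert
	openssl x509 -inform pem -in $< -text -noout

# Chain file = leaf followed by the intermediate (root omitted).
leaf%.chain: leaf%.cert int-ca.cert
	cat $^ > $@

# Special case: leaf02's chain also includes the root.
leaf02.chain: leaf02.cert int-ca.cert fake-ca.cert
	cat $^ > $@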
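# Special case: leaf00 additionally carries the serverAuth EKU
# (v3_user_serverAuth section of int-ca.cfg).  Explicit rules win over
# the leaf%.cert pattern rule, so this replaces the generic recipe.
leaf00.cert: leaf00.csr.pem $(LEAF_PRIVKEY) int-ca.cert $(INT_CA_PRIVKEY) int-ca.cfg
	openssl x509 -req -in $< -sha256 -extfile int-ca.cfg -extensions v3_user_serverAuth -CA int-ca.cert -CAkey $(INT_CA_PRIVKEY) -passin pass:$(INT_CA_PWD) -set_serial 0xdeadbeef -days 2600 -out $@

# Special case: leaf03 carries an EKU verifiers will not recognise
# (v3_user_plus section of int-ca.cfg).
leaf03.cert: leaf03.csr.pem $(LEAF_PRIVKEY) int-ca.cert $(INT_CA_PRIVKEY) int-ca.cfg
	openssl x509 -req -in $< -sha256 -extfile int-ca.cfg -extensions v3_user_plus -CA int-ca.cert -CAkey $(INT_CA_PRIVKEY) -passin pass:$(INT_CA_PWD) -set_serial 0xdeadbeef -days 2600 -out $@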
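# Pair of intermediate CAs for a longer chain
INT_CA_1_PRIVKEY := int-ca-1.privkey.pem
INT_CA_2_PRIVKEY := int-ca-2.privkey.pem
INT_CA_1_PWD := vogon
INT_CA_2_PWD := vogon

# Fake Intermediate CA 1, signed by the fake root.
# The CSR is built from INT_CA_1_PRIVKEY, so that (not INT_CA_PRIVKEY,
# which belongs to the single-intermediate chain) is the prerequisite.
int-ca-1.csr.pem: $(INT_CA_1_PRIVKEY) int-ca.cfg
	openssl req -new -sha256 -config int-ca.cfg -key $(INT_CA_1_PRIVKEY) -passin pass:$(INT_CA_1_PWD) -out $@

int-ca-1.cert: int-ca-1.csr.pem $(CA_PRIVKEY) fake-ca.cert fake-ca.cfg
	openssl x509 -req -in $< -sha256 -extfile fake-ca.cfg -extensions v3_int_ca_pair -CA fake-ca.cert -CAkey $(CA_PRIVKEY) -passin pass:$(CA_PWD) -set_serial 0x01010101 -days 3600 -out $@

# Fake 2nd-level Intermediate CA 2, signed by Intermediate CA 1 -- so the
# signing key prerequisite is INT_CA_1_PRIVKEY, matching -CAkey below.
int-ca-2.csr.pem: $(INT_CA_2_PRIVKEY) int-ca-2.cfg
	openssl req -new -sha256 -config int-ca-2.cfg -key $(INT_CA_2_PRIVKEY) -passin pass:$(INT_CA_2_PWD) -out $@

int-ca-2.cert: int-ca-2.csr.pem $(INT_CA_1_PRIVKEY) int-ca-1.cert fake-ca.cfg
	openssl x509 -req -in $< -sha256 -extfile fake-ca.cfg -extensions v3_int_ca_pair -CA int-ca-1.cert -CAkey $(INT_CA_1_PRIVKEY) -passin pass:$(INT_CA_1_PWD) -set_serial 0x12121212 -days 3600 -out $@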
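# Length 4 chain (to allow mis-ordering tests): leaf -> int-ca-2 -> int-ca-1 -> root.
subleaf.csr.pem: $(LEAF_PRIVKEY)
	openssl req -new -sha256 -key $(LEAF_PRIVKEY) -passin pass:$(LEAF_PWD) -subj "/C=GB/ST=London/O=Google/OU=Eng/CN=$@" -out $@

# Signed by the 2nd-level intermediate with v3_user from int-ca-2.cfg.
subleaf.cert: subleaf.csr.pem int-ca-2.cert $(INT_CA_2_PRIVKEY) int-ca-2.cfg
	openssl x509 -req -in $< -sha256 -extfile int-ca-2.cfg -extensions v3_user -CA int-ca-2.cert -CAkey $(INT_CA_2_PRIVKEY) -passin pass:$(INT_CA_2_PWD) -set_serial 0xdeadbeef -days 2600 -out $@

# Correctly ordered chain: leaf, then each issuer up to the root.
subleaf.chain: subleaf.cert int-ca-2.cert int-ca-1.cert fake-ca.cert
	cat $^ > $@

# Same certificates with the two intermediates swapped: intentionally an
# invalid ordering, for negative tests.
subleaf.misordered.chain: subleaf.cert int-ca-1.cert int-ca-2.cert fake-ca.cert
	cat $^ > $@

# Length 4 chain (to allow mis-ordering tests) for pre-cert.  Built from
# the same CSR and serial as subleaf.cert, with the v3_user_pre extensions
# from int-ca-2.cfg.
subleaf-pre.cert: subleaf.csr.pem int-ca-2.cert $(INT_CA_2_PRIVKEY) int-ca-2.cfg
	openssl x509 -req -in $< -sha256 -extfile int-ca-2.cfg -extensions v3_user_pre -CA int-ca-2.cert -CAkey $(INT_CA_2_PRIVKEY) -passin pass:$(INT_CA_2_PWD) -set_serial 0xdeadbeef -days 2600 -out $@

subleaf-pre.chain: subleaf-pre.cert int-ca-2.cert int-ca-1.cert fake-ca.cert
	cat $^ > $@

subleaf-pre.misordered.chain: subleaf-pre.cert int-ca-1.cert int-ca-2.cert fake-ca.cert
	cat $^ > $@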
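.PHONY: clean distclean

# clean removes things that regenerate exactly the same (the public keys
# are a pure function of the checked-in private keys).
clean:
	$(RM) $(SERVER_PUBKEYS)

# distclean additionally removes things that regenerate with changes
# (e.g. timestamped, randomized: CSRs and certs get fresh validity
# windows and signatures).  `clean` is a prerequisite, so the public
# keys are not repeated here.
# NOTE(review): the int-ca-1/int-ca-2, subleaf*, fake-ca-1 and leaf-1
# artefacts are not listed and so survive distclean; presumably
# deliberate since they are not part of `all` -- confirm before adding.
distclean: clean
	$(RM) fake-ca.cert int-ca.cert int-ca.csr.pem
	$(RM) $(LEAF_CERTS) $(LEAF_CSRS) $(LEAF_CHAINS)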
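# We also use a second fake CA as a trust root for CT tests. This is its private key.
CA_1_PRIVKEY := fake-ca-1.privkey.pem
CA_1_PWD := ahenny
# Corresponding leaf private key (separate from the shared leaf.privkey.pem).
LEAF_1_PRIVKEY := leaf-1.privkey.pem
LEAF_1_PWD := louth

# Fake Root CA 1: self-signed with the v3_ca1 extensions from fake-ca.cfg.
fake-ca-1.cert: $(CA_1_PRIVKEY) fake-ca.cfg
	openssl req -new -x509 -config fake-ca.cfg -set_serial 0x0406efac -days 3650 -extensions v3_ca1 -inform pem -key $(CA_1_PRIVKEY) -passin pass:$(CA_1_PWD) -out $@

leaf-1.csr.pem: $(LEAF_1_PRIVKEY)
	openssl req -new -sha256 -key $(LEAF_1_PRIVKEY) -passin pass:$(LEAF_1_PWD) -subj "/C=GB/ST=London/O=Google/OU=Eng/CN=$@" -out $@

# Signed directly by Root CA 1 (no intermediate), so the root key and the
# extension config are prerequisites.  The serial is 0xdeadbeaf, which is
# intentionally-looking but distinct from the 0xdeadbeef used elsewhere.
leaf-1.cert: leaf-1.csr.pem fake-ca-1.cert $(CA_1_PRIVKEY) fake-ca.cfg
	openssl x509 -req -in $< -sha256 -extfile fake-ca.cfg -extensions v3_user -CA fake-ca-1.cert -CAkey $(CA_1_PRIVKEY) -passin pass:$(CA_1_PWD) -set_serial 0xdeadbeaf -days 2600 -out $@

# Short chain on CA 1: leaf plus root only.
leaf-1.chain: leaf-1.cert fake-ca-1.cert
	cat $^ > $@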
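# The newkey target creates a fresh private key; should never be needed.
.PHONY: newkey
newkey: fresh.privkey.pem

# Generate a P-256 key and passphrase-encrypt it in a single pipeline so
# the plaintext key is never written to disk.  (The previous recipe
# wrote $@.unencrypted and rm'd it afterwards, which leaves the cleartext
# key behind if the encryption step fails or is interrupted.)  The key is
# wrapped with AES-256 rather than single DES, which is far too weak to
# protect a key at rest.
fresh.privkey.pem:
	openssl ecparam -genkey -name prime256v1 -noout | openssl ec -aes256 -out $@ # Prompts for password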