#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2004 University of Utah and the Flux Group.
# All rights reserved.
#

# The @name@ tokens below are placeholders in this .in template; they are
# presumably substituted when the real GNUmakefile is generated.
# SRCDIR is where usercert.cnf and mkclient.sh are looked up by later rules.
SRCDIR		= @srcdir@
# TESTBED_SRCDIR locates the shared GNUmakerules that this file includes.
TESTBED_SRCDIR	= @top_srcdir@
EVENTSYS	= @EVENTSYS@
# OBJDIR locates the Makeconf file that is included right after this block.
OBJDIR		= ..
SUBDIR		= ssl

include $(OBJDIR)/Makeconf

# Default goal: the CA certificate, the server certificate, the client
# certificates, the signing key pair and mksig.
# NOTE(review): no rule for mksig is visible in this file; it is presumably
# provided by the included GNUmakerules - confirm.
all: emulab.pem server.pem
all: localnode.pem ronnode.pem pcwa.pem ctrlnode.pem
all: keys mksig

# Certificates and capture fingerprints built for a remote site.
remote-site: emulab.pem
remote-site: capture.pem capture.fingerprint
remote-site: server.pem localnode.pem
remote-site: capture.sha1fingerprint

include $(TESTBED_SRCDIR)/GNUmakerules

#
# You do not want to run these targets unless you are sure you
# know what you are doing! You really do not want to install these
# unless you are very sure you know what you are doing. You could
# mess up all the clients when the CA changes out from under them.
#
# Convenience goal for the CA, server and client certificates.
# NOTE(review): no rule that creates client.pem is visible in this file (the
# install rules copy localnode.pem or ctrlnode.pem to client.pem instead);
# confirm this goal can still be satisfied.
pems: emulab.pem server.pem client.pem

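# Create the self-signed CA: cacert.pem/cakey.pem, plus the copies emulab.pem
# (certificate) and emulab.key (private key) that the install rules pick up.
#
# The CA private key is the most sensitive file this makefile produces. The
# original recipe left the mode of cakey.pem and emulab.key to the caller's
# umask; both are now forced to 0600 as soon as they exist, which matches the
# "chmod 600" the install rules apply to the installed emulab.key.
# NOTE(review): whether the key is passphrase-protected depends on emulab.cnf,
# which is not visible here - confirm.
emulab.pem:	dirsmade emulab.cnf
	#
	# Create the Certificate Authority.
	# The certificate (no key!) is installed on both boss and remote nodes.
	#
	openssl req -new -x509 -days 1000 -config emulab.cnf \
		    -keyout cakey.pem -out cacert.pem
	chmod 600 cakey.pem
	cp cacert.pem emulab.pem
	cp cakey.pem emulab.key
	chmod 600 emulab.key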

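# Build server.pem: a fresh server key, a certificate request signed by the
# CA, and the key plus certificate concatenated into one file.
#
# Changes from the original recipe:
#  - The request is handed to "openssl ca" directly. The original first
#    concatenated the private key and the request into newreq.pem, a fixed
#    name shared with the capture.pem rule; that put a second copy of the
#    private key on disk, left it behind whenever signing failed, and let the
#    two rules overwrite each other's file under "make -j". The CA only needs
#    the request, so no temporary file is created any more.
#  - Files that contain the private key (server_key.pem, server.pem) are
#    forced to mode 0600 in the build directory instead of inheriting the
#    caller's umask.
# NOTE(review): "openssl ca" presumably updates the serial and index.txt files
# created by dirsmade (depends on ca.cnf), so rules that sign certificates
# should still not run concurrently - confirm.
server.pem:	dirsmade server.cnf ca.cnf
	#
	# Create the server side private key and certificate request.
	#
	openssl req -new -config server.cnf \
		-keyout server_key.pem -out server_req.pem
	chmod 600 server_key.pem
	#
	# Sign the server cert request, creating a server certificate.
	#
	openssl ca -batch -policy policy_match -config ca.cnf \
		-out server_cert.pem \
		-cert cacert.pem -keyfile cakey.pem \
		-infiles server_req.pem
	#
	# Combine the key and the certificate into one file which is installed
	# on boss and used by tmcd.
	#
	umask 077 && cat server_key.pem server_cert.pem > server.pem
	chmod 600 server.pem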

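# Build capture.pem: a fresh capture key, a certificate request signed by the
# CA, and the key plus certificate concatenated into one file.
#
# Changes from the original recipe:
#  - The request is handed to "openssl ca" directly. The original first
#    concatenated the private key and the request into newreq.pem, a fixed
#    name shared with the server.pem rule; that put a second copy of the
#    private key on disk, left it behind whenever signing failed, and let the
#    two rules overwrite each other's file under "make -j". The CA only needs
#    the request, so no temporary file is created any more.
#  - Files that contain the private key (capture_key.pem, capture.pem) are
#    forced to mode 0600 in the build directory instead of inheriting the
#    caller's umask.
# NOTE(review): "openssl ca" presumably updates the serial and index.txt files
# created by dirsmade (depends on ca.cnf), so rules that sign certificates
# should still not run concurrently - confirm.
capture.pem:	dirsmade capture.cnf ca.cnf
	#
	# Create the server side private key and certificate request.
	#
	openssl req -new -config capture.cnf \
		-keyout capture_key.pem -out capture_req.pem
	chmod 600 capture_key.pem
	#
	# Sign the capture cert request, creating a capture certificate.
	#
	openssl ca -batch -policy policy_match -config ca.cnf \
		-out capture_cert.pem \
		-cert cacert.pem -keyfile cakey.pem \
		-infiles capture_req.pem
	#
	# Combine the key and the certificate into one file which is installed
	# on boss and used by capture.
	#
	umask 077 && cat capture_key.pem capture_cert.pem > capture.pem
	chmod 600 capture.pem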


#
# Generate the fingerprint of the capture certificate
# NOTE: I'd rather use SHA1 than SHA, but we've widely distributed the
# tiptunnel binary, and it needs SHA
#
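# Write the SHA fingerprint of the capture certificate.
#
# The output goes to a temporary file that is renamed only on success. With a
# plain "> capture.fingerprint" the shell creates the target before openssl
# runs, so a failing openssl left an empty but up-to-date-looking fingerprint
# file that a later install would ship.
# NOTE(review): -sha selects the original SHA digest, not SHA-1; newer OpenSSL
# releases may no longer offer it - confirm the installed openssl accepts it.
capture.fingerprint:	capture.pem
	openssl x509 -sha -noout -fingerprint -in capture.pem > $@.tmp \
	    || { rm -f $@.tmp; exit 1; }
	mv -f $@.tmp $@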

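# Write the SHA-1 fingerprint of the capture certificate.
#
# The output goes to a temporary file that is renamed only on success. With a
# plain "> capture.sha1fingerprint" the shell creates the target before
# openssl runs, so a failing openssl left an empty but up-to-date-looking
# fingerprint file that a later install would ship.
capture.sha1fingerprint:	capture.pem
	openssl x509 -sha1 -noout -fingerprint -in capture.pem > $@.tmp \
	    || { rm -f $@.tmp; exit 1; }
	mv -f $@.tmp $@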

# Client certificates, one per node class. Every one of them has the same
# prerequisites (the dirsmade stamp, its own .cnf, ca.cnf and the helper
# script) and is produced by running mkclient.sh with the class name, so a
# single static pattern rule covers them; $* is the name without ".pem".
# NOTE(review): mkclient.sh is not visible here. It presumably creates a key
# and has the CA sign it, so these targets should not run concurrently with
# each other or with the other signing rules - confirm.
client_pems = localnode.pem ctrlnode.pem ronnode.pem pcplab.pem pcwa.pem

$(client_pems): %.pem: dirsmade %.cnf ca.cnf $(SRCDIR)/mkclient.sh
	$(SRCDIR)/mkclient.sh $*

# The key pair used for signing: passphrase-protected private key and the
# public key extracted from it.
keys: emulab_privkey.pem
keys: emulab_pubkey.pem

# Generate the RSA signing key; -des3 makes openssl encrypt it under a
# passphrase.
# NOTE(review): no key length is given, so the size is whatever the installed
# openssl defaults to; older releases defaulted to short moduli. Confirm the
# resulting size is acceptable before relying on a newly generated key.
emulab_privkey.pem:
	#
	# Generate a priv key for signing stuff. This one gets a
	# passphrase.
	# 
	openssl genrsa -des3 -out $@

# Derive the public half of the signing key; $< is the private key and $@ the
# public key file.
emulab_pubkey.pem: emulab_privkey.pem
	#
	# Extract a pubkey from the privkey
	# 
	openssl rsa -in $< -pubout -out $@

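# One-time setup of the CA working files in the build directory; "dirsmade"
# itself is the stamp file that records that this has been done.
#
# The serial file is seeded only when it is missing or empty. The original
# rewrote it unconditionally, so re-running this rule after the stamp had been
# removed reset the CA serial counter to 01 while index.txt kept its entries.
dirsmade:
	-mkdir -p certs
	-mkdir -p newcerts
	-mkdir -p crl
	test -s serial || echo "01" > serial
	touch index.txt
	touch dirsmade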

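# Create the installed CA directory tree; "install-dirs" is a stamp file in
# the build directory.
#
# Two fixes:
#  - The mkdir for $(INSTALL_LIBDIR)/ssl was indented with spaces, which make
#    does not accept as a recipe line; it now starts with a tab.
#  - The installed serial file is seeded only when it is missing or empty.
#    The stamp lives in the build tree while the serial lives under
#    $(INSTALL_DIR), so a fresh build tree used to reset the serial counter of
#    an already installed CA to 01.
# The ssl directory is set to 770 (no access for others); newcerts is 775.
install-dirs:
	-mkdir -p $(INSTALL_DIR)/ssl
	-chmod 770 $(INSTALL_DIR)/ssl
	-mkdir -p $(INSTALL_DIR)/ssl/certs
	-mkdir -p $(INSTALL_DIR)/ssl/newcerts
	-chmod 775 $(INSTALL_DIR)/ssl/newcerts
	-mkdir -p $(INSTALL_DIR)/ssl/crl
	-mkdir -p $(INSTALL_LIBDIR)/ssl
	test -s $(INSTALL_DIR)/ssl/serial || echo "01" > $(INSTALL_DIR)/ssl/serial
	touch $(INSTALL_DIR)/ssl/index.txt
	touch install-dirs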

#
# You do not want to run these targets unless you are sure you
# know what you are doing!
#
# The default install creates the directory tree and installs mksig, then
# prints a warning; it deliberately installs no certificates or keys.
install: install-dirs
install: $(INSTALL_SBINDIR)/mksig
	@echo "BE VERY CAREFUL! INSTALLING NEW CERTS CAN CAUSE DISASTER!"

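# Install the CA, server, client and signing material on boss.
#
# Changes from the original recipe:
#  - capture.pem is a prerequisite here but was the only key-bearing file
#    without a chmod; it is now set to 640, as remote-site-boss-install does.
#  - $(INSTALL_LIBDIR)/ssl is created before files are copied into it, as
#    usercert-install does; this rule does not depend on install-dirs.
# NOTE(review): the files under $(INSTALL_ETCDIR) are presumably installed by
# a rule in GNUmakerules with the mode $(INSTALL_DATA) sets, and tightened
# only afterwards by the chmod lines below - confirm that mode is not
# world-readable for the files that contain private keys.
boss-installX:	$(INSTALL_ETCDIR)/emulab.pem \
		$(INSTALL_ETCDIR)/emulab.key \
		$(INSTALL_ETCDIR)/server.pem \
		$(INSTALL_ETCDIR)/pcplab.pem \
		$(INSTALL_ETCDIR)/pcwa.pem \
		$(INSTALL_ETCDIR)/ronnode.pem \
		$(INSTALL_ETCDIR)/ctrlnode.pem \
		$(INSTALL_ETCDIR)/capture.pem \
		$(INSTALL_ETCDIR)/emulab_privkey.pem \
		$(INSTALL_ETCDIR)/emulab_pubkey.pem
	-mkdir -p $(INSTALL_LIBDIR)/ssl
	$(INSTALL_DATA) $(SRCDIR)/usercert.cnf $(INSTALL_LIBDIR)/ssl/usercert.cnf
	$(INSTALL_DATA) ca.cnf $(INSTALL_LIBDIR)/ssl/ca.cnf
	$(INSTALL_DATA) localnode.pem $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/emulab.pem
	chmod 600 $(INSTALL_ETCDIR)/emulab.key
	chmod 640 $(INSTALL_ETCDIR)/server.pem
	chmod 640 $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/pcplab.pem
	chmod 640 $(INSTALL_ETCDIR)/ronnode.pem
	chmod 640 $(INSTALL_ETCDIR)/ctrlnode.pem
	chmod 640 $(INSTALL_ETCDIR)/pcwa.pem
	chmod 640 $(INSTALL_ETCDIR)/capture.pem
	chmod 640 $(INSTALL_ETCDIR)/emulab_privkey.pem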

# Install the certificate set for the boss node of a remote site.
# The directory tree comes first, then the files installed under
# $(INSTALL_ETCDIR); the recipe adds the openssl configs and client.pem and
# then sets the file modes: 600 for the CA key, 644 for the two fingerprints
# and 640 for everything else.
remote-site-boss-install: install-dirs
remote-site-boss-install: $(INSTALL_ETCDIR)/emulab.pem
remote-site-boss-install: $(INSTALL_ETCDIR)/emulab.key
remote-site-boss-install: $(INSTALL_ETCDIR)/capture.pem
remote-site-boss-install: $(INSTALL_ETCDIR)/capture.fingerprint
remote-site-boss-install: $(INSTALL_ETCDIR)/capture.sha1fingerprint
remote-site-boss-install: $(INSTALL_ETCDIR)/ctrlnode.pem
remote-site-boss-install: $(INSTALL_ETCDIR)/server.pem
	$(INSTALL_DATA) $(SRCDIR)/usercert.cnf $(INSTALL_LIBDIR)/ssl/usercert.cnf
	$(INSTALL_DATA) ca.cnf $(INSTALL_LIBDIR)/ssl/ca.cnf
	$(INSTALL_DATA) localnode.pem $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/emulab.pem
	chmod 600 $(INSTALL_ETCDIR)/emulab.key
	chmod 640 $(INSTALL_ETCDIR)/capture.pem
	chmod 644 $(INSTALL_ETCDIR)/capture.fingerprint
	chmod 644 $(INSTALL_ETCDIR)/capture.sha1fingerprint
	chmod 640 $(INSTALL_ETCDIR)/server.pem
	chmod 640 $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/ctrlnode.pem

# Install what a client node needs: localnode.pem under the name client.pem,
# the CA certificate and the public signing key, all below
# $(DESTDIR)$(CLIENT_ETCDIR).
# The rule has no prerequisites, so it never generates certificates; the
# three source files must already exist in the build directory.
# NOTE(review): unlike the boss install rules, no chmod follows, so client.pem
# keeps the mode $(INSTALL_DATA) gives it. If client.pem contains the client
# private key (mkclient.sh is not visible here), confirm that mode is
# intended.
client-install:
	$(INSTALL_DATA) localnode.pem $(DESTDIR)$(CLIENT_ETCDIR)/client.pem
	$(INSTALL_DATA) emulab.pem $(DESTDIR)$(CLIENT_ETCDIR)/emulab.pem
	$(INSTALL_DATA) emulab_pubkey.pem $(DESTDIR)$(CLIENT_ETCDIR)/emulab_pubkey.pem

# Install on the control node: capture.pem under $(INSTALL_SBINDIR), the CA
# certificate, and ctrlnode.pem under the name client.pem; each is then set
# to mode 640.
# ctrlnode.pem is copied but is not a prerequisite, so it must already exist.
control-install: $(INSTALL_SBINDIR)/capture.pem
control-install: $(INSTALL_ETCDIR)/emulab.pem
	$(INSTALL_DATA) ctrlnode.pem $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_SBINDIR)/capture.pem
	chmod 640 $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/emulab.pem

# Install capture.pem under $(INSTALL_SBINDIR) and restrict it to mode 640;
# $< is that installed file, the rule's only prerequisite.
tipserv-install: $(INSTALL_SBINDIR)/capture.pem
	chmod 640 $<

# Install only the openssl configuration files (ca.cnf and usercert.cnf)
# into $(INSTALL_LIBDIR)/ssl; no certificates or keys are touched.
usercert-install: install-dirs
	-mkdir -p $(INSTALL_LIBDIR)/ssl
	$(INSTALL_DATA) ca.cnf $(INSTALL_LIBDIR)/ssl/ca.cnf
	$(INSTALL_DATA) $(SRCDIR)/usercert.cnf $(INSTALL_LIBDIR)/ssl/usercert.cnf

# "clean" removes nothing and only prints a warning; the rule that actually
# deletes the CA material is cleanX.
clean:
	@echo "BE VERY CAREFUL! CLEANING THE SSL DIR CAN CAUSE DISASTER!"

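# Destructive clean: deletes every certificate and key in the build
# directory, the CA bookkeeping files and the dirsmade stamp.
#
# The original left behind emulab.key (a copy of the CA private key that the
# emulab.pem rule creates), the two capture fingerprint files and the crl
# directory made by dirsmade. They are removed as well, so that no private
# key or stale fingerprint survives a clean.
cleanX:
	rm -f *.pem serial index.txt *.old dirsmade *.cnf
	rm -f emulab.key capture.fingerprint capture.sha1fingerprint
	rm -rf newcerts certs crl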