#
# Copyright (c) 2000-2013 University of Utah and the Flux Group.
# 
# {{{EMULAB-LICENSE
# 
# This file is part of the Emulab network testbed software.
# 
# This file is free software: you can redistribute it and/or modify it
# under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or (at
# your option) any later version.
# 
# This file is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public
# License for more details.
# 
# You should have received a copy of the GNU Affero General Public License
# along with this file.  If not, see <http://www.gnu.org/licenses/>.
# 
# }}}
#

# Paths substituted by configure (@...@) and the location of this
# subdirectory within the object tree.
SRCDIR		= @srcdir@
TESTBED_SRCDIR	= @top_srcdir@
EVENTSYS	= @EVENTSYS@
OBJDIR		= ..
SUBDIR		= ssl

# Installed certs and keys.
# OURDOMAIN and USERNODE are not defined in this file; presumably they
# come from Makeconf, which is included *below* this point. That only
# works because these are recursive ("=") assignments, expanded when
# used -- do not convert them to ":=".
APACHE_ETCDIR	    = @INSTALL_APACHE_CONFIG@
APACHE_CERTFILE     = $(APACHE_ETCDIR)/ssl.crt/www.$(OURDOMAIN).crt
APACHE_KEYFILE      = $(APACHE_ETCDIR)/ssl.key/www.$(OURDOMAIN).key
APACHE_CERTFILE_OPS = $(APACHE_ETCDIR)/ssl.crt/$(USERNODE).crt
APACHE_KEYFILE_OPS  = $(APACHE_ETCDIR)/ssl.key/$(USERNODE).key

# Site configuration (INSTALL_DIR, INSTALL_ETCDIR, INSTALL_LIBDIR,
# INSTALL_SBINDIR, CLIENT_ETCDIR, INSTALL_DATA, ... used below).
include $(OBJDIR)/Makeconf

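#
# Default goal: the CA (emulab.pem), every signed certificate, the
# signing key pair ("keys") and the helper scripts. mksig and updatecert
# have no rule in this file; presumably GNUmakerules builds them from
# their .in templates -- verify.
# Declared phony so a stray file named "all" can never satisfy it.
#
.PHONY: all
all:	emulab.pem server.pem localnode.pem ctrlnode.pem \
	capture.pem capture.fingerprint capture.sha1fingerprint \
	keys mksig updatecert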

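#
# Everything a remote (non-boss) site builds, including the two web
# server certificates. Phony: it names no file of its own.
#
.PHONY: remote-site
remote-site:	emulab.pem capture.pem capture.fingerprint server.pem \
	localnode.pem capture.sha1fingerprint apache.pem apache-ops.pem \
	ctrlnode.pem updatecert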

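# A clearinghouse needs only the CA certificate and the web server
# certificate. Phony: it names no file of its own.
.PHONY: clearinghouse
clearinghouse:	emulab.pem apache.pem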

# Shared testbed rules. Not visible here; presumably this is where the
# $(INSTALL_ETCDIR)/% style install rules and the %.in template
# processing used by the targets below come from.
include $(TESTBED_SRCDIR)/GNUmakerules

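#
# You do not want to run these targets unless you are sure you
# know what you are doing! You really do not want to install these
# unless you are very sure you know what you are doing. You could
# mess up all the clients when the CA changes out from under them.
#
# NOTE(review): client.pem has no rule in this file (localnode.pem is
# what the install targets copy under that name). Unless GNUmakerules
# provides one, "make pems" cannot complete -- confirm whether this
# target is still used.
#
.PHONY: pems
pems:	emulab.pem server.pem client.pem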

#
# The Certificate Authority: a self-signed certificate over the CA
# private key emulab.key, using the request settings in emulab.cnf.
# It is installed on both boss and remote nodes. Validity is fixed at
# 2000 days; the signature digest is whatever emulab.cnf (or the
# OpenSSL default) selects -- verify it is not SHA-1.
#
emulab.pem:	dirsmade mkserial emulab.cnf emulab.key 
	openssl req -new -x509 -days 2000 -config emulab.cnf -text \
		-key emulab.key -out $@

#
# The tmcd server certificate, signed by the CA. The result carries the
# private key appended, because tmcd loads cert and key from one file.
# NOTE(review): the build-tree copy therefore contains a private key and
# its mode follows the umask; only the installed copy is chmod'ed (640).
#
server.pem:	dirsmade mkserial server.cnf ca.cnf server.key server.req
	# Allocate the next serial number in the CA database.
	perl ./mkserial
	# Sign server.req with the CA (-infiles must stay last).
	openssl ca -batch -policy policy_match -config ca.cnf \
		-cert emulab.pem -keyfile emulab.key -out $@ \
		-infiles server.req
	# Append the private key so cert and key live in one file.
	cat server.key >> $@

#
# This is for the main web server on boss. Signed under the
# policy_sslxmlrpc policy of ca.cnf rather than policy_match; the key
# stays in apache.key (nothing is appended here).
# 
apache.pem:	dirsmade mkserial apache.cnf ca.cnf apache.key apache.req
	# Allocate the next serial number in the CA database.
	perl ./mkserial
	# Sign apache.req with the CA (-infiles must stay last).
	openssl ca -batch -policy policy_sslxmlrpc -config ca.cnf \
		-cert emulab.pem -keyfile emulab.key -out $@ \
		-infiles apache.req

#
# This is for the secondary web server on users (ops). Same shape as
# apache.pem: policy_sslxmlrpc, key left separate in apache-ops.key.
# 
apache-ops.pem:	dirsmade mkserial apache-ops.cnf ca.cnf apache-ops.key apache-ops.req
	# Allocate the next serial number in the CA database.
	perl ./mkserial
	# Sign apache-ops.req with the CA (-infiles must stay last).
	openssl ca -batch -policy policy_sslxmlrpc -config ca.cnf \
		-cert emulab.pem -keyfile emulab.key -out $@ \
		-infiles apache-ops.req

#
# The capture certificate, signed by the CA, with the private key
# appended because capture loads cert and key from this one file.
# NOTE(review): as with server.pem, the build-tree copy holds a private
# key with umask-derived permissions; the installed copy is chmod 640.
#
capture.pem:	dirsmade mkserial capture.cnf ca.cnf capture.key capture.req
	# Allocate the next serial number in the CA database.
	perl ./mkserial
	# Sign capture.req with the CA (-infiles must stay last).
	openssl ca -batch -policy policy_match -config ca.cnf \
		-cert emulab.pem -keyfile emulab.key -out $@ \
		-infiles capture.req
	# Append the private key so cert and key live in one file.
	cat capture.key >> $@

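#
# Generate the fingerprint of the capture certificate
# NOTE: I'd rather use SHA1 than SHA, but we've widely distributed the
# tiptunnel binary, and it needs SHA
#
# "-sha" is SHA-0, not SHA-1; I believe OpenSSL releases from 1.1.0 on
# no longer accept it, so expect this rule to fail there -- verify.
# The output goes through a temp file: a plain "> capture.fingerprint"
# truncates the target before openssl runs, so a failure would leave an
# empty but newer-than-capture.pem file that make never rebuilds.
#
capture.fingerprint:	capture.pem
	openssl x509 -sha -noout -fingerprint -in $< > $@.tmp \
	    && mv -f $@.tmp $@ || { rm -f $@.tmp; exit 1; }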

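#
# SHA-1 fingerprint of the capture certificate (the SHA-0 one above is
# kept only for old tiptunnel binaries). Written through a temp file so
# a failed openssl run cannot leave an empty, up-to-date target behind.
#
capture.sha1fingerprint:	capture.pem
	openssl x509 -sha1 -noout -fingerprint -in $< > $@.tmp \
	    && mv -f $@.tmp $@ || { rm -f $@.tmp; exit 1; }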

#
# Certificate for the local node, produced by mkclient.sh (in the source
# dir, not shown here) from localnode.req. Installed as client.pem.
# NOTE(review): the %.req rule already appends the key to the request
# once; this recipe appends it a second time. Presumably mkclient.sh
# tolerates the duplicate -- verify.
#
localnode.pem:	dirsmade mkserial localnode.cnf ca.cnf localnode.key localnode.req
	cat localnode.key >> localnode.req
	# Allocate the next serial number in the CA database.
	perl ./mkserial
	$(SRCDIR)/mkclient.sh $(basename $@)

#
# Certificate for the control node, produced by mkclient.sh (in the
# source dir, not shown here) from ctrlnode.req. control-install copies
# it under the name client.pem.
# NOTE(review): the %.req rule already appends the key to the request
# once; this recipe appends it a second time. Presumably mkclient.sh
# tolerates the duplicate -- verify.
#
ctrlnode.pem:	dirsmade mkserial ctrlnode.cnf ca.cnf ctrlnode.key ctrlnode.req
	cat ctrlnode.key >> ctrlnode.req
	# Allocate the next serial number in the CA database.
	perl ./mkserial
	$(SRCDIR)/mkclient.sh $(basename $@)

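# The signing key pair (used by mksig / verified on clients with the
# installed emulab_pubkey.pem). Phony: it names no file of its own.
.PHONY: keys
keys:		emulab_privkey.pem emulab_pubkey.pem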

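emulab_privkey.pem:
	#
	# Generate a priv key for signing stuff. This one gets a
	# passphrase (openssl prompts for it, so this step is interactive).
	# The size is given explicitly: older OpenSSL releases default to
	# a 1024-bit key, which is below the current minimum.
	# 
	openssl genrsa -out $@ -des3 2048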

emulab_pubkey.pem:	emulab_privkey.pem
	#
	# Extract the public half of the signing key (presumably prompts
	# for the passphrase chosen when the private key was made).
	# 
	openssl rsa -in $< -pubout -out $@

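#
# Rule to generate an rsa key with no encryption
# If this fails, check to make sure that ~/.rnd is owned
# by you and writable. 
#
# This rule also produces emulab.key, the CA private key. The size used
# to be hard-coded to 1024 bits, which is below what current guidance
# accepts; it is now a knob (make RSA_KEYBITS=4096 to override).
# ".rand" is a seed file nothing in this Makefile creates; openssl
# presumably just warns when it is missing -- verify.
#
RSA_KEYBITS ?= 2048
%.key:
	openssl genrsa -out $@ -rand .rand $(RSA_KEYBITS)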

# The point of this is to recover the keys from where they were
# originally installed. We do this because people often lose their
# original build tree, but if they want to rebuild the certs, we usually
# want the original keys.
# Every step is best-effort ("-" prefix): a key that was never installed
# on this host is simply skipped. "recover-keys" itself is a stamp file.
recover-keys:
	-cp $(INSTALL_DIR)/etc/emulab.key emulab.key
	-cp $(APACHE_KEYFILE) apache.key
	# The installed .pem files are expected to carry their private key
	# (server.pem and capture.pem get it appended by their rules above);
	# pull it back out into a bare key file.
	-for n in server capture ctrlnode; do \
		openssl rsa -in $(INSTALL_DIR)/etc/$$n.pem -out $$n.key; \
	done
	# The installed client.pem is what this tree calls localnode.
	-openssl rsa -in $(INSTALL_DIR)/etc/client.pem -out localnode.key
	-scp $(USERNODE):$(APACHE_KEYFILE_OPS) apache-ops.key
	touch $@

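#
# Rule to generate a certificate request using the existing key.
# The key and the config are real prerequisites so that (a) the %.key
# rule runs before this one even under "make -j" (the .pem rules list
# X.key and X.req as siblings, so nothing else orders them), and (b) a
# regenerated key or an edited .cnf produces a fresh request.
#
%.req: %.key %.cnf
	# No good place to put this. 
	@chmod +x mkserial
	openssl req -new -config $*.cnf -key $*.key -out $@
	#
	# Combine key and cert request.
	#
	cat $*.key >> $@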

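#
# Stamp file: create the OpenSSL CA working directories and the CA
# database (serial, index.txt) once. mkdir -p never fails on an existing
# directory, so the old "-" prefixes only hid real errors (e.g. no write
# permission) and let the build carry on into the echo/touch steps.
# NOTE: if the stamp is removed, re-running resets "serial" to 0001
# (existing behaviour).
#
dirsmade: 
	mkdir -p certs newcerts crl
	# The initial system certificates start here.
	echo "0001" > serial
	touch index.txt
	touch $@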

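#
# Create the install-side CA directory tree and the Apache cert/key
# directories. The "-" prefixes are kept as-is: APACHE_ETCDIR may not
# be usable on every host this runs on, and the original intent behind
# ignoring those failures is not visible here -- verify before removing.
# NOTE(review): ssl/keys and ssl/certs get no explicit mode; they
# inherit the umask and rely on the 770 parent. Consider 700 for keys.
# Phony: it names no file of its own.
#
.PHONY: install-dirs
install-dirs:
	-mkdir -p $(INSTALL_DIR)/ssl
	chmod 770 $(INSTALL_DIR)/ssl
	-mkdir -p $(INSTALL_DIR)/ssl/certs
	-mkdir -p $(INSTALL_DIR)/ssl/newcerts
	chmod 775 $(INSTALL_DIR)/ssl/newcerts
	-mkdir -p $(INSTALL_DIR)/ssl/crl
	-mkdir -p $(INSTALL_DIR)/ssl/keys
	-mkdir -p $(INSTALL_LIBDIR)/ssl
	-mkdir -p $(APACHE_ETCDIR)/ssl.crt
	-mkdir -p $(APACHE_ETCDIR)/ssl.key
	chmod 700 $(APACHE_ETCDIR)/ssl.crt
	chmod 700 $(APACHE_ETCDIR)/ssl.key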

# The CA serial file in the install tree. Its content is irrelevant:
# after the initial install, unique serial numbers come from the DB.
$(INSTALL_DIR)/ssl/serial:
	echo "01" > $@

# Empty CA database index in the install tree.
$(INSTALL_DIR)/ssl/index.txt:
	touch $@

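#
# You do not want to run these targets unless you are sure you
# know what you are doing!
#
# "install" deliberately installs NO certificate or key: it only creates
# the directories, installs mksig and prints a warning. Use boss-installX
# (below) explicitly when new certs are really wanted. Phony target.
#
.PHONY: install
install:	install-dirs $(INSTALL_SBINDIR)/mksig
	@echo "BE VERY CAREFUL! INSTALLING NEW CERTS CAN CAUSE DISASTER!"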

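#
# Full boss install of the CA, the server/control/capture certificates
# and the signing key pair. Not reachable from "install"; the trailing X
# is presumably there so it cannot be run by accident.
# The $(INSTALL_ETCDIR)/... prerequisites have no rule in this file;
# presumably GNUmakerules copies them from the build tree.
# localnode.pem is installed under the name client.pem, the same name
# client-install uses on nodes.
# Modes: emulab.key is the CA private key (owner only); emulab.pem,
# server.pem, capture.pem, client.pem, ctrlnode.pem and the passphrase
# protected emulab_privkey.pem are group readable; fingerprints are
# public. emulab_pubkey.pem keeps whatever INSTALL_DATA gives it.
# Phony target.
#
.PHONY: boss-installX
boss-installX:	install-dirs \
		$(INSTALL_DIR)/ssl/serial $(INSTALL_DIR)/ssl/index.txt \
		$(INSTALL_ETCDIR)/emulab.pem \
		$(INSTALL_ETCDIR)/emulab.key \
		$(INSTALL_ETCDIR)/server.pem \
		$(INSTALL_ETCDIR)/ctrlnode.pem \
		$(INSTALL_ETCDIR)/capture.pem \
		$(INSTALL_ETCDIR)/capture.fingerprint \
		$(INSTALL_ETCDIR)/capture.sha1fingerprint \
		$(INSTALL_ETCDIR)/emulab_privkey.pem \
		$(INSTALL_ETCDIR)/emulab_pubkey.pem \
		$(INSTALL_SBINDIR)/updatecert \
		install-conf
	$(INSTALL_DATA) localnode.pem $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/emulab.pem
	chmod 600 $(INSTALL_ETCDIR)/emulab.key
	chmod 640 $(INSTALL_ETCDIR)/server.pem
	chmod 640 $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/ctrlnode.pem
	chmod 640 $(INSTALL_ETCDIR)/emulab_privkey.pem
	chmod 640 $(INSTALL_ETCDIR)/capture.pem
	chmod 644 $(INSTALL_ETCDIR)/capture.fingerprint
	chmod 644 $(INSTALL_ETCDIR)/capture.sha1fingerprint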

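# Install the OpenSSL config files the installed tools use (user and
# system cert requests, plus the CA config). Phony target.
.PHONY: install-conf
install-conf:	usercert.cnf syscert.cnf ca.cnf
	$(INSTALL_DATA) usercert.cnf $(INSTALL_LIBDIR)/ssl/usercert.cnf
	$(INSTALL_DATA) syscert.cnf $(INSTALL_LIBDIR)/ssl/syscert.cnf
	$(INSTALL_DATA) ca.cnf $(INSTALL_LIBDIR)/ssl/ca.cnf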

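#
# Boss install for a remote site: like boss-installX but without the
# signing key pair (emulab_privkey.pem / emulab_pubkey.pem). Same file
# modes as boss-installX: the CA key is owner only, everything that
# carries a private key is group readable, fingerprints are public.
# Phony target.
#
.PHONY: remote-site-boss-install
remote-site-boss-install:	install-dirs \
		$(INSTALL_DIR)/ssl/serial $(INSTALL_DIR)/ssl/index.txt \
		$(INSTALL_ETCDIR)/emulab.pem \
		$(INSTALL_ETCDIR)/emulab.key \
		$(INSTALL_ETCDIR)/capture.pem \
		$(INSTALL_ETCDIR)/capture.fingerprint \
		$(INSTALL_ETCDIR)/capture.sha1fingerprint \
		$(INSTALL_ETCDIR)/ctrlnode.pem \
		$(INSTALL_ETCDIR)/server.pem \
		$(INSTALL_SBINDIR)/updatecert \
		install-conf
	$(INSTALL_DATA) localnode.pem $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/emulab.pem
	chmod 600 $(INSTALL_ETCDIR)/emulab.key
	chmod 640 $(INSTALL_ETCDIR)/capture.pem
	chmod 644 $(INSTALL_ETCDIR)/capture.fingerprint
	chmod 644 $(INSTALL_ETCDIR)/capture.sha1fingerprint
	chmod 640 $(INSTALL_ETCDIR)/server.pem
	chmod 640 $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/ctrlnode.pem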

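# Do not run this if you have a "real" web certificate.
# Installs the self-signed boss web cert and key under APACHE_ETCDIR.
# The two prerequisites have no rule in this file; presumably
# GNUmakerules provides one -- verify. Phony target.
.PHONY: apache-install
apache-install: $(APACHE_CERTFILE) $(APACHE_KEYFILE)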

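#
# Files a client node needs: its certificate (localnode.pem as
# client.pem), the CA certificate, and the public signing key.
# This is the only install target here that honours DESTDIR (needed for
# staged client image builds, presumably). Phony target.
#
.PHONY: client-install
client-install:
	$(INSTALL_DATA) localnode.pem $(DESTDIR)$(CLIENT_ETCDIR)/client.pem
	$(INSTALL_DATA) emulab.pem $(DESTDIR)$(CLIENT_ETCDIR)/emulab.pem
	$(INSTALL_DATA) emulab_pubkey.pem \
			$(DESTDIR)$(CLIENT_ETCDIR)/emulab_pubkey.pem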

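#
# Install for the control node: it gets ctrlnode.pem under the name
# client.pem (boss installs localnode.pem under that name instead),
# plus the capture and CA certificates. All three are group readable
# since capture.pem carries a private key. Phony target.
#
.PHONY: control-install
control-install:	$(INSTALL_ETCDIR)/capture.pem \
			$(INSTALL_ETCDIR)/emulab.pem
	$(INSTALL_DATA) ctrlnode.pem $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/capture.pem
	chmod 640 $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/emulab.pem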

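#
# Clearinghouse install: just the CA certificate and key plus the
# OpenSSL configs. The CA key is owner only. Phony target.
#
.PHONY: clearinghouse-install
clearinghouse-install:	install-dirs \
		$(INSTALL_ETCDIR)/emulab.pem \
		$(INSTALL_ETCDIR)/emulab.key \
		install-conf
	chmod 640 $(INSTALL_ETCDIR)/emulab.pem
	chmod 600 $(INSTALL_ETCDIR)/emulab.key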

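# A tip server only needs capture.pem (cert plus appended key, hence
# group readable only). Phony target.
.PHONY: tipserv-install
tipserv-install:	$(INSTALL_ETCDIR)/capture.pem
	chmod 640 $(INSTALL_ETCDIR)/capture.pem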

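# Install only the configs needed to issue user certificates. The mkdir
# is redundant with install-dirs but harmless. Phony target.
.PHONY: usercert-install
usercert-install:	install-dirs
	-mkdir -p $(INSTALL_LIBDIR)/ssl
	$(INSTALL_DATA) ca.cnf $(INSTALL_LIBDIR)/ssl/ca.cnf
	$(INSTALL_DATA) usercert.cnf $(INSTALL_LIBDIR)/ssl/usercert.cnf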

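# "clean" deliberately removes nothing (a top-level "make clean" must
# not wipe the CA); cleanX below is the real thing. Phony target.
.PHONY: clean
clean:
	@echo "BE VERY CAREFUL! CLEANING THE SSL DIR CAN CAUSE DISASTER!"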

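# The real clean: certificates, every private key (via clean-keys), the
# CA database, the generated configs and scripts. After this the next
# build creates a brand-new CA -- see the warning on "clean".
# Phony target.
.PHONY: cleanX
cleanX: clean-certs clean-keys
	rm -f serial index.txt *.old dirsmade *.cnf
	rm -f mkserial updatecert mksig
	rm -rf newcerts certs crl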

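#
# Leave the private keys behind so that new certs use same keys;
# existing certs still have valid sigs.
#
# NOTE(review): "*.pem" also matches emulab_privkey.pem and
# emulab_pubkey.pem, the signing key pair from the "keys" target, so
# that private key does NOT survive this target despite the comment
# above -- confirm whether that is intended. Phony target.
#
.PHONY: clean-certs
clean-certs:
	rm -f *.pem *.req *.old *.cnf
	rm -f *fingerprint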

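# Remove every private key (including emulab.key, the CA key); only
# cleanX should reach this. Phony target.
.PHONY: clean-keys
clean-keys:
	rm -f *.key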