#
# Copyright (c) 2000-2012 University of Utah and the Flux Group.
# 
# {{{EMULAB-LICENSE
# 
# This file is part of the Emulab network testbed software.
# 
# This file is free software: you can redistribute it and/or modify it
# under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or (at
# your option) any later version.
# 
# This file is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public
# License for more details.
# 
# You should have received a copy of the GNU Affero General Public License
# along with this file.  If not, see <http://www.gnu.org/licenses/>.
# 
# }}}
#

# Build-tree layout. The @...@ tokens are filled in by configure (this is a
# GNUmakefile.in template). OBJDIR is the object tree one level up, which is
# where the $(OBJDIR)/Makeconf include below comes from; SUBDIR names this
# directory within it. EVENTSYS is not referenced anywhere in this file.
SRCDIR		= @srcdir@
TESTBED_SRCDIR	= @top_srcdir@
EVENTSYS	= @EVENTSYS@
OBJDIR		= ..
SUBDIR		= ssl

# Installed certs and keys.
# Where the web-server certificate/key pairs live once installed: boss's
# Apache cert is named after www.$(OURDOMAIN), the users node's after
# $(USERNODE). Neither OURDOMAIN nor USERNODE is defined above -- they are
# expected from the Makeconf included just below -- which is why these are
# recursively expanded (=): a := here would freeze an empty value.
# The ssl.key directories hold private keys; install-dirs sets them 0700.
APACHE_ETCDIR	    = @INSTALL_APACHE_CONFIG@
APACHE_CERTFILE     = $(APACHE_ETCDIR)/ssl.crt/www.$(OURDOMAIN).crt
APACHE_KEYFILE      = $(APACHE_ETCDIR)/ssl.key/www.$(OURDOMAIN).key
APACHE_CERTFILE_OPS = $(APACHE_ETCDIR)/ssl.crt/$(USERNODE).crt
APACHE_KEYFILE_OPS  = $(APACHE_ETCDIR)/ssl.key/$(USERNODE).key

include $(OBJDIR)/Makeconf

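#
# Default goal: the CA and the boss-side certificates, the combined
# key+cert bundles, the capture fingerprints, the signing key pair (keys)
# and the helper scripts mksig/updatecert (built by the shared rules in
# GNUmakerules, presumably from their .in sources). `all` names no file,
# so it is declared phony.
#
.PHONY: all
all:	emulab.pem server.pem localnode.pem ctrlnode.pem \
	capture.pem capture.fingerprint capture.sha1fingerprint \
	keys mksig jabber.pem updatecert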

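#
# Everything a remote site builds: the same set as `all` minus the signing
# key pair and mksig, plus the two Apache certificates (boss and users
# node). Phony: it is a command, not a file.
#
.PHONY: remote-site
remote-site:	emulab.pem capture.pem capture.fingerprint server.pem \
	localnode.pem capture.sha1fingerprint apache.pem apache-ops.pem \
	ctrlnode.pem jabber.pem updatecert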

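# A clearinghouse needs only the CA certificate and the web-server
# certificate. Phony: it is a command, not a file.
.PHONY: clearinghouse
clearinghouse:	emulab.pem apache.pem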

include $(TESTBED_SRCDIR)/GNUmakerules

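#
# You do not want to run these targets unless you are sure you
# know what you are doing! You really do not want to install these
# unless you are very sure you know what you are doing. You could
# mess up all the clients when the CA changes out from under them.
#
# Note that no rule in this file produces client.pem (localnode.pem is
# what gets installed under that name), so this target only succeeds if
# a client.pem already exists or another makefile supplies it.
#
.PHONY: pems
pems:	emulab.pem server.pem client.pem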

#
# The self-signed root CA certificate, valid for 2000 days. Every other
# certificate in this directory is signed with emulab.key; the .pem is the
# trust anchor installed on boss and on remote/client nodes, while the key
# is installed 0600 (boss-installX, clearinghouse-install). Regenerating
# it changes the CA under every client that trusts it -- that is what the
# warnings around the install targets are about. mkserial is listed as a
# prerequisite although this recipe does not use it.
#
emulab.pem:	dirsmade mkserial emulab.cnf emulab.key
	openssl req -new -x509 -days 2000 -text \
		-config $(basename $@).cnf \
		-key $(basename $@).key \
		-out $@

#
# Sign server.req with the CA (-batch: no prompting; policy_match is a
# section of ca.cnf), then append the private key so that server.pem is
# a combined key+certificate bundle, installed on boss for tmcd. Because
# it carries the key, the installed copy is chmod 640 (boss-installX).
# ./mkserial writes the serial file the CA reads. emulab.pem/emulab.key
# are read here but not listed as prerequisites: this rule relies on `all`
# naming emulab.pem first, so a parallel build could race on that.
#
server.pem:	dirsmade mkserial server.cnf ca.cnf server.key server.req
	./mkserial
	openssl ca -batch -policy policy_match -config ca.cnf \
		-cert emulab.pem -keyfile emulab.key -out $@ \
		-infiles $(basename $@).req
	cat $(basename $@).key >> $@

#
# This is for the main web server on boss: a CA-signed certificate issued
# under the policy_sslxmlrpc section of ca.cnf. Unlike server.pem the key
# is NOT appended; apache.key is installed on its own (recover-keys copies
# it back from $(APACHE_KEYFILE)). ./mkserial writes the serial file the
# CA reads.
#
apache.pem:	dirsmade mkserial apache.cnf ca.cnf apache.key apache.req
	./mkserial
	openssl ca -batch -policy policy_sslxmlrpc -config ca.cnf \
		-cert emulab.pem -keyfile emulab.key -out $@ \
		-infiles $(basename $@).req

#
# This is for the secondary web server on the users node: same shape as
# apache.pem (policy_sslxmlrpc, key kept separate). Its key is the one
# recover-keys fetches over scp from $(USERNODE). ./mkserial writes the
# serial file the CA reads.
#
apache-ops.pem:	dirsmade mkserial apache-ops.cnf ca.cnf apache-ops.key apache-ops.req
	./mkserial
	openssl ca -batch -policy policy_sslxmlrpc -config ca.cnf \
		-cert emulab.pem -keyfile emulab.key -out $@ \
		-infiles $(basename $@).req

#
# Certificate for capture, signed under policy_match, with the private key
# appended so the installed file is a combined key+cert bundle (chmod 640
# on install). Its fingerprints (capture.fingerprint, .sha1fingerprint)
# are derived from this file and distributed to clients. ./mkserial writes
# the serial file the CA reads.
#
capture.pem:	dirsmade mkserial capture.cnf ca.cnf capture.key capture.req
	./mkserial
	openssl ca -batch -policy policy_match -config ca.cnf \
		-cert emulab.pem -keyfile emulab.key -out $@ \
		-infiles $(basename $@).req
	cat $(basename $@).key >> $@

#
# Certificate for the jabber service, signed under policy_sslxmlrpc, with
# the private key appended so the installed file is a combined key+cert
# bundle. (The original comment said it is used by tmcd; that looks like a
# copy of the server.pem text -- confirm the consumer before relying on
# it.) ./mkserial writes the serial file the CA reads.
#
jabber.pem:	dirsmade mkserial jabber.cnf ca.cnf jabber.key jabber.req
	./mkserial
	openssl ca -batch -policy policy_sslxmlrpc -config ca.cnf \
		-cert emulab.pem -keyfile emulab.key -out $@ \
		-infiles $(basename $@).req
	cat $(basename $@).key >> $@

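#
# Generate the fingerprint of the capture certificate.
# NOTE: I'd rather use SHA1 than SHA, but we've widely distributed the
# tiptunnel binary, and it needs SHA. (Recent OpenSSL releases may no
# longer accept -sha at all; confirm against the installed version.)
# The output goes through a temp file: with a plain redirect a failed
# openssl run left an empty fingerprint that was newer than capture.pem,
# so make considered it up to date.
#
capture.fingerprint:	capture.pem
	openssl x509 -sha -noout -fingerprint -in $< > $@.tmp || { rm -f $@.tmp; exit 1; }
	mv -f $@.tmp $@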

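#
# SHA-1 fingerprint of the capture certificate (the digest newer clients
# use; capture.fingerprint keeps the legacy one). Written via a temp file
# so a failed openssl run cannot leave an empty file that is newer than
# capture.pem and therefore never rebuilt.
#
capture.sha1fingerprint:	capture.pem
	openssl x509 -sha1 -noout -fingerprint -in $< > $@.tmp || { rm -f $@.tmp; exit 1; }
	mv -f $@.tmp $@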

#
# Client certificate for the local node, presumably produced by
# mkclient.sh from the combined request; it is installed on boss as
# client.pem. The key is appended to the .req here even though the %.req
# rule already does that -- it looks redundant, but confirm what
# mkclient.sh expects before dropping it. ./mkserial writes the serial
# file the CA reads.
#
localnode.pem:	dirsmade mkserial localnode.cnf ca.cnf localnode.key localnode.req
	./mkserial
	cat $(basename $@).key >> $(basename $@).req
	$(SRCDIR)/mkclient.sh $(basename $@)

#
# Client certificate for the control node, presumably produced by
# mkclient.sh from the combined request; control-install puts it in place
# as client.pem. As with localnode.pem, the key is appended to the .req a
# second time (the %.req rule already did) -- confirm what mkclient.sh
# expects before dropping it. ./mkserial writes the serial file the CA
# reads.
#
ctrlnode.pem:	dirsmade mkserial ctrlnode.cnf ca.cnf ctrlnode.key ctrlnode.req
	./mkserial
	cat $(basename $@).key >> $(basename $@).req
	$(SRCDIR)/mkclient.sh $(basename $@)

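# The signing key pair (private half passphrase-protected, public half
# shipped to clients). Phony aggregator: it is a command, not a file.
.PHONY: keys
keys:		emulab_privkey.pem emulab_pubkey.pem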

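#
# Generate the private key used for signing stuff (mksig is presumably the
# consumer). Unlike the %.key rule this one is passphrase-protected
# (-des3), so generating it prompts interactively. The key size is now
# pinned rather than left to whatever the local OpenSSL's genrsa default
# happens to be (older releases defaulted to 1024 bits); override with
# `make RSA_KEY_BITS=...` if a site needs something else.
#
RSA_KEY_BITS ?= 2048
emulab_privkey.pem:
	openssl genrsa -out $@ -des3 $(RSA_KEY_BITS)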

#
# Extract the public key from emulab_privkey.pem. The private key is
# des3-encrypted, so this step will ask for its passphrase. The public key
# is what client-install ships to nodes.
#
emulab_pubkey.pem:	emulab_privkey.pem
	openssl rsa -in $< -pubout -out $@

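#
# Rule to generate an RSA private key with no encryption. The size
# defaults to 2048 bits: the previous hard-coded 1024 has been deprecated
# since 2013 and is rejected outright by OpenSSL at security level 2,
# which several distributions now set by default. Override with
# `make RSA_KEY_BITS=4096` if a site needs something else.
# If this fails, check to make sure that ~/.rnd is owned
# by you and writable. (-rand .rand also reads a seed file from the
# current directory; nothing in this Makefile creates it.)
#
RSA_KEY_BITS ?= 2048
%.key:
	openssl genrsa -out $@ -rand .rand $(RSA_KEY_BITS)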

#
# Recover the private keys from where they were originally installed, so
# that a rebuilt tree can regenerate certificates with the ORIGINAL keys
# (people often lose the build tree but still want the old keys). Every
# step is best-effort (-), presumably because not every installation has
# all of these files. This pulls private keys -- including the users
# node's Apache key, over scp -- into the build tree, so treat the tree
# as sensitive. recover-keys is touched as a stamp so the copy is not
# repeated.
#
recover-keys:
	-cp $(INSTALL_DIR)/etc/emulab.key emulab.key
	-cp $(APACHE_KEYFILE) apache.key
	# The installed bundles are key+cert; pull the key half back out.
	-for n in server capture jabber ctrlnode; do \
		openssl rsa -in $(INSTALL_DIR)/etc/$$n.pem -out $$n.key; \
	done
	-openssl rsa -in $(INSTALL_DIR)/etc/client.pem -out localnode.key
	-scp $(USERNODE):$(APACHE_KEYFILE_OPS) apache-ops.key
	touch $@

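#
# Rule to generate a certificate request using the existing key.
# %.key is now a real prerequisite, so the key is generated (by the %.key
# rule) before the request is made even under make -j; previously this
# depended on the .pem rules listing X.key ahead of X.req. $*.cnf is read
# too but deliberately not listed: the .cnf files are produced elsewhere
# (configure, presumably) and are already prerequisites of the .pem rules,
# so naming them here could turn a missing .cnf into "No rule to make
# target". The key is appended so the .req is a combined key+request file.
#
%.req: %.key
	# No good place to put this. 
	@chmod +x mkserial
	openssl req -new -config $*.cnf -key $< -out $@
	cat $< >> $@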

#
# One-time setup of the working directory for openssl ca: the
# subdirectories (presumably the ones ca.cnf points at), the starting
# serial number and an empty index.txt (presumably the CA's issued-cert
# database). dirsmade itself is a stamp file; every .pem rule lists it as
# a prerequisite.
#
dirsmade: 
	-mkdir -p certs newcerts crl
	# The initial system certificates start here.
	echo "0001" > serial
	touch index.txt $@

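#
# Create the install-side directory tree: the CA state under
# $(INSTALL_DIR)/ssl, the config snippets under $(INSTALL_LIBDIR)/ssl and
# Apache's cert/key directories. Modes are set explicitly: the ssl tree
# is group-accessible (770, newcerts 775) while Apache's ssl.crt and
# ssl.key are owner-only (700) since ssl.key holds private keys. mkdir
# failures are ignored (-) so re-running over an existing tree is fine.
# Declared phony: it is a command, not a file.
#
.PHONY: install-dirs
install-dirs:
	-mkdir -p $(INSTALL_DIR)/ssl
	chmod 770 $(INSTALL_DIR)/ssl
	-mkdir -p $(INSTALL_DIR)/ssl/certs $(INSTALL_DIR)/ssl/newcerts \
		$(INSTALL_DIR)/ssl/crl $(INSTALL_DIR)/ssl/keys
	chmod 775 $(INSTALL_DIR)/ssl/newcerts
	-mkdir -p $(INSTALL_LIBDIR)/ssl
	-mkdir -p $(APACHE_ETCDIR)/ssl.crt $(APACHE_ETCDIR)/ssl.key
	chmod 700 $(APACHE_ETCDIR)/ssl.crt
	chmod 700 $(APACHE_ETCDIR)/ssl.key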

#
# Seed the installed CA's serial file. It does not matter what we put in
# here; we use the DB to create unique serial numbers after the initial
# install. Only created when missing (it is a real file target).
#
$(INSTALL_DIR)/ssl/serial:
	echo "01" > $@

# Empty index for the installed CA; created only when missing.
$(INSTALL_DIR)/ssl/index.txt:
	touch $@

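#
# You do not want to run these targets unless you are sure you
# know what you are doing!
#
# A plain `make install` deliberately stops at the directories and mksig;
# the certificates themselves only go in via boss-installX and friends.
# Declared phony so a stray file named "install" cannot silence it.
#
.PHONY: install
install:	install-dirs $(INSTALL_SBINDIR)/mksig
	@echo "BE VERY CAREFUL! INSTALLING NEW CERTS CAN CAUSE DISASTER!"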

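#
# Install the full boss set: CA state, CA cert+key, the key+cert bundles,
# the capture fingerprints, the signing key pair, updatecert and the
# config snippets. The $(INSTALL_ETCDIR)/... prerequisites are presumably
# copied by a pattern rule in GNUmakerules (not visible here); localnode.pem
# is installed by hand because it changes name to client.pem. Modes are
# tightened afterwards: the CA key is owner-only (600), everything that
# carries a private key is group-readable only (640), and the fingerprints
# are world-readable (644). emulab_pubkey.pem keeps INSTALL_DATA's mode.
# Declared phony: it is a command, not a file.
#
.PHONY: boss-installX
boss-installX:	install-dirs \
		$(INSTALL_DIR)/ssl/serial $(INSTALL_DIR)/ssl/index.txt \
		$(INSTALL_ETCDIR)/emulab.pem \
		$(INSTALL_ETCDIR)/emulab.key \
		$(INSTALL_ETCDIR)/server.pem \
		$(INSTALL_ETCDIR)/ctrlnode.pem \
		$(INSTALL_ETCDIR)/capture.pem \
		$(INSTALL_ETCDIR)/capture.fingerprint \
		$(INSTALL_ETCDIR)/capture.sha1fingerprint \
		$(INSTALL_ETCDIR)/emulab_privkey.pem \
		$(INSTALL_ETCDIR)/emulab_pubkey.pem \
		$(INSTALL_SBINDIR)/updatecert \
		install-conf
	$(INSTALL_DATA) localnode.pem $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/emulab.pem
	chmod 600 $(INSTALL_ETCDIR)/emulab.key
	chmod 640 $(INSTALL_ETCDIR)/server.pem
	chmod 640 $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/ctrlnode.pem
	chmod 640 $(INSTALL_ETCDIR)/emulab_privkey.pem
	chmod 640 $(INSTALL_ETCDIR)/capture.pem
	chmod 644 $(INSTALL_ETCDIR)/capture.fingerprint
	chmod 644 $(INSTALL_ETCDIR)/capture.sha1fingerprint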

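#
# Install the openssl config snippets (user cert, system cert, CA) into
# $(INSTALL_LIBDIR)/ssl; shared by boss-installX and clearinghouse-install.
# Declared phony: it is a command, not a file.
#
.PHONY: install-conf
install-conf:	usercert.cnf syscert.cnf ca.cnf
	$(INSTALL_DATA) usercert.cnf $(INSTALL_LIBDIR)/ssl/usercert.cnf
	$(INSTALL_DATA) syscert.cnf $(INSTALL_LIBDIR)/ssl/syscert.cnf
	$(INSTALL_DATA) ca.cnf $(INSTALL_LIBDIR)/ssl/ca.cnf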

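#
# Boss install for a remote site: like boss-installX without the signing
# key pair and with capture ahead of server in the list. Same mode policy:
# CA key 600, anything carrying a private key 640, fingerprints 644. The
# $(INSTALL_ETCDIR)/... prerequisites are presumably copied by a pattern
# rule in GNUmakerules (not visible here). Declared phony: it is a
# command, not a file.
#
.PHONY: remote-site-boss-install
remote-site-boss-install:	install-dirs \
		$(INSTALL_DIR)/ssl/serial $(INSTALL_DIR)/ssl/index.txt \
		$(INSTALL_ETCDIR)/emulab.pem \
		$(INSTALL_ETCDIR)/emulab.key \
		$(INSTALL_ETCDIR)/capture.pem \
		$(INSTALL_ETCDIR)/capture.fingerprint \
		$(INSTALL_ETCDIR)/capture.sha1fingerprint \
		$(INSTALL_ETCDIR)/ctrlnode.pem \
		$(INSTALL_ETCDIR)/server.pem \
		$(INSTALL_SBINDIR)/updatecert \
		install-conf
	$(INSTALL_DATA) localnode.pem $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/emulab.pem
	chmod 600 $(INSTALL_ETCDIR)/emulab.key
	chmod 640 $(INSTALL_ETCDIR)/capture.pem
	chmod 644 $(INSTALL_ETCDIR)/capture.fingerprint
	chmod 644 $(INSTALL_ETCDIR)/capture.sha1fingerprint
	chmod 640 $(INSTALL_ETCDIR)/server.pem
	chmod 640 $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/ctrlnode.pem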

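# Do not run this if you have a "real" web certificate: it puts the
# locally issued apache cert/key into Apache's ssl.crt and ssl.key
# directories in place of whatever is there. The $(APACHE_CERTFILE) and
# $(APACHE_KEYFILE) rules are not in this file (presumably GNUmakerules).
# Declared phony: it is a command, not a file.
.PHONY: apache-install
apache-install: $(APACHE_CERTFILE) $(APACHE_KEYFILE)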

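#
# Client-side install (honours DESTDIR): the node's own cert as client.pem,
# the CA cert and the signing public key. No chmod is done here, so the
# files keep INSTALL_DATA's mode; the boss and control installs give
# client.pem 0640, so if localnode.pem carries the private key (mkclient.sh
# output, not visible here) the client-side mode deserves the same care.
# Declared phony: it is a command, not a file.
#
.PHONY: client-install
client-install:
	$(INSTALL_DATA) localnode.pem $(DESTDIR)$(CLIENT_ETCDIR)/client.pem
	$(INSTALL_DATA) emulab.pem $(DESTDIR)$(CLIENT_ETCDIR)/emulab.pem
	$(INSTALL_DATA) emulab_pubkey.pem \
			$(DESTDIR)$(CLIENT_ETCDIR)/emulab_pubkey.pem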

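#
# Control-node install: capture bundle and CA cert via the installed-copy
# prerequisites (presumably a GNUmakerules pattern rule), plus ctrlnode.pem
# installed by hand as client.pem. All three are set group-readable only
# (640) since capture.pem and ctrlnode.pem carry private keys. Declared
# phony: it is a command, not a file.
#
.PHONY: control-install
control-install:	$(INSTALL_ETCDIR)/capture.pem \
			$(INSTALL_ETCDIR)/emulab.pem
	$(INSTALL_DATA) ctrlnode.pem $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/capture.pem
	chmod 640 $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/emulab.pem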

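#
# Clearinghouse install: directories, the CA cert and key, and the config
# snippets. The CA key is owner-only (600), the cert group-readable (640).
# Declared phony: it is a command, not a file.
#
.PHONY: clearinghouse-install
clearinghouse-install:	install-dirs \
		$(INSTALL_ETCDIR)/emulab.pem \
		$(INSTALL_ETCDIR)/emulab.key \
		install-conf
	chmod 640 $(INSTALL_ETCDIR)/emulab.pem
	chmod 600 $(INSTALL_ETCDIR)/emulab.key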

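# Tip server install: only the capture key+cert bundle, group-readable
# (640) because it carries the private key. Declared phony: it is a
# command, not a file.
.PHONY: tipserv-install
tipserv-install:	$(INSTALL_ETCDIR)/capture.pem
	chmod 640 $(INSTALL_ETCDIR)/capture.pem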

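#
# Install just the CA and user-cert config snippets (a subset of what
# install-conf does). The mkdir repeats what install-dirs already did and
# is harmless. Declared phony: it is a command, not a file.
#
.PHONY: usercert-install
usercert-install:	install-dirs
	-mkdir -p $(INSTALL_LIBDIR)/ssl
	$(INSTALL_DATA) ca.cnf $(INSTALL_LIBDIR)/ssl/ca.cnf
	$(INSTALL_DATA) usercert.cnf $(INSTALL_LIBDIR)/ssl/usercert.cnf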

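#
# Deliberately a no-op: a tree-wide `make clean` must never wipe a live
# CA's state and keys. Use cleanX when you really mean it. Declared phony
# so a stray file named "clean" cannot silence the warning.
#
.PHONY: clean
clean:
	@echo "BE VERY CAREFUL! CLEANING THE SSL DIR CAN CAUSE DISASTER!"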

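#
# The real clean: removes the CA working state (serial, index, stamp,
# directories), the generated scripts and configs and, via clean-certs and
# clean-keys, every certificate AND every private key. There is no way to
# get the keys back afterwards except recover-keys from an installed copy.
# Declared phony: it is a command, not a file.
#
.PHONY: cleanX
cleanX: clean-certs clean-keys
	rm -f serial index.txt *.old dirsmade *.cnf
	rm -f mkserial updatecert mksig
	rm -rf newcerts certs crl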

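#
# Leave the private keys behind so that new certs use same keys;
# existing certs still have valid sigs.
#
# NOTE: the *.pem glob also matches emulab_privkey.pem and
# emulab_pubkey.pem, so the signing key pair is NOT preserved by this
# target even though the *.key files are. If clients already hold the
# public key, back the pair up before running this. Declared phony: it is
# a command, not a file.
#
.PHONY: clean-certs
clean-certs:
	rm -f *.pem *.req *.old *.cnf
	rm -f *fingerprint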

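# Remove the unencrypted private keys (the ones the %.key rule makes).
# Declared phony: it is a command, not a file.
.PHONY: clean-keys
clean-keys:
	rm -f *.key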