#
# Copyright (c) 2000-2018 University of Utah and the Flux Group.
# 
# {{{EMULAB-LICENSE
# 
# This file is part of the Emulab network testbed software.
# 
# This file is free software: you can redistribute it and/or modify it
# under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or (at
# your option) any later version.
# 
# This file is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public
# License for more details.
# 
# You should have received a copy of the GNU Affero General Public License
# along with this file.  If not, see <http://www.gnu.org/licenses/>.
# 
# }}}
#

# Build-tree locations; the @...@ values are substituted by configure
# when GNUmakefile.in becomes GNUmakefile.
SRCDIR		= @srcdir@
TESTBED_SRCDIR	= @top_srcdir@
EVENTSYS	= @EVENTSYS@
OBJDIR		= ..
SUBDIR		= ssl

# Installed certs and keys.
# NOTE: these are deliberately recursive (=) rather than := assignments.
# OURDOMAIN and USERNODE are not set anywhere above; presumably they come
# from $(OBJDIR)/Makeconf, which is only included further down. Turning
# these into := would freeze the paths with empty host names.
APACHE_ETCDIR	    = @INSTALL_APACHE_CONFIG@
APACHE_CERTFILE     = $(APACHE_ETCDIR)/ssl.crt/www.$(OURDOMAIN).crt
APACHE_KEYFILE      = $(APACHE_ETCDIR)/ssl.key/www.$(OURDOMAIN).key
APACHE_CERTFILE_OPS = $(APACHE_ETCDIR)/ssl.crt/$(USERNODE).crt
APACHE_KEYFILE_OPS  = $(APACHE_ETCDIR)/ssl.key/$(USERNODE).key

# Site configuration generated by configure (install directories and,
# presumably, OURDOMAIN/USERNODE used above).
include $(OBJDIR)/Makeconf

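# The aggregate targets below are command names, not files. Declare them
# phony so a stray file called "all" or "clearinghouse" can never make the
# whole build look up to date.
.PHONY: all remote-site clearinghouse

# Everything a regular boss installation builds: the CA, the tmcd server
# cert, the two client certs, the capture bundle plus its fingerprints,
# the emulab signing key pair (keys) and the helper scripts.
# mksig and updatecert have no rule in this file; they are presumably
# produced elsewhere (configure or GNUmakerules).
all:	emulab.pem server.pem localnode.pem ctrlnode.pem \
	capture.pem capture.fingerprint capture.sha1fingerprint \
	keys mksig updatecert

# Remote site: same as all minus the signing key pair, plus the self-signed
# web server certs for boss (apache.pem) and the users node (apache-ops.pem).
remote-site:	emulab.pem capture.pem capture.fingerprint server.pem \
	localnode.pem capture.sha1fingerprint apache.pem apache-ops.pem \
	ctrlnode.pem updatecert

# A clearinghouse only needs the CA certificate and the web server cert.
clearinghouse:	emulab.pem apache.pem
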
# Shared rules from the top of the tree. The $(INSTALL_ETCDIR)/% style
# prerequisites used by the install targets below are presumably
# satisfied by pattern rules defined there (not visible in this file).
include $(TESTBED_SRCDIR)/GNUmakerules

#
# You do not want to run these targets unless you are sure you
# know what you are doing! You really do not want to install these
# unless you are very sure you know what you are doing. You could
# mess up all the clients when the CA changes out from under them.
#
# Regenerates the CA (emulab.pem) and certs signed by it. Every client
# that trusts the old CA stops validating once the new one is installed.
# NOTE(review): client.pem has no rule in this file (localnode.pem is what
# gets installed under that name) -- confirm this target still works.
pems:	emulab.pem server.pem client.pem

# Directory layout and CA config needed before any certificate is built.
prebuild: dirsmade emulab.cnf emulab-geni.cnf

#
# The Certificate Authority certificate: self-signed, valid for 2000 days,
# made from emulab.key (an unencrypted RSA key from the %.key rule below).
# The ifeq is a parse-time make conditional (it is not tab-indented), so
# only one of the two openssl lines ends up in the recipe: the GENI config
# when ProtoGENI support is enabled, the plain Emulab config otherwise.
#
emulab.pem:	dirsmade emulab.cnf emulab-geni.cnf emulab.key 
	#
	# Create the Certificate Authority.
	# The certificate is installed on both boss and remote nodes.
	#
ifeq (@PROTOGENI_SUPPORT@,1)
	openssl req -new -x509 -days 2000 -config emulab-geni.cnf \
		    -text -key emulab.key -out emulab.pem
else
	openssl req -new -x509 -days 2000 -config emulab.cnf \
		    -text -key emulab.key -out emulab.pem
endif

#
# Server certificate for tmcd on boss, signed by the Emulab CA with the
# policy_match policy from ca.cnf.
# The finished server.pem holds BOTH the certificate and the private key
# (see the final cat), so it must never be installed world-readable;
# the boss install targets below set it to mode 640.
# NOTE(review): emulab.pem and emulab.key are used for signing but are not
# listed as prerequisites; a sequential build gets them from "all" first,
# a parallel build (-j) or a partial target does not.
#
server.pem:	dirsmade mkserial server.cnf ca.cnf server.key server.req
	# Create the serial file.
	perl ./mkserial
	#
	# Sign the server cert request, creating a server certificate.
	#
	openssl ca -batch -policy policy_match -config ca.cnf \
		-out server.pem -cert emulab.pem -keyfile emulab.key \
		-infiles server.req
	#
	# Combine the key and the certificate into one file which is installed
	# on boss and used by tmcd.
	#
	cat server.key >> server.pem

#
# This is for the main web server on boss.
# 
# Self-signed-CA web cert, signed with the policy_sslxmlrpc policy. Unlike
# server.pem the key is NOT appended here; apache.key is installed as a
# separate file by apache-install.
# NOTE(review): emulab.pem / emulab.key are used but not declared as
# prerequisites (see server.pem).
#
apache.pem:	dirsmade mkserial apache.cnf ca.cnf apache.key apache.req
	# Create the serial file.
	perl ./mkserial
	#
	# Sign the apache cert request, creating an apache certificate.
	#
	openssl ca -batch -policy policy_sslxmlrpc -config ca.cnf \
		-out apache.pem -cert emulab.pem -keyfile emulab.key \
		-infiles apache.req

#
# This is for the secondary web server on users.
# 
# Same procedure as apache.pem, for the users (ops) node web server. The
# key stays in apache-ops.key; recover-keys fetches it back over scp.
# NOTE(review): emulab.pem / emulab.key are used but not declared as
# prerequisites (see server.pem).
#
apache-ops.pem:	dirsmade mkserial apache-ops.cnf ca.cnf apache-ops.key apache-ops.req
	# Create the serial file.
	perl ./mkserial
	#
	# Sign the apache cert request, creating an apache certificate.
	#
	openssl ca -batch -policy policy_sslxmlrpc -config ca.cnf \
		-out apache-ops.pem -cert emulab.pem -keyfile emulab.key \
		-infiles apache-ops.req

#
# Certificate for the capture (console) daemon, signed with policy_match.
# As with server.pem, the private key is appended to the certificate file,
# so capture.pem is sensitive and is installed mode 640.
# NOTE(review): emulab.pem / emulab.key are used but not declared as
# prerequisites (see server.pem).
#
capture.pem:	dirsmade mkserial capture.cnf ca.cnf capture.key capture.req
	# Create the serial file.
	perl ./mkserial
	#
	# Sign the capture cert request, creating a capture certificate.
	#
	openssl ca -batch -policy policy_match -config ca.cnf \
		-out capture.pem -cert emulab.pem -keyfile emulab.key \
		-infiles capture.req
	#
	# Combine the key and the certificate into one file which is installed
	# on boss and used by capture.
	#
	cat capture.key >> capture.pem

#
# Fingerprint of the capture certificate using the legacy "sha" (SHA-0)
# digest. SHA1 would be preferable, but the widely distributed tiptunnel
# binary expects the SHA-0 fingerprint, so this stays as is.
# NOTE(review): OpenSSL 1.1.0 and later no longer ship SHA-0, so this
# step may fail on a modern toolchain; the sha1 variant below still works.
#
capture.fingerprint:	capture.pem
	openssl x509 -sha -noout -fingerprint -in $< > $@

# SHA1 fingerprint of the capture certificate, for clients that do not
# need the legacy SHA-0 form above.
capture.sha1fingerprint:	capture.pem
	openssl x509 -sha1 -noout -fingerprint -in $< > $@

#
# Client certificate for the local node; installed on boss as client.pem.
# The private key is appended to the request and the whole thing is
# handed to mkclient.sh, which does the signing.
# NOTE(review): the %.req rule already appends the key to the request, so
# localnode.req ends up carrying the key twice -- confirm whether
# mkclient.sh relies on that before touching either place.
#
localnode.pem:	dirsmade mkserial localnode.cnf ca.cnf localnode.key localnode.req
	cat localnode.key >> localnode.req
	# Create the serial file.
	perl ./mkserial
	$(SRCDIR)/mkclient.sh localnode

#
# Client certificate for the control node; control-install puts it in
# place as client.pem. Same flow as localnode.pem, including the doubled
# key in the request file (see the note there).
#
ctrlnode.pem:	dirsmade mkserial ctrlnode.cnf ca.cnf ctrlnode.key ctrlnode.req
	cat ctrlnode.key >> ctrlnode.req
	# Create the serial file.
	perl ./mkserial
	$(SRCDIR)/mkclient.sh ctrlnode

# The emulab signing key pair (separate from the CA key): the private half
# is passphrase protected, the public half is shipped to clients.
keys:		emulab_privkey.pem emulab_pubkey.pem

# No prerequisites, so once the file exists make never regenerates it.
# -des3 makes openssl prompt for a passphrase and store the key encrypted
# (3DES is a legacy cipher; openssl genrsa also accepts e.g. -aes256).
emulab_privkey.pem:
	#
	# Generate a priv key for signing stuff. This one gets a
	# passphrase.
	# 
	openssl genrsa -out emulab_privkey.pem -des3 2048

# Public half derived from the private key; openssl will ask for the
# passphrase set above.
emulab_pubkey.pem:	emulab_privkey.pem
	#
	# Extract a pubkey from the privkey
	# 
	openssl rsa -in emulab_privkey.pem -pubout -out emulab_pubkey.pem

#
# Rule to generate an rsa key with no encryption
# If this fails, check to make sure that ~/.rnd is owned
# by you and writable. 
#
# Generic rule for every other key in this directory, including the CA key
# emulab.key: a 2048 bit RSA key written in the clear (no passphrase), so
# mind the file modes applied by the install targets. No prerequisites,
# so an existing key is never regenerated by make.
#
%.key:
	openssl genrsa -out $@ -rand .rand 2048

# The point of this is to recover the keys from where they were
# originally installed. We do this cause people often lose their
# original build tree, but if want to rebuild the certs, we usually
# want the original keys. 
#
# Every step is best effort (leading '-'): a site need not have all of
# these installed. The combined *.pem files hold cert + key, so the key
# is pulled out with openssl rsa; apache-ops.key lives on the users node
# and is fetched with scp. The final touch leaves a stamp file so make
# considers the target done.
recover-keys:
	-cp $(INSTALL_DIR)/etc/emulab.key emulab.key
	-cp $(APACHE_KEYFILE) apache.key
	-openssl rsa -in $(INSTALL_DIR)/etc/server.pem -out server.key
	-openssl rsa -in $(INSTALL_DIR)/etc/capture.pem -out capture.key
	-openssl rsa -in $(INSTALL_DIR)/etc/ctrlnode.pem -out ctrlnode.key
	-openssl rsa -in $(INSTALL_DIR)/etc/client.pem -out localnode.key
	-scp ${USERNODE}:${APACHE_KEYFILE_OPS} apache-ops.key
	touch recover-keys

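#
# Rule to generate a certificate request using the existing key.
#
# The request for stem X is built from X.cnf and X.key, so both are
# declared as prerequisites: that way X.key is produced by the %.key rule
# before the request is made even under make -j (the .pem rules list
# X.key ahead of X.req, but ordering alone gives no guarantee in a
# parallel build). The private key is appended to the request afterwards,
# which makes *.req files as sensitive as the keys themselves.
#
%.req: %.key %.cnf
	# No good place to put this. 
	@chmod +x mkserial
	openssl req -new -config $*.cnf -key $*.key -text -out $@
	#
	# Combine key and cert request.
	#
	cat $*.key >> $@
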
# Stamp target: one-time setup of the openssl ca working directory
# (certs/, newcerts/, crl/, the serial counter and the index database).
# NOTE(review): if the dirsmade stamp is removed and this reruns, serial is
# reset to 0001 while index.txt keeps its old entries; openssl ca would
# presumably then reject the reused serial numbers.
dirsmade: 
	-mkdir -p certs
	-mkdir -p newcerts
	-mkdir -p crl
	# The initial system certificates start here.
	echo "0001" > serial
	touch index.txt
	touch dirsmade

# Create the installed ssl tree and the apache cert/key directories.
# ssl/ is owner+group only (770), newcerts/ is world-listable (775) and the
# apache key/cert directories are private (700). ssl/keys gets no explicit
# mode -- NOTE(review): confirm leaving it at the umask default is intended.
# The apache directories are created without $(DESTDIR), while
# apache-install below installs into $(DESTDIR)$(APACHE_ETCDIR).
install-dirs:
	-mkdir -p $(INSTALL_DIR)/ssl
	chmod 770 $(INSTALL_DIR)/ssl
	-mkdir -p $(INSTALL_DIR)/ssl/certs
	-mkdir -p $(INSTALL_DIR)/ssl/newcerts
	chmod 775 $(INSTALL_DIR)/ssl/newcerts
	-mkdir -p $(INSTALL_DIR)/ssl/crl
	-mkdir -p $(INSTALL_DIR)/ssl/keys
	-mkdir -p $(INSTALL_LIBDIR)/ssl
	-mkdir -p $(APACHE_ETCDIR)/ssl.crt
	-mkdir -p $(APACHE_ETCDIR)/ssl.key
	chmod 700 $(APACHE_ETCDIR)/ssl.crt
	chmod 700 $(APACHE_ETCDIR)/ssl.key

# Seed the installed serial file. The value itself is irrelevant: after
# the initial install, unique serial numbers come from the DB rather than
# from this file.
$(INSTALL_DIR)/ssl/serial:
	echo "01" > $@

# Empty openssl ca index database for the installed tree.
$(INSTALL_DIR)/ssl/index.txt:
	touch $@

#
# You do not want to run these targets unless you are sure you
# know what you are doing!
#
# The plain "install" target deliberately installs only the mksig script
# and prints a warning; certificates and keys are installed by the
# explicit boss-installX / remote-site-boss-install targets below.
install:	install-dirs $(INSTALL_SBINDIR)/mksig
	@echo "BE VERY CAREFUL! INSTALLING NEW CERTS CAN CAUSE DISASTER!"

# Full boss installation of the CA, server, client and capture material
# plus the signing key pair and config files. The $(INSTALL_*DIR)/...
# prerequisites are presumably handled by pattern rules in GNUmakerules.
# localnode.pem is installed under the name client.pem.
# NOTE(review): emulab.key, the CA private key, is installed mode 644
# (world-readable) here, while clearinghouse-install uses 600 for the same
# file. Confirm which is intended before tightening it, since other
# processes on boss may depend on reading it.
boss-installX:	install-dirs \
		$(INSTALL_DIR)/ssl/serial $(INSTALL_DIR)/ssl/index.txt \
		$(INSTALL_ETCDIR)/emulab.pem \
		$(INSTALL_ETCDIR)/emulab.key \
		$(INSTALL_ETCDIR)/server.pem \
		$(INSTALL_ETCDIR)/ctrlnode.pem \
		$(INSTALL_ETCDIR)/capture.pem \
		$(INSTALL_ETCDIR)/capture.fingerprint \
		$(INSTALL_ETCDIR)/capture.sha1fingerprint \
		$(INSTALL_ETCDIR)/emulab_privkey.pem \
		$(INSTALL_ETCDIR)/emulab_pubkey.pem \
		$(INSTALL_SBINDIR)/updatecert \
		install-conf
	$(INSTALL_DATA) localnode.pem $(INSTALL_ETCDIR)/client.pem
	chmod 644 $(INSTALL_ETCDIR)/emulab.pem
	chmod 644 $(INSTALL_ETCDIR)/emulab.key
	# Files that carry a private key are group readable only.
	chmod 640 $(INSTALL_ETCDIR)/server.pem
	chmod 640 $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/ctrlnode.pem
	chmod 640 $(INSTALL_ETCDIR)/emulab_privkey.pem
	chmod 640 $(INSTALL_ETCDIR)/capture.pem
	chmod 644 $(INSTALL_ETCDIR)/capture.fingerprint
	chmod 644 $(INSTALL_ETCDIR)/capture.sha1fingerprint

# Install the openssl config files used when issuing user and system
# certificates on the installed system. Stops at the first failing copy,
# exactly like one $(INSTALL_DATA) line per file would.
install-conf:	usercert.cnf syscert.cnf ca.cnf
	for f in $^; do \
		$(INSTALL_DATA) $$f $(INSTALL_LIBDIR)/ssl/$$f || exit 1; \
	done

# Boss installation for a remote site: like boss-installX but without the
# emulab signing key pair. localnode.pem is installed as client.pem.
# NOTE(review): as in boss-installX, the CA private key emulab.key ends up
# mode 644 (world-readable); clearinghouse-install uses 600 for the same
# file -- confirm the intended mode.
remote-site-boss-install:	install-dirs \
		$(INSTALL_DIR)/ssl/serial $(INSTALL_DIR)/ssl/index.txt \
		$(INSTALL_ETCDIR)/emulab.pem \
		$(INSTALL_ETCDIR)/emulab.key \
		$(INSTALL_ETCDIR)/capture.pem \
		$(INSTALL_ETCDIR)/capture.fingerprint \
		$(INSTALL_ETCDIR)/capture.sha1fingerprint \
		$(INSTALL_ETCDIR)/ctrlnode.pem \
		$(INSTALL_ETCDIR)/server.pem \
		$(INSTALL_SBINDIR)/updatecert \
		install-conf
	$(INSTALL_DATA) localnode.pem $(INSTALL_ETCDIR)/client.pem
	chmod 644 $(INSTALL_ETCDIR)/emulab.pem
	chmod 644 $(INSTALL_ETCDIR)/emulab.key
	# Files that carry a private key are group readable only.
	chmod 640 $(INSTALL_ETCDIR)/capture.pem
	chmod 644 $(INSTALL_ETCDIR)/capture.fingerprint
	chmod 644 $(INSTALL_ETCDIR)/capture.sha1fingerprint
	chmod 640 $(INSTALL_ETCDIR)/server.pem
	chmod 640 $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/ctrlnode.pem

# Do not run this if you have a "real" web certificate.
#
# Installs the CA-signed web cert and its unencrypted key for boss's
# apache, both mode 640, honouring $(DESTDIR).
# NOTE(review): this target does not depend on install-dirs, which is
# what creates $(APACHE_ETCDIR)/ssl.crt and ssl.key -- and does so
# without $(DESTDIR), unlike the paths used here.
apache-install:
	$(INSTALL_DATA) apache.pem $(DESTDIR)$(APACHE_CERTFILE)
	$(INSTALL_DATA) apache.key $(DESTDIR)$(APACHE_KEYFILE)
	chmod 640 $(DESTDIR)$(APACHE_CERTFILE)
	chmod 640 $(DESTDIR)$(APACHE_KEYFILE)

# What a client node needs: its own cert as client.pem, the CA cert, and
# the emulab public signing key. No chmod is done here, so the modes are
# whatever $(INSTALL_DATA) produces. NOTE(review): on boss the same
# localnode.pem is installed mode 640, which suggests it carries the
# private key -- check the mode $(INSTALL_DATA) leaves on clients.
client-install:
	$(INSTALL_DATA) localnode.pem $(DESTDIR)$(CLIENT_ETCDIR)/client.pem
	$(INSTALL_DATA) emulab.pem $(DESTDIR)$(CLIENT_ETCDIR)/emulab.pem
	$(INSTALL_DATA) emulab_pubkey.pem \
			$(DESTDIR)$(CLIENT_ETCDIR)/emulab_pubkey.pem

# Control node installation: the capture bundle and the CA cert come in via
# the $(INSTALL_ETCDIR)/% prerequisites (rules presumably in GNUmakerules),
# and ctrlnode.pem is installed under the name client.pem. Everything is
# made group readable only.
control-install:	$(INSTALL_ETCDIR)/capture.pem \
			$(INSTALL_ETCDIR)/emulab.pem
	$(INSTALL_DATA) ctrlnode.pem $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/capture.pem
	chmod 640 $(INSTALL_ETCDIR)/client.pem
	chmod 640 $(INSTALL_ETCDIR)/emulab.pem

# Clearinghouse installation: only the CA cert and key plus the config
# files. Note the CA key is installed mode 600 here, stricter than the
# 644 used by boss-installX for the same file.
clearinghouse-install:	install-dirs \
		$(INSTALL_ETCDIR)/emulab.pem \
		$(INSTALL_ETCDIR)/emulab.key \
		install-conf
	chmod 640 $(INSTALL_ETCDIR)/emulab.pem
	chmod 600 $(INSTALL_ETCDIR)/emulab.key

# A tip server needs only the capture cert+key bundle, group readable.
tipserv-install:	$(INSTALL_ETCDIR)/capture.pem
	chmod 640 $<

# Install just the config files needed to issue user certificates
# (ca.cnf and usercert.cnf); a subset of what install-conf installs.
usercert-install:	install-dirs
	-mkdir -p $(INSTALL_LIBDIR)/ssl
	$(INSTALL_DATA) ca.cnf $(INSTALL_LIBDIR)/ssl/ca.cnf
	$(INSTALL_DATA) usercert.cnf $(INSTALL_LIBDIR)/ssl/usercert.cnf

# "clean" is deliberately a no-op that only warns: removing the files in
# this directory can invalidate every installed cert. Use cleanX when you
# really mean it.
clean:
	@echo "BE VERY CAREFUL! CLEANING THE SSL DIR CAN CAUSE DISASTER!"

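# The cleanup targets are commands, not files; declare them phony so a
# stray file named "clean-keys" can never silently skip the recipe.
.PHONY: cleanX clean-certs clean-keys

# Full scrub of the build tree, private keys included: only for starting
# a brand new CA from scratch.
cleanX: clean-certs clean-keys
	rm -f serial index.txt *.old dirsmade *.cnf
	rm -f mkserial updatecert mksig
	rm -rf newcerts certs crl

#
# Leave the private keys behind so that new certs use same keys;
# existing certs still have valid sigs.
#
clean-certs:
	rm -f *.pem *.req *.old *.cnf
	rm -f *fingerprint

# Removes every private key, including the CA key emulab.key.
clean-keys:
	rm -f *.key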