Refactor the sslfiles Makefile target for ease of use

The Makefile handling of certificate and keypairs used for TLS testing
had become quite difficult to work with. Adding a new cert without the
need to regenerate everything was too complicated. This patch refactors
the sslfiles make target such that adding a new certificate requires
only adding a .config file, adding it to the top of the Makefile, and
running make sslfiles.

Improvements:
- Interfile dependencies should be fixed, with the exception of the CRL
  dirs.
- New certificates have serial numbers based on the current time,
  reducing the chance of collision.
- The CA index state is created on demand and cleaned up automatically
  at the end of the Make run.
- *.config files are now self-contained; one certificate needs one
  config file instead of two.
- Duplication is reduced, and along with it some unneeded code (and
  possible copy-paste errors).
- all configuration files underneath the conf/ directory.

The target is moved to its own makefile in order to avoid colliding
with global make settings.

Author: Jacob Champion <pchampion@vmware.com>
Reviewed-by: Michael Paquier <michael@paquier.xyz>
Discussion: https://postgr.es/m/d15a9838344ba090e09fd866abf913584ea19fb7.camel@vmware.com

Author: danielgustafsson

src/test/ssl/Makefile

@@ -15,170 +15,17 @@ include $(top_builddir)/src/Makefile.global
 
 export with_ssl
 
-CERTIFICATES := server_ca server-cn-and-alt-names \
-	server-cn-only server-single-alt-name server-multiple-alt-names \
-	server-no-names server-revoked \
-	client_ca client client-dn client-revoked \
-	root_ca
-
-SSLFILES := $(CERTIFICATES:%=ssl/%.key) $(CERTIFICATES:%=ssl/%.crt) \
-	ssl/server-password.key \
-	ssl/client.crl ssl/server.crl ssl/root.crl \
-	ssl/both-cas-1.crt ssl/both-cas-2.crt \
-	ssl/root+server_ca.crt ssl/root+server.crl \
-	ssl/root+client_ca.crt ssl/root+client.crl \
-	ssl/client+client_ca.crt ssl/client-der.key \
-	ssl/client-encrypted-pem.key ssl/client-encrypted-der.key
-
-SSLDIRS := ssl/client-crldir ssl/server-crldir \
-	ssl/root+client-crldir ssl/root+server-crldir
-
-# This target re-generates all the key and certificate files. Usually we just
-# use the ones that are committed to the tree without rebuilding them.
-#
-# This target will fail unless preceded by sslfiles-clean.
-#
-sslfiles: $(SSLFILES) $(SSLDIRS)
-
-# OpenSSL requires a directory to put all generated certificates in. We don't
-# use this for anything, but we need a location.
-ssl/new_certs_dir:
-	mkdir ssl/new_certs_dir
-
-# Rule for creating private/public key pairs.
-ssl/%.key:
-	openssl genrsa -out $@ 2048
-	chmod 0600 $@
-
-# Root CA certificate
-ssl/root_ca.crt: ssl/root_ca.key cas.config
-	touch ssl/root_ca-certindex
-	openssl req -new -out ssl/root_ca.crt -x509 -config cas.config -config root_ca.config -key ssl/root_ca.key -days 10000 -extensions v3_ca
-	echo "01" > ssl/root_ca.srl
-
-# Client and server CAs
-ssl/%_ca.crt: ssl/%_ca.key %_ca.config ssl/root_ca.crt ssl/new_certs_dir
-	touch ssl/$*_ca-certindex
-	echo "unique_subject=no" > ssl/$*_ca-certindex.attr
-	openssl req -new -out ssl/temp_ca.crt -config cas.config -config $*_ca.config -key ssl/$*_ca.key
-# Sign the certificate with the root CA
-	openssl ca -name root_ca -batch -config cas.config -in ssl/temp_ca.crt -out ssl/temp_ca_signed.crt -extensions v3_ca
-	openssl x509 -in ssl/temp_ca_signed.crt -out ssl/$*_ca.crt # to keep just the PEM cert
-	rm ssl/temp_ca.crt ssl/temp_ca_signed.crt
-	echo "01" > ssl/$*_ca.srl
-
-# Server certificates, signed by server CA:
-ssl/server-%.crt: ssl/server-%.key ssl/server_ca.crt server-%.config
-	openssl req -new -key ssl/server-$*.key -out ssl/server-$*.csr -config server-$*.config
-	openssl ca -name server_ca -batch -config cas.config -in ssl/server-$*.csr -out ssl/temp.crt  -extensions v3_req -extfile server-$*.config
-	openssl x509 -in ssl/temp.crt -out ssl/server-$*.crt # to keep just the PEM cert
-	rm ssl/server-$*.csr
-
-# Password-protected version of server-cn-only.key
-ssl/server-password.key: ssl/server-cn-only.key
-	openssl rsa -aes256 -in $< -out $@ -passout 'pass:secret1'
-
-# Client certificate, signed by the client CA:
-ssl/client.crt: ssl/client.key ssl/client_ca.crt
-	openssl req -new -key ssl/client.key -out ssl/client.csr -config client.config
-	openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client.csr
-	openssl x509 -in ssl/temp.crt -out ssl/client.crt # to keep just the PEM cert
-	rm ssl/client.csr ssl/temp.crt
-
-# Client certificate with multi-part DN, signed by the client CA:
-ssl/client-dn.crt: ssl/client-dn.key ssl/client_ca.crt
-	openssl req -new -key ssl/client-dn.key -out ssl/client-dn.csr -config client-dn.config
-	openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client-dn.csr
-	openssl x509 -in ssl/temp.crt -out ssl/client-dn.crt # to keep just the PEM cert
-	rm ssl/client-dn.csr ssl/temp.crt
-
-# Another client certificate, signed by the client CA. This one is revoked.
-ssl/client-revoked.crt: ssl/client-revoked.key ssl/client_ca.crt client.config
-	openssl req -new -key ssl/client-revoked.key -out ssl/client-revoked.csr -config client.config
-	openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client-revoked.csr
-	openssl x509 -in ssl/temp.crt -out ssl/client-revoked.crt # to keep just the PEM cert
-	rm ssl/client-revoked.csr ssl/temp.crt
-
-# Convert the key to DER, to test our behaviour there too
-ssl/client-der.key: ssl/client.key
-	openssl rsa -in ssl/client.key -outform DER -out ssl/client-der.key
-
-# Convert the existing key to encrypted PEM (X.509 text) and DER (X.509 ASN.1) formats
-# to test libpq's support for the sslpassword= option.
-ssl/client-encrypted-pem.key: ssl/client.key
-	openssl rsa -in ssl/client.key -outform PEM -aes128 -passout 'pass:dUmmyP^#+' -out ssl/client-encrypted-pem.key
-
-ssl/client-encrypted-der.key: ssl/client.key
-	openssl rsa -in ssl/client.key -outform DER -aes128 -passout 'pass:dUmmyP^#+' -out ssl/client-encrypted-der.key
-
-# Root certificate files that contains both CA certificates, for testing
-# that multiple certificates can be used.
-ssl/both-cas-1.crt: ssl/root_ca.crt ssl/client_ca.crt ssl/server_ca.crt
-	cat $^ > $@
-
-# The same, but the certs are in different order
-ssl/both-cas-2.crt: ssl/root_ca.crt ssl/server_ca.crt ssl/client_ca.crt
-	cat $^ > $@
-
-# A root certificate file for the client, to validate server certs.
-ssl/root+server_ca.crt: ssl/root_ca.crt ssl/server_ca.crt
-	cat $^ > $@
-
-# and for the server, to validate client certs
-ssl/root+client_ca.crt: ssl/root_ca.crt ssl/client_ca.crt
-	cat $^ > $@
-
-ssl/client+client_ca.crt: ssl/client.crt ssl/client_ca.crt
-	cat $^ > $@
-
-#### CRLs
-
-ssl/client.crl: ssl/client-revoked.crt
-	openssl ca -config cas.config -name client_ca -revoke ssl/client-revoked.crt
-	openssl ca -config cas.config -name client_ca -gencrl -out ssl/client.crl
-
-ssl/server.crl: ssl/server-revoked.crt
-	openssl ca -config cas.config -name server_ca -revoke ssl/server-revoked.crt
-	openssl ca -config cas.config -name server_ca -gencrl -out ssl/server.crl
-
-ssl/root.crl: ssl/root_ca.crt
-	openssl ca -config cas.config -name root_ca -gencrl -out ssl/root.crl
-
-# If a CRL is used, OpenSSL requires a CRL file for *all* the CAs in the
-# chain, even if some of them are empty.
-ssl/root+server.crl: ssl/root.crl ssl/server.crl
-	cat $^ > $@
-ssl/root+client.crl: ssl/root.crl ssl/client.crl
-	cat $^ > $@
-
-ssl/root+server-crldir: ssl/server.crl ssl/root.crl
-	mkdir ssl/root+server-crldir
-	cp ssl/server.crl ssl/root+server-crldir/`openssl crl -hash -noout -in ssl/server.crl`.r0
-	cp ssl/root.crl ssl/root+server-crldir/`openssl crl -hash -noout -in ssl/root.crl`.r0
-
-ssl/root+client-crldir: ssl/client.crl ssl/root.crl
-	mkdir ssl/root+client-crldir
-	cp ssl/client.crl ssl/root+client-crldir/`openssl crl -hash -noout -in ssl/client.crl`.r0
-	cp ssl/root.crl ssl/root+client-crldir/`openssl crl -hash -noout -in ssl/root.crl`.r0
-
-ssl/server-crldir: ssl/server.crl
-	mkdir ssl/server-crldir
-	cp ssl/server.crl ssl/server-crldir/`openssl crl -hash -noout -in ssl/server.crl`.r0
-
-ssl/client-crldir: ssl/client.crl
-	mkdir ssl/client-crldir
-	cp ssl/client.crl ssl/client-crldir/`openssl crl -hash -noout -in ssl/client.crl`.r0
-
-.PHONY: sslfiles-clean
-sslfiles-clean:
-	rm -f $(SSLFILES) ssl/client_ca.srl ssl/server_ca.srl ssl/client_ca-certindex* ssl/server_ca-certindex* ssl/root_ca-certindex* ssl/root_ca.srl ssl/temp_ca.crt ssl/temp_ca_signed.crt
-	rm -rf $(SSLDIRS)
+# The sslfiles targets are separated into their own file due to interactions
+# with settings in Makefile.global.
+.PHONY: sslfiles sslfiles-clean
+sslfiles sslfiles-clean:
+	$(MAKE) -f sslfiles.mk $@
 
 clean distclean maintainer-clean:
 	rm -rf tmp_check
-	rm -rf ssl/*.old ssl/new_certs_dir ssl/client*_tmp.key
+	$(MAKE) -f sslfiles.mk $@
 
-# Doesn't depend on $(SSLFILES) because we don't rebuild them by default
+# Doesn't depend on sslfiles because we don't rebuild them by default
 check:
 	$(prove_check)
 

src/test/ssl/README

@@ -85,7 +85,9 @@ There are also CRLs for each of the CAs: root.crl, server.crl and client.crl.
 
 For convenience, all of these keypairs and certificates are included in the
 ssl/ subdirectory. The Makefile also contains a rule, "make sslfiles", to
-recreate them if you need to make changes.
+recreate them if you need to make changes. "make sslfiles-clean" is required
+in order to recreate the full set of keypairs and certificates. To rebuild
+separate files, touch (or remove) the files in question and run "make sslfiles".
 
 TODO
 ====

src/test/ssl/cas.config renamed to src/test/ssl/conf/cas.config

@@ -1,12 +1,5 @@
 # This file contains the configuration for all the CAs.
 
-[ req ]
-prompt                 = no
-
-# Extensions for CA certs
-[ v3_ca ]
-basicConstraints = CA:true
-
 # Root CA, used to sign the certificates of the intermediary server and
 # client CAs.
 [ root_ca ]
@@ -21,6 +14,7 @@ private_key = ./ssl/root_ca.key
 new_certs_dir = ./ssl/new_certs_dir
 policy					= policy_match
 email_in_dn				= no
+copy_extensions			= copy
 
 # CA used to sign all the server certificates.
 [ server_ca ]
@@ -35,6 +29,7 @@ new_certs_dir = ./ssl/new_certs_dir
 serial = ./ssl/server_ca.srl
 policy					= policy_match
 email_in_dn				= no
+copy_extensions			= copy
 unique_subject = no
 crl = ./ssl/server.crl
 
@@ -51,6 +46,7 @@ new_certs_dir = ./ssl/new_certs_dir
 serial = ./ssl/client_ca.srl
 policy					= policy_match
 email_in_dn				= no
+copy_extensions			= copy
 unique_subject = no
 crl = ./ssl/client.crl
 

src/test/ssl/client-dn.config renamed to src/test/ssl/conf/client-dn.config

@@ -13,4 +13,3 @@ O 					   = PGDG
 CN                     = ssltestuser-dn
 
 # no extensions in client certs
-[ v3_req ]

src/test/ssl/conf/client-revoked.config

@@ -0,0 +1,13 @@
+# An OpenSSL format CSR config file for creating a client certificate.
+#
+# This is identical to the client.config certificate, but this one is revoked
+# later.
+
+[ req ]
+distinguished_name     = req_distinguished_name
+prompt                 = no
+
+[ req_distinguished_name ]
+CN                     = ssltestuser
+
+# no extensions in client certs

src/test/ssl/client.config renamed to src/test/ssl/conf/client.config

@@ -10,4 +10,3 @@ prompt                 = no
 CN                     = ssltestuser
 
 # no extensions in client certs
-[ v3_req ]

src/test/ssl/client_ca.config renamed to src/test/ssl/conf/client_ca.config

@@ -6,6 +6,11 @@
 [ req ]
 distinguished_name     = req_distinguished_name
 prompt                 = no
+req_extensions         = v3_ca
 
 [ req_distinguished_name ]
 CN                     = Test CA for PostgreSQL SSL regression test client certs
+
+# Extensions for CA certs
+[ v3_ca ]
+basicConstraints = CA:true

src/test/ssl/root_ca.config renamed to src/test/ssl/conf/root_ca.config

@@ -4,6 +4,7 @@
 [ req ]
 distinguished_name     = req_distinguished_name
 prompt                 = no
+x509_extensions        = v3_ca
 
 [ req_distinguished_name ]
 CN                     = Test root CA for PostgreSQL SSL regression test suite

src/test/ssl/server-cn-and-alt-names.config renamed to src/test/ssl/conf/server-cn-and-alt-names.config

@@ -9,5 +9,4 @@ prompt                 = no
 CN = common-name.pg-ssltest.test
 OU = PostgreSQL test suite
 
-# For Subject Alternative Names
-[ v3_req ]
+# No Subject Alternative Names

src/test/ssl/server-cn-only.config renamed to src/test/ssl/conf/server-cn-only.config

@@ -10,7 +10,4 @@ prompt                 = no
 [ req_distinguished_name ]
 OU = PostgreSQL test suite
 
-# For Subject Alternative Names
-[ v3_req ]
-
-[ alt_names ]
+# No Subject Alternative Names

src/test/ssl/server-multiple-alt-names.config renamed to src/test/ssl/conf/server-multiple-alt-names.config

@@ -11,5 +11,4 @@ prompt                 = no
 CN = common-name.pg-ssltest.test
 OU = PostgreSQL test suite
 
-# For Subject Alternative Names
-[ v3_req ]
+# No Subject Alternative Names

src/test/ssl/server-no-names.config renamed to src/test/ssl/conf/server-no-names.config

@@ -6,6 +6,11 @@
 [ req ]
 distinguished_name     = req_distinguished_name
 prompt                 = no
+req_extensions         = v3_ca
 
 [ req_distinguished_name ]
 CN                     = Test CA for PostgreSQL SSL regression test server certs
+
+# Extensions for CA certs
+[ v3_ca ]
+basicConstraints = CA:true