mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-12-04 20:43:43 +01:00
166b1e0b60
When a trusted CA is rolling its root keys, it could happen that for some users the list of trusted roots contains two versions of the same CA with the same name but different keys. Currently this is supported but wasn't tested. Note: the intermediate file test-ca-alt.csr is commited on purpose, as not commiting intermediate files causes make to regenerate files that we don't want it to touch.
485 lines
27 KiB
Makefile
485 lines
27 KiB
Makefile
## This file contains a record of how some of the test data was
|
|
## generated. The final build products are committed to the repository
|
|
## as well to make sure that the test data is identical. You do not
|
|
## need to use this makefile unless you're extending mbed TLS's tests.
|
|
|
|
## Many data files were generated prior to the existence of this
|
|
## makefile, so the method of their generation was not recorded.
|
|
|
|
## Note that in addition to depending on the version of the data
|
|
## generation tool, many of the build outputs are randomized, so
|
|
## running this makefile twice would not produce the same results.
|
|
|
|
## Tools
|
|
OPENSSL ?= openssl
|
|
FAKETIME ?= faketime
|
|
MBEDTLS_CERT_WRITE ?= $(PWD)/../../programs/x509/cert_write
|
|
|
|
## Build the generated test data. Note that since the final outputs
|
|
## are committed to the repository, this target should do nothing on a
|
|
## fresh checkout. Furthermore, since the generation is randomized,
|
|
## re-running the same targets may result in differing files. The goal
|
|
## of this makefile is primarily to serve as a record of how the
|
|
## targets were generated in the first place.
|
|
default: all_final
|
|
|
|
all_intermediate := # temporary files
|
|
all_final := # files used by tests
|
|
|
|
|
|
|
|
################################################################
|
|
#### Generate certificates from existing keys
|
|
################################################################
|
|
|
|
test_ca_crt = test-ca.crt
|
|
test_ca_key_file_rsa = test-ca.key
|
|
test_ca_pwd_rsa = PolarSSLTest
|
|
test_ca_config_file = test-ca.opensslconf
|
|
|
|
test-ca.csr: $(test_ca_key_file_rsa) $(test_ca_config_file)
|
|
$(OPENSSL) req -new -config $(test_ca_config_file) -key $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -subj "/C=NL/O=PolarSSL/CN=PolarSSL Test CA" -out $@
|
|
all_intermediate += test-ca.csr
|
|
test-ca-sha1.crt: $(test_ca_key_file_rsa) $(test_ca_config_file) test-ca.csr
|
|
$(OPENSSL) req -x509 -config $(test_ca_config_file) -key $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 0 -days 3653 -sha1 -in test-ca.csr -out $@
|
|
all_final += test-ca-sha1.crt
|
|
test-ca-sha256.crt: $(test_ca_key_file_rsa) $(test_ca_config_file) test-ca.csr
|
|
$(OPENSSL) req -x509 -config $(test_ca_config_file) -key $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 0 -days 3653 -sha256 -in test-ca.csr -out $@
|
|
all_final += test-ca-sha256.crt
|
|
|
|
test_ca_key_file_rsa_alt = test-ca-alt.key
|
|
|
|
$(test_ca_key_file_rsa_alt):
|
|
$(OPENSSL) genrsa -out $@ 2048
|
|
test-ca-alt.csr: $(test_ca_key_file_rsa_alt) $(test_ca_config_file)
|
|
$(OPENSSL) req -new -config $(test_ca_config_file) -key $(test_ca_key_file_rsa_alt) -subj "/C=NL/O=PolarSSL/CN=PolarSSL Test CA" -out $@
|
|
all_intermediate += test-ca-alt.csr
|
|
test-ca-alt.crt: $(test_ca_key_file_rsa_alt) $(test_ca_config_file) test-ca-alt.csr
|
|
$(OPENSSL) req -x509 -config $(test_ca_config_file) -key $(test_ca_key_file_rsa_alt) -set_serial 0 -days 3653 -sha256 -in test-ca-alt.csr -out $@
|
|
all_final += test-ca-alt.crt
|
|
test-ca-alt-good.crt: test-ca-alt.crt test-ca-sha256.crt
|
|
cat test-ca-alt.crt test-ca-sha256.crt > $@
|
|
all_final += test-ca-alt-good.crt
|
|
test-ca-good-alt.crt: test-ca-alt.crt test-ca-sha256.crt
|
|
cat test-ca-sha256.crt test-ca-alt.crt > $@
|
|
all_final += test-ca-good-alt.crt
|
|
|
|
test_ca_crt_file_ec = test-ca2.crt
|
|
test_ca_key_file_ec = test-ca2.key
|
|
|
|
test-int-ca.csr: test-int-ca.key $(test_ca_config_file)
|
|
$(OPENSSL) req -new -config $(test_ca_config_file) -key test-int-ca.key -subj "/C=NL/O=PolarSSL/CN=PolarSSL Test Intermediate CA" -out $@
|
|
all_intermediate += test-int-ca.csr
|
|
test-int-ca-exp.crt: $(test_ca_key_file_ec) $(test_ca_config_file) test-int-ca.csr
|
|
$(FAKETIME) -f -3653d $(OPENSSL) x509 -req -extfile $(test_ca_config_file) -extensions v3_ca -CA $(test_ca_crt_file_ec) -CAkey $(test_ca_key_file_ec) -set_serial 14 -days 3653 -sha256 -in test-int-ca.csr -out $@
|
|
all_final += test-int-ca-exp.crt
|
|
|
|
cli_crt_key_file_rsa = cli-rsa.key
|
|
cli_crt_extensions_file = cli.opensslconf
|
|
|
|
cli-rsa.csr: $(cli_crt_key_file_rsa)
|
|
$(OPENSSL) req -new -key $(cli_crt_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -subj "/C=NL/O=PolarSSL/CN=PolarSSL Client 2" -out $@
|
|
all_intermediate += cli-rsa.csr
|
|
cli-rsa-sha1.crt: $(cli_crt_key_file_rsa) test-ca-sha1.crt cli-rsa.csr
|
|
$(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA test-ca-sha1.crt -CAkey $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 4 -days 3653 -sha1 -in cli-rsa.csr -out $@
|
|
all_final += cli-rsa-sha1.crt
|
|
cli-rsa-sha256.crt: $(cli_crt_key_file_rsa) test-ca-sha256.crt cli-rsa.csr
|
|
$(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA test-ca-sha256.crt -CAkey $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 4 -days 3653 -sha256 -in cli-rsa.csr -out $@
|
|
all_final += cli-rsa-sha256.crt
|
|
|
|
server2-rsa.csr: server2.key
|
|
$(OPENSSL) req -new -key server2.key -passin "pass:$(test_ca_pwd_rsa)" -subj "/C=NL/O=PolarSSL/CN=localhost" -out $@
|
|
all_intermediate += server2-rsa.csr
|
|
server2-sha256.crt: server2-rsa.csr
|
|
$(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA test-ca-sha256.crt -CAkey $(test_ca_key_file_rsa) -passin "pass:$(test_ca_pwd_rsa)" -set_serial 4 -days 3653 -sha256 -in server2-rsa.csr -out $@
|
|
all_final += server2-sha256.crt
|
|
|
|
test_ca_int_rsa1 = test-int-ca.crt
|
|
|
|
server7.csr: server7.key
|
|
$(OPENSSL) req -new -key server7.key -subj "/C=NL/O=PolarSSL/CN=localhost" -out $@
|
|
all_intermediate += server7.csr
|
|
server7-expired.crt: server7.csr $(test_ca_int_rsa1)
|
|
$(FAKETIME) -f -3653d $(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA $(test_ca_int_rsa1) -CAkey test-int-ca.key -set_serial 16 -days 3653 -sha256 -in server7.csr | cat - $(test_ca_int_rsa1) > $@
|
|
all_final += server7-expired.crt
|
|
server7-future.crt: server7.csr $(test_ca_int_rsa1)
|
|
$(FAKETIME) -f +3653d $(OPENSSL) x509 -req -extfile $(cli_crt_extensions_file) -extensions cli-rsa -CA $(test_ca_int_rsa1) -CAkey test-int-ca.key -set_serial 16 -days 3653 -sha256 -in server7.csr | cat - $(test_ca_int_rsa1) > $@
|
|
all_final += server7-future.crt
|
|
server7-badsign.crt: server7.crt $(test_ca_int_rsa1)
|
|
{ head -n-2 server7.crt; tail -n-2 server7.crt | sed -e '1s/0\(=*\)$$/_\1/' -e '1s/[^_=]\(=*\)$$/0\1/' -e '1s/_/1/'; cat test-int-ca.crt; } > server7-badsign.crt
|
|
all_final += server7-badsign.crt
|
|
server7_int-ca-exp.crt: server7.crt test-int-ca-exp.crt
|
|
cat server7.crt test-int-ca-exp.crt > $@
|
|
all_final += server7_int-ca-exp.crt
|
|
|
|
server5-ss-expired.crt: server5.key
|
|
$(FAKETIME) -f -3653d $(OPENSSL) req -x509 -new -subj "/C=UK/O=mbed TLS/OU=testsuite/CN=localhost" -days 3653 -sha256 -key $< -out $@
|
|
all_final += server5-ss-expired.crt
|
|
|
|
# try to forge a copy of test-int-ca3 with different key
|
|
server5-ss-forgeca.crt: server5.key
|
|
$(FAKETIME) '2015-09-01 14:08:43' $(OPENSSL) req -x509 -new -subj "/C=UK/O=mbed TLS/CN=mbed TLS Test intermediate CA 3" -set_serial 77 -config $(test_ca_config_file) -extensions noext_ca -days 3650 -sha256 -key $< -out $@
|
|
all_final += server5-ss-forgeca.crt
|
|
|
|
|
|
|
|
|
|
################################################################
|
|
#### Generate various RSA keys
|
|
################################################################
|
|
|
|
### Password used for PKCS1-encoded encrypted RSA keys
|
|
keys_rsa_basic_pwd = testkey
|
|
|
|
### Password used for PKCS8-encoded encrypted RSA keys
|
|
keys_rsa_pkcs8_pwd = PolarSSLTest
|
|
|
|
### Basic 1024-, 2048- and 4096-bit unencrypted RSA keys from which
|
|
### all other encrypted RSA keys are derived.
|
|
rsa_pkcs1_1024_clear.pem:
|
|
$(OPENSSL) genrsa -out $@ 1024
|
|
all_final += rsa_pkcs1_1024_clear.pem
|
|
rsa_pkcs1_2048_clear.pem:
|
|
$(OPENSSL) genrsa -out $@ 2048
|
|
all_final += rsa_pkcs1_2048_clear.pem
|
|
rsa_pkcs1_4096_clear.pem:
|
|
$(OPENSSL) genrsa -out $@ 4096
|
|
all_final += rsa_pkcs1_4096_clear.pem
|
|
|
|
###
|
|
### PKCS1-encoded, encrypted RSA keys
|
|
###
|
|
|
|
### 1024-bit
|
|
rsa_pkcs1_1024_des.pem: rsa_pkcs1_1024_clear.pem
|
|
$(OPENSSL) rsa -des -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
|
|
all_final += rsa_pkcs1_1024_des.pem
|
|
rsa_pkcs1_1024_3des.pem: rsa_pkcs1_1024_clear.pem
|
|
$(OPENSSL) rsa -des3 -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
|
|
all_final += rsa_pkcs1_1024_3des.pem
|
|
rsa_pkcs1_1024_aes128.pem: rsa_pkcs1_1024_clear.pem
|
|
$(OPENSSL) rsa -aes128 -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
|
|
all_final += rsa_pkcs1_1024_aes128.pem
|
|
rsa_pkcs1_1024_aes192.pem: rsa_pkcs1_1024_clear.pem
|
|
$(OPENSSL) rsa -aes192 -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
|
|
all_final += rsa_pkcs1_1024_aes192.pem
|
|
rsa_pkcs1_1024_aes256.pem: rsa_pkcs1_1024_clear.pem
|
|
$(OPENSSL) rsa -aes256 -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
|
|
all_final += rsa_pkcs1_1024_aes256.pem
|
|
keys_rsa_enc_basic_1024: rsa_pkcs1_1024_des.pem rsa_pkcs1_1024_3des.pem rsa_pkcs1_1024_aes128.pem rsa_pkcs1_1024_aes192.pem rsa_pkcs1_1024_aes256.pem
|
|
|
|
# 2048-bit
|
|
rsa_pkcs1_2048_des.pem: rsa_pkcs1_2048_clear.pem
|
|
$(OPENSSL) rsa -des -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
|
|
all_final += rsa_pkcs1_2048_des.pem
|
|
rsa_pkcs1_2048_3des.pem: rsa_pkcs1_2048_clear.pem
|
|
$(OPENSSL) rsa -des3 -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
|
|
all_final += rsa_pkcs1_2048_3des.pem
|
|
rsa_pkcs1_2048_aes128.pem: rsa_pkcs1_2048_clear.pem
|
|
$(OPENSSL) rsa -aes128 -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
|
|
all_final += rsa_pkcs1_2048_aes128.pem
|
|
rsa_pkcs1_2048_aes192.pem: rsa_pkcs1_2048_clear.pem
|
|
$(OPENSSL) rsa -aes192 -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
|
|
all_final += rsa_pkcs1_2048_aes192.pem
|
|
rsa_pkcs1_2048_aes256.pem: rsa_pkcs1_2048_clear.pem
|
|
$(OPENSSL) rsa -aes256 -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
|
|
all_final += rsa_pkcs1_2048_aes256.pem
|
|
keys_rsa_enc_basic_2048: rsa_pkcs1_2048_des.pem rsa_pkcs1_2048_3des.pem rsa_pkcs1_2048_aes128.pem rsa_pkcs1_2048_aes192.pem rsa_pkcs1_2048_aes256.pem
|
|
|
|
# 4096-bit
|
|
rsa_pkcs1_4096_des.pem: rsa_pkcs1_4096_clear.pem
|
|
$(OPENSSL) rsa -des -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
|
|
all_final += rsa_pkcs1_4096_des.pem
|
|
rsa_pkcs1_4096_3des.pem: rsa_pkcs1_4096_clear.pem
|
|
$(OPENSSL) rsa -des3 -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
|
|
all_final += rsa_pkcs1_4096_3des.pem
|
|
rsa_pkcs1_4096_aes128.pem: rsa_pkcs1_4096_clear.pem
|
|
$(OPENSSL) rsa -aes128 -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
|
|
all_final += rsa_pkcs1_4096_aes128.pem
|
|
rsa_pkcs1_4096_aes192.pem: rsa_pkcs1_4096_clear.pem
|
|
$(OPENSSL) rsa -aes192 -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
|
|
all_final += rsa_pkcs1_4096_aes192.pem
|
|
rsa_pkcs1_4096_aes256.pem: rsa_pkcs1_4096_clear.pem
|
|
$(OPENSSL) rsa -aes256 -in $< -out $@ -passout "pass:$(keys_rsa_basic_pwd)"
|
|
all_final += rsa_pkcs1_4096_aes256.pem
|
|
keys_rsa_enc_basic_4096: rsa_pkcs1_4096_des.pem rsa_pkcs1_4096_3des.pem rsa_pkcs1_4096_aes128.pem rsa_pkcs1_4096_aes192.pem rsa_pkcs1_4096_aes256.pem
|
|
|
|
###
|
|
### PKCS8-v1 encoded, encrypted RSA keys
|
|
###
|
|
|
|
### 1024-bit
|
|
rsa_pkcs8_pbe_sha1_1024_3des.der: rsa_pkcs1_1024_clear.pem
|
|
$(OPENSSL) pkcs8 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-3DES
|
|
all_final += rsa_pkcs8_pbe_sha1_1024_3des.der
|
|
rsa_pkcs8_pbe_sha1_1024_3des.pem: rsa_pkcs1_1024_clear.pem
|
|
$(OPENSSL) pkcs8 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-3DES
|
|
all_final += rsa_pkcs8_pbe_sha1_1024_3des.pem
|
|
keys_rsa_enc_pkcs8_v1_1024_3des: rsa_pkcs8_pbe_sha1_1024_3des.pem rsa_pkcs8_pbe_sha1_1024_3des.der
|
|
|
|
rsa_pkcs8_pbe_sha1_1024_2des.der: rsa_pkcs1_1024_clear.pem
|
|
$(OPENSSL) pkcs8 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-2DES
|
|
all_final += rsa_pkcs8_pbe_sha1_1024_2des.der
|
|
rsa_pkcs8_pbe_sha1_1024_2des.pem: rsa_pkcs1_1024_clear.pem
|
|
$(OPENSSL) pkcs8 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-2DES
|
|
all_final += rsa_pkcs8_pbe_sha1_1024_2des.pem
|
|
keys_rsa_enc_pkcs8_v1_1024_2des: rsa_pkcs8_pbe_sha1_1024_2des.pem rsa_pkcs8_pbe_sha1_1024_2des.der
|
|
|
|
rsa_pkcs8_pbe_sha1_1024_rc4_128.der: rsa_pkcs1_1024_clear.pem
|
|
$(OPENSSL) pkcs8 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-RC4-128
|
|
all_final += rsa_pkcs8_pbe_sha1_1024_rc4_128.der
|
|
rsa_pkcs8_pbe_sha1_1024_rc4_128.pem: rsa_pkcs1_1024_clear.pem
|
|
$(OPENSSL) pkcs8 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-RC4-128
|
|
all_final += rsa_pkcs8_pbe_sha1_1024_rc4_128.pem
|
|
keys_rsa_enc_pkcs8_v1_1024_rc4_128: rsa_pkcs8_pbe_sha1_1024_rc4_128.pem rsa_pkcs8_pbe_sha1_1024_rc4_128.der
|
|
|
|
keys_rsa_enc_pkcs8_v1_1024: keys_rsa_enc_pkcs8_v1_1024_3des keys_rsa_enc_pkcs8_v1_1024_2des keys_rsa_enc_pkcs8_v1_1024_rc4_128
|
|
|
|
### 2048-bit
|
|
rsa_pkcs8_pbe_sha1_2048_3des.der: rsa_pkcs1_2048_clear.pem
|
|
$(OPENSSL) pkcs8 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-3DES
|
|
all_final += rsa_pkcs8_pbe_sha1_2048_3des.der
|
|
rsa_pkcs8_pbe_sha1_2048_3des.pem: rsa_pkcs1_2048_clear.pem
|
|
$(OPENSSL) pkcs8 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-3DES
|
|
all_final += rsa_pkcs8_pbe_sha1_2048_3des.pem
|
|
keys_rsa_enc_pkcs8_v1_2048_3des: rsa_pkcs8_pbe_sha1_2048_3des.pem rsa_pkcs8_pbe_sha1_2048_3des.der
|
|
|
|
rsa_pkcs8_pbe_sha1_2048_2des.der: rsa_pkcs1_2048_clear.pem
|
|
$(OPENSSL) pkcs8 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-2DES
|
|
all_final += rsa_pkcs8_pbe_sha1_2048_2des.der
|
|
rsa_pkcs8_pbe_sha1_2048_2des.pem: rsa_pkcs1_2048_clear.pem
|
|
$(OPENSSL) pkcs8 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-2DES
|
|
all_final += rsa_pkcs8_pbe_sha1_2048_2des.pem
|
|
keys_rsa_enc_pkcs8_v1_2048_2des: rsa_pkcs8_pbe_sha1_2048_2des.pem rsa_pkcs8_pbe_sha1_2048_2des.der
|
|
|
|
rsa_pkcs8_pbe_sha1_2048_rc4_128.der: rsa_pkcs1_2048_clear.pem
|
|
$(OPENSSL) pkcs8 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-RC4-128
|
|
all_final += rsa_pkcs8_pbe_sha1_2048_rc4_128.der
|
|
rsa_pkcs8_pbe_sha1_2048_rc4_128.pem: rsa_pkcs1_2048_clear.pem
|
|
$(OPENSSL) pkcs8 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-RC4-128
|
|
all_final += rsa_pkcs8_pbe_sha1_2048_rc4_128.pem
|
|
keys_rsa_enc_pkcs8_v1_2048_rc4_128: rsa_pkcs8_pbe_sha1_2048_rc4_128.pem rsa_pkcs8_pbe_sha1_2048_rc4_128.der
|
|
|
|
keys_rsa_enc_pkcs8_v1_2048: keys_rsa_enc_pkcs8_v1_2048_3des keys_rsa_enc_pkcs8_v1_2048_2des keys_rsa_enc_pkcs8_v1_2048_rc4_128
|
|
|
|
### 4096-bit
|
|
rsa_pkcs8_pbe_sha1_4096_3des.der: rsa_pkcs1_4096_clear.pem
|
|
$(OPENSSL) pkcs8 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-3DES
|
|
all_final += rsa_pkcs8_pbe_sha1_4096_3des.der
|
|
rsa_pkcs8_pbe_sha1_4096_3des.pem: rsa_pkcs1_4096_clear.pem
|
|
$(OPENSSL) pkcs8 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-3DES
|
|
all_final += rsa_pkcs8_pbe_sha1_4096_3des.pem
|
|
keys_rsa_enc_pkcs8_v1_4096_3des: rsa_pkcs8_pbe_sha1_4096_3des.pem rsa_pkcs8_pbe_sha1_4096_3des.der
|
|
|
|
rsa_pkcs8_pbe_sha1_4096_2des.der: rsa_pkcs1_4096_clear.pem
|
|
$(OPENSSL) pkcs8 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-2DES
|
|
all_final += rsa_pkcs8_pbe_sha1_4096_2des.der
|
|
rsa_pkcs8_pbe_sha1_4096_2des.pem: rsa_pkcs1_4096_clear.pem
|
|
$(OPENSSL) pkcs8 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-2DES
|
|
all_final += rsa_pkcs8_pbe_sha1_4096_2des.pem
|
|
keys_rsa_enc_pkcs8_v1_4096_2des: rsa_pkcs8_pbe_sha1_4096_2des.pem rsa_pkcs8_pbe_sha1_4096_2des.der
|
|
|
|
rsa_pkcs8_pbe_sha1_4096_rc4_128.der: rsa_pkcs1_4096_clear.pem
|
|
$(OPENSSL) pkcs8 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-RC4-128
|
|
all_final += rsa_pkcs8_pbe_sha1_4096_rc4_128.der
|
|
rsa_pkcs8_pbe_sha1_4096_rc4_128.pem: rsa_pkcs1_4096_clear.pem
|
|
$(OPENSSL) pkcs8 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)" -topk8 -v1 PBE-SHA1-RC4-128
|
|
all_final += rsa_pkcs8_pbe_sha1_4096_rc4_128.pem
|
|
keys_rsa_enc_pkcs8_v1_4096_rc4_128: rsa_pkcs8_pbe_sha1_4096_rc4_128.pem rsa_pkcs8_pbe_sha1_4096_rc4_128.der
|
|
|
|
keys_rsa_enc_pkcs8_v1_4096: keys_rsa_enc_pkcs8_v1_4096_3des keys_rsa_enc_pkcs8_v1_4096_2des keys_rsa_enc_pkcs8_v1_4096_rc4_128
|
|
|
|
###
|
|
### PKCS8-v2 encoded, encrypted RSA keys
|
|
###
|
|
|
|
### 1024-bit
|
|
rsa_pkcs8_pbes2_pbkdf2_1024_3des.der: rsa_pkcs1_1024_clear.pem
|
|
$(OPENSSL) pkcs8 -topk8 -v2 des3 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
|
|
all_final += rsa_pkcs8_pbes2_pbkdf2_1024_3des.der
|
|
rsa_pkcs8_pbes2_pbkdf2_1024_3des.pem: rsa_pkcs1_1024_clear.pem
|
|
$(OPENSSL) pkcs8 -topk8 -v2 des3 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
|
|
all_final += rsa_pkcs8_pbes2_pbkdf2_1024_3des.pem
|
|
keys_rsa_enc_pkcs8_v2_1024_3des: rsa_pkcs8_pbes2_pbkdf2_1024_3des.der rsa_pkcs8_pbes2_pbkdf2_1024_3des.pem
|
|
|
|
rsa_pkcs8_pbes2_pbkdf2_1024_des.der: rsa_pkcs1_1024_clear.pem
|
|
$(OPENSSL) pkcs8 -topk8 -v2 des -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
|
|
all_final += rsa_pkcs8_pbes2_pbkdf2_1024_des.der
|
|
rsa_pkcs8_pbes2_pbkdf2_1024_des.pem: rsa_pkcs1_1024_clear.pem
|
|
$(OPENSSL) pkcs8 -topk8 -v2 des -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
|
|
all_final += rsa_pkcs8_pbes2_pbkdf2_1024_des.pem
|
|
keys_rsa_enc_pkcs8_v2_1024_des: rsa_pkcs8_pbes2_pbkdf2_1024_des.der rsa_pkcs8_pbes2_pbkdf2_1024_des.pem
|
|
|
|
keys_rsa_enc_pkcs8_v2_1024: keys_rsa_enc_pkcs8_v2_1024_3des keys_rsa_enc_pkcs8_v2_1024_des
|
|
|
|
### 2048-bit
|
|
rsa_pkcs8_pbes2_pbkdf2_2048_3des.der: rsa_pkcs1_2048_clear.pem
|
|
$(OPENSSL) pkcs8 -topk8 -v2 des3 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
|
|
all_final += rsa_pkcs8_pbes2_pbkdf2_2048_3des.der
|
|
rsa_pkcs8_pbes2_pbkdf2_2048_3des.pem: rsa_pkcs1_2048_clear.pem
|
|
$(OPENSSL) pkcs8 -topk8 -v2 des3 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
|
|
all_final += rsa_pkcs8_pbes2_pbkdf2_2048_3des.pem
|
|
keys_rsa_enc_pkcs8_v2_2048_3des: rsa_pkcs8_pbes2_pbkdf2_2048_3des.der rsa_pkcs8_pbes2_pbkdf2_2048_3des.pem
|
|
|
|
rsa_pkcs8_pbes2_pbkdf2_2048_des.der: rsa_pkcs1_2048_clear.pem
|
|
$(OPENSSL) pkcs8 -topk8 -v2 des -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
|
|
all_final += rsa_pkcs8_pbes2_pbkdf2_2048_des.der
|
|
rsa_pkcs8_pbes2_pbkdf2_2048_des.pem: rsa_pkcs1_2048_clear.pem
|
|
$(OPENSSL) pkcs8 -topk8 -v2 des -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
|
|
all_final += rsa_pkcs8_pbes2_pbkdf2_2048_des.pem
|
|
keys_rsa_enc_pkcs8_v2_2048_des: rsa_pkcs8_pbes2_pbkdf2_2048_des.der rsa_pkcs8_pbes2_pbkdf2_2048_des.pem
|
|
|
|
keys_rsa_enc_pkcs8_v2_2048: keys_rsa_enc_pkcs8_v2_2048_3des keys_rsa_enc_pkcs8_v2_2048_des
|
|
|
|
### 4096-bit
|
|
rsa_pkcs8_pbes2_pbkdf2_4096_3des.der: rsa_pkcs1_4096_clear.pem
|
|
$(OPENSSL) pkcs8 -topk8 -v2 des3 -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
|
|
all_final += rsa_pkcs8_pbes2_pbkdf2_4096_3des.der
|
|
rsa_pkcs8_pbes2_pbkdf2_4096_3des.pem: rsa_pkcs1_4096_clear.pem
|
|
$(OPENSSL) pkcs8 -topk8 -v2 des3 -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
|
|
all_final += rsa_pkcs8_pbes2_pbkdf2_4096_3des.pem
|
|
keys_rsa_enc_pkcs8_v2_4096_3des: rsa_pkcs8_pbes2_pbkdf2_4096_3des.der rsa_pkcs8_pbes2_pbkdf2_4096_3des.pem
|
|
|
|
rsa_pkcs8_pbes2_pbkdf2_4096_des.der: rsa_pkcs1_4096_clear.pem
|
|
$(OPENSSL) pkcs8 -topk8 -v2 des -inform PEM -in $< -outform DER -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
|
|
all_final += rsa_pkcs8_pbes2_pbkdf2_4096_des.der
|
|
rsa_pkcs8_pbes2_pbkdf2_4096_des.pem: rsa_pkcs1_4096_clear.pem
|
|
$(OPENSSL) pkcs8 -topk8 -v2 des -inform PEM -in $< -outform PEM -out $@ -passout "pass:$(keys_rsa_pkcs8_pwd)"
|
|
all_final += rsa_pkcs8_pbes2_pbkdf2_4096_des.pem
|
|
keys_rsa_enc_pkcs8_v2_4096_des: rsa_pkcs8_pbes2_pbkdf2_4096_des.der rsa_pkcs8_pbes2_pbkdf2_4096_des.pem
|
|
|
|
keys_rsa_enc_pkcs8_v2_4096: keys_rsa_enc_pkcs8_v2_4096_3des keys_rsa_enc_pkcs8_v2_4096_des
|
|
|
|
###
|
|
### Rules to generate all RSA keys from a particular class
|
|
###
|
|
|
|
### Generate basic unencrypted RSA keys
|
|
keys_rsa_unenc: rsa_pkcs1_1024_clear.pem rsa_pkcs1_2048_clear.pem rsa_pkcs1_4096_clear.pem
|
|
|
|
### Generate PKCS1-encoded encrypted RSA keys
|
|
keys_rsa_enc_basic: keys_rsa_enc_basic_1024 keys_rsa_enc_basic_2048 keys_rsa_enc_basic_4096
|
|
|
|
### Generate PKCS8-v1 encrypted RSA keys
|
|
keys_rsa_enc_pkcs8_v1: keys_rsa_enc_pkcs8_v1_1024 keys_rsa_enc_pkcs8_v1_2048 keys_rsa_enc_pkcs8_v1_4096
|
|
|
|
### Generate PKCS8-v2 encrypted RSA keys
|
|
keys_rsa_enc_pkcs8_v2: keys_rsa_enc_pkcs8_v2_1024 keys_rsa_enc_pkcs8_v2_2048 keys_rsa_enc_pkcs8_v2_4096
|
|
|
|
### Generate all RSA keys
|
|
keys_rsa_all: keys_rsa_unenc keys_rsa_enc_basic keys_rsa_enc_pkcs8_v1 keys_rsa_enc_pkcs8_v2
|
|
|
|
|
|
|
|
################################################################
|
|
### Generate certificates for CRT write check tests
|
|
################################################################
|
|
|
|
### The test files use the Mbed TLS generated certificates server1*.crt,
|
|
### but for comparison with OpenSSL also rules for OpenSSL-generated
|
|
### certificates server1*.crt.openssl are offered.
|
|
###
|
|
### Known differences:
|
|
### * OpenSSL encodes trailing zero-bits in bit-strings occurring in X.509 extension
|
|
### as unused bits, while Mbed TLS doesn't.
|
|
|
|
test_ca_server1_db = test-ca.server1.db
|
|
test_ca_server1_serial = test-ca.server1.serial
|
|
test_ca_server1_config_file = test-ca.server1.opensslconf
|
|
|
|
server1.csr: server1.key server1_csr.opensslconf
|
|
$(OPENSSL) req -keyform PEM -key server1.key -config server1_csr.opensslconf -out $@ -new
|
|
all_final += server1.csr
|
|
|
|
server1.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa)
|
|
$(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 version=3 output_file=$@
|
|
server1.noauthid.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa)
|
|
$(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20110212144406 not_after=20210212144406 md=SHA1 authority_identifier=0 version=3 output_file=$@
|
|
server1.der: server1.crt
|
|
$(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
|
|
all_final += server1.crt server1.noauthid.crt server1.der
|
|
|
|
server1.key_usage.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa)
|
|
$(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 key_usage=digital_signature,non_repudiation,key_encipherment version=3 output_file=$@
|
|
server1.key_usage_noauthid.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa)
|
|
$(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 key_usage=digital_signature,non_repudiation,key_encipherment authority_identifier=0 version=3 output_file=$@
|
|
server1.key_usage.der: server1.key_usage.crt
|
|
$(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
|
|
all_final += server1.key_usage.crt server1.key_usage_noauthid.crt server1.key_usage.der
|
|
|
|
server1.cert_type.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa)
|
|
$(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 ns_cert_type=ssl_server version=3 output_file=$@
|
|
server1.cert_type_noauthid.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa)
|
|
$(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 ns_cert_type=ssl_server authority_identifier=0 version=3 output_file=$@
|
|
server1.cert_type.der: server1.cert_type.crt
|
|
$(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
|
|
all_final += server1.cert_type.crt server1.cert_type_noauthid.crt server1.cert_type.der
|
|
|
|
server1.v1.crt: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa)
|
|
$(MBEDTLS_CERT_WRITE) request_file=server1.csr issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) version=1 not_before=20110212144406 not_after=20210212144406 md=SHA1 version=1 output_file=$@
|
|
server1.v1.der: server1.v1.crt
|
|
$(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
|
|
all_final += server1.v1.crt server1.v1.der
|
|
|
|
# OpenSSL-generated certificates for comparison
|
|
# Also provide certificates in DER format to allow
|
|
# direct binary comparison using e.g. dumpasn1
|
|
server1.crt.openssl server1.key_usage.crt.openssl server1.cert_type.crt.openssl: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa) $(test_ca_server1_config_file)
|
|
echo "01" > $(test_ca_server1_serial)
|
|
rm -f $(test_ca_server1_db)
|
|
touch $(test_ca_server1_db)
|
|
$(OPENSSL) ca -batch -passin "pass:$(test_ca_pwd_rsa)" -config $(test_ca_server1_config_file) -in server1.csr -extensions v3_ext -extfile $@.v3_ext -out $@
|
|
server1.der.openssl: server1.crt.openssl
|
|
$(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
|
|
server1.key_usage.der.openssl: server1.key_usage.crt.openssl
|
|
$(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
|
|
server1.cert_type.der.openssl: server1.cert_type.crt.openssl
|
|
$(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
|
|
|
|
server1.v1.crt.openssl: server1.key server1.csr $(test_ca_crt) $(test_ca_key_file_rsa) $(test_ca_server1_config_file)
|
|
echo "01" > $(test_ca_server1_serial)
|
|
rm -f $(test_ca_server1_db)
|
|
touch $(test_ca_server1_db)
|
|
$(OPENSSL) ca -batch -passin "pass:$(test_ca_pwd_rsa)" -config $(test_ca_server1_config_file) -in server1.csr -out $@
|
|
server1.v1.der.openssl: server1.v1.crt.openssl
|
|
$(OPENSSL) x509 -inform PEM -in $< -outform DER -out $@
|
|
|
|
server1_all: server1.csr server1.crt server1.noauthid.crt server1.crt.openssl server1.v1.crt server1.v1.crt.openssl server1.key_usage.crt server1.key_usage_noauthid.crt server1.key_usage.crt.openssl server1.cert_type.crt server1.cert_type_noauthid.crt server1.cert_type.crt.openssl server1.der server1.der.openssl server1.v1.der server1.v1.der.openssl server1.key_usage.der server1.key_usage.der.openssl server1.cert_type.der server1.cert_type.der.openssl
|
|
|
|
|
|
|
|
################################################################
|
|
#### Meta targets
|
|
################################################################
|
|
|
|
all_final: $(all_final)
|
|
all: $(all_intermediate) $(all_final)
|
|
|
|
.PHONY: default all_final all
|
|
.PHONY: keys_rsa_all
|
|
.PHONY: keys_rsa_unenc keys_rsa_enc_basic
|
|
.PHONY: keys_rsa_enc_pkcs8_v1 keys_rsa_enc_pkcs8_v2
|
|
.PHONY: keys_rsa_enc_basic_1024 keys_rsa_enc_basic_2048 keys_rsa_enc_basic_4096
|
|
.PHONY: keys_rsa_enc_pkcs8_v1_1024 keys_rsa_enc_pkcs8_v2_1024
|
|
.PHONY: keys_rsa_enc_pkcs8_v1_2048 keys_rsa_enc_pkcs8_v2_2048
|
|
.PHONY: keys_rsa_enc_pkcs8_v1_4096 keys_rsa_enc_pkcs8_v2_4096
|
|
.PHONY: server1_all
|
|
|
|
# These files should not be committed to the repository.
|
|
list_intermediate:
|
|
@printf '%s\n' $(all_intermediate) | sort
|
|
# These files should be committed to the repository so that the test data is
|
|
# available upon checkout without running a randomized process depending on
|
|
# third-party tools.
|
|
list_final:
|
|
@printf '%s\n' $(all_final) | sort
|
|
.PHONY: list_intermediate list_final
|
|
|
|
## Remove intermediate files
|
|
clean:
|
|
rm -f $(all_intermediate)
|
|
## Remove all build products, even the ones that are committed
|
|
neat: clean
|
|
rm -f $(all_final)
|
|
.PHONY: clean neat
|