Merge branch 'stable'

rabbitmq · Mar 30, 2016 · 11233ff · 11233ff
2 parents 67bd680 + 6e33d6d
commit 11233ff
Show file tree

Hide file tree

Showing 2 changed files with 121 additions and 0 deletions.
diff --git a/tools/tls-certs/Makefile b/tools/tls-certs/Makefile
@@ -0,0 +1,67 @@
+ifndef DIR
+$(error DIR must be specified)
+endif
+
+PASSWORD ?= changeme
+
+# Verbosity.
+
+V ?= 0
+
+verbose_0 = @
+verbose_2 = set -x;
+verbose = $(verbose_$(V))
+
+gen_verbose_0 = @echo " GEN   " $@;
+gen_verbose_2 = set -x;
+gen_verbose = $(gen_verbose_$(V))
+
+openssl_output_0 = 2>/dev/null
+openssl_output = $(openssl_output_$(V))
+
+.PRECIOUS: %/testca/cacert.pem
+.PHONY: all testca server client clean
+
+all: server client
+	@:
+
+testca: $(DIR)/testca/cacert.pem
+
+server: TARGET = server
+server: $(DIR)/server/cert.pem
+	@:
+
+client: TARGET = client
+client: $(DIR)/client/cert.pem
+	@:
+
+$(DIR)/testca/cacert.pem:
+	$(gen_verbose) mkdir -p $(dir $@)
+	$(verbose) { ( cd $(dir $@) && \
+	    mkdir -p certs private && \
+	    chmod 700 private && \
+	    echo 01 > serial && \
+	    :> index.txt && \
+	    openssl req -x509 -config $(CURDIR)/openssl.cnf -newkey rsa:2048 -days 365 \
+	      -out cacert.pem -outform PEM -subj /CN=MyTestCA/L=$$$$/ -nodes && \
+	    openssl x509 -in cacert.pem -out cacert.cer -outform DER ) $(openssl_output) \
+	  || (rm -rf $(dir $@) && false); }
+
+$(DIR)/%/cert.pem: $(DIR)/testca/cacert.pem
+	$(gen_verbose) mkdir -p $(DIR)/$(TARGET)
+	$(verbose) { ( cd $(DIR)/$(TARGET) && \
+	    openssl genrsa -out key.pem 2048 &&\
+	    openssl req -new -key key.pem -out req.pem -outform PEM\
+		-subj /CN=$$(hostname)/O=$(TARGET)/L=$$$$/ -nodes &&\
+	    cd ../testca && \
+	    openssl ca -config $(CURDIR)/openssl.cnf -in ../$(TARGET)/req.pem -out \
+	      ../$(TARGET)/cert.pem -notext -batch -extensions \
+	      $(TARGET)_ca_extensions && \
+	    cd ../$(TARGET) && \
+	    openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem \
+	    -passout pass:$(PASSWORD) ) $(openssl_output) || (rm -rf $(DIR)/$(TARGET) && false); }
+
+clean:
+	rm -rf $(DIR)/testca
+	rm -rf $(DIR)/server
+	rm -rf $(DIR)/client
diff --git a/tools/tls-certs/openssl.cnf b/tools/tls-certs/openssl.cnf
@@ -0,0 +1,54 @@
+[ ca ]
+default_ca = testca
+
+[ testca ]
+dir = .
+certificate = $dir/cacert.pem
+database = $dir/index.txt
+new_certs_dir = $dir/certs
+private_key = $dir/private/cakey.pem
+serial = $dir/serial
+
+default_crl_days = 7
+default_days = 365
+default_md = sha1
+
+policy = testca_policy
+x509_extensions = certificate_extensions
+
+[ testca_policy ]
+commonName = supplied
+stateOrProvinceName = optional
+countryName = optional
+emailAddress = optional
+organizationName = optional
+organizationalUnitName = optional
+domainComponent = optional
+
+[ certificate_extensions ]
+basicConstraints = CA:false
+
+[ req ]
+default_bits = 2048
+default_keyfile = ./private/cakey.pem
+default_md = sha1
+prompt = yes
+distinguished_name = root_ca_distinguished_name
+x509_extensions = root_ca_extensions
+
+[ root_ca_distinguished_name ]
+commonName = hostname
+
+[ root_ca_extensions ]
+basicConstraints = CA:true
+keyUsage = keyCertSign, cRLSign
+
+[ client_ca_extensions ]
+basicConstraints = CA:false
+keyUsage = digitalSignature
+extendedKeyUsage = 1.3.6.1.5.5.7.3.2
+
+[ server_ca_extensions ]
+basicConstraints = CA:false
+keyUsage = keyEncipherment
+extendedKeyUsage = 1.3.6.1.5.5.7.3.1