Fix root CA expiration
Make order-only prereqs the norm
Change-Id: Ibd1af1f6204f5368160fdaabf4f5a79358eb4a52
diff --git a/Makefile b/Makefile
index e1f3d2b..fda2966 100644
--- a/Makefile
+++ b/Makefile
@@ -7,6 +7,9 @@
#
# NOTE: This makefile makes heavy use of Automatic Variables
# https://www.gnu.org/software/make/manual/html_node/Automatic-Variables.html
+# and order-only prerequisites
+# https://www.gnu.org/software/make/manual/html_node/Prerequisite-Types.html
+# Please review and understand this documentation before making changes
SHELL = bash -eu -o pipefail
@@ -28,6 +31,7 @@
ROOT_CA_NAME ?= root_ca
ROOT_CA_PASSPHRASE ?= "TestingRootCAPassPhrase"
ROOT_CA_SUBJECT ?= /C=US/ST=California/L=Menlo Park/O=ONF/OU=Infra/CN=ONF Test Root CA
+ROOT_EXPIRATION_DAYS ?= 1825
# intermediate CA
IM_CA_NAME ?= im_ca
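Review bot: The new `ROOT_EXPIRATION_DAYS ?= 1825` carries no comment, and later in this diff the only in-file note about where root validity comes from (the `.cnf` remark above the root `ca.pem` rule) is removed, so nothing tells a reader how this value must relate to `IM_EXPIRATION_DAYS` and `LEAF_EXPIRATION_DAYS`. A root that expires before the intermediate it signs produces a chain that validates today and breaks later with no warning at generation time. I would add above the assignment `# root CA validity (openssl req -x509 -days); keep it larger than IM_EXPIRATION_DAYS so the intermediate never outlives its issuer`. Whether 1825 is the intended lifetime is a policy choice I cannot confirm from the diff.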
@@ -38,7 +42,7 @@
# leaf certs
LEAF_EXPIRATION_DAYS ?= 730
-LEAF_PURPOSE ?= server_cert_ext # alternatively, use client_cert_ext
+LEAF_PURPOSE ?= server_cert_ext # alternatively, use client_cert_ext for client certs
LEAF_SUBJECT_PARTIAL ?= /C=US/ST=California/L=Menlo Park/O=ONF/OU=Infra/CN=
LEAF_KEYPAIR ?= core
LEAF_SAN ?= DNS:core.example.com,DNS:core.example.net
@@ -128,13 +132,13 @@
-passout file:$(BASE_DIR)/$(ROOT_CA_NAME)/private/ca_passphrase \
-out $@ $(KEY_SIZE)
-# validity time on root CA is set in the .cnf file
-$(BASE_DIR)/$(ROOT_CA_NAME)/ca.pem: $(BASE_DIR)/$(ROOT_CA_NAME)/private/ca_key.pem
+$(BASE_DIR)/$(ROOT_CA_NAME)/ca.pem: | $(BASE_DIR)/$(ROOT_CA_NAME)/private/ca_key.pem
@echo "## Creating self-signed root CA cert: $@"
BASE_DIR=$(BASE_DIR) CA_NAME=$(ROOT_CA_NAME) openssl req -config $(OPENSSL_CNF) \
-extensions root_ca_ext \
-new -x509 -sha256 \
- -key $< \
+ -days $(ROOT_EXPIRATION_DAYS) \
+ -key $(@D)/private/ca_key.pem \
-passin file:$(BASE_DIR)/$(ROOT_CA_NAME)/private/ca_passphrase \
-subj "$(ROOT_CA_SUBJECT)" \
-out $@
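Review bot: With the key now an order-only prerequisite, regenerating `private/ca_key.pem` (for example after deleting it to rotate the root key) no longer makes `ca.pem` out of date, so a later `make` keeps the old self-signed cert next to a key it no longer matches and nothing in the recipe detects that. The same applies to the intermediate rules in the next hunk (`ca_key.pem` → `im_ca.csr` → `ca.pem`) and the leaf pattern rules (`%.key` → `%.csr` → `%.pem`). If that is the intended trade-off, say so next to the rule: `# order-only: regenerating the key does NOT rebuild this cert; delete ca.pem (and dependants) when rotating the key`. The `-days $(ROOT_EXPIRATION_DAYS)` addition itself looks right, since `openssl req -x509` takes validity from the command line rather than the `[ ca ]` section. The `ca_key.pem` rule whose recipe opens this hunk starts outside it.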
@@ -148,29 +152,29 @@
$(BASE_DIR)/$(IM_CA_NAME)/private/ca_passphrase: | $(BASE_DIR)/$(IM_CA_NAME)
@echo $(IM_CA_PASSPHRASE) > $@
-$(BASE_DIR)/$(IM_CA_NAME)/private/ca_key.pem: $(BASE_DIR)/$(IM_CA_NAME)/private/ca_passphrase
+$(BASE_DIR)/$(IM_CA_NAME)/private/ca_key.pem: | $(BASE_DIR)/$(IM_CA_NAME)/private/ca_passphrase
@echo "## Creating intermediate CA private key: $@"
BASE_DIR=$(BASE_DIR) CA_NAME=$(IM_CA_NAME) openssl genrsa -aes256 \
-passout file:$(@D)/ca_passphrase \
-out $@ $(KEY_SIZE)
-$(BASE_DIR)/$(IM_CA_NAME)/private/im_ca.csr: $(BASE_DIR)/$(IM_CA_NAME)/private/ca_key.pem
+$(BASE_DIR)/$(IM_CA_NAME)/private/im_ca.csr: | $(BASE_DIR)/$(IM_CA_NAME)/private/ca_key.pem
@echo "## Creating intermediate CA signing request $@ from $<"
BASE_DIR=$(BASE_DIR) CA_NAME=$(IM_CA_NAME) openssl req -config $(OPENSSL_CNF) \
-new -sha256 \
- -key $< \
+ -key $(@D)/ca_key.pem \
-passin file:$(@D)/ca_passphrase \
-subj "$(IM_CA_SUBJECT)" \
-out $@
-$(BASE_DIR)/$(IM_CA_NAME)/ca.pem: $(BASE_DIR)/$(IM_CA_NAME)/private/im_ca.csr | $(BASE_DIR)/$(ROOT_CA_NAME)/ca.pem
+$(BASE_DIR)/$(IM_CA_NAME)/ca.pem: | $(BASE_DIR)/$(IM_CA_NAME)/private/im_ca.csr $(BASE_DIR)/$(ROOT_CA_NAME)/ca.pem
@echo "## Signing $< with root CA key to create intermediate CA cert: $@"
BASE_DIR=$(BASE_DIR) CA_NAME=$(ROOT_CA_NAME) openssl ca -config $(OPENSSL_CNF) \
-extensions im_ca_ext \
-notext -batch -md sha256 \
-days $(IM_EXPIRATION_DAYS) \
-passin file:$(BASE_DIR)/$(ROOT_CA_NAME)/private/ca_passphrase \
- -in $< \
+ -in $(@D)/private/im_ca.csr \
-out $@
@echo "## Creating chain with Root CA and IM CA: $@"
cat $@ $(BASE_DIR)/$(ROOT_CA_NAME)/ca.pem > $(@D)/chain.pem
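Review bot: The progress messages at `@echo "## Creating intermediate CA signing request $@ from $<"` and `@echo "## Signing $< with root CA key ..."` still use `$<`, but order-only prerequisites are not included in `$<` (which is presumably why the commit replaces it in the `openssl` arguments), so these lines now print an empty source path. The same leftover appears in the next hunk at the leaf `%.csr` and `%.pem` rules. Use the explicit path as the command lines do, e.g. `@echo "## Creating intermediate CA signing request $@ from $(@D)/ca_key.pem"` and `@echo "## Signing $(@D)/private/im_ca.csr with root CA key to create intermediate CA cert: $@"`, or `$(firstword $|)` if you prefer an automatic variable.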
@@ -185,20 +189,20 @@
$(BASE_DIR)/certout:
mkdir -p $@
-$(BASE_DIR)/certout/%.key: $(BASE_DIR)/certout
+$(BASE_DIR)/certout/%.key: | $(BASE_DIR)/certout
@echo "## Creating leaf private key: $@"
openssl genrsa -out $@ $(KEY_SIZE)
-$(BASE_DIR)/certout/%.csr: $(BASE_DIR)/certout/%.key
+$(BASE_DIR)/certout/%.csr: | $(BASE_DIR)/certout/%.key
@echo "## Creating signing request $@ from $<"
BASE_DIR=$(BASE_DIR) CA_NAME=$(IM_CA_NAME) openssl req -config $(OPENSSL_CNF) \
-new -sha256 \
- -key $< \
+ -key $(@D)/$(*F).key \
-subj "$(LEAF_SUBJECT_PARTIAL)$*" \
-addext "subjectAltName = $(LEAF_SAN)" \
-out $@
-$(BASE_DIR)/certout/%.pem: $(BASE_DIR)/certout/%.csr | $(BASE_DIR)/$(IM_CA_NAME)/ca.pem
+$(BASE_DIR)/certout/%.pem: | $(BASE_DIR)/certout/%.csr $(BASE_DIR)/$(IM_CA_NAME)/ca.pem
@echo "## Signing $< with IM CA key to create signed leaf cert: $@"
BASE_DIR=$(BASE_DIR) CA_NAME=$(IM_CA_NAME) openssl ca -config $(OPENSSL_CNF) \
-extensions $(LEAF_PURPOSE) \
@@ -206,7 +210,7 @@
-notext -batch -md sha256 \
-days $(LEAF_EXPIRATION_DAYS) \
-passin file:$(BASE_DIR)/$(IM_CA_NAME)/private/ca_passphrase \
- -in $< \
+ -in $(@D)/$(*F).csr \
-out $@
@echo "## Creating bundle with IM CA and Leaf: $(basename $@)_bundle.pem"
cat $@ $(BASE_DIR)/$(IM_CA_NAME)/ca.pem > $(basename $@)_bundle.pem