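# Built from the instructions at http://sapiens.wustl.edu/~sysmain/info/openssl/
#
# This makefile is GNU make only; it is not compatible with BSD make,
# unfortunately.
#
# Layout: the server key/CSR/certificate for one DN live under ${ARCHIVE_DIR};
# the CA key and certificate live in the current directory; `serial` and
# `db.txt` are the state files of `openssl ca`.

# Most recipes here prompt on the terminal (key passphrases, a pasted CAcert
# signature) and the key/CSR rule writes two files from one recipe, so the
# graph is deliberately not run in parallel.
.NOTPARALLEL:
# never leave a half-written key or certificate behind looking up to date
.DELETE_ON_ERROR:
.DEFAULT_GOAL := help
.SUFFIXES:

# --- configurable variables (override on make's command line) ----------------
CA_CONF?=LocalCA.cnf
# the Distinguished Name used in the configuration. Used to figure out where to
# put the certificates and which config to use
DN?=SNAKEOIL
SERVER_CONF?=configs/${DN}.cnf
APACHE_CONF_DIR?=/usr/local/etc/apache2/
COURIER_IMAP_CONF_DIR?=/usr/local/share/courier-imap/
# RSA modulus size for new server keys (1024-bit keys are rejected by CAs and
# browsers nowadays)
KEY_BITS?=2048
# validity of a self-signed CA certificate, in days
CA_DAYS?=1825
# can also be "self" if we sign our own
CA?=cacert

# --- serial numbers ----------------------------------------------------------
# `openssl ca` stores the next serial in `serial` as an uppercase HEX number
# with an even number of digits (e.g. "0A"), so the arithmetic below is done in
# base 16 and formatted back the same way. A missing or empty file is treated
# as the "01" the `serial` rule would write.
SERIAL:=$(or $(shell cat serial 2>/dev/null),01)
SERIAL:=$(shell printf '%02X' $$((0x${SERIAL})))
PREV_SERIAL:=$(shell printf '%02X' $$((0x${SERIAL} - 1)))
NEXT_SERIAL:=$(shell printf '%02X' $$((0x${SERIAL} + 1)))

# --- derived paths -----------------------------------------------------------
# where the server material for this DN lives (trailing slash kept because the
# value is printed by `usage` and may be overridden by callers)
ifeq (${CA},cacert)
ARCHIVE_DIR:=certs-${CA}/${DN}/
else
ARCHIVE_DIR:=certs-${CA}/${PREV_SERIAL}-${DN}/
endif
# the same path without the trailing slash, for building sibling names
archive_base:=$(ARCHIVE_DIR:/=)
# what `revoke` revokes; `openssl ca -revoke` takes a certificate, not a key
REVOKE_CERT?=${ARCHIVE_DIR}/server_crt.pem

ECHO_MSG:=echo "===>"
server_key:=${ARCHIVE_DIR}/server_key.pem
server_req:=${ARCHIVE_DIR}/server_req.pem
server_crt:=${ARCHIVE_DIR}/server_crt.pem
server_pem:=${ARCHIVE_DIR}/server.pem
SERVER_CERTS:=${server_pem} ${server_key} ${server_crt} ${server_req} ${ARCHIVE_DIR}/${PREV_SERIAL}.pem
CAKEY:=cakey.pem
CACERT:=cacert.pem
CA_CERTS:=${CAKEY} ${CACERT}

.PHONY: help usage cert certificate pem ca sign revoke verify verify-purpose \
	verify-sig fingerprint fingerprint-md5 fingerprint-sha1 fingerprint-sha256 \
	install debian-install archive clean clean-db clean-all symlink

help: usage

usage:
	@echo "OpenSSL Certificates management Makefile"
	@echo
	@echo "Available targets:"
	@echo " cert[ificate]: create a new certificate"
	@echo " sign: sign an existing certificate with our CA certificate"
	@echo " pem: create a composite certificate suitable for apache"
	@echo " install: install the certificate into the apache and courier configs"
	@echo " archive: archive current certificate in directory ${ARCHIVE_DIR}"
	@echo " ca: create a CA certificate (should rarely be used)"
	@echo " clean: remove the current server certs. Handle with care."
	@echo " clean-db: remove the current server from database. Handle with care."
	@echo " clean-all: remove everything (ca certs and server certs but not the archive). Handle with care."
	@echo " revoke: revoke the ${REVOKE_CERT} certificate"
	@echo " verify: verify signatures"
	@echo " fingerprint: print fingerprints of the server certificate"
	@echo
	@echo "The certificates will be regenerated if the config files have changed"
	@echo
	@echo "The current configurable variables are:"
	@echo
	@echo "DN=${DN} specifies which config to use in configs/DN.cnf"
	@echo "SERVER_CONF=${SERVER_CONF}"
	@echo "APACHE_CONF_DIR=${APACHE_CONF_DIR}"
	@echo "COURIER_IMAP_CONF_DIR=${COURIER_IMAP_CONF_DIR}"
	@echo "CA_CONF=${CA_CONF}"
	@echo "REVOKE_CERT=${REVOKE_CERT}"
	@echo "KEY_BITS=${KEY_BITS}"
	@echo "CA_DAYS=${CA_DAYS}"
	@echo "CA=${CA}" # if we use a cert signed by CACert ("cacert") or our own ("self")
	@echo
	@echo "Those variables can be overriden on make's command line."
	@echo "If the config directories are unset, the config files will not be installed."

cert certificate: ${server_key}

pem: ${server_pem}

# composite key+certificate for courier/apache; it contains the private key, so
# it is created under a restrictive umask rather than the caller's
${server_pem}: ${server_key} ${server_crt} | ${ARCHIVE_DIR}
	@${ECHO_MSG} Generating composite certificate
	@umask 077 && cat ${server_key} ${server_crt} > $@

ca: ${CA_CERTS}

# the key is written by the ${CACERT} recipe below; this rule only tightens
# its mode (owner read-only, like the server key)
${CAKEY}: ${CACERT}
	@chmod 400 $@

# does not depend on ${CA_CONF} since we have to change it without regenerating the CA sometimes
${CACERT}:
	@${ECHO_MSG} Generating Certificate Authority signing certificate
	@umask 077 && env OPENSSL_CONF=${CA_CONF} openssl req -x509 -newkey rsa -keyout ${CAKEY} -out $@ -outform PEM -days ${CA_DAYS}
	@chmod og-rx $@

# `openssl ca` refuses to run without a serial file; seed it once
serial:
	@if [ ! -e $@ ]; then echo 01 > $@; fi

db.txt:
	@touch $@

# one recipe writes both the key and the CSR (hence .NOTPARALLEL above);
# the directory is order-only so that new files appearing in it do not make
# the key look stale and get it regenerated
${server_req} ${server_key}: ${SERVER_CONF} | ${ARCHIVE_DIR}
	@${ECHO_MSG} Generating Server Key
	@umask 077 && env OPENSSL_CONF=${SERVER_CONF} openssl req -newkey rsa:${KEY_BITS} -keyout ${server_key} -keyform PEM -out ${server_req} -outform PEM
	@chmod 400 ${server_key}
# if we wanted to decrypt the key generated above
# openssl rsa < server_key.pem > server_key_clear.pem

sign: ${server_crt}

ifeq (${CA},cacert)
# CAcert signs the CSR out of band: show the CSR, then read the returned
# certificate from the terminal and keep it only if it parses as a certificate
${server_crt}: ${server_req} | ${ARCHIVE_DIR}
	@if [ ! -r $@ ] ; then \
		${ECHO_MSG} 'Missing certificate from CACert, copy-paste it into $@' ; \
		${ECHO_MSG} 'The CSR (Certificate Signing Request) follows' ; cat ${server_req} ; \
		${ECHO_MSG} 'Paste the signature from CACert here or hit control-d to cancel' ; \
		cat > $@ ; \
		openssl x509 -noout -in $@ >/dev/null 2>&1 || { ${ECHO_MSG} 'Not a PEM certificate, discarding' ; rm -f $@ ; exit 1 ; } ; \
	fi
else
# `serial` and `db.txt` only need to exist: `openssl ca` rewrites them on every
# signature, so a timestamp dependency on them would be meaningless
${server_crt}: ${CA_CERTS} ${server_req} | serial db.txt ${ARCHIVE_DIR}
	@${ECHO_MSG} Generating Server Certificate Signature
	@env OPENSSL_CONF=${CA_CONF} openssl ca -in ${server_req} -out $@
	# remove duplicate
	@rm -f ${ARCHIVE_DIR}/${SERIAL}.pem ${ARCHIVE_DIR}/${NEXT_SERIAL}.pem
endif

revoke:
	env OPENSSL_CONF=${CA_CONF} openssl ca -revoke ${REVOKE_CERT}

verify: verify-purpose verify-sig

verify-purpose: ${server_pem}
	openssl x509 -purpose < $<

# NOTE(review): the composite is installed for apache/courier (a server), yet
# the purpose checked here is sslclient — confirm against the CA config
verify-sig: ${server_pem}
	openssl verify -CAfile ${CACERT} -purpose sslclient $<

# fingerprints of the server certificate; openssl's -in takes precedence over
# stdin, so the file is passed with -in (a redirect alone would be ignored)
fingerprint: fingerprint-md5 fingerprint-sha1 fingerprint-sha256

fingerprint-sha256: ${server_pem}
	@openssl x509 -in $< -noout -sha256 -fingerprint

fingerprint-sha1: ${server_pem}
	@openssl x509 -in $< -noout -sha1 -fingerprint

fingerprint-md5: ${server_pem}
	@openssl x509 -in $< -noout -md5 -fingerprint

# an empty APACHE_CONF_DIR / COURIER_IMAP_CONF_DIR skips that installation
install: ${server_pem}
ifdef APACHE_CONF_DIR
	mkdir -p ${APACHE_CONF_DIR}/ssl.key ${APACHE_CONF_DIR}/ssl.crt
	cp -f ${server_key} ${APACHE_CONF_DIR}/ssl.key/server.key
	cp -f ${server_crt} ${APACHE_CONF_DIR}/ssl.crt/server.crt
endif
ifdef COURIER_IMAP_CONF_DIR
	cp -f ${server_pem} ${COURIER_IMAP_CONF_DIR}/imapd.pem
endif

# same as install, for the debian apache layout (single ssl/ directory)
debian-install: ${server_pem}
ifdef APACHE_CONF_DIR
	cp -f ${server_key} ${APACHE_CONF_DIR}/ssl/server.key
	cp -f ${server_crt} ${APACHE_CONF_DIR}/ssl/server.crt
endif
ifdef COURIER_IMAP_CONF_DIR
	cp -f ${server_pem} ${COURIER_IMAP_CONF_DIR}/imapd.pem
endif

# snapshot the archive directory next to itself as <dir>-YYYYMMDD.bak
# (the trailing slash of ARCHIVE_DIR is dropped, otherwise the copy would land
# inside the directory being copied); a failed backup aborts the archive
archive: ${ARCHIVE_DIR}
	@if [ -e ${ARCHIVE_DIR} ] ; then cp -Rp ${ARCHIVE_DIR} ${archive_base}-$$(date +%Y%m%d).bak ; fi
# NOTE(review): SERVER_CERTS already live in ARCHIVE_DIR, so this mv is a
# no-op kept from an older layout — confirm before removing
	@-mv -f ${SERVER_CERTS} ${ARCHIVE_DIR}
	@${ECHO_MSG} "server certificates archived to ${ARCHIVE_DIR}"

${ARCHIVE_DIR}:
	@mkdir -p $@

# clean the server certs created
clean: clean-db
	rm -f -- ${SERVER_CERTS}

# best effort: drop the previous serial from the CA database and put the serial
# counter back; both may fail when there is nothing to undo. db.txt (the
# `openssl ca` index) is tab-separated, hence [[:blank:]] around the serial.
clean-db:
	-sed -i -e '/[[:blank:]]${PREV_SERIAL}[[:blank:]]/d' db.txt
	-mv -f serial.old serial

# warning: this will destroy everything!
clean-all: clean
	rm -f -- ${CA_CERTS}

# <subject-hash>.0 link in the archive directory, the naming openssl's CApath
# lookup expects; the link target is relative so it stays valid from inside
# the directory
symlink: ${server_pem}
	ln -sf server.pem ${ARCHIVE_DIR}/$$(openssl x509 -hash -noout -in $<).0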