Moved demonstration/radiusclient files into place from Dubner's ldap-radius project

b856110f · Robert Dubner · 78efa120 · b856110f · b856110f · b856110f
Commit b856110f authored Oct 10, 2021 by Robert Dubner
--- a/contrib/slapd-modules/radiusov/demonstration/ldap/.gitignore
+++ b/contrib/slapd-modules/radiusov/demonstration/ldap/.gitignore
+!Makefile
 *.log
 schema/
 sch/

--- a/contrib/slapd-modules/radiusov/demonstration/ldap/Makefile
+++ b/contrib/slapd-modules/radiusov/demonstration/ldap/Makefile
+SLAPD = ~/repos/openldap/servers/slapd/.libs/slapd
+
+DEBUG_LEVEL=STATS
+DEBUG_LEVEL=-1
+DEBUG_LEVEL= 4083	# Everything but LDAP_DEBUG_CONNS (8) and LDAP_DEBUG_ARGS(4)
+DEBUG_LEVEL=0
+DEBUG_LEVEL= 4087	# Everything but LDAP_DEBUG_CONNS (8); it cuts down on noise during debugging
+
+all:
+	@echo "'make scratch'  to build up the LDAP DIT from scratch"
+	@echo "'make slapd'    to launch the OpenLDAP   slapd daemon"
+	@echo "'make radiusd'  to launch the FreeRADIUS radiusd daemon"
+	@echo "'make kill'     to kill both slapd and radiusd"
+	@echo "'make slapdd'   for GDB-launched version of the daemons"
+	@echo "'make radiusdd' for GDB-launched version of the daemons"
+
+scratch:
+#	Make sure slapd isn't running
+	sudo pkill -KILL slapd || true
+	sudo pkill -KILL slapd || true
+	sudo pkill -KILL slapd || true
+	sudo pkill -KILL slapd || true
+#	Clear out the log files
+	rm -f slapd.log
+	rm -f debug.log
+#	Clear out the database directory completely:
+	rm -fr testdir
+#	Create the database directory:
+	mkdir -p testdir/openldap-data
+#	Launch SLAPD
+	LDAPNOINIT=1 /usr/local/libexec/slapd -h "ldap://127.0.0.1:3899/" -s 0 -f slapd.conf -d $(DEBUG_LEVEL) > slapd.log 2>&1 &
+	@echo "Waiting 1 second..."
+	sleep 1
+#	Do the initial database population:
+	ldapadd -H ldap://127.0.0.1:3899/ -x -D "cn=Manager,dc=renbud,dc=com" -w secret -f renbud.ldif
+	@echo "slapd is running; use 'make kill' to shut it and the radiusd daemon down"
+	
+slapd:
+#	Make sure slapd isn't running
+	sudo pkill -KILL slapd || true
+	sudo pkill -KILL slapd || true
+	sudo pkill -KILL slapd || true
+	sudo pkill -KILL slapd || true
+#	Clear out the log files
+	rm -f slapd.log
+	rm -f debug.log
+#	Launch SLAPD
+#	LDAPNOINIT=1 sudo chrt -rr 49 /usr/local/libexec/slapd -h "ldap://127.0.0.1:3899/" -s 0 -f slapd.conf -d $(DEBUG_LEVEL) 2>&1 | tee slapd.log &
+	LDAPNOINIT=1 $(SLAPD) -h "ldap://127.0.0.1:3899/" -s 0 -f slapd.conf -d $(DEBUG_LEVEL) 2>&1 | tee slapd.log &
+	
+slapdd:
+#	Make sure slapd isn't running
+	sudo pkill -KILL slapd || true
+	sudo pkill -KILL slapd || true
+	sudo pkill -KILL slapd || true
+	sudo pkill -KILL slapd || true
+#	Clear out the log files
+	sudo rm -f testdir/slapd.pid
+	sudo rm -f testdir/slapd.args
+	rm -f slapd.log
+	rm -f debug.log
+#	Launch SLAPD with the debugger:
+	LDAPNOINIT=1 gdb --args $(SLAPD) -h "ldap://127.0.0.1:3899/" -s 0 -f ./slapd.conf -d -1
+
+nc:
+	echo "abel1,abel1" | nc -w 1 -4u localhost 18129
+	echo "abel1,badpassword" | nc -w 1 -4u localhost 18129
+
+whoami:
+	ldapwhoami -Hldap://127.0.0.1:3899/ -x -D "uid=abel1,ou=People,dc=renbud,dc=com" -w abel1
+
+search:
+	ldapsearch -LLL -Hldap://127.0.0.1:3899/ -x -b "dc=renbud,dc=com" '(uid=abe1)' sn cn
+
+searchd:
+	gdb --args /home/bob/repos/openldap/clients/tools/.libs/ldapsearch -LLL -Hldap://127.0.0.1:3899/ -x -b "dc=renbud,dc=com" '(uid=abe1)' sn cn
+
+kill:
+	sudo pkill -KILL slapd || true
+	sudo pkill -KILL slapd || true
+	sudo pkill -KILL slapd || true
+	sudo pkill -KILL slapd || true
+
+	sudo pkill -KILL radiusd || true
+	sudo pkill -KILL radiusd || true
+	sudo pkill -KILL radiusd || true
+	sudo pkill -KILL radiusd || true
+
+radiusd:
+	sudo pkill -KILL radiusd || true
+	sudo pkill -KILL radiusd || true
+	sudo pkill -KILL radiusd || true
+	sudo pkill -KILL radiusd || true
+	rm -f radiust.log
+	cp eap_for_demo /usr/local/etc/raddb/mods-available
+	rm -f /usr/local/etc/raddb/mods-enabled/eap
+	ln -s ../mods-available/eap_for_demo /usr/local/etc/raddb/mods-enabled/eap
+	$(MAKE) -C radius-config
+	radiusd -X 2>&1 | tee radiusd.log &
+
+radiusdd:
+	sudo pkill -KILL radiusd || true
+	sudo pkill -KILL radiusd || true
+	sudo pkill -KILL radiusd || true
+	sudo pkill -KILL radiusd || true
+	rm -f radiust.log
+	cp eap_for_demo /usr/local/etc/raddb/mods-available
+	rm -f /usr/local/etc/raddb/mods-enabled/eap
+	ln -s ../mods-available/eap_for_demo /usr/local/etc/raddb/mods-enabled/eap
+	$(MAKE) -C radius-config
+	gdb --args radiusd -sfxx -l stdout
+
+.PHONY: both
+both: radiusd slapd
+
+radius:
+	rm -f radiust.log
+	sudo chrt -rr 49 radiusd
+
+rtest:
+	radtest testing password 127.0.0.1 0 testing123
+#	radtest abel1 abel1 127.0.0.1 0 testing123
+
+dump-config:
+	ldapsearch -H ldap://127.0.0.1:3899/ -x -D cn=config -w VerySecret -b cn=config
+
+
--- a/contrib/slapd-modules/radiusov/demonstration/ldap/radius-config/Makefile
+++ b/contrib/slapd-modules/radiusov/demonstration/ldap/radius-config/Makefile
+
+
+all:
+	@echo "Hi!"
+	cp mod-ldap.original mod-ldap
+	sed -i '/port = 389/a \\tport = 3899' mod-ldap
+	sed -i "/identity = /a\ \tidentity = \'cn=Manager,dc=renbud,dc=com\'" mod-ldap 
+	sed -i "/password = /a\ \tpassword = secret" mod-ldap 
+	sed -i 's/dc=example,dc=org/dc=renbud,dc=com/g' mod-ldap
+	scp mod-ldap /usr/local/etc/raddb/mods-available/ldap
+	ln -f -s /usr/local/etc/raddb/mods-available/ldap /usr/local/etc/raddb/mods-enabled/ldap
+	# Disable ldap by uncommenting the following line
+	rm /usr/local/etc/raddb/mods-enabled/ldap
+
+	cp clients.conf.original clients.conf.mod
+	sed -i -e '$$aclient lap90a90 {' clients.conf.mod
+	sed -i -e '$$a\\tipaddr = 10.0.1.250' clients.conf.mod
+	sed -i -e '$$a\\tsecret = testing123' clients.conf.mod
+	sed -i -e '$$a\\trequire_message_authenticator = yes' clients.conf.mod
+	sed -i -e '$$a}' clients.conf.mod
+	cp clients.conf.mod /usr/local/etc/raddb/clients.conf
--- a/contrib/slapd-modules/radiusov/demonstration/ldap/roundtrip/Makefile
+++ b/contrib/slapd-modules/radiusov/demonstration/ldap/roundtrip/Makefile
+
+GCC  = gcc
+OPTS = -Wall -ggdb -O0
+#OPTS = -Wall -g -O2
+
+all:
+	$(GCC) $(OPTS) roundtrip.c -o roundtrip
--- a/contrib/slapd-modules/radiusov/demonstration/radiusclient/Makefile
+++ b/contrib/slapd-modules/radiusov/demonstration/radiusclient/Makefile
-
+FREERADIUS_FILES = /usr/local/etc/raddb/

 GCC   = gcc
 COPTS = -ggdb -O0 -Wall
 ALLH  = $(wildcard *.h)
 LIBS  = -L/usr/lib -lssl -lcrypto

-TCPSERVER_OBJS = tcpserver.o ourtls.o
-TCPCLIENT_OBJS = tcpclient.o ourtls.o
-MEMCOMMS_OBJS = memcomms.o ourtls.o session.o
 RADIUSCLIENT_OBJS = radiusclient.o ourtls.o session.o rpacket.o md5.o \
                    hmacmd5.o reap.o mschap.o sha1.o md4.o des.o

-SERVER_CONF = server-demand.conf
 CLIENT_CONF = client-good.conf

 HOST = 127.0.0.1
 PORT = 1081

-.SUFFIXES: 
+.SUFFIXES:

 .PHONEY: all
-all: tcpserver tcpclient memcommsxxxx radiusclient
-
-tcpserver: $(TCPSERVER_OBJS)
-	$(GCC) $(COPTS) -o $@ $^ $(LIBS)
-
-tcpclient: $(TCPCLIENT_OBJS)
-	$(GCC) $(COPTS) -o $@ $^ $(LIBS)
-
-memcomms: $(MEMCOMMS_OBJS)
-	$(GCC) $(COPTS) -o $@ $^ $(LIBS)
+all: radiusclient certificates

 radiusclient: $(RADIUSCLIENT_OBJS)
 	$(GCC) $(COPTS) -o $@ $^ $(LIBS)

-tcpserver.o: tcpserver.c $(ALLH)
-	gcc $(COPTS) -c -o $@ $<
-
-tcpclient.o: tcpclient.c $(ALLH)
-	gcc $(COPTS) -c -o $@ $<
-
 ourtls.o: ourtls.c $(ALLH)
 	gcc $(COPTS) -c -o $@ $<

 session.o: session.c $(ALLH)
 	gcc $(COPTS) -c -o $@ $<

-memcomms.o: memcomms.c $(ALLH)
-	gcc $(COPTS) -c -o $@ $<
-
 radiusclient.o: radiusclient.c $(ALLH)
 	gcc $(COPTS) -c -o $@ $<

@@ -76,105 +54,49 @@ md4.o: md4.c $(ALLH)
 des.o: des.c $(ALLH)
 	gcc $(COPTS) -c -o $@ $<

-.PHONY: certs
-certs:
-	# If you get an error about a .rnd file:
-	#     cd ~
-	#     openssl rand -writerand .rnd
-	#
-	mkdir -p certs
-	mkdir -p ca_certs
-	rm -f certs/*.pem
-	rm -f ca_certs/*.pem
-
-#	Note that 4,383 days is twelve years to the day, being 3*(4*365+1))
-
-#	NIST has recommended a 2,048 RSA key (112 bit security) starting in 2015, and
-#	expects that to be the recommendation through 2030, at which point 3,072 RSA
-#	(128-bit security) should be used.
-
-#	For ephemeral key exchange, even 2,048 bits is overkill, since the assymetric
-#	cryptography is used only to create the session key, which itself is providing
-#	forward secrecy, so even if, in the future, the RSA encryption is broken,
-#	the messages themselves will still be encrypted.  But a recommendation is a
-#	recommendation.  I am using 2,048 because then I don't have to explain to
-#	security auditors why I used something smaller than the NIST recommendation.
-
-	# Create a couple of simple self-signed certificates, one with a passphrase, the other without
-	openssl req -x509 -days 4383 -newkey rsa:2048 -keyout certs/simple-cert1.pem -out certs/simple-cert1.pem -subj "/C=US/ST=New York/L=Saugerties/O=Symas Corporation/OU=SimpleCertificate/CN=*.symas.com/emailAddress=support@symas.com"               -nodes 
-	openssl req -x509 -days 4383 -newkey rsa:2048 -keyout certs/simple-cert2.pem -out certs/simple-cert2.pem -subj "/C=US/ST=New York/L=Saugerties/O=Symas Corporation/OU=SimpleCertificateWithPassphrase/CN=*.symas.com/emailAddress=support@symas.com" -passout pass:ishkabibble 
-	
-	# Create several self-signed CA certificates, each with a passphrase
-	openssl req -x509 -passout pass:ca1passphrase -days 4383 -newkey rsa:2048 -keyout ca_certs/ca1-cert.pem -out ca_certs/ca1-cert.pem -subj "/C=US/ST=New York/L=Saugerties/O=Symas Corporation/OU=Certificate Authority CA1/CN=*.symas.com/emailAddress=support@symas.com"
-	openssl req -x509 -passout pass:ca2passphrase -days 4383 -newkey rsa:2048 -keyout ca_certs/ca2-cert.pem -out ca_certs/ca2-cert.pem -subj "/C=US/ST=New York/L=Saugerties/O=Symas Corporation/OU=Certificate Authority CA2/CN=*.symas.com/emailAddress=support@symas.com"
-	openssl req -x509 -passout pass:ca3passphrase -days 4383 -newkey rsa:2048 -keyout ca_certs/ca3-cert.pem -out ca_certs/ca3-cert.pem -subj "/C=US/ST=New York/L=Saugerties/O=Symas Corporation/OU=Certificate Authority CA3/CN=*.symas.com/emailAddress=support@symas.com"
-	openssl req -x509 -passout pass:ca4passphrase -days 4383 -newkey rsa:2048 -keyout ca_certs/ca4-cert.pem -out ca_certs/ca4-cert.pem -subj "/C=US/ST=New York/L=Saugerties/O=Symas Corporation/OU=Certificate Authority CA4/CN=*.symas.com/emailAddress=support@symas.com"
-
-	# hash their subject fields in order to facilitate SSL_CTX_load_verify_locations():
-	c_rehash ca_certs
-
-	# Generate a Certificate Signing Request (CSR) for the server:
-	openssl req -passout pass:serverpassphrase -newkey rsa:2048 -keyout certs/server-key.pem -out certs/server-req.pem -subj "/C=US/ST=New York/L=Saugerties/O=Symas Corporation/OU=Server Certificate/CN=*.symas.com/emailAddress=support@symas.com"
-	# Sign it with ca1:
-	openssl x509 -req -passin pass:ca1passphrase -days 4383 -in certs/server-req.pem -CA ca_certs/ca1-cert.pem -CAkey ca_certs/ca1-cert.pem -CAcreateserial -out certs/server-cert.pem
-	# Get rid of the no-longer-needed CSR
-	rm certs/server-req.pem
-
-	# Generate a Certificate Signing Request (CSR) for the client:
-	openssl req -passout pass:clientpassphrase -newkey rsa:2048 -keyout certs/client-key.pem -out certs/client-req.pem -subj "/C=US/ST=New York/L=Saugerties/O=Symas Corporation/OU=Client Certificate/CN=*.symas.com/emailAddress=support@symas.com"
-	# Sign it with ca3:
-	openssl x509 -req -passin pass:ca3passphrase -days 4383 -in certs/client-req.pem -CA ca_certs/ca3-cert.pem -CAkey ca_certs/ca3-cert.pem -CAcreateserial -out certs/client-cert.pem
-	# Get rid of the no-longer-needed CSR
-	rm certs/client-req.pem
-
-#	When you want to look at a certificate, you will need this instruction:
-#	openssl x509 -noout -text -in certs/simple-cert1.pem
-#	openssl x509 -noout -text -in certs/simple-cert2.pem
-#	openssl x509 -noout -text -in certs/server-cert.pem
-#	openssl x509 -noout -text -in certs/client-cert.pem
-
-.PHONEY: server
-server: all
-	sudo pkill tcpserver || true
-	sudo ./tcpserver -f $(SERVER_CONF) -p $(PORT)
-
-.PHONEY: serverd
-serverd: all
-	sudo pkill tcpserver || true
-	sudo gdb --args ./tcpserver -f $(SERVER_CONF) -p $(PORT)
-
-client: all
-	./tcpclient -f $(CLIENT_CONF) -h $(HOST) -p $(PORT)
-
-clientd: all
-	gdb --args ./tcpclient -f $(CLIENT_CONF) -h $(HOST) -p $(PORT)
-
-run: all
-	sudo pkill tcpserver || true
-	sudo ./tcpserver -f $(SERVER_CONF) -p $(PORT) &
-	sleep 1
-	./tcpclient -f $(CLIENT_CONF) -h $(HOST) -p $(PORT)
-
-mem: all
-	./memcomms -s $(SERVER_CONF) -c $(CLIENT_CONF)
-
-memd: all
-	gdb --args ./memcomms -s $(SERVER_CONF) -c $(CLIENT_CONF)
+.PHONY: certificates
+certificates: $(FREERADIUS_FILES)/certs/ca.pem
+# If you get an error about a .rnd file:
+#     cd ~
+#     openssl rand -writerand .rnd
+#
+
+# For the purposes of the radiusclient demonstration, where we want radiusclient
+# to authenticate against both FreeRADIUS and OpenLDAP, we need the various
+# certificate files to be in a common location known to all three.  So, I shamelessly
+# duplicated the FreeRADIUS Makefile that creates their "snake oil" test certificates,
+# which should *not* be used in production.  I then copy those certificates to
+# where FreeRADIUS usually puts them.
+
+$(FREERADIUS_FILES)/certs/ca.pem: certs/ca.pem
+	mkdir -p $(FREERADIUS_FILES)/certs
+	cp certs/ca.* $(FREERADIUS_FILES)/certs
+	cp certs/server.* $(FREERADIUS_FILES)/certs
+	cp certs/client.* $(FREERADIUS_FILES)/certs
+
+certs/ca.pem:
+	$(MAKE) -C certs
+
+#	Should you want to look at what's in those certificates,
+#	you will need these commands:
+#	openssl x509 -noout -text -in certs/ca.pem
+#	openssl x509 -noout -text -in certs/server.pem
+#	openssl x509 -noout -text -in certs/client.pem

 rad: all
-	./radiusclient -c $(CLIENT_CONF) -h 127.0.0.1 -p 18129 -m peap -s testing123 abel1 abel1 
-	./radiusclient -c $(CLIENT_CONF) -h 127.0.0.1 -p 18129 -m ttls -s testing123 abel1 abel1 
-	./radiusclient -c $(CLIENT_CONF) -h 127.0.0.1 -p 1812 -m peap -s testing123 testing password 
-	./radiusclient -c $(CLIENT_CONF) -h 127.0.0.1 -p 1812 -m ttls -s testing123 testing password 
+	./radiusclient -c $(CLIENT_CONF) -h 127.0.0.1 -p 18129 -m peap -s testing123 abel1 abel1
+	./radiusclient -c $(CLIENT_CONF) -h 127.0.0.1 -p 18129 -m ttls -s testing123 abel1 abel1
+	./radiusclient -c $(CLIENT_CONF) -h 127.0.0.1 -p 1812 -m peap -s testing123 testing password
+	./radiusclient -c $(CLIENT_CONF) -h 127.0.0.1 -p 1812 -m ttls -s testing123 testing password

 radd: all
-	gdb --args ./radiusclient -c $(CLIENT_CONF) -h 127.0.0.1 -p 18129 -m peap -s testing123 abel1 abel1 
-	gdb --args ./radiusclient -c $(CLIENT_CONF) -h 127.0.0.1 -p 1812 -m peap -s testing123 testing password 
+#	gdb --args ./radiusclient -c $(CLIENT_CONF) -h 127.0.0.1 -p 18129 -m peap -s testing123 abel1 abel1
+#	gdb --args ./radiusclient -c $(CLIENT_CONF) -h 127.0.0.1 -p 1812 -m peap -s testing123 testing password

 test: all
 	./test.scr

-kill: 
+kill:
 	sudo pkill radiusclient || true

 clean:
@@ -183,4 +105,4 @@ clean:
 	rm -f tcpserver
 	rm -f memcomms
 	rm -f radiusclient
-	
\ No newline at end of file
+	$(MAKE) -C certs destroycerts
--- a/contrib/slapd-modules/radiusov/demonstration/radiusclient/certs/.gitignore
+++ b/contrib/slapd-modules/radiusov/demonstration/radiusclient/certs/.gitignore
+*.pem
+*.crl
+*.der
+*.key
+*.crt
+*.csr
+*.p12
+index*
+serial*
--- a/contrib/slapd-modules/radiusov/demonstration/radiusclient/certs/Makefile
+++ b/contrib/slapd-modules/radiusov/demonstration/radiusclient/certs/Makefile
+######################################################################
+#
+#	Make file to be installed in /etc/raddb/certs to enable
+#	the easy creation of certificates.
+#
+#	See the README file in this directory for more information.
+#
+#	$Id: c9fbc9e8646bb157092e48c95352cb2866bafeaf $
+#
+######################################################################
+
+OPENSSL		= openssl
+EXTERNAL_CA	= $(wildcard external_ca.*)
+
+ifneq "$(EXTERNAL_CA)" ""
+PARTIAL		= -partial_chain
+endif
+
+#
+#  Set the passwords
+#
+include passwords.mk
+
+######################################################################
+#
+#  Make the necessary files, but not client certificates.
+#
+######################################################################
+.PHONY: all
+all: index.txt serial ca server client
+
+.PHONY: client
+client: client.pem
+
+.PHONY: ca
+ca: ca.der ca.crl
+
+.PHONY: server
+server: server.pem server.vrfy
+
+.PHONY: inner-server
+inner-server: inner-server.pem inner-server.vrfy
+
+.PHONY: verify
+verify: server.vrfy client.vrfy
+
+passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf
+	@echo "PASSWORD_SERVER	= '$(shell grep output_password server.cnf | sed 's/.*=//;s/^ *//')'"		> $@
+	@echo "PASSWORD_INNER	= '$(shell grep output_password inner-server.cnf | sed 's/.*=//;s/^ *//')'"	>> $@
+	@echo "PASSWORD_CA	= '$(shell grep output_password ca.cnf | sed 's/.*=//;s/^ *//')'"		>> $@
+	@echo "PASSWORD_CLIENT	= '$(shell grep output_password client.cnf | sed 's/.*=//;s/^ *//')'"		>> $@
+	@echo "USER_NAME	= '$(shell grep emailAddress client.cnf | grep '@' | sed 's/.*=//;s/^ *//')'"	>> $@
+	@echo "CA_DEFAULT_DAYS  = '$(shell grep default_days ca.cnf | sed 's/.*=//;s/^ *//')'"			>> $@
+
+######################################################################
+#
+#  Create a new self-signed CA certificate
+#
+######################################################################
+ca.key ca.pem: ca.cnf
+	@[ -f index.txt ] || $(MAKE) index.txt
+	@[ -f serial ] || $(MAKE) serial
+	$(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \
+		-days $(CA_DEFAULT_DAYS) -config ./ca.cnf \
+		-passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA)
+	chmod g+r ca.key
+
+ca.der: ca.pem
+	$(OPENSSL) x509 -inform PEM -outform DER -in ca.pem -out ca.der
+
+ca.crl: ca.pem
+	$(OPENSSL) ca -gencrl -keyfile ca.key -cert ca.pem -config ./ca.cnf -out ca-crl.pem -key $(PASSWORD_CA)
+	$(OPENSSL) crl -in ca-crl.pem -outform der -out ca.crl
+	rm ca-crl.pem
+
+######################################################################
+#
+#  Create a new server certificate, signed by the above CA.
+#
+######################################################################
+server.csr server.key: server.cnf
+	$(OPENSSL) req -new  -out server.csr -keyout server.key -config ./server.cnf
+	chmod g+r server.key
+
+server.crt: ca.key ca.pem server.csr
+	$(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in server.csr  -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
+
+server.p12: server.crt
+	$(OPENSSL) pkcs12 -export -in server.crt -inkey server.key -out server.p12  -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
+	chmod g+r server.p12
+
+server.pem: server.p12
+	$(OPENSSL) pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
+	chmod g+r server.pem
+
+.PHONY: server.vrfy
+server.vrfy: ca.pem
+	@$(OPENSSL) verify $(PARTIAL) -CAfile ca.pem server.pem
+
+######################################################################
+#
+#  Create a new client certificate, signed by the the above server
+#  certificate.
+#
+######################################################################
+client.csr client.key: client.cnf
+	$(OPENSSL) req -new  -out client.csr -keyout client.key -config ./client.cnf
+	chmod g+r client.key
+
+client.crt: ca.key ca.pem client.csr
+	$(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
+
+client.p12: client.crt
+	$(OPENSSL) pkcs12 -export -in client.crt -inkey client.key -out client.p12  -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
+	chmod g+r client.p12
+	cp client.p12 $(USER_NAME).p12
+
+client.pem: client.p12
+	$(OPENSSL) pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
+	chmod g+r client.pem
+	cp client.pem $(USER_NAME).pem
+
+.PHONY: client.vrfy
+client.vrfy: ca.pem client.pem
+	c_rehash .
+	$(OPENSSL) verify -CApath . client.pem
+
+######################################################################
+#
+#  Create a new inner-server certificate, signed by the above CA.
+#
+######################################################################
+inner-server.csr inner-server.key: inner-server.cnf
+	$(OPENSSL) req -new  -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf
+	chmod g+r inner-server.key
+
+inner-server.crt: ca.key ca.pem inner-server.csr
+	$(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in inner-server.csr  -key $(PASSWORD_CA) -out inner-server.crt -extensions xpserver_ext -extfile xpextensions -config ./inner-server.cnf
+
+inner-server.p12: inner-server.crt
+	$(OPENSSL) pkcs12 -export -in inner-server.crt -inkey inner-server.key -out inner-server.p12  -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER)
+	chmod g+r inner-server.p12
+
+inner-server.pem: inner-server.p12
+	$(OPENSSL) pkcs12 -in inner-server.p12 -out inner-server.pem -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER)
+	chmod g+r inner-server.pem
+
+.PHONY: inner-server.vrfy
+inner-server.vrfy: ca.pem
+	@$(OPENSSL) verify $(PARTIAL) -CAfile ca.pem inner-server.pem
+
+######################################################################
+#
+#  Miscellaneous rules.
+#
+######################################################################
+index.txt:
+	@touch index.txt
+
+serial:
+	@echo '01' > serial
+
+print:
+	$(OPENSSL) x509 -text -in server.crt
+
+printca:
+	$(OPENSSL) x509 -text -in ca.pem
+
+clean:
+	@rm -f *~ *old client.csr client.key client.crt client.p12 client.pem
+
+#
+#	Make a target that people won't run too often.
+#
+destroycerts:
+	rm -f *~ *.csr *.crt *.p12 *.der *.pem *.key index.txt* \
+			serial*  *\.0 *\.1 ca-crl.pem ca.crl