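# skz-pki - PKI management with OpenSSL
# Samuel 'sk4nz' AUBERTIN - 2019
#
# Builds a two-tier PKI (root CA -> intermediate CA -> server/user leaf
# certificates) out of plain files, using GNU make as the dependency engine:
# every key, CSR, certificate and CA database file is a real make target, so
# re-running `make` only creates what is missing.
#
# Variables such as PKI_CA_PATH, PKI_*_MODE, SERVERS_LIST, USERS_LIST and the
# $(output) helper are defined by the files included from src/.

# The recipes rely on `echo -e`/`echo -en`, which POSIX sh does not guarantee
# (dash prints the flags literally), so pin the recipe shell to bash.
SHELL := /bin/bash

# Remove a half-written target (key, CSR, cert, config) when its recipe fails,
# so a truncated file can never look "up to date" on the next run.
.DELETE_ON_ERROR:

# `openssl ca` updates the shared CA database (index.txt, serial, newcerts/)
# in place; signing two leaf certificates concurrently would race on it, so
# this Makefile must not be run with -j.
.NOTPARALLEL:

.PHONY: all clean banner epilogue revoke dependencies

# Run make, then add more USERS or SERVERS and re-make.
SERVERS =
USERS =

include src/pki.mk
include src/root.mk
include src/intermediate.mk
include src/server.mk
include src/user.mk
include src/magic.mk

all: banner dependencies $(addsuffix .cert.pem, $(SERVERS_LIST)) \
	$(addsuffix .cert.pem, $(USERS_LIST)) epilogue

# Fail early with a readable message instead of a cascade of "command not found".
dependencies:
	@command -v openssl > /dev/null 2>&1 || (echo -e "You need OpenSSL" && exit 1)

banner:
	@echo -e "\033[1mskz-pki - PKI management with OpenSSL"
	@echo -e "Samuel 'sk4nz' Aubertin - 2019\033[0m\n"

epilogue:
	@echo -e "\033[3m[+] DONE [+]\033[0m"

### CA ###
# Root CA directory layout; private/ is locked down right after creation.
$(PKI_CERTS_CA_ROOT_DIR):
	@echo -e "\033[3m[+] $@ [+]\033[0m"
	@echo -en "\tCreating CA dirs : "; mkdir -p $@ $@/certs \
		$@/crl $@/newcerts $@/private && $(output)
	@chmod ${PKI_PRIVATE_DIR_MODE} $@/private

# CA database files. The intermediate CA's copies also wait for the
# intermediate directory so they are never created before it exists.
$(PKI_CA_PATH)/index.txt: | $(PKI_CERTS_CA_ROOT_DIR)
	@echo -en "\tCreating $@ : "; touch $@ && $(output)

$(PKI_INTERMEDIATE_CA_PATH)/index.txt: | \
		$(PKI_CERTS_CA_ROOT_DIR) $(PKI_INTERMEDIATE_CA_ROOT_DIR)
	@echo -en "\tCreating $@ : "; touch $@ && $(output)

$(PKI_CA_PATH)/serial: | $(PKI_CERTS_CA_ROOT_DIR)
	@echo -en "\tCreating $@ : "; cp src/serial $@ && $(output)

$(PKI_INTERMEDIATE_CA_PATH)/serial $(PKI_INTERMEDIATE_CA_PATH)/crlnumber: | \
		$(PKI_CERTS_CA_ROOT_DIR) $(PKI_INTERMEDIATE_CA_ROOT_DIR)
	@echo -en "\tCreating $@ : "; cp src/serial $@ && $(output)

# The config templates are multi-line make variables; they are handed to the
# shell through a target-specific exported environment variable so that
# quoting survives intact.
$(PKI_CA_CONFIG): export PKI_CA_CONFIG_CONTENT:=${PKI_CA_CONFIG_CONTENT}
$(PKI_CA_CONFIG):
	@echo -en "\tTemplating $@ : "; echo "$${PKI_CA_CONFIG_CONTENT}" > $@ && \
		$(output)

$(PKI_INTERMEDIATE_CONFIG): export PKI_INTERMEDIATE_CA_CONFIG_CONTENT:=\
	${PKI_INTERMEDIATE_CA_CONFIG_CONTENT}
$(PKI_INTERMEDIATE_CONFIG):
	@echo -en "\tTemplating $@ : "; echo \
		"$${PKI_INTERMEDIATE_CA_CONFIG_CONTENT}" > $@ && $(output)

# Private keys are written under umask 077 so they are never world-readable,
# not even between `openssl genrsa` finishing and the chmod below.
# OpenSSL's stderr is silenced for tidy one-line progress output; on failure
# re-run the command by hand to see the reason.
$(PKI_CA_KEY): | $(PKI_CERTS_CA_ROOT_DIR)
	@echo -en "\tGenerating $@ : "; umask 077 && openssl genrsa -out $@ \
		${PKI_CA_KEY_STRENGTH} 2> /dev/null && $(output)
	@chmod ${PKI_CA_KEY_MODE} $@

# Self-signed root certificate (v3_ca extensions from the CA config).
$(PKI_CA_CERT): $(PKI_CA_KEY) | \
		$(PKI_CA_CONFIG) $(PKI_CA_PATH)/index.txt $(PKI_CA_PATH)/serial
	@echo -en "\tSelf-signing $@ : "; openssl req -config ${PKI_CA_CONFIG} \
		-subj "${PKI_CA_FIELDS}" -key ${PKI_CA_KEY} -new -x509 \
		-days ${PKI_CA_DAYS} -${PKI_HASH_TYPE} -extensions v3_ca -out $@ \
		2> /dev/null && $(output)
	@chmod ${PKI_CA_CERT_MODE} $@

### INTERMEDIATE CA ###
$(PKI_INTERMEDIATE_CA_ROOT_DIR):
	@echo -e "\033[3m[+] $@ [+]\033[0m"
	@echo -en "\tCreating Intermediate CA dirs : "; mkdir -p $@ $@/certs $@/crl \
		$@/csr $@/newcerts $@/private && $(output)
	@chmod ${PKI_PRIVATE_DIR_MODE} $@/private

$(PKI_INTERMEDIATE_KEY): | $(PKI_INTERMEDIATE_CA_ROOT_DIR)
	@echo -en "\tGenerating $@ : "; umask 077 && openssl genrsa -out $@ \
		${PKI_INTERMEDIATE_KEY_STRENGTH} 2> /dev/null && $(output)
	@chmod ${PKI_INTERMEDIATE_KEY_MODE} $@

$(PKI_INTERMEDIATE_CSR): $(PKI_INTERMEDIATE_KEY) | $(PKI_INTERMEDIATE_CONFIG) \
		$(PKI_INTERMEDIATE_CA_PATH)/index.txt \
		$(PKI_INTERMEDIATE_CA_PATH)/serial $(PKI_INTERMEDIATE_CA_PATH)/crlnumber
	@echo -en "\tEmitting intermediate CSR $@ : "; openssl req \
		-config ${PKI_INTERMEDIATE_CONFIG} -new -${PKI_HASH_TYPE} \
		-subj "${PKI_INTERMEDIATE_FIELDS}" -key ${PKI_INTERMEDIATE_KEY} -out \
		$@ && $(output)
	@chmod ${PKI_INTERMEDIATE_CERT_MODE} $@

# Signed by the root CA, then checked against it before being trusted further.
$(PKI_INTERMEDIATE_CERT): $(PKI_CA_CERT) $(PKI_INTERMEDIATE_CSR)
	@echo -en "\tSigning intermediate $@ : "; openssl ca -batch -config \
		${PKI_CA_CONFIG} -extensions v3_intermediate_ca -days \
		${PKI_INTERMEDIATE_CERT_DAYS} -notext -md ${PKI_HASH_TYPE} \
		-in ${PKI_INTERMEDIATE_CSR} -out $@ 2> /dev/null && $(output)
	@chmod ${PKI_INTERMEDIATE_CERT_MODE} $@
	@echo -en "\tVerifying $@ : "; openssl verify -CAfile ${PKI_CA_CERT} $@ \
		> /dev/null && $(output)

# Chain file (intermediate + root) used to verify leaf certificates.
$(PKI_INTERMEDIATE_CHAIN): $(PKI_INTERMEDIATE_CERT) $(PKI_CA_CERT)
	@echo -en "\tCreating $@ : "; cat ${PKI_INTERMEDIATE_CERT} ${PKI_CA_CERT} \
		> $@ && $(output)
	@chmod ${PKI_INTERMEDIATE_CHAIN_MODE} $@

### SERVERS ###
# Output directories for leaf material. `mkdir -p` also creates a missing
# parent, so a per-server/per-user directory does not depend on the order in
# which make happens to reach its root directory.
$(PKI_CERTS_MACHINE_ROOT_DIR) $(addprefix ${PKI_SERVER_CA_PATH},${SERVERS}) \
		$(PKI_CERTS_USER_ROOT_DIR) $(addprefix ${PKI_USER_CA_PATH},${USERS}):
	@echo -en "\tCreating dirs $@ : "; mkdir -p $@ && $(output)

$(PKI_SERVER_CONFIG): export PKI_SERVER_CONFIG_CONTENT:=\
	${PKI_SERVER_CONFIG_CONTENT}
$(PKI_SERVER_CONFIG): | $(PKI_CERTS_MACHINE_ROOT_DIR)
	@echo -en "\tTemplating $@ : "; echo "$${PKI_SERVER_CONFIG_CONTENT}" > $@ \
		&& $(output)

$(addsuffix .key.pem, $(SERVERS_LIST)): | $(PKI_SERVER_CONFIG) \
		$(addprefix ${PKI_SERVER_CA_PATH},${SERVERS})
	@echo -en "\tGenerating $@ : "; umask 077 && openssl genrsa -out $@ \
		${PKI_SERVER_KEY_STRENGTH} 2> /dev/null && $(output)
	@chmod ${PKI_SERVER_KEY_MODE} $@

# The CN is the basename of the CSR target (e.g. <dir>/host.csr.pem -> host).
$(addsuffix .csr.pem, $(SERVERS_LIST)): | $(addsuffix .key.pem, $(SERVERS_LIST))
	@echo -en "\tEmitting CSR $@ : "; openssl req -config ${PKI_SERVER_CONFIG} \
		-subj "${PKI_COMMON_FIELDS}/CN=$(notdir $(@:.csr.pem=))" \
		-key ${@:.csr.pem=.key.pem} -new -${PKI_HASH_TYPE} -out $@ && $(output)

# Leaf certificates use order-only prerequisites on purpose: a newer CSR or
# chain must not silently re-sign an already issued certificate.
$(addsuffix .cert.pem, $(SERVERS_LIST)): | \
		$(addsuffix .csr.pem, $(SERVERS_LIST)) $(PKI_INTERMEDIATE_CERT) \
		$(PKI_INTERMEDIATE_CHAIN)
	@echo -en "\tSigning $@ : "; openssl ca -batch -config \
		${PKI_INTERMEDIATE_CONFIG} -extensions server_cert -days \
		${PKI_SERVER_CERT_DAYS} -notext -md ${PKI_HASH_TYPE} \
		-in $(@:.cert.pem=.csr.pem) -out $@ 2> /dev/null && $(output)
	@chmod ${PKI_SERVER_CERT_MODE} $@
	@echo -en "\tVerifying $@ : "; openssl verify -CAfile \
		${PKI_INTERMEDIATE_CHAIN} $@ > /dev/null && $(output)

### USERS ###
# NOTE(review): the user config is templated from PKI_SERVER_CONFIG_CONTENT,
# not from a PKI_USER_CONFIG_CONTENT; confirm this is intended — the template
# must contain the usr_cert extension section used when signing below.
$(PKI_USER_CONFIG): export PKI_USER_CONFIG_CONTENT:=\
	${PKI_SERVER_CONFIG_CONTENT}
$(PKI_USER_CONFIG): | $(PKI_CERTS_USER_ROOT_DIR)
	@echo -en "\tTemplating $@ : "; echo "$${PKI_USER_CONFIG_CONTENT}" > $@ && \
		$(output)

$(addsuffix .key.pem, $(USERS_LIST)): | $(PKI_USER_CONFIG) \
		$(addprefix ${PKI_USER_CA_PATH},${USERS})
	@echo -en "\tGenerating $@ : "; umask 077 && openssl genrsa -out $@ \
		${PKI_USER_KEY_STRENGTH} 2> /dev/null && $(output)
	@chmod ${PKI_USER_KEY_MODE} $@

$(addsuffix .csr.pem, $(USERS_LIST)): | $(addsuffix .key.pem, $(USERS_LIST))
	@echo -en "\tEmitting CSR $@ : "; openssl req -config ${PKI_USER_CONFIG} \
		-subj "${PKI_COMMON_FIELDS}/CN=$(notdir $(@:.csr.pem=))" \
		-key ${@:.csr.pem=.key.pem} -new -${PKI_HASH_TYPE} -out $@ && $(output)

$(addsuffix .cert.pem, $(USERS_LIST)): | $(addsuffix .csr.pem, $(USERS_LIST)) \
		$(PKI_INTERMEDIATE_CERT) $(PKI_INTERMEDIATE_CHAIN)
	@echo -en "\tSigning $@ : "; openssl ca -batch -config \
		${PKI_INTERMEDIATE_CONFIG} -extensions usr_cert \
		-days ${PKI_USER_CERT_DAYS} -notext -md ${PKI_HASH_TYPE} \
		-in $(@:.cert.pem=.csr.pem) -out $@ 2> /dev/null && $(output)
	@chmod ${PKI_USER_CERT_MODE} $@
	@echo -en "\tVerifying $@ : "; openssl verify -CAfile \
		${PKI_INTERMEDIATE_CHAIN} $@ > /dev/null && $(output)

# Revoke one certificate issued by the intermediate CA:
#   make revoke TO_REVOKE=<pattern matched against index.txt>
# The serial is taken from the intermediate CA's index.txt. Only "V" (valid)
# entries are considered — on an "R" line the third field is the revocation
# date, not the serial — and exactly one entry must match, so an empty or
# ambiguous pattern can never revoke the wrong certificate.
revoke:
	$(if $(strip $(TO_REVOKE)),,$(error TO_REVOKE is empty: make revoke TO_REVOKE=<name>))
	@SERIAL=$$(grep -- '${TO_REVOKE}' ${PKI_INTERMEDIATE_CA_NAME}/index.txt | \
		awk '$$1 == "V" {print $$3}'); \
	if [ -z "$$SERIAL" ]; then \
		echo "No valid certificate matches '${TO_REVOKE}'"; exit 1; fi; \
	if [ $$(echo $$SERIAL | wc -w) -ne 1 ]; then \
		echo "'${TO_REVOKE}' is ambiguous, matching serials: $$SERIAL"; exit 1; fi; \
	echo -en "Press [ENTER] to revoke ${TO_REVOKE} (serial $$SERIAL) :" && read && \
	openssl ca -config ${PKI_INTERMEDIATE_CONFIG} \
		-revoke ${PKI_INTERMEDIATE_CA_NAME}/newcerts/$$SERIAL.pem

# Destroys the whole PKI after confirmation. Refuses to run if any of the
# directory variables is unset, so `rm -rf` can never see a stray argument.
clean:
	$(foreach d,PKI_CERTS_CA_ROOT_DIR PKI_INTERMEDIATE_CA_ROOT_DIR \
		PKI_CERTS_MACHINE_ROOT_DIR PKI_CERTS_USER_ROOT_DIR,\
		$(if $(strip $($(d))),,$(error $(d) is empty, refusing to clean)))
	@echo -e "\033[31mWARNING - ALL THE PKI WILL BE DELETED - WARNING\033[0m"
	@echo -en "Press [ENTER] to delete the PKI : "; read
	@rm -rf ${PKI_CERTS_CA_ROOT_DIR} ${PKI_INTERMEDIATE_CA_ROOT_DIR} \
		${PKI_CERTS_MACHINE_ROOT_DIR} ${PKI_CERTS_USER_ROOT_DIR}
	@echo -e "PKI deleted"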