diff options
Diffstat (limited to 'tools/genssl')
| -rwxr-xr-x | tools/genssl | 156 |
1 files changed, 156 insertions, 0 deletions
diff --git a/tools/genssl b/tools/genssl new file mode 100755 index 000000000..e4d5bf1f4 --- /dev/null +++ b/tools/genssl @@ -0,0 +1,156 @@ +#!/usr/bin/env perl +# +# InspIRCd -- Internet Relay Chat Daemon +# +# Copyright (C) 2007 Dennis Friis <peavey@inspircd.org> +# Copyright (C) 2007 Craig Edwards <craigedwards@brainbox.cc> +# Copyright (C) 2013 Peter Powell <petpow@saberuk.com> +# +# This file is part of InspIRCd. InspIRCd is free software: you can +# redistribute it and/or modify it under the terms of the GNU General Public +# License as published by the Free Software Foundation, version 2. +# +# This program is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more +# details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + + +BEGIN { + require 5.10.0; +} + +use feature ':5.10'; +use strict; +use warnings FATAL => qw(all); + +use File::Temp(); + +# IMPORTANT: This script has to be able to run by itself so that it can be used +# by binary distributions where the make/console.pm module will not +# be available! + +sub prompt($$) { + my ($question, $default) = @_; + return prompt_string(1, $question, $default) if eval 'use FindBin;use lib $FindBin::RealDir;use make::console; 1'; + say $question; + print "[$default] => "; + chomp(my $answer = <STDIN>); + say ''; + return $answer ? $answer : $default; +} + +if ($#ARGV != 0 || $ARGV[0] !~ /^(?:auto|gnutls|openssl)$/i) { + say STDERR "Usage: $0 <auto|gnutls|openssl>"; + exit 1; +} + +# On OS X the GnuTLS certtool is prefixed to avoid collision with the system certtool. +my $certtool = $^O eq 'darwin' ? 'gnutls-certtool' : 'certtool'; + +# Check whether the user has the required tools installed. +my $has_gnutls = `$certtool --version v 2>/dev/null`; +my $has_openssl = !system 'openssl version >/dev/null 2>&1'; + +# The framework the user has specified. +my $tool = lc $ARGV[0]; + +# If the user has not explicitly specified a framework then detect one. +if ($tool eq 'auto') { + if ($has_gnutls) { + $tool = 'gnutls'; + } elsif ($has_openssl) { + $tool = 'openssl'; + } else { + say STDERR "SSL generation failed: could not find $certtool or openssl in the PATH!"; + exit 1; + } +} elsif ($tool eq 'gnutls' && !$has_gnutls) { + say STDERR "SSL generation failed: could not find '$certtool' in the PATH!"; + exit 1; +} elsif ($tool eq 'openssl' && !$has_openssl) { + say STDERR 'SSL generation failed: could not find \'openssl\' in the PATH!'; + exit 1; +} + +# Harvest information needed to generate the certificate. +my $common_name = prompt('What is the hostname of your server?', 'irc.example.com'); +my $email = prompt('What email address can you be contacted at?', 'example@example.com'); +my $unit = prompt('What is the name of your unit?', 'Server Admins'); +my $organization = prompt('What is the name of your organization?', 'Example IRC Network'); +my $city = prompt('What city are you located in?', 'Example City'); +my $state = prompt('What state are you located in?', 'Example State'); +my $country = prompt('What is the ISO 3166-1 code for the country you are located in?', 'XZ'); +my $days = prompt('How many days do you want your certificate to be valid for?', '365'); + +# Contains the SSL certificate in DER form. +my $dercert; + +# Contains the exit code of openssl/gnutls-certtool. +my $status = 0; + +if ($tool eq 'gnutls') { + $has_gnutls =~ /certtool.+?(\d+\.\d+)/; + my $sec_param = $1 lt '2.10' ? '--bits 2048' : '--sec-param normal'; + my $tmp = new File::Temp(); + print $tmp <<__GNUTLS_END__; +cn = "$common_name" +email = "$email" +unit = "$unit" +organization = "$organization" +locality = "$city" +state = "$state" +country = "$country" +expiration_days = $days +tls_www_client +tls_www_server +signing_key +encryption_key +cert_signing_key +crl_signing_key +code_signing_key +ocsp_signing_key +time_stamping_key +__GNUTLS_END__ + close($tmp); + $status ||= system "$certtool --generate-privkey $sec_param --outfile key.pem"; + $status ||= system "$certtool --generate-self-signed --load-privkey key.pem --outfile cert.pem --template $tmp"; + $status ||= system "$certtool --generate-request --load-privkey key.pem --outfile csr.pem --template $tmp"; + $status ||= system "$certtool --generate-dh-params $sec_param --outfile dhparams.pem"; + $dercert = `$certtool --certificate-info --infile cert.pem --outder` unless $status; +} elsif ($tool eq 'openssl') { + my $tmp = new File::Temp(); + print $tmp <<__OPENSSL_END__; +$country +$state +$city +$organization +$unit +$common_name +$email +. +$organization +__OPENSSL_END__ + close($tmp); + $status ||= system "cat $tmp | openssl req -x509 -nodes -newkey rsa:2048 -keyout key.pem -out cert.pem -days $days 2>/dev/null"; + $status ||= system "cat $tmp | openssl req -new -nodes -key key.pem -out csr.pem 2>/dev/null"; + $status ||= system 'openssl dhparam -out dhparams.pem 2048'; + $dercert = `openssl x509 -in cert.pem -outform DER` unless $status; +} + +if ($status) { + say STDERR "SSL generation failed: $tool exited with a non-zero status!"; + exit 1; +} + +if (defined $dercert && eval 'use Digest::SHA; 1') { + my $hash = Digest::SHA->new(256); + $hash->add($dercert); + say ''; + say 'If you are using the self-signed certificate then add this TLSA record to your domain for DANE support:'; + say "_6697._tcp." . $common_name . " TLSA 3 0 1 " . $hash->hexdigest; +} |