X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=tools%2Fgenssl;h=e4d5bf1f40b11190cb4351963b0829bd528d3ceb;hb=02497bfa999da26c19a92d8620c35bb97f1da711;hp=26f4f76c5d0df0f1cf9cb6c1160c9c5e030d0eed;hpb=e244cb2c63b1ac1d85bdbb4691f7b1bd940ae804;p=user%2Fhenk%2Fcode%2Finspircd.git diff --git a/tools/genssl b/tools/genssl index 26f4f76c5..e4d5bf1f4 100755 --- a/tools/genssl +++ b/tools/genssl @@ -21,29 +21,31 @@ BEGIN { - require 5.8.0; + require 5.10.0; } +use feature ':5.10'; use strict; use warnings FATAL => qw(all); use File::Temp(); # IMPORTANT: This script has to be able to run by itself so that it can be used -# by binary distributions where the make/utilities.pm module will not +# by binary distributions where the make/console.pm module will not # be available! sub prompt($$) { my ($question, $default) = @_; - print "$question\n"; + return prompt_string(1, $question, $default) if eval 'use FindBin;use lib $FindBin::RealDir;use make::console; 1'; + say $question; print "[$default] => "; chomp(my $answer = ); - print "\n"; + say ''; return $answer ? $answer : $default; } if ($#ARGV != 0 || $ARGV[0] !~ /^(?:auto|gnutls|openssl)$/i) { - print "Syntax: genssl \n"; + say STDERR "Usage: $0 "; exit 1; } @@ -51,7 +53,7 @@ if ($#ARGV != 0 || $ARGV[0] !~ /^(?:auto|gnutls|openssl)$/i) { my $certtool = $^O eq 'darwin' ? 'gnutls-certtool' : 'certtool'; # Check whether the user has the required tools installed. -my $has_gnutls = !system "$certtool --version >/dev/null 2>&1"; +my $has_gnutls = `$certtool --version v 2>/dev/null`; my $has_openssl = !system 'openssl version >/dev/null 2>&1'; # The framework the user has specified. @@ -64,14 +66,14 @@ if ($tool eq 'auto') { } elsif ($has_openssl) { $tool = 'openssl'; } else { - print STDERR "SSL generation failed: could not find $certtool or openssl in the PATH!\n"; + say STDERR "SSL generation failed: could not find $certtool or openssl in the PATH!"; exit 1; } } elsif ($tool eq 'gnutls' && !$has_gnutls) { - print STDERR "SSL generation failed: could not find '$certtool' in the PATH!\n"; + say STDERR "SSL generation failed: could not find '$certtool' in the PATH!"; exit 1; } elsif ($tool eq 'openssl' && !$has_openssl) { - print STDERR "SSL generation failed: could not find 'openssl' in the PATH!\n"; + say STDERR 'SSL generation failed: could not find \'openssl\' in the PATH!'; exit 1; } @@ -85,10 +87,15 @@ my $state = prompt('What state are you located in?', 'Example State'); my $country = prompt('What is the ISO 3166-1 code for the country you are located in?', 'XZ'); my $days = prompt('How many days do you want your certificate to be valid for?', '365'); +# Contains the SSL certificate in DER form. +my $dercert; + # Contains the exit code of openssl/gnutls-certtool. my $status = 0; if ($tool eq 'gnutls') { + $has_gnutls =~ /certtool.+?(\d+\.\d+)/; + my $sec_param = $1 lt '2.10' ? '--bits 2048' : '--sec-param normal'; my $tmp = new File::Temp(); print $tmp <<__GNUTLS_END__; cn = "$common_name" @@ -110,9 +117,11 @@ ocsp_signing_key time_stamping_key __GNUTLS_END__ close($tmp); - $status ||= system "$certtool --generate-privkey --outfile key.pem"; + $status ||= system "$certtool --generate-privkey $sec_param --outfile key.pem"; $status ||= system "$certtool --generate-self-signed --load-privkey key.pem --outfile cert.pem --template $tmp"; - $status ||= system "$certtool --generate-dh-params --bits 2048 --outfile dhparams.pem"; + $status ||= system "$certtool --generate-request --load-privkey key.pem --outfile csr.pem --template $tmp"; + $status ||= system "$certtool --generate-dh-params $sec_param --outfile dhparams.pem"; + $dercert = `$certtool --certificate-info --infile cert.pem --outder` unless $status; } elsif ($tool eq 'openssl') { my $tmp = new File::Temp(); print $tmp <<__OPENSSL_END__; @@ -123,13 +132,25 @@ $organization $unit $common_name $email +. +$organization __OPENSSL_END__ close($tmp); $status ||= system "cat $tmp | openssl req -x509 -nodes -newkey rsa:2048 -keyout key.pem -out cert.pem -days $days 2>/dev/null"; + $status ||= system "cat $tmp | openssl req -new -nodes -key key.pem -out csr.pem 2>/dev/null"; $status ||= system 'openssl dhparam -out dhparams.pem 2048'; + $dercert = `openssl x509 -in cert.pem -outform DER` unless $status; } if ($status) { - print STDERR "SSL generation failed: $tool exited with a non-zero status!\n"; + say STDERR "SSL generation failed: $tool exited with a non-zero status!"; exit 1; } + +if (defined $dercert && eval 'use Digest::SHA; 1') { + my $hash = Digest::SHA->new(256); + $hash->add($dercert); + say ''; + say 'If you are using the self-signed certificate then add this TLSA record to your domain for DANE support:'; + say "_6697._tcp." . $common_name . " TLSA 3 0 1 " . $hash->hexdigest; +}