author | Attila Molnar <attilamolnar@hush.com> | 2013-04-02 10:28:04 -0700 |
---|---|---|
committer | Attila Molnar <attilamolnar@hush.com> | 2013-04-02 10:28:04 -0700 |
commit | 39d7c35914268555edc86afd7e68fa30255a30aa (patch) | |
tree | ce7d139c4cd49ede4a4d851bab146be1b5c41a6c | |
parent | 26e7bb0b9a17a595d9935a1cae41b44504ad213e (diff) | |
parent | 448c50fa4d344fb05a6ffdfec9a21d980ea3ab99 (diff) |
Merge pull request #456 from SaberUK/master+genssl
Extract SSL generation to a tool which can be shipped by distros.
-rwxr-xr-x | configure | 10 | ||||
-rw-r--r-- | make/gnutlscert.pm | 147 | ||||
-rw-r--r-- | make/opensslcert.pm | 61 | ||||
-rw-r--r-- | make/template/main.mk | 1 | ||||
-rwxr-xr-x | tools/genssl | 109 |
5 files changed, 114 insertions, 214 deletions
@@ -47,8 +47,6 @@ use Getopt::Long; # Utility functions for our buildsystem use make::utilities; use make::configure; -use make::gnutlscert; -use make::opensslcert; ############################################################################################### # @@ -102,8 +100,8 @@ GetOptions ( 'list-extras' => sub { list_extras; exit 0; }, # This, --enable-extras, and --disable-extras are for non-interactive managing. 'enable-extras=s@' => \@opt_enableextras, # ^ 'disable-extras=s@' => \@opt_disableextras, # ^ - 'generate-openssl-cert' => sub { make_openssl_cert(); exit(0); }, - 'generate-gnutls-cert' => sub { make_gnutls_cert(); exit(0); } + 'generate-openssl-cert' => sub { exec './tools/genssl openssl'; }, + 'generate-gnutls-cert' => sub { exec './tools/genssl gnutls'; } ); if (scalar(@opt_enableextras) + scalar(@opt_disableextras) > 0) { @@ -692,7 +690,7 @@ if ($config{USE_GNUTLS} eq "y") { * few times and get that HD going :) Then answer the * * Questions which follow. If you are unsure, just hit enter * *************************************************************\n\n"; - $failed = make_gnutls_cert(); + $failed = system "./tools/genssl gnutls"; if ($failed) { print "\n\e[1;32mCertificate generation failed!\e[0m\n\n"; } else { @@ -726,7 +724,7 @@ if ($config{USE_OPENSSL} eq "y") { * Generating the certificates may take some time, go grab a * * coffee, or something. * *************************************************************\n\n"; - make_openssl_cert(); + system "./tools/genssl openssl"; print "\nCertificate generation complete, copying to config directory... "; File::Copy::move("key.pem", "$config{CONFIG_DIR}/key.pem") or print STDERR "Could not copy key.pem!\n"; File::Copy::move("cert.pem", "$config{CONFIG_DIR}/cert.pem") or print STDERR "Could not copy cert.pem!\n"; diff --git a/make/gnutlscert.pm b/make/gnutlscert.pm deleted file mode 100644 index a67be0cfd..000000000 --- a/make/gnutlscert.pm +++ /dev/null 
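Review bot: In the `@@ -726` hunk the new `system "./tools/genssl openssl";` discards the exit status, so when genssl fails (it prints "SSL generation failed!" and exits 1 if the openssl binary is missing) configure still announces "Certificate generation complete" and `File::Copy::move`s whatever key.pem/cert.pem happen to be lying in the working directory. The sibling gnutls hunk captures `$failed = system "./tools/genssl gnutls";` and branches on it; this one should do the same, e.g. `my $failed = system "./tools/genssl openssl";` and skip the moves when `$failed` is set. The `exec './tools/genssl openssl'` handlers in the GetOptions hunk also lack an `or die`: if exec fails (for instance when configure is not invoked from the source root, since the path is relative) control silently falls back into option parsing, so `exec './tools/genssl openssl' or die "Could not run tools/genssl: $!";` would surface the error. The enclosing `if` blocks and the rest of the option table continue outside these hunks.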
@@ -1,147 +0,0 @@ -# -# InspIRCd -- Internet Relay Chat Daemon -# -# Copyright (C) 2007 Dennis Friis <peavey@inspircd.org> -# Copyright (C) 2007 Craig Edwards <craigedwards@brainbox.cc> -# -# This file is part of InspIRCd. InspIRCd is free software: you can -# redistribute it and/or modify it under the terms of the GNU General Public -# License as published by the Free Software Foundation, version 2. -# -# This program is distributed in the hope that it will be useful, but WITHOUT -# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS -# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more -# details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. -# - - -package make::gnutlscert; - -require 5.8.0; - -use strict; -use warnings FATAL => qw(all); - -use Exporter 'import'; -use make::configure; -our @EXPORT = qw(make_gnutls_cert); - - -sub make_gnutls_cert() -{ - open (FH, ">certtool.template"); - my $timestr = time(); - my $org = promptstring_s("Please enter the organization name", "My IRC Network"); - my $unit = promptstring_s("Please enter the unit Name", "Server Admins"); - my $state = promptstring_s("Please enter your state (two letter code)", "CA"); - my $country = promptstring_s("Please enter your country", "Oompa Loompa Land"); - my $commonname = promptstring_s("Please enter the certificate common name (hostname)", "irc.mynetwork.com"); - my $email = promptstring_s("Please enter a contact email address", "oompa\@loompa.com"); - print FH <<__END__; -# X.509 Certificate options -# -# DN options - -# The organization of the subject. -organization = "$org" - -# The organizational unit of the subject. -unit = "$unit" - -# The locality of the subject. -# locality = - -# The state of the certificate owner. -state = "$state" - -# The country of the subject. Two letter code. 
-country = $country - -# The common name of the certificate owner. -cn = "$commonname" - -# A user id of the certificate owner. -#uid = "clauper" - -# If the supported DN OIDs are not adequate you can set -# any OID here. -# For example set the X.520 Title and the X.520 Pseudonym -# by using OID and string pairs. -#dn_oid = "2.5.4.12" "Dr." "2.5.4.65" "jackal" - -# This is deprecated and should not be used in new -# certificates. -# pkcs9_email = "none\@none.org" - -# The serial number of the certificate -serial = $timestr - -# In how many days, counting from today, this certificate will expire. -expiration_days = 700 - -# X.509 v3 extensions - -# A dnsname in case of a WWW server. -#dns_name = "www.none.org" - -# An IP address in case of a server. -#ip_address = "192.168.1.1" - -# An email in case of a person -email = "$email" - -# An URL that has CRLs (certificate revocation lists) -# available. Needed in CA certificates. -#crl_dist_points = "http://www.getcrl.crl/getcrl/" - -# Whether this is a CA certificate or not -#ca - -# Whether this certificate will be used for a TLS client -tls_www_client - -# Whether this certificate will be used for a TLS server -tls_www_server - -# Whether this certificate will be used to sign data (needed -# in TLS DHE ciphersuites). -signing_key - -# Whether this certificate will be used to encrypt data (needed -# in TLS RSA ciphersuites). Note that it is prefered to use different -# keys for encryption and signing. -encryption_key - -# Whether this key will be used to sign other certificates. -cert_signing_key - -# Whether this key will be used to sign CRLs. -crl_signing_key - -# Whether this key will be used to sign code. -code_signing_key - -# Whether this key will be used to sign OCSP data. -ocsp_signing_key - -# Whether this key will be used for time stamping. 
-time_stamping_key -__END__ -close(FH); -my $certtool = "certtool"; -if (`uname -s` eq "Darwin\n") { - # On OS X the certtool binary name is different to prevent - # collisions with the system certtool from NSS. - $certtool = "gnutls-certtool"; -} -if ( (my $status = system("$certtool --generate-privkey --outfile key.pem")) ne 0) { return 1; } -if ( (my $status = system("$certtool --generate-self-signed --load-privkey key.pem --outfile cert.pem --template certtool.template")) ne 0) { return 1; } -unlink("certtool.template"); -return 0; -} - -1; - diff --git a/make/opensslcert.pm b/make/opensslcert.pm deleted file mode 100644 index fd7bd6998..000000000 --- a/make/opensslcert.pm +++ /dev/null 
@@ -1,61 +0,0 @@ -# -# InspIRCd -- Internet Relay Chat Daemon -# -# Copyright (C) 2007 Dennis Friis <peavey@inspircd.org> -# Copyright (C) 2007 Craig Edwards <craigedwards@brainbox.cc> -# -# This file is part of InspIRCd. InspIRCd is free software: you can -# redistribute it and/or modify it under the terms of the GNU General Public -# License as published by the Free Software Foundation, version 2. -# -# This program is distributed in the hope that it will be useful, but WITHOUT -# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS -# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more -# details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. -# - - -package make::opensslcert; - -require 5.8.0; - -use strict; -use warnings FATAL => qw(all); - -use Exporter 'import'; -use make::configure; -our @EXPORT = qw(make_openssl_cert); - - -sub make_openssl_cert() -{ - open (FH, ">openssl.template"); - my $org = promptstring_s("Please enter the organization name", "My IRC Network"); - my $unit = promptstring_s("Please enter the unit Name", "Server Admins"); - my $country = promptstring_s("Please enter your country (two letter code)", "US"); - my $state = promptstring_s("Please enter your state or locality name", "Alaska"); - my $city = promptstring_s("Please enter your city", "Factory Town"); - my $email = promptstring_s("Please enter a contact email address", "oompa\@loompa.com"); - my $commonname = promptstring_s("Please enter the common name (domain name) of the irc server", "example.inspircd.org"); - print FH <<__END__; -$country -$state -$city -$org -$unit -$commonname -$email -__END__ -close(FH); - -my $time = promptstring_s("Please enter the number of days that this certificate is valid for","365"); - -system("cat openssl.template | openssl req -x509 -nodes -newkey rsa:1024 -keyout key.pem -out cert.pem -days $time 
2>/dev/null"); -system("openssl dhparam -out dhparams.pem 1024"); -unlink("openssl.template"); -} - -1; diff --git a/make/template/main.mk b/make/template/main.mk index 17e15f53a..32b7e4803 100644 --- a/make/template/main.mk +++ b/make/template/main.mk @@ -230,6 +230,7 @@ install: target [ $(BUILDPATH)/modules/ -ef $(MODPATH) ] || $(INSTALL) -m $(INSTMODE_LIB) $(BUILDPATH)/modules/*.so $(MODPATH) @ENDIF -$(INSTALL) -m $(INSTMODE_BIN) @STARTSCRIPT@ $(BASE) 2>/dev/null + -$(INSTALL) -m $(INSTMODE_BIN) tools/genssl $(BINPATH)/inspircd-genssl 2>/dev/null -$(INSTALL) -m $(INSTMODE_LIB) tools/gdbargs $(BASE)/.gdbargs 2>/dev/null -$(INSTALL) -m $(INSTMODE_LIB) docs/conf/*.example $(CONPATH)/examples -$(INSTALL) -m $(INSTMODE_LIB) docs/conf/aliases/*.example $(CONPATH)/examples/aliases diff --git a/tools/genssl b/tools/genssl new file mode 100755 index 000000000..6cd9fa716 --- /dev/null +++ b/tools/genssl 
@@ -0,0 +1,109 @@ +#!/usr/bin/env perl -w +# +# InspIRCd -- Internet Relay Chat Daemon +# +# Copyright (C) 2007 Dennis Friis <peavey@inspircd.org> +# Copyright (C) 2007 Craig Edwards <craigedwards@brainbox.cc> +# Copyright (C) 2013 Peter Powell <petpow@saberuk.com> +# +# This file is part of InspIRCd. InspIRCd is free software: you can +# redistribute it and/or modify it under the terms of the GNU General Public +# License as published by the Free Software Foundation, version 2. +# +# This program is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more +# details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + + +BEGIN { + require 5.8.0; +} + +use strict; +use warnings FATAL => qw(all); + +use File::Temp(); + +# IMPORTANT: This script has to be able to run by itself so that it can be used +# by binary distributions where the make/utilities.pm module will not +# be available! + +sub prompt($$) { + my ($question, $default) = @_; + print "$question\n"; + print "[$default] => "; + chomp(my $answer = <STDIN>); + print "\n"; + return $answer ? 
$answer : $default; +} + +if ($#ARGV != 0 || $ARGV[0] !~ /gnutls|openssl/i) { + print "Syntax: genssl <gnutls|openssl>\n"; + exit 1; +} + +my $common_name = prompt('What is the hostname of your server?', 'irc.example.com'); +my $email = prompt('What email address can you be contacted at?', 'example@example.com'); +my $unit = prompt('What is the name of your unit?', 'Server Admins'); +my $organization = prompt('What is the name of your organization?', 'Example IRC Network'); +my $city = prompt('What city are you located in?', 'Example City'); +my $state = prompt('What state are you located in?', 'Example State'); +my $country = prompt('What is the ISO 3166-1 code for the country you are located in?', 'XZ'); +my $days = prompt('How many days do you want your certificate to be valid for?', '365'); + +# Contains the exit code of openssl/gnutls-certtool. +my $status = 0; + +if (lc $ARGV[0] eq 'gnutls') { + my $tmp = new File::Temp(); + print $tmp <<__GNUTLS_END__; +cn = "$common_name" +email = "$email" +unit = "$unit" +organization = "$organization" +locality = "$city" +state = "$state" +country = "$country" +expiration_days = $days +tls_www_client +tls_www_server +signing_key +encryption_key +cert_signing_key +crl_signing_key +code_signing_key +ocsp_signing_key +time_stamping_key +__GNUTLS_END__ + close($tmp); + my $certtool = `uname -s` eq "Darwin\n" ? 
'gnutls-certtool' : 'certtool'; + $status ||= system "$certtool --version >/dev/null 2>1"; + $status ||= system "$certtool --generate-privkey --outfile key.pem"; + $status ||= system "$certtool --generate-self-signed --load-privkey key.pem --outfile cert.pem --template $tmp"; +} elsif (lc $ARGV[0] eq 'openssl') { + my $tmp = new File::Temp(); + print $tmp <<__OPENSSL_END__; +$country +$state +$city +$organization +$unit +$common_name +$email +__OPENSSL_END__ + close($tmp); + $status ||= system 'openssl version >/dev/null 2>1'; + $status ||= system "cat $tmp | openssl req -x509 -nodes -newkey rsa:2048 -keyout key.pem -out cert.pem -days $days 2>/dev/null"; + $status ||= system 'openssl dhparam -out dhparams.pem 2048'; +} + +if ($status) { + print "SSL generation failed! Are you missing an $ARGV[0] binary package?\n"; + exit 1; +} + |
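Review bot: Both `--version` probes use `>/dev/null 2>1`, which redirects stderr to a file literally named `1` in the working directory instead of merging it into stdout; it should read `2>&1` (e.g. `$status ||= system 'openssl version >/dev/null 2>&1';`). The shebang `#!/usr/bin/env perl -w` also looks fragile: on Linux the kernel passes everything after the interpreter path as a single argument, so env is asked for a program named `perl -w`, and the `-w` is redundant with `use warnings FATAL => qw(all)` anyway, so `#!/usr/bin/env perl` is the safer form. `$days` is taken from the prompt and interpolated unchecked into the `openssl req ... -days $days` shell string and into the GnuTLS template; a guard after the prompt such as `die "Invalid number of days: $days\n" unless $days =~ /^\d+$/;` avoids shell-metacharacter surprises and a confusing tool error. Whether key.pem ends up world-readable depends on the tool and the caller's umask, so an explicit `chmod 0600, 'key.pem';` on success would make the private key's permissions deterministic.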