inspircd/tools/genssl

#!/usr/bin/env perl
#
# InspIRCd -- Internet Relay Chat Daemon
#
#   Copyright (C) 2007 Dennis Friis <peavey@inspircd.org>
#   Copyright (C) 2007 Craig Edwards <craigedwards@brainbox.cc>
#   Copyright (C) 2013 Peter Powell <petpow@saberuk.com>
#
# This file is part of InspIRCd.  InspIRCd is free software: you can
# redistribute it and/or modify it under the terms of the GNU General Public
# License as published by the Free Software Foundation, version 2.
#
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
# details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#


BEGIN {
	require 5.8.0;
}

use strict;
use warnings FATAL => qw(all);

use File::Temp();

# IMPORTANT: This script has to be able to run by itself so that it can be used
#            by binary distributions where the make/utilities.pm module will not
#            be available!

sub prompt($$) {
	my ($question, $default) = @_;
	print "$question\n";
	print "[$default] => ";
	chomp(my $answer = <STDIN>);
	print "\n";
	return $answer ? $answer : $default;
}

if ($#ARGV != 0 || $ARGV[0] !~ /^(?:auto|gnutls|openssl)$/i) {
	print "Syntax: genssl <auto|gnutls|openssl>\n";
	exit 1;
}

# On OS X the GnuTLS certtool is prefixed to avoid collision with the system certtool.
my $certtool = $^O eq 'darwin' ? 'gnutls-certtool' : 'certtool';

# Check whether the user has the required tools installed.
my $has_gnutls = !system "$certtool --version >/dev/null 2>&1";
my $has_openssl = !system 'openssl version >/dev/null 2>&1';

# The framework the user has specified.
my $tool = lc $ARGV[0];

# If the user has not explicitly specified a framework then detect one.
if ($tool eq 'auto') {
	if ($has_gnutls) {
		$tool = 'gnutls';
	} elsif ($has_openssl) {
		$tool = 'openssl';
	} else {
		print STDERR "SSL generation failed: could not find $certtool or openssl in the PATH!\n";
		exit 1;
	}
} elsif ($tool eq 'gnutls' && !$has_gnutls) {
	print STDERR "SSL generation failed: could not find '$certtool' in the PATH!\n";
	exit 1;
} elsif ($tool eq 'openssl' && !$has_openssl) {
	print STDERR "SSL generation failed: could not find 'openssl' in the PATH!\n";
	exit 1;
}

# Harvest information needed to generate the certificate.
my $common_name = prompt('What is the hostname of your server?', 'irc.example.com');
my $email = prompt('What email address can you be contacted at?', 'example@example.com');
my $unit = prompt('What is the name of your unit?', 'Server Admins');
my $organization = prompt('What is the name of your organization?', 'Example IRC Network');
my $city = prompt('What city are you located in?', 'Example City');
my $state = prompt('What state are you located in?', 'Example State');
my $country = prompt('What is the ISO 3166-1 code for the country you are located in?', 'XZ');
my $days = prompt('How many days do you want your certificate to be valid for?', '365');

# Contains the SSL certificate in DER form.
my $dercert;

# Contains the exit code of openssl/gnutls-certtool.
my $status = 0;

if ($tool eq 'gnutls') {
	my $tmp = new File::Temp();
	print $tmp <<__GNUTLS_END__;
cn              = "$common_name"
email           = "$email"
unit            = "$unit"
organization    = "$organization"
locality        = "$city"
state           = "$state"
country         = "$country"
expiration_days = $days
tls_www_client
tls_www_server
signing_key
encryption_key
cert_signing_key
crl_signing_key
code_signing_key
ocsp_signing_key
time_stamping_key
__GNUTLS_END__
	close($tmp);
	$status ||= system "$certtool --generate-privkey --outfile key.pem";
	$status ||= system "$certtool --generate-self-signed --load-privkey key.pem --outfile cert.pem --template $tmp";
	$status ||= system "$certtool --generate-dh-params --bits 2048 --outfile dhparams.pem";
	$dercert = `$certtool --certificate-info --infile cert.pem --outder` unless $status;
} elsif ($tool eq 'openssl') {
	my $tmp = new File::Temp();
	print $tmp <<__OPENSSL_END__;
$country
$state
$city
$organization
$unit
$common_name
$email
__OPENSSL_END__
	close($tmp);
	$status ||= system "cat $tmp | openssl req -x509 -nodes -newkey rsa:2048 -keyout key.pem -out cert.pem -days $days 2>/dev/null";
	$status ||= system 'openssl dhparam -out dhparams.pem 2048';
	$dercert = `openssl x509 -in cert.pem -outform DER` unless $status;
}

if ($status) {
	print STDERR "SSL generation failed: $tool exited with a non-zero status!\n";
	exit 1;
}

if (defined $dercert && eval 'use Digest::SHA; 1') {
	my $hash = Digest::SHA->new(256);
	$hash->add($dercert);
	print "\nAdd this TLSA record to your domain for DANE support:\n";
	print "_6697._tcp." . $common_name . " TLSA 3 0 1 " . $hash->hexdigest . "\n";
}
Add support for generating dhparams with GnuTLS to genssl. 2013-04-08 19:22:46 +01:00			`#!/usr/bin/env perl`
Extract SSL generation to a tool which can be shipped by distros. 2013-04-02 16:30:11 +01:00			`#`
			`# InspIRCd -- Internet Relay Chat Daemon`
			`#`
			`# Copyright (C) 2007 Dennis Friis <peavey@inspircd.org>`
			`# Copyright (C) 2007 Craig Edwards <craigedwards@brainbox.cc>`
			`# Copyright (C) 2013 Peter Powell <petpow@saberuk.com>`
			`#`
			`# This file is part of InspIRCd. InspIRCd is free software: you can`
			`# redistribute it and/or modify it under the terms of the GNU General Public`
			`# License as published by the Free Software Foundation, version 2.`
			`#`
			`# This program is distributed in the hope that it will be useful, but WITHOUT`
			`# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS`
			`# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more`
			`# details.`
			`#`
			`# You should have received a copy of the GNU General Public License`
			`# along with this program. If not, see <http://www.gnu.org/licenses/>.`
			`#`


			`BEGIN {`
			`require 5.8.0;`
			`}`

			`use strict;`
			`use warnings FATAL => qw(all);`

			`use File::Temp();`

			`# IMPORTANT: This script has to be able to run by itself so that it can be used`
			`# by binary distributions where the make/utilities.pm module will not`
			`# be available!`

			`sub prompt($$) {`
			`my ($question, $default) = @_;`
			`print "$question\n";`
			`print "[$default] => ";`
			`chomp(my $answer = <STDIN>);`
			`print "\n";`
			`return $answer ? $answer : $default;`
			`}`

Add 'auto' option to genssl to automatically select a generator. 2013-07-27 04:56:35 +01:00			`if ($#ARGV != 0 \|\| $ARGV[0] !~ /^(?:auto\|gnutls\|openssl)$/i) {`
			`print "Syntax: genssl <auto\|gnutls\|openssl>\n";`
Extract SSL generation to a tool which can be shipped by distros. 2013-04-02 16:30:11 +01:00			`exit 1;`
			`}`

Add 'auto' option to genssl to automatically select a generator. 2013-07-27 04:56:35 +01:00			`# On OS X the GnuTLS certtool is prefixed to avoid collision with the system certtool.`
			`my $certtool = $^O eq 'darwin' ? 'gnutls-certtool' : 'certtool';`

			`# Check whether the user has the required tools installed.`
			`my $has_gnutls = !system "$certtool --version >/dev/null 2>&1";`
			`my $has_openssl = !system 'openssl version >/dev/null 2>&1';`

			`# The framework the user has specified.`
			`my $tool = lc $ARGV[0];`

			`# If the user has not explicitly specified a framework then detect one.`
			`if ($tool eq 'auto') {`
			`if ($has_gnutls) {`
			`$tool = 'gnutls';`
			`} elsif ($has_openssl) {`
			`$tool = 'openssl';`
			`} else {`
			`print STDERR "SSL generation failed: could not find $certtool or openssl in the PATH!\n";`
			`exit 1;`
			`}`
			`} elsif ($tool eq 'gnutls' && !$has_gnutls) {`
			`print STDERR "SSL generation failed: could not find '$certtool' in the PATH!\n";`
			`exit 1;`
			`} elsif ($tool eq 'openssl' && !$has_openssl) {`
			`print STDERR "SSL generation failed: could not find 'openssl' in the PATH!\n";`
			`exit 1;`
			`}`

			`# Harvest information needed to generate the certificate.`
Extract SSL generation to a tool which can be shipped by distros. 2013-04-02 16:30:11 +01:00			`my $common_name = prompt('What is the hostname of your server?', 'irc.example.com');`
			`my $email = prompt('What email address can you be contacted at?', 'example@example.com');`
			`my $unit = prompt('What is the name of your unit?', 'Server Admins');`
			`my $organization = prompt('What is the name of your organization?', 'Example IRC Network');`
			`my $city = prompt('What city are you located in?', 'Example City');`
			`my $state = prompt('What state are you located in?', 'Example State');`
			`my $country = prompt('What is the ISO 3166-1 code for the country you are located in?', 'XZ');`
			`my $days = prompt('How many days do you want your certificate to be valid for?', '365');`

Add support for generating DANE TLSA records to genssl. 2014-04-24 13:09:11 +01:00			`# Contains the SSL certificate in DER form.`
			`my $dercert;`

Extract SSL generation to a tool which can be shipped by distros. 2013-04-02 16:30:11 +01:00			`# Contains the exit code of openssl/gnutls-certtool.`
			`my $status = 0;`

Add 'auto' option to genssl to automatically select a generator. 2013-07-27 04:56:35 +01:00			`if ($tool eq 'gnutls') {`
Extract SSL generation to a tool which can be shipped by distros. 2013-04-02 16:30:11 +01:00			`my $tmp = new File::Temp();`
			`print $tmp <<__GNUTLS_END__;`
			`cn = "$common_name"`
			`email = "$email"`
			`unit = "$unit"`
			`organization = "$organization"`
			`locality = "$city"`
			`state = "$state"`
			`country = "$country"`
			`expiration_days = $days`
			`tls_www_client`
			`tls_www_server`
			`signing_key`
			`encryption_key`
			`cert_signing_key`
			`crl_signing_key`
			`code_signing_key`
			`ocsp_signing_key`
			`time_stamping_key`
			`__GNUTLS_END__`
			`close($tmp);`
			`$status \|\|= system "$certtool --generate-privkey --outfile key.pem";`
			`$status \|\|= system "$certtool --generate-self-signed --load-privkey key.pem --outfile cert.pem --template $tmp";`
Add support for generating dhparams with GnuTLS to genssl. 2013-04-08 19:22:46 +01:00			`$status \|\|= system "$certtool --generate-dh-params --bits 2048 --outfile dhparams.pem";`
Add support for generating DANE TLSA records to genssl. 2014-04-24 13:09:11 +01:00			$dercert = `$certtool --certificate-info --infile cert.pem --outder` unless $status;
Add 'auto' option to genssl to automatically select a generator. 2013-07-27 04:56:35 +01:00			`} elsif ($tool eq 'openssl') {`
Extract SSL generation to a tool which can be shipped by distros. 2013-04-02 16:30:11 +01:00			`my $tmp = new File::Temp();`
			`print $tmp <<__OPENSSL_END__;`
			`$country`
			`$state`
			`$city`
			`$organization`
			`$unit`
			`$common_name`
			`$email`
			`__OPENSSL_END__`
			`close($tmp);`
			`$status \|\|= system "cat $tmp \| openssl req -x509 -nodes -newkey rsa:2048 -keyout key.pem -out cert.pem -days $days 2>/dev/null";`
			`$status \|\|= system 'openssl dhparam -out dhparams.pem 2048';`
Add support for generating DANE TLSA records to genssl. 2014-04-24 13:09:11 +01:00			$dercert = `openssl x509 -in cert.pem -outform DER` unless $status;
Extract SSL generation to a tool which can be shipped by distros. 2013-04-02 16:30:11 +01:00			`}`

			`if ($status) {`
Add 'auto' option to genssl to automatically select a generator. 2013-07-27 04:56:35 +01:00			`print STDERR "SSL generation failed: $tool exited with a non-zero status!\n";`
Extract SSL generation to a tool which can be shipped by distros. 2013-04-02 16:30:11 +01:00			`exit 1;`
			`}`
Add support for generating DANE TLSA records to genssl. 2014-04-24 13:09:11 +01:00
			`if (defined $dercert && eval 'use Digest::SHA; 1') {`
			`my $hash = Digest::SHA->new(256);`
			`$hash->add($dercert);`
			`print "\nAdd this TLSA record to your domain for DANE support:\n";`
			`print "_6697._tcp." . $common_name . " TLSA 3 0 1 " . $hash->hexdigest . "\n";`
			`}`