diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2024-06-13 03:33:20 +0200 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2024-06-13 15:41:12 +0200 |
| commit | bf4d2d13ffcd894c6e7765dbd366f1163c69c9e1 (patch) | |
| tree | d234196cc004dec3482716d2b3a6b5425d8386ed | |
| parent | 568656b1fcb60d451b4a5313876ef0b96ae8bbfd (diff) | |
Pass `-in /dev/stdin` option to openssl(1) to avoid warning with recent versions.
OpenSSL 3.2 from Debian sid spews
Warning: Reading certificate from stdin since no -in or -new option is given
without an explicit `-in /dev/stdin`.
| -rwxr-xr-x | lacme | 14 | ||||
| -rw-r--r-- | tests/account-encrypted-openssl | 2 | ||||
| -rw-r--r-- | tests/cert-extensions | 2 | ||||
| -rw-r--r-- | tests/cert-install | 4 |
4 files changed, 11 insertions, 11 deletions
@@ -184,7 +184,7 @@ sub gen_csr(%) { push @args, "-$args{hash}" if defined $args{hash}; push @args, '-subj', $args{subject}, '-config', $config->filename(), qw/-reqexts v3_req/; - open my $fh, '-|', qw/openssl req -outform DER/, @args or die "fork: $!"; + open my $fh, '-|', qw{openssl req -outform DER}, @args or die "fork: $!"; my $csr = do { local $/ = undef; <$fh> }; close $fh or $! ? die "close: $!" : return; @@ -195,7 +195,7 @@ sub gen_csr(%) { unless ($pid) { open STDIN, '<&', $rd or die "dup: $!"; open STDOUT, '>&', \*STDERR or die "dup: $!"; - exec qw/openssl req -noout -text -inform DER/ or die; + exec qw{openssl req -in /dev/stdin -inform DER -noout -text} or die; } $rd->close() or die "close: $!"; $wd->print($csr); @@ -842,8 +842,8 @@ elsif ($COMMAND eq 'newOrder' or $COMMAND eq 'new-cert') { # XXX would be nice to use X509_get_X509_PUBKEY and X509_REQ_get_X509_PUBKEY here, # or EVP_PKEY_cmp(), but unfortunately Net::SSLeay 1.88 doesn't support these my ($cert_pubkey, $csr_pubkey); - spawn({in => $cert, out => \$cert_pubkey}, qw/openssl x509 -inform PEM -noout -pubkey/); - spawn({in => $csr, out => \$csr_pubkey }, qw/openssl req -inform DER -noout -pubkey/); + spawn({in => $cert, out => \$cert_pubkey}, qw{openssl x509 -in /dev/stdin -inform PEM -noout -pubkey}); + spawn({in => $csr, out => \$csr_pubkey }, qw{openssl req -in /dev/stdin -inform DER -noout -pubkey}); unless (defined $cert_pubkey and defined $csr_pubkey and $cert_pubkey eq $csr_pubkey) { print STDERR "[$s] Error: Received bogus X.509 certificate from ACME server!\n"; $rv = 1; @@ -878,7 +878,7 @@ elsif ($COMMAND eq 'newOrder' or $COMMAND eq 'new-cert') { } my @certopts = join ',', qw/no_header no_version no_pubkey no_sigdump/; - open my $fh, '|-', qw/openssl x509 -noout -fingerprint -sha256 -text -certopt/, @certopts + open my $fh, '|-', qw{openssl x509 -in /dev/stdin -noout -fingerprint -sha256 -text -certopt}, @certopts or die "fork: $!"; print $fh $cert; close $fh or die $! ? @@ -909,14 +909,14 @@ elsif ($COMMAND eq 'revokeCert' or $COMMAND eq 'revoke-cert') { print STDERR "Revoking $filename\n"; # conversion PEM -> DER - open my $fh, '-|', qw/openssl x509 -outform DER -in/, $filename or die "fork: $!"; + open my $fh, '-|', qw{openssl x509 -in}, $filename, qw{-outform DER} or die "fork: $!"; my $der = do { local $/ = undef; <$fh> }; close $fh or die $! ? "close: $!" : "Error: x509(1ssl) exited with value ".($? >> 8)."\n"; my @certopts = join ',', qw/no_header no_version no_pubkey no_sigdump no_extensions/; - open my $fh2, '|-', qw/openssl x509 -inform DER -noout -fingerprint -sha256 -text -certopt/, @certopts + open my $fh2, '|-', qw{openssl x509 -in /dev/stdin -inform DER -noout -fingerprint -sha256 -text -certopt}, @certopts or die "fork: $!"; print $fh2 $der; close $fh2 or die $! ? diff --git a/tests/account-encrypted-openssl b/tests/account-encrypted-openssl index a3ad707..1f97fd0 100644 --- a/tests/account-encrypted-openssl +++ b/tests/account-encrypted-openssl @@ -2,7 +2,7 @@ PASSPHRASE="test" -openssl rsa -aes128 -passout pass:"$PASSPHRASE" </etc/lacme/account.key >/etc/lacme/account.enc.key +openssl rsa -in /etc/lacme/account.key -out /etc/lacme/account.enc.key -aes128 -passout pass:"$PASSPHRASE" sed -ri '0,\|^#?privkey\s*=.*| {s||privkey = file:/etc/lacme/account.enc.key|}' /etc/lacme/lacme-accountd.conf export TERM="linux" diff --git a/tests/cert-extensions b/tests/cert-extensions index bc40298..d7e7855 100644 --- a/tests/cert-extensions +++ b/tests/cert-extensions @@ -4,7 +4,7 @@ x509_check() { local cert="$1" ext out out="$(mktemp --tmpdir)" ext="basicConstraints,subjectAltName,keyUsage,extendedKeyUsage,tlsfeature" - openssl x509 -noout -subject -ext "$ext" -nameopt compat <"$cert" >"$out" + openssl x509 -in "$cert" -noout -subject -ext "$ext" -nameopt compat >"$out" diff --unified --color=auto -b --label="a/${cert#/}" --label="b/${cert#/}" -- - "$out" } diff --git a/tests/cert-install b/tests/cert-install index 4182790..e24fe34 100644 --- a/tests/cert-install +++ b/tests/cert-install @@ -46,9 +46,9 @@ diff --unified /etc/lacme/test1.crt /etc/lacme/test1.pem check_hash() { local p1="$1" p2 s1 s2 - s1="$(openssl x509 -noout -hash <"$p1")" + s1="$(openssl x509 -in "$p1" -noout -hash)" for p2 in /usr/share/lacme/ca-certificates.pem.*; do - s2="$(openssl x509 -noout -hash <"$p2")" + s2="$(openssl x509 -in "$p2" -noout -hash)" if [ "$s1" = "$s2" ]; then return 0 fi |