authorGuilhem Moulin <guilhem@fripost.org>2024-06-13 03:33:20 +0200
committerGuilhem Moulin <guilhem@fripost.org>2024-06-13 15:41:12 +0200
commitbf4d2d13ffcd894c6e7765dbd366f1163c69c9e1 (patch)
treed234196cc004dec3482716d2b3a6b5425d8386ed
parent568656b1fcb60d451b4a5313876ef0b96ae8bbfd (diff)
Pass `-in /dev/stdin` option to openssl(1) to avoid warning with recent versions.
OpenSSL 3.2 from Debian sid spews "Warning: Reading certificate from stdin since no -in or -new option is given" unless an explicit `-in /dev/stdin` is passed.
-rwxr-xr-xlacme14
-rw-r--r--tests/account-encrypted-openssl2
-rw-r--r--tests/cert-extensions2
-rw-r--r--tests/cert-install4
4 files changed, 11 insertions, 11 deletions
diff --git a/lacme b/lacme
index 6284c66..19d78a9 100755
--- a/lacme
+++ b/lacme
@@ -184,7 +184,7 @@ sub gen_csr(%) {
push @args, "-$args{hash}" if defined $args{hash};
push @args, '-subj', $args{subject}, '-config', $config->filename(), qw/-reqexts v3_req/;
- open my $fh, '-|', qw/openssl req -outform DER/, @args or die "fork: $!";
+ open my $fh, '-|', qw{openssl req -outform DER}, @args or die "fork: $!";
my $csr = do { local $/ = undef; <$fh> };
close $fh or $! ? die "close: $!" : return;
@@ -195,7 +195,7 @@ sub gen_csr(%) {
unless ($pid) {
open STDIN, '<&', $rd or die "dup: $!";
open STDOUT, '>&', \*STDERR or die "dup: $!";
- exec qw/openssl req -noout -text -inform DER/ or die;
+ exec qw{openssl req -in /dev/stdin -inform DER -noout -text} or die;
}
$rd->close() or die "close: $!";
$wd->print($csr);
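Review bot: The `-in /dev/stdin` argument added on the `exec` line makes openssl re-open standard input by path rather than read the inherited descriptor, so the call now depends on `/dev/stdin` resolving (on Linux it is a symlink into /proc). In a chroot or minimal container without it, the command would fail where the old form worked. The same applies to the two `spawn()` calls in the newOrder hunk and to the `x509 ... -text -certopt` pipes in the newOrder and revokeCert hunks. A comment at this first use would record the trade-off, e.g. `# -in /dev/stdin silences the OpenSSL >= 3.2 stdin warning; needs /dev/stdin to resolve`. The rewritten line also keeps a bare `or die;`, while the neighbouring lines report `"dup: $!"`; `or die "exec: $!";` would match them. The body of gen_csr continues outside the hunk.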
@@ -842,8 +842,8 @@ elsif ($COMMAND eq 'newOrder' or $COMMAND eq 'new-cert') {
# XXX would be nice to use X509_get_X509_PUBKEY and X509_REQ_get_X509_PUBKEY here,
# or EVP_PKEY_cmp(), but unfortunately Net::SSLeay 1.88 doesn't support these
my ($cert_pubkey, $csr_pubkey);
- spawn({in => $cert, out => \$cert_pubkey}, qw/openssl x509 -inform PEM -noout -pubkey/);
- spawn({in => $csr, out => \$csr_pubkey }, qw/openssl req -inform DER -noout -pubkey/);
+ spawn({in => $cert, out => \$cert_pubkey}, qw{openssl x509 -in /dev/stdin -inform PEM -noout -pubkey});
+ spawn({in => $csr, out => \$csr_pubkey }, qw{openssl req -in /dev/stdin -inform DER -noout -pubkey});
unless (defined $cert_pubkey and defined $csr_pubkey and $cert_pubkey eq $csr_pubkey) {
print STDERR "[$s] Error: Received bogus X.509 certificate from ACME server!\n";
$rv = 1;
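Review bot: The `unless` comparison below the two rewritten `spawn()` calls treats two empty strings as a match, so it only rejects a bad certificate if `spawn()` dies or leaves the output undefined when openssl fails; `spawn()` is not visible in this hunk, so that is unconfirmed. With the new `-in /dev/stdin` arguments both commands can fail for the same reason (the path not resolving), which is exactly the case where both outputs would be equally empty. Requiring a non-empty key keeps the check failing closed: `unless (defined $cert_pubkey and defined $csr_pubkey and length $cert_pubkey and $cert_pubkey eq $csr_pubkey) {`. The enclosing `elsif` branch starts and ends outside the hunk.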
@@ -878,7 +878,7 @@ elsif ($COMMAND eq 'newOrder' or $COMMAND eq 'new-cert') {
}
my @certopts = join ',', qw/no_header no_version no_pubkey no_sigdump/;
- open my $fh, '|-', qw/openssl x509 -noout -fingerprint -sha256 -text -certopt/, @certopts
+ open my $fh, '|-', qw{openssl x509 -in /dev/stdin -noout -fingerprint -sha256 -text -certopt}, @certopts
or die "fork: $!";
print $fh $cert;
close $fh or die $! ?
@@ -909,14 +909,14 @@ elsif ($COMMAND eq 'revokeCert' or $COMMAND eq 'revoke-cert') {
print STDERR "Revoking $filename\n";
# conversion PEM -> DER
- open my $fh, '-|', qw/openssl x509 -outform DER -in/, $filename or die "fork: $!";
+ open my $fh, '-|', qw{openssl x509 -in}, $filename, qw{-outform DER} or die "fork: $!";
my $der = do { local $/ = undef; <$fh> };
close $fh or die $! ?
"close: $!" :
"Error: x509(1ssl) exited with value ".($? >> 8)."\n";
my @certopts = join ',', qw/no_header no_version no_pubkey no_sigdump no_extensions/;
- open my $fh2, '|-', qw/openssl x509 -inform DER -noout -fingerprint -sha256 -text -certopt/, @certopts
+ open my $fh2, '|-', qw{openssl x509 -in /dev/stdin -inform DER -noout -fingerprint -sha256 -text -certopt}, @certopts
or die "fork: $!";
print $fh2 $der;
close $fh2 or die $! ?
diff --git a/tests/account-encrypted-openssl b/tests/account-encrypted-openssl
index a3ad707..1f97fd0 100644
--- a/tests/account-encrypted-openssl
+++ b/tests/account-encrypted-openssl
@@ -2,7 +2,7 @@
PASSPHRASE="test"
-openssl rsa -aes128 -passout pass:"$PASSPHRASE" </etc/lacme/account.key >/etc/lacme/account.enc.key
+openssl rsa -in /etc/lacme/account.key -out /etc/lacme/account.enc.key -aes128 -passout pass:"$PASSPHRASE"
sed -ri '0,\|^#?privkey\s*=.*| {s||privkey = file:/etc/lacme/account.enc.key|}' /etc/lacme/lacme-accountd.conf
export TERM="linux"
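Review bot: Switching from the shell redirect to `-out /etc/lacme/account.enc.key` changes who creates the key file, and that can change its mode. With the redirect the shell created it under the current umask, whereas openssl, as far as I know, opens private-key output files owner-only. That is the safer default for key material, but if any later step of this test reads the file as another user it would now fail; this hunk does not show whether one does. A one-line comment such as `# -out: openssl creates the encrypted key itself (owner-only), not the shell` would make the difference explicit.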
diff --git a/tests/cert-extensions b/tests/cert-extensions
index bc40298..d7e7855 100644
--- a/tests/cert-extensions
+++ b/tests/cert-extensions
@@ -4,7 +4,7 @@ x509_check() {
local cert="$1" ext out
out="$(mktemp --tmpdir)"
ext="basicConstraints,subjectAltName,keyUsage,extendedKeyUsage,tlsfeature"
- openssl x509 -noout -subject -ext "$ext" -nameopt compat <"$cert" >"$out"
+ openssl x509 -in "$cert" -noout -subject -ext "$ext" -nameopt compat >"$out"
diff --unified --color=auto -b --label="a/${cert#/}" --label="b/${cert#/}" -- - "$out"
}
diff --git a/tests/cert-install b/tests/cert-install
index 4182790..e24fe34 100644
--- a/tests/cert-install
+++ b/tests/cert-install
@@ -46,9 +46,9 @@ diff --unified /etc/lacme/test1.crt /etc/lacme/test1.pem
check_hash() {
local p1="$1" p2 s1 s2
- s1="$(openssl x509 -noout -hash <"$p1")"
+ s1="$(openssl x509 -in "$p1" -noout -hash)"
for p2 in /usr/share/lacme/ca-certificates.pem.*; do
- s2="$(openssl x509 -noout -hash <"$p2")"
+ s2="$(openssl x509 -in "$p2" -noout -hash)"
if [ "$s1" = "$s2" ]; then
return 0
fi