From bf4d2d13ffcd894c6e7765dbd366f1163c69c9e1 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 13 Jun 2024 03:33:20 +0200 Subject: Pass `-in /dev/stdin` option to openssl(1) to avoid warning with recent versions. OpenSSL 3.2 from Debian sid spews Warning: Reading certificate from stdin since no -in or -new option is given without an explicit `-in /dev/stdin`. --- lacme | 14 +++++++------- tests/account-encrypted-openssl | 2 +- tests/cert-extensions | 2 +- tests/cert-install | 4 ++-- 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/lacme b/lacme index 6284c66..19d78a9 100755 --- a/lacme +++ b/lacme @@ -184,7 +184,7 @@ sub gen_csr(%) { push @args, "-$args{hash}" if defined $args{hash}; push @args, '-subj', $args{subject}, '-config', $config->filename(), qw/-reqexts v3_req/; - open my $fh, '-|', qw/openssl req -outform DER/, @args or die "fork: $!"; + open my $fh, '-|', qw{openssl req -outform DER}, @args or die "fork: $!"; my $csr = do { local $/ = undef; <$fh> }; close $fh or $! ? die "close: $!" : return; @@ -195,7 +195,7 @@ sub gen_csr(%) { unless ($pid) { open STDIN, '<&', $rd or die "dup: $!"; open STDOUT, '>&', \*STDERR or die "dup: $!"; - exec qw/openssl req -noout -text -inform DER/ or die; + exec qw{openssl req -in /dev/stdin -inform DER -noout -text} or die; } $rd->close() or die "close: $!"; $wd->print($csr); 
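Review bot: With `-in /dev/stdin` the openssl child in gen_csr opens a path instead of reading the inherited descriptor 0, so it now depends on that device node existing (on Linux it resolves through /proc); the same applies to the hunks at @@ -842, @@ -878 and @@ -909. This works with what looks like a pipe behind `$rd`, but in a minimal chroot or container the open can fail where the implicit stdin read did not. A comment next to the first use would record the trade-off, for example `# -in /dev/stdin silences the OpenSSL 3.2 "Reading certificate from stdin" warning; requires /dev/stdin to exist`. Separately, the bare `or die` after `exec` reports no cause if openssl cannot be started; `or die "exec: $!";` would match the neighbouring `dup` checks. The pipe setup and the rest of gen_csr are outside the hunk.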
@@ -842,8 +842,8 @@ elsif ($COMMAND eq 'newOrder' or $COMMAND eq 'new-cert') { # XXX would be nice to use X509_get_X509_PUBKEY and X509_REQ_get_X509_PUBKEY here, # or EVP_PKEY_cmp(), but unfortunately Net::SSLeay 1.88 doesn't support these my ($cert_pubkey, $csr_pubkey); - spawn({in => $cert, out => \$cert_pubkey}, qw/openssl x509 -inform PEM -noout -pubkey/); - spawn({in => $csr, out => \$csr_pubkey }, qw/openssl req -inform DER -noout -pubkey/); + spawn({in => $cert, out => \$cert_pubkey}, qw{openssl x509 -in /dev/stdin -inform PEM -noout -pubkey}); + spawn({in => $csr, out => \$csr_pubkey }, qw{openssl req -in /dev/stdin -inform DER -noout -pubkey}); unless (defined $cert_pubkey and defined $csr_pubkey and $cert_pubkey eq $csr_pubkey) { print STDERR "[$s] Error: Received bogus X.509 certificate from ACME server!\n"; $rv = 1; @@ -878,7 +878,7 @@ elsif ($COMMAND eq 'newOrder' or $COMMAND eq 'new-cert') { } my @certopts = join ',', qw/no_header no_version no_pubkey no_sigdump/; - open my $fh, '|-', qw/openssl x509 -noout -fingerprint -sha256 -text -certopt/, @certopts + open my $fh, '|-', qw{openssl x509 -in /dev/stdin -noout -fingerprint -sha256 -text -certopt}, @certopts or die "fork: $!"; print $fh $cert; close $fh or die $! ? 
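Review bot: The public-key comparison after the two `spawn` calls accepts two defined but empty strings, because `'' eq ''` is true. Both commands now depend on `/dev/stdin` being openable, so they can fail in the same way at the same time; whether `spawn` dies on a non-zero exit or simply leaves the output buffers empty is not visible in this hunk. Requiring a non-empty key keeps the check fail-closed either way: `unless (defined $cert_pubkey and length $cert_pubkey and defined $csr_pubkey and $cert_pubkey eq $csr_pubkey) {`. The enclosing `elsif` branch starts and ends outside the hunk.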
@@ -909,14 +909,14 @@ elsif ($COMMAND eq 'revokeCert' or $COMMAND eq 'revoke-cert') { print STDERR "Revoking $filename\n"; # conversion PEM -> DER - open my $fh, '-|', qw/openssl x509 -outform DER -in/, $filename or die "fork: $!"; + open my $fh, '-|', qw{openssl x509 -in}, $filename, qw{-outform DER} or die "fork: $!"; my $der = do { local $/ = undef; <$fh> }; close $fh or die $! ? "close: $!" : "Error: x509(1ssl) exited with value ".($? >> 8)."\n"; my @certopts = join ',', qw/no_header no_version no_pubkey no_sigdump no_extensions/; - open my $fh2, '|-', qw/openssl x509 -inform DER -noout -fingerprint -sha256 -text -certopt/, @certopts + open my $fh2, '|-', qw{openssl x509 -in /dev/stdin -inform DER -noout -fingerprint -sha256 -text -certopt}, @certopts or die "fork: $!"; print $fh2 $der; close $fh2 or die $! ? diff --git a/tests/account-encrypted-openssl b/tests/account-encrypted-openssl index a3ad707..1f97fd0 100644 --- a/tests/account-encrypted-openssl +++ b/tests/account-encrypted-openssl @@ -2,7 +2,7 @@ PASSPHRASE="test" -openssl rsa -aes128 -passout pass:"$PASSPHRASE" /etc/lacme/account.enc.key +openssl rsa -in /etc/lacme/account.key -out /etc/lacme/account.enc.key -aes128 -passout pass:"$PASSPHRASE" sed -ri '0,\|^#?privkey\s*=.*| {s||privkey = file:/etc/lacme/account.enc.key|}' /etc/lacme/lacme-accountd.conf export TERM="linux" diff --git a/tests/cert-extensions b/tests/cert-extensions index bc40298..d7e7855 100644 --- a/tests/cert-extensions +++ b/tests/cert-extensions @@ -4,7 +4,7 @@ x509_check() { local cert="$1" ext out out="$(mktemp --tmpdir)" ext="basicConstraints,subjectAltName,keyUsage,extendedKeyUsage,tlsfeature" - openssl x509 -noout -subject -ext "$ext" -nameopt compat <"$cert" >"$out" + openssl x509 -in "$cert" -noout -subject -ext "$ext" -nameopt compat >"$out" diff --unified --color=auto -b --label="a/${cert#/}" --label="b/${cert#/}" -- - "$out" } diff --git a/tests/cert-install b/tests/cert-install index 4182790..e24fe34 100644 
--- a/tests/cert-install +++ b/tests/cert-install @@ -46,9 +46,9 @@ diff --unified /etc/lacme/test1.crt /etc/lacme/test1.pem check_hash() { local p1="$1" p2 s1 s2 - s1="$(openssl x509 -noout -hash <"$p1")" + s1="$(openssl x509 -in "$p1" -noout -hash)" for p2 in /usr/share/lacme/ca-certificates.pem.*; do - s2="$(openssl x509 -noout -hash <"$p2")" + s2="$(openssl x509 -in "$p2" -noout -hash)" if [ "$s1" = "$s2" ]; then return 0 fi -- cgit v1.2.3
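Review bot: `check_hash` returns 0 when `s1` and `s2` are both empty, which happens if `openssl x509 -in "$p1"` fails and any read in the loop fails too (including the case where the `ca-certificates.pem.*` glob matches nothing and stays literal). Unless the script runs under `set -e`, which this hunk does not show, the test would then pass without having compared any hash. A guard such as `[ -n "$s1" ] || return 1` right after the first assignment closes that gap. The end of the function is outside the hunk.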