How and Where is OpenSSL called in this script?
centos-6.8
perl, v5.10.1 (*) built for x86_64-linux-thread-multi
I am trying to update a Perl script called CSP. My experience with the script is limited to running it on the rare occasions when we need a new server certificate. I contacted the original author of the script, Leif Johansson, but have not received a reply. The modified project that I am currently working on, and refer to below, can be found at https://github.com/byrnejb/rcsp/tree/csp040.
That is the background. My Perl programming experience is negligible. Consequently, my questions here may be naive.
I have these code snippets in ./blib/lib/CSP.pm:
. . .
package CSP;
use strict;
use vars qw($VERSION @ISA @EXPORT @EXPORT_OK);
require Exporter;
require AutoLoader;
use IO::File;
use Term::Prompt;
use POSIX qw(strftime);
use Date::Calc qw(Day_of_Week Gmtime Add_Delta_Days Add_Delta_DHMS);
use Sys::Hostname;
@ISA = qw(Exporter AutoLoader);
# Items to export into callers namespace by default. Note: do not export
# names by default without a very good reason. Use EXPORT_OK instead.
# Do not simply export all your public functions/methods/constants.
@EXPORT = qw();
@EXPORT_OK = qw($_openssl);
$VERSION = '0.40';
# Preloaded methods go here.
# Autoload methods go after =cut, and are processed by the autosplit program.
$CSP::_openssl='openssl';
. . .
$CSP::_openssl='openssl';
. . .
sub genkey
{
my $self = shift;
my $args = shift;
$self->die("Required parameter keyfile missing")
unless $args->{keyfile};
$args->{keysize} = 4096 unless $args->{keysize} > 0;
$args->{keypass} = "'" . $self->getPassword("Private key password",1) . "'"
unless $args->{keypass};
$self->warn("# Password argument: $args->{keypass}\n") if $ENV{CSPDEBUG};
my $cmd = "-out $args->{keyfile} $args->{keysize}";
$cmd = "-des3 -passout pass:$args->{keypass} ".$cmd if defined($args->{keypass});
$self->{openssl}->cmd('genrsa',$cmd,$args);
}
## Generate and optionally self-sign the request
my $process;
my $what;
my $common_args = "-$args->{digest} -days $args->{days} ".
" -key $cakey -passin pass:$args->{keypass}";
if ($args->{csrfile})
{
$self->{openssl}->cmd('req',"-new $common_args -out $args->{csrfile}",$args);
$what = "generated CA request for";
}
else
{
$self->{openssl}->cmd('req',"-x509 $common_args -new -out $cacert",$args);
$what = "initialized self-signed";
}
$self->warn("Successfully $what CA $self->{name}")
if $args->{verbose};
}
}
sub checkCA
{
my $self = shift;
my $dir = $self->caDir();
$self->die("Uninitialized CA: missing or unreadable ca certificate in $dir")
unless -r "$dir/ca.crt";
$self->die("Uninitialized CA: missing or unreadable ca private key in $dir")
unless -r "$dir/private/ca.key";
$dir;
}
. . .
At the end of the script file:
. . .
$self->{csp} = $csp;
$cmd = '' if $cmd eq 'dummy';
my $engine = "-engine opensc" if $ENV{CSP_OPENSC};
my $redirect = ($args->{verbose} == 0 && $rw ne 'r' ? ">/dev/null 2>&1" : "");
warn "${lp}$self->{openssl} $cmd $cfgcmd $cmdline ${redirect}${rp}"
if $ENV{CSPDEBUG};
if ($rw eq 's')
{
$self->{rc} = system("$self->{openssl} $cmd $engine $cfgcmd $cmdline ${redirect}");
}
else
{
open $self->{fh},"${lp}$self->{openssl} $cmd $engine $cfgcmd $cmdline ${redirect}${rp}" or
$self->{csp}->die("Unable to execute: $!");
}
$self;
}
. . .
When I run with debugging using the following command line:
csp HLL_ROOT init \
--keysize=4096 \
--days=7318 \
--url=ca.harte-lyne.ca \
--email=certificates@harte-lyne.ca \
--digest=sha512 \
--verbose \
"CN=HLL_ROOT,OU=Networked Data Services,O=Harte & Lyne Limited,L=Hamilton,ST=Ontario,C=CA,DC=harte-lyne,DC=ca"
then I see this:
openssl genrsa -des3 -passout pass:'a test' -out /home/byrnejb/Projects/Software/rcsp/ca_test_a/csp/HLL_ROOT/private/ca.key 4096
followed by:
openssl genrsa -des3 -passout pass:'a test' -out /home/byrnejb/Projects/Software/rcsp/ca_test_a/csp/HLL_ROOT/private/ca.key 4096
and ends with:
[CSP][HLL_ROOT] Successfully initialized self-signed CA HLL_ROOT
However, the expected output, ca.key and ca.crt, is not found in the directory given as an argument in the commands above.
$ find /home/byrnejb/Projects/Software/rcsp/ca_test_a/csp/HLL_ROOT -name ca\.\*
$
Yet if I copy and paste these exact commands into my bash shell session, they work.
openssl genrsa -des3 -passout pass:'a test' -out /home/byrnejb/Projects/Software/rcsp/ca_test_a/csp/HLL_ROOT/private/ca.key 4096
Generating RSA private key, 4096 bit long modulus
.....................................++
........................++
e is 65537 (0x10001)
and
openssl req -config /home/byrnejb/Projects/Software/rcsp/ca_test_a/csp/HLL_ROOT/tmp/csp-8154.conf -x509 -sha512 -days 7318 -key /home/byrnejb/Projects/Software/rcsp/ca_test_a/csp/HLL_ROOT/private/ca.key -passin pass:'a test' -new -out /home/byrnejb/Projects/Software/rcsp/ca_test_a/csp/HLL_ROOT/ca.crt
which yields:
$ find /home/byrnejb/Projects/Software/rcsp/ca_test_a/csp/HLL_ROOT -name ca\.\*
/home/byrnejb/Projects/Software/rcsp/ca_test_a/csp/HLL_ROOT/private/ca.key
/home/byrnejb/Projects/Software/rcsp/ca_test_a/csp/HLL_ROOT/ca.crt
It appears to me that the commands are constructed correctly but the openssl utility is not invoked. Since there is no branching code in the section that generates these commands, I conclude that the construct $self->{openssl}->cmd('req',"-x509 $common_args -new -out $cacert",$args);
is the actual call to openssl, but I do not know how this works.
How is this supposed to work? Why does it not work?
Should the return code from openssl not be checked?
Following @simbabque's comment, the place where openssl is called is here:
1398 use IPC::Run qw( start pump finish timeout new_appender new_chunker);
. . .
1418 sub cmd
1419 {
1420 my $self = shift;
1421 my $cmd = shift;
1422 my $cmdline = shift;
1423 my $args = shift;
1424
1425 my $conf;
1426 my $cfgcmd;
. . .
1448 $self->{_handle}->pump while length ${$self->{_in}};
. . .
The underlying difficulty is the use of embedded white-space in the passphrase. As written, the code passes the arguments to IPC::Run as a concatenated string. For arguments passed as a string, IPC::Run uses white-space as the argument delimiter. The correct way to handle this is to refactor the code to pass the arguments as an array instead.
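The array form this answer recommends, written out as an added example (this is not CSP.pm's code and not from the rcsp project): it builds the genrsa argv as a list and hands it to IPC::Run as an array reference, so a passphrase with embedded white-space, the case the answer identifies, reaches openssl as one argument. It goes two steps further than the answer: the passphrase is fed on stdin via -passout stdin so it never appears on the command line (or in ps output), and the exit status that the question asks about is checked, both for genrsa and for a follow-up openssl rsa call that can only succeed if the key decrypts with the intended passphrase. The scratch directory, the 2048-bit key size and the passphrase "a test" are assumptions for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not part of CSP.pm or the rcsp project.
use strict;
use warnings;
use IPC::Run qw(run);
use File::Temp qw(tempdir);

# Constructed inputs for the demo: a passphrase with embedded white-space,
# exactly the case that breaks the concatenated-string call.
my $keypass = 'a test';
my $keysize = 2048;                   # assumption: smaller than 4096 to keep the demo quick
my $dir     = tempdir(CLEANUP => 1);  # assumption: scratch directory instead of a CA directory
my $keyfile = "$dir/ca.key";

# One list element per argument. Nothing re-tokenises this list, so the
# white-space inside $keypass cannot split it into two arguments. The
# passphrase is read from stdin instead of being passed as pass:'a test',
# which also keeps it out of `ps` output and shell history.
sub genrsa_argv {
    my ($out, $bits) = @_;
    return ['openssl', 'genrsa', '-des3', '-passout', 'stdin', '-out', $out, $bits];
}

# Run an argv array reference with the given stdin; return (exit code, stdout, stderr).
# IPC::Run sets $? to the child's wait status, like system() does.
sub run_openssl {
    my ($argv, $stdin) = @_;
    my ($out, $err) = ('', '');
    run $argv, \$stdin, \$out, \$err;
    return ($? >> 8, $out, $err);
}

# 1. Generate the encrypted key and check the exit status, not a log message.
my ($rc, $out, $err) = run_openssl(genrsa_argv($keyfile, $keysize), "$keypass\n");
die "genrsa failed (exit $rc): $err" if $rc != 0;
die "$keyfile was not written"       unless -s $keyfile;

# 2. Prove the passphrase arrived intact: `openssl rsa` exits non-zero unless
#    the decryption passphrase matches the one genrsa used.
($rc, $out, $err) = run_openssl(
    ['openssl', 'rsa', '-in', $keyfile, '-passin', 'stdin', '-noout'],
    "$keypass\n");
die "key does not decrypt with the intended passphrase (exit $rc): $err" if $rc != 0;

print "wrote and verified $keyfile\n";
```

Applied to CSP.pm, the same change means cmd() would receive the openssl arguments as a list (and the ">/dev/null 2>&1" redirection would become IPC::Run output redirections rather than shell text), and $self->{rc} would be derived from $? after the run instead of being trusted from a "Successfully ..." message.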
I am the original author of that package and I abandoned it a long time ago, for reasons that should be obvious. Go look at https://github.com/leifj/ici for something more maintainable (even if it is basically just bash scripts).