1*4882a593SmuzhiyunFrom 3eda5d35fbaf66ed6bdc86ada4320a0a18681b7e Mon Sep 17 00:00:00 2001 2*4882a593SmuzhiyunFrom: Mingli Yu <mingli.yu@windriver.com> 3*4882a593SmuzhiyunDate: Wed, 5 Aug 2020 07:23:11 +0000 4*4882a593SmuzhiyunSubject: [PATCH] raddb/certs/Makefile: fix the occasional verification failure 5*4882a593Smuzhiyun 6*4882a593SmuzhiyunFixes: 7*4882a593Smuzhiyun # cd /etc/raddb/certs 8*4882a593Smuzhiyun # ./bootstrap 9*4882a593Smuzhiyun[snip] 10*4882a593Smuzhiyunchmod g+r ca.key 11*4882a593Smuzhiyunopenssl pkcs12 -in server.p12 -out server.pem -passin pass:'whatever' -passout pass:'whatever' 12*4882a593Smuzhiyunchmod g+r server.pem 13*4882a593SmuzhiyunC = FR, ST = Radius, O = Example Inc., CN = Example Server Certificate, emailAddress = admin@example.org 14*4882a593Smuzhiyunerror 7 at 0 depth lookup: certificate signature failure 15*4882a593Smuzhiyun140066667427072:error:04067084:rsa routines:rsa_ossl_public_decrypt:data too large for modulus:../openssl-1.1.1g/crypto/rsa/rsa_ossl.c:553: 16*4882a593Smuzhiyun140066667427072:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:../openssl-1.1.1g/crypto/asn1/a_verify.c:170: 17*4882a593Smuzhiyunerror server.pem: verification failed 18*4882a593Smuzhiyunmake: *** [Makefile:107: server.vrfy] Error 2 19*4882a593Smuzhiyun 20*4882a593SmuzhiyunIt seems the ca.pem mismatchs server.pem which results in failing to 21*4882a593Smuzhiyunexecute "openssl verify -CAfile ca.pem server.pem", so add to check 22*4882a593Smuzhiyunthe file to avoid inconsistency. 23*4882a593Smuzhiyun 24*4882a593SmuzhiyunUpstream-Status: Pending 25*4882a593Smuzhiyun 26*4882a593SmuzhiyunSigned-off-by: Mingli Yu <mingli.yu@windriver.com> 27*4882a593Smuzhiyun--- 28*4882a593Smuzhiyun raddb/certs/Makefile | 30 +++++++++++++++--------------- 29*4882a593Smuzhiyun 1 file changed, 15 insertions(+), 15 deletions(-) 30*4882a593Smuzhiyun 31*4882a593Smuzhiyundiff --git a/raddb/certs/Makefile b/raddb/certs/Makefile 32*4882a593Smuzhiyunindex 77eec9baa1..3dcb63fe71 100644 33*4882a593Smuzhiyun--- a/raddb/certs/Makefile 34*4882a593Smuzhiyun+++ b/raddb/certs/Makefile 35*4882a593Smuzhiyun@@ -59,7 +59,7 @@ passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf 36*4882a593Smuzhiyun # 37*4882a593Smuzhiyun ###################################################################### 38*4882a593Smuzhiyun dh: 39*4882a593Smuzhiyun- $(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE) 40*4882a593Smuzhiyun+ @[ -f dh ] || $(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE) 41*4882a593Smuzhiyun 42*4882a593Smuzhiyun ###################################################################### 43*4882a593Smuzhiyun # 44*4882a593Smuzhiyun@@ -69,17 +69,17 @@ dh: 45*4882a593Smuzhiyun ca.key ca.pem: ca.cnf 46*4882a593Smuzhiyun @[ -f index.txt ] || $(MAKE) index.txt 47*4882a593Smuzhiyun @[ -f serial ] || $(MAKE) serial 48*4882a593Smuzhiyun- $(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \ 49*4882a593Smuzhiyun+ @[ -f ca.pem ] || $(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \ 50*4882a593Smuzhiyun -days $(CA_DEFAULT_DAYS) -config ./ca.cnf \ 51*4882a593Smuzhiyun -passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA) 52*4882a593Smuzhiyun chmod g+r ca.key 53*4882a593Smuzhiyun 54*4882a593Smuzhiyun ca.der: ca.pem 55*4882a593Smuzhiyun- $(OPENSSL) x509 -inform PEM -outform DER -in ca.pem -out ca.der 56*4882a593Smuzhiyun+ @[ -f ca.der ] || $(OPENSSL) x509 -inform PEM -outform DER -in ca.pem -out ca.der 57*4882a593Smuzhiyun 58*4882a593Smuzhiyun ca.crl: ca.pem 59*4882a593Smuzhiyun- $(OPENSSL) ca -gencrl -keyfile ca.key -cert ca.pem -config ./ca.cnf -out ca-crl.pem -key $(PASSWORD_CA) 60*4882a593Smuzhiyun- $(OPENSSL) crl -in ca-crl.pem -outform der -out ca.crl 61*4882a593Smuzhiyun+ @[ -f ca-crl.pem ] || $(OPENSSL) ca -gencrl -keyfile ca.key -cert ca.pem -config ./ca.cnf -out ca-crl.pem -key $(PASSWORD_CA) 62*4882a593Smuzhiyun+ @[ -f ca.crl ] || $(OPENSSL) crl -in ca-crl.pem -outform der -out ca.crl 63*4882a593Smuzhiyun rm ca-crl.pem 64*4882a593Smuzhiyun 65*4882a593Smuzhiyun ###################################################################### 66*4882a593Smuzhiyun@@ -88,18 +88,18 @@ ca.crl: ca.pem 67*4882a593Smuzhiyun # 68*4882a593Smuzhiyun ###################################################################### 69*4882a593Smuzhiyun server.csr server.key: server.cnf 70*4882a593Smuzhiyun- $(OPENSSL) req -new -out server.csr -keyout server.key -config ./server.cnf 71*4882a593Smuzhiyun+ @[ -f server.csr ] || $(OPENSSL) req -new -out server.csr -keyout server.key -config ./server.cnf 72*4882a593Smuzhiyun chmod g+r server.key 73*4882a593Smuzhiyun 74*4882a593Smuzhiyun server.crt: server.csr ca.key ca.pem 75*4882a593Smuzhiyun @[ -f server.crt ] || $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf 76*4882a593Smuzhiyun 77*4882a593Smuzhiyun server.p12: server.crt 78*4882a593Smuzhiyun- $(OPENSSL) pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER) 79*4882a593Smuzhiyun+ @[ -f server.p12 ] || $(OPENSSL) pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER) 80*4882a593Smuzhiyun chmod g+r server.p12 81*4882a593Smuzhiyun 82*4882a593Smuzhiyun server.pem: server.p12 83*4882a593Smuzhiyun- $(OPENSSL) pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER) 84*4882a593Smuzhiyun+ @[ -f server.pem ] || $(OPENSSL) pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER) 85*4882a593Smuzhiyun chmod g+r server.pem 86*4882a593Smuzhiyun 87*4882a593Smuzhiyun .PHONY: server.vrfy 88*4882a593Smuzhiyun@@ -113,18 +113,18 @@ server.vrfy: ca.pem 89*4882a593Smuzhiyun # 90*4882a593Smuzhiyun ###################################################################### 91*4882a593Smuzhiyun client.csr client.key: client.cnf 92*4882a593Smuzhiyun- $(OPENSSL) req -new -out client.csr -keyout client.key -config ./client.cnf 93*4882a593Smuzhiyun+ @[ -f client.csr ] || $(OPENSSL) req -new -out client.csr -keyout client.key -config ./client.cnf 94*4882a593Smuzhiyun chmod g+r client.key 95*4882a593Smuzhiyun 96*4882a593Smuzhiyun client.crt: client.csr ca.pem ca.key 97*4882a593Smuzhiyun @[ -f client.crt ] || $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf 98*4882a593Smuzhiyun 99*4882a593Smuzhiyun client.p12: client.crt 100*4882a593Smuzhiyun- $(OPENSSL) pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) 101*4882a593Smuzhiyun+ @[ -f client.p12 ] || $(OPENSSL) pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) 102*4882a593Smuzhiyun chmod g+r client.p12 103*4882a593Smuzhiyun 104*4882a593Smuzhiyun client.pem: client.p12 105*4882a593Smuzhiyun- $(OPENSSL) pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) 106*4882a593Smuzhiyun+ @[ -f client.pem ] || $(OPENSSL) pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) 107*4882a593Smuzhiyun chmod g+r client.pem 108*4882a593Smuzhiyun cp client.pem $(USER_NAME).pem 109*4882a593Smuzhiyun 110*4882a593Smuzhiyun@@ -139,18 +139,18 @@ client.vrfy: ca.pem client.pem 111*4882a593Smuzhiyun # 112*4882a593Smuzhiyun ###################################################################### 113*4882a593Smuzhiyun inner-server.csr inner-server.key: inner-server.cnf 114*4882a593Smuzhiyun- $(OPENSSL) req -new -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf 115*4882a593Smuzhiyun+ @[ -f inner-server.csr] || $(OPENSSL) req -new -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf 116*4882a593Smuzhiyun chmod g+r inner-server.key 117*4882a593Smuzhiyun 118*4882a593Smuzhiyun inner-server.crt: inner-server.csr ca.key ca.pem 119*4882a593Smuzhiyun- $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in inner-server.csr -key $(PASSWORD_CA) -out inner-server.crt -extensions xpserver_ext -extfile xpextensions -config ./inner-server.cnf 120*4882a593Smuzhiyun+ @[ -f inner-server.crt ] || $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in inner-server.csr -key $(PASSWORD_CA) -out inner-server.crt -extensions xpserver_ext -extfile xpextensions -config ./inner-server.cnf 121*4882a593Smuzhiyun 122*4882a593Smuzhiyun inner-server.p12: inner-server.crt 123*4882a593Smuzhiyun- $(OPENSSL) pkcs12 -export -in inner-server.crt -inkey inner-server.key -out inner-server.p12 -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER) 124*4882a593Smuzhiyun+ @[ -f inner-server.p12 ] || $(OPENSSL) pkcs12 -export -in inner-server.crt -inkey inner-server.key -out inner-server.p12 -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER) 125*4882a593Smuzhiyun chmod g+r inner-server.p12 126*4882a593Smuzhiyun 127*4882a593Smuzhiyun inner-server.pem: inner-server.p12 128*4882a593Smuzhiyun- $(OPENSSL) pkcs12 -in inner-server.p12 -out inner-server.pem -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER) 129*4882a593Smuzhiyun+ @[ -f inner-server.pem ] || $(OPENSSL) pkcs12 -in inner-server.p12 -out inner-server.pem -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER) 130*4882a593Smuzhiyun chmod g+r inner-server.pem 131*4882a593Smuzhiyun 132*4882a593Smuzhiyun .PHONY: inner-server.vrfy 133*4882a593Smuzhiyun-- 134*4882a593Smuzhiyun2.26.2 135*4882a593Smuzhiyun 136