1From bb1cb2ffc7a31c0a2bb2de51ef82d304b0a107c3 Mon Sep 17 00:00:00 2001
2From: Mingli Yu <mingli.yu@windriver.com>
3Date: Wed, 5 Aug 2020 07:23:11 +0000
4Subject: [PATCH] raddb/certs/Makefile: fix the occasional verification failure
5
6Fixes:
7  # cd /etc/raddb/certs
8  # ./bootstrap
9[snip]
10chmod g+r ca.key
11openssl pkcs12 -in server.p12 -out server.pem -passin pass:'whatever' -passout pass:'whatever'
12chmod g+r server.pem
13C = FR, ST = Radius, O = Example Inc., CN = Example Server Certificate, emailAddress = admin@example.org
14error 7 at 0 depth lookup: certificate signature failure
15140066667427072:error:04067084:rsa routines:rsa_ossl_public_decrypt:data too large for modulus:../openssl-1.1.1g/crypto/rsa/rsa_ossl.c:553:
16140066667427072:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:../openssl-1.1.1g/crypto/asn1/a_verify.c:170:
17error server.pem: verification failed
18make: *** [Makefile:107: server.vrfy] Error 2
19
20It seems that ca.pem does not match server.pem, which causes
21"openssl verify -CAfile ca.pem server.pem" to fail, so add a check for
22the file to avoid the inconsistency.
23
24Upstream-Status: Pending
25
26Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
27---
28 raddb/certs/Makefile | 30 +++++++++++++++---------------
29 1 file changed, 15 insertions(+), 15 deletions(-)
30
31diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
32index d064fe252d..86f4547804 100644
33--- a/raddb/certs/Makefile
34+++ b/raddb/certs/Makefile
35@@ -59,7 +59,7 @@ passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf
36 #
37 ######################################################################
38 dh:
39-	$(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE)
40+	@[ -f dh ] || $(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE)
41
42 ######################################################################
43 #
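Review bot: The `@[ -f dh ] ||` guard on the `dh` recipe cannot skip anything, because `dh` has no prerequisites and make only runs the recipe when the file is absent (unless `dh` is declared .PHONY outside this hunk, which is not visible here). The net effect of the change is only the `@`, which hides the slow dhparam command from the build log; I would keep the original line `$(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE)` or at least drop the `@` so a hung or failing key-generation step is visible.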
44@@ -69,17 +69,17 @@ dh:
45 ca.key ca.pem: ca.cnf
46 	@[ -f index.txt ] || $(MAKE) index.txt
47 	@[ -f serial ] || $(MAKE) serial
48-	$(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \
49+	@[ -f ca.pem ] || $(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \
50 		-days $(CA_DEFAULT_DAYS) -config ./ca.cnf \
51 		-passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA)
52 	chmod g+r ca.key
53
54 ca.der: ca.pem
55-	$(OPENSSL) x509 -inform PEM -outform DER -in ca.pem -out ca.der
56+	@[ -f ca.der ] || $(OPENSSL) x509 -inform PEM -outform DER -in ca.pem -out ca.der
57
58 ca.crl: ca.pem
59-	$(OPENSSL) ca -gencrl -keyfile ca.key -cert ca.pem -config ./ca.cnf -out ca-crl.pem -key $(PASSWORD_CA)
60-	$(OPENSSL) crl -in ca-crl.pem -outform der -out ca.crl
61+	@[ -f ca-crl.pem ] || $(OPENSSL) ca -gencrl -keyfile ca.key -cert ca.pem -config ./ca.cnf -out ca-crl.pem -key $(PASSWORD_CA)
62+	@[ -f ca.crl ] || $(OPENSSL) crl -in ca-crl.pem -outform der -out ca.crl
63 	rm ca-crl.pem
64
65 ######################################################################
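Review bot: The guard added to the `ca.key ca.pem` recipe tests only ca.pem while the rule promises ca.key as well; if ca.key is absent but ca.pem exists the regeneration is skipped and the unconditional `chmod g+r ca.key` on the next line fails the build, leaving a CA certificate with no matching private key. More generally, every `[ -f X ] ||` guard in this patch disables rebuild-on-change for its rule: when the prerequisite (ca.cnf here, ca.pem for ca.der and ca.crl) is newer, make runs the recipe but the guard skips it, so a renewed CA leaves ca.der and the CRL stale yet reported up to date, and the `[ -f ca-crl.pem ]` guard can never fire at all because `rm ca-crl.pem` removes that file at the end of every run. If the occasional failure stems from the two-target rule `ca.key ca.pem: ca.cnf` running its recipe once per target (e.g. under `make -j`), the guard only narrows that race — both runs can pass the test before either writes ca.pem — whereas a grouped target `ca.key ca.pem &: ca.cnf` (GNU Make 4.3+) or a stamp file closes it without hiding prerequisite changes. The same considerations apply to the csr/key rules in the following hunks.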
66@@ -88,18 +88,18 @@ ca.crl: ca.pem
67 #
68 ######################################################################
69 server.csr server.key: server.cnf
70-	$(OPENSSL) req -new  -out server.csr -keyout server.key -config ./server.cnf
71+	@[ -f server.csr ] || $(OPENSSL) req -new  -out server.csr -keyout server.key -config ./server.cnf
72 	chmod g+r server.key
73
74 server.crt: ca.key ca.pem server.csr
75 	@[ -f server.crt ] || $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in server.csr  -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
76
77 server.p12: server.crt
78-	$(OPENSSL) pkcs12 -export -in server.crt -inkey server.key -out server.p12  -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
79+	@[ -f server.p12 ] || $(OPENSSL) pkcs12 -export -in server.crt -inkey server.key -out server.p12  -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
80 	chmod g+r server.p12
81
82 server.pem: server.p12
83-	$(OPENSSL) pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
84+	@[ -f server.pem ] || $(OPENSSL) pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
85 	chmod g+r server.pem
86
87 .PHONY: server.vrfy
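Review bot: The guard on the `server.csr server.key` recipe checks only server.csr, so when server.key is missing but server.csr exists the key is never regenerated and the unconditional `chmod g+r server.key` on the next line aborts the build; guarding both outputs, `@[ -f server.csr ] && [ -f server.key ] || $(OPENSSL) req -new  -out server.csr -keyout server.key -config ./server.cnf`, keeps key and CSR consistent. The same one-sided check appears in the client.csr rule of the next hunk and the inner-server.csr rule of the last one. Since the guards also mean an edited server.cnf (the rule's only prerequisite) is no longer picked up until the files are deleted by hand, a comment above the rule such as `# Existing keys/CSRs/certs are reused; delete them to regenerate after editing the .cnf` would save the next maintainer a surprise.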
88@@ -113,19 +113,19 @@ server.vrfy: ca.pem
89 #
90 ######################################################################
91 client.csr client.key: client.cnf
92-	$(OPENSSL) req -new  -out client.csr -keyout client.key -config ./client.cnf
93+	@[ -f client.csr ] || $(OPENSSL) req -new  -out client.csr -keyout client.key -config ./client.cnf
94 	chmod g+r client.key
95
96 client.crt: ca.key ca.pem client.csr
97 	@[ -f client.crt ] || $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
98
99 client.p12: client.crt
100-	$(OPENSSL) pkcs12 -export -in client.crt -inkey client.key -out client.p12  -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
101+	@[ -f client.p12 ] || $(OPENSSL) pkcs12 -export -in client.crt -inkey client.key -out client.p12  -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
102 	chmod g+r client.p12
103 	cp client.p12 $(USER_NAME).p12
104
105 client.pem: client.p12
106-	$(OPENSSL) pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
107+	@[ -f client.pem ] || $(OPENSSL) pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
108 	chmod g+r client.pem
109 	cp client.pem $(USER_NAME).pem
110
111@@ -140,18 +140,18 @@ client.vrfy: ca.pem client.pem
112 #
113 ######################################################################
114 inner-server.csr inner-server.key: inner-server.cnf
115-	$(OPENSSL) req -new  -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf
116+	@[ -f inner-server.csr] || $(OPENSSL) req -new  -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf
117 	chmod g+r inner-server.key
118
119 inner-server.crt: ca.key ca.pem inner-server.csr
120-	$(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in inner-server.csr  -key $(PASSWORD_CA) -out inner-server.crt -extensions xpserver_ext -extfile xpextensions -config ./inner-server.cnf
121+	@[ -f inner-server.crt ] || $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in inner-server.csr  -key $(PASSWORD_CA) -out inner-server.crt -extensions xpserver_ext -extfile xpextensions -config ./inner-server.cnf
122
123 inner-server.p12: inner-server.crt
124-	$(OPENSSL) pkcs12 -export -in inner-server.crt -inkey inner-server.key -out inner-server.p12  -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER)
125+	@[ -f inner-server.p12 ] || $(OPENSSL) pkcs12 -export -in inner-server.crt -inkey inner-server.key -out inner-server.p12  -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER)
126 	chmod g+r inner-server.p12
127
128 inner-server.pem: inner-server.p12
129-	$(OPENSSL) pkcs12 -in inner-server.p12 -out inner-server.pem -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER)
130+	@[ -f inner-server.pem ] || $(OPENSSL) pkcs12 -in inner-server.p12 -out inner-server.pem -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER)
131 	chmod g+r inner-server.pem
132
133 .PHONY: inner-server.vrfy
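Review bot: The guard on the inner-server.csr line is missing the space before the closing bracket, `[ -f inner-server.csr]`, which test(1) rejects as a syntax error (non-zero exit, "missing ]"), so the `||` branch always runs and the CSR and key are regenerated on every invocation. That reintroduces the key/certificate mismatch this patch sets out to avoid: an existing inner-server.crt, which the guard on its own rule now preserves, would no longer correspond to the freshly generated inner-server.key. The line should read `@[ -f inner-server.csr ] || $(OPENSSL) req -new  -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf`.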
134--
1352.25.1
136
137