1From bb1cb2ffc7a31c0a2bb2de51ef82d304b0a107c3 Mon Sep 17 00:00:00 2001
2From: Mingli Yu <mingli.yu@windriver.com>
3Date: Wed, 5 Aug 2020 07:23:11 +0000
4Subject: [PATCH] raddb/certs/Makefile: fix the occasional verification failure
5
6Fixes:
7 # cd /etc/raddb/certs
8 # ./bootstrap
9[snip]
10chmod g+r ca.key
11openssl pkcs12 -in server.p12 -out server.pem -passin pass:'whatever' -passout pass:'whatever'
12chmod g+r server.pem
13C = FR, ST = Radius, O = Example Inc., CN = Example Server Certificate, emailAddress = admin@example.org
14error 7 at 0 depth lookup: certificate signature failure
15140066667427072:error:04067084:rsa routines:rsa_ossl_public_decrypt:data too large for modulus:../openssl-1.1.1g/crypto/rsa/rsa_ossl.c:553:
16140066667427072:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:../openssl-1.1.1g/crypto/asn1/a_verify.c:170:
17error server.pem: verification failed
18make: *** [Makefile:107: server.vrfy] Error 2
19
20It seems the ca.pem mismatchs server.pem which results in failing to
21execute "openssl verify -CAfile ca.pem server.pem", so add to check
22the file to avoid inconsistency.
23
24Upstream-Status: Pending
25
26Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
27---
28 raddb/certs/Makefile | 30 +++++++++++++++---------------
29 1 file changed, 15 insertions(+), 15 deletions(-)
30
31diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
32index d064fe252d..86f4547804 100644
33--- a/raddb/certs/Makefile
34+++ b/raddb/certs/Makefile
35@@ -59,7 +59,7 @@ passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf
36 #
37 ######################################################################
38 dh:
39- $(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE)
40+ @[ -f dh ] || $(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE)
41
42 ######################################################################
43 #
44@@ -69,17 +69,17 @@ dh:
45 ca.key ca.pem: ca.cnf
46 @[ -f index.txt ] || $(MAKE) index.txt
47 @[ -f serial ] || $(MAKE) serial
48- $(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \
49+ @[ -f ca.pem ] || $(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \
50 -days $(CA_DEFAULT_DAYS) -config ./ca.cnf \
51 -passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA)
52 chmod g+r ca.key
53
54 ca.der: ca.pem
55- $(OPENSSL) x509 -inform PEM -outform DER -in ca.pem -out ca.der
56+ @[ -f ca.der ] || $(OPENSSL) x509 -inform PEM -outform DER -in ca.pem -out ca.der
57
58 ca.crl: ca.pem
59- $(OPENSSL) ca -gencrl -keyfile ca.key -cert ca.pem -config ./ca.cnf -out ca-crl.pem -key $(PASSWORD_CA)
60- $(OPENSSL) crl -in ca-crl.pem -outform der -out ca.crl
61+ @[ -f ca-crl.pem ] || $(OPENSSL) ca -gencrl -keyfile ca.key -cert ca.pem -config ./ca.cnf -out ca-crl.pem -key $(PASSWORD_CA)
62+ @[ -f ca.crl ] || $(OPENSSL) crl -in ca-crl.pem -outform der -out ca.crl
63 rm ca-crl.pem
64
65 ######################################################################
66@@ -88,18 +88,18 @@ ca.crl: ca.pem
67 #
68 ######################################################################
69 server.csr server.key: server.cnf
70- $(OPENSSL) req -new -out server.csr -keyout server.key -config
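Review bot: The new guard on the `dh` recipe tests only that a file exists, so an empty or truncated `dh` left behind by an interrupted or failed earlier run is accepted as valid parameters from then on, and a changed `$(DH_KEY_SIZE)` no longer has any effect. Testing for a non-empty file is the smallest improvement: `@[ -s dh ] || $(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE)`. The same `[ -f … ] ||` existence test is added in the ca, server, client and inner-server hunks below. A comment such as `# delete dh to regenerate; the guard skips any existing file` would record that regeneration is now a manual step.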
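Review bot: The guard added under `ca.key ca.pem: ca.cnf` tests only `ca.pem`, although the recipe writes both `ca.key` and `ca.pem`, so a directory that holds ca.pem without its key skips generation and only fails later at `chmod g+r ca.key` or at signing. GNU make also treats this two-target header as two independent rules, so the recipe may run once per target; under `make -j` both runs could pass the test before either has written its files, which may be the source of the occasional CA/server mismatch the commit message describes. Testing both outputs is the minimal change, `@[ -f ca.key ] && [ -f ca.pem ] || $(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \`, and producing the pair from a single stamp target would remove the double execution.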
./server.cnf
71+ @[ -f server.csr ] || $(OPENSSL) req -new -out server.csr -keyout server.key -config ./server.cnf
72 chmod g+r server.key
73
74 server.crt: ca.key ca.pem server.csr
75 @[ -f server.crt ] || $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
76
77 server.p12: server.crt
78- $(OPENSSL) pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
79+ @[ -f server.p12 ] || $(OPENSSL) pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
80 chmod g+r server.p12
81
82 server.pem: server.p12
83- $(OPENSSL) pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
84+ @[ -f server.pem ] || $(OPENSSL) pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
85 chmod g+r server.pem
86
87 .PHONY: server.vrfy
88@@ -113,19 +113,19 @@ server.vrfy: ca.pem
89 #
90 ######################################################################
91 client.csr client.key: client.cnf
92- $(OPENSSL) req -new -out client.csr -keyout client.key -config ./client.cnf
93+ @[ -f client.csr ] || $(OPENSSL) req -new -out client.csr -keyout client.key -config ./client.cnf
94 chmod g+r client.key
95
96 client.crt: ca.key ca.pem client.csr
97 @[ -f client.crt ] || $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
98
99 client.p12: client.crt
100- $(OPENSSL) pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
101+ @[ -f client.p12 ] || $(OPENSSL) pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout
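Review bot: The guards on `server.p12` and `server.pem` stop a reissued certificate from propagating down the chain. If server.crt is replaced, for example after the CA is regenerated, make still runs these recipes but the `[ -f … ]` test skips the export, so server.pem keeps the old certificate and `server.vrfy` can fail against the new ca.pem in the way the commit message shows. These two steps only repackage an existing key and certificate, so they appear safe to leave unguarded as before (`$(OPENSSL) pkcs12 -export -in server.crt -inkey server.key -out server.p12 …`), keeping the guard for the key-generating `req` step only. The client and inner-server hunks add the same guards to their .p12 and .pem rules.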
pass:$(PASSWORD_CLIENT)
102 chmod g+r client.p12
103 cp client.p12 $(USER_NAME).p12
104
105 client.pem: client.p12
106- $(OPENSSL) pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
107+ @[ -f client.pem ] || $(OPENSSL) pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
108 chmod g+r client.pem
109 cp client.pem $(USER_NAME).pem
110
111@@ -140,18 +140,18 @@ client.vrfy: ca.pem client.pem
112 #
113 ######################################################################
114 inner-server.csr inner-server.key: inner-server.cnf
115- $(OPENSSL) req -new -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf
116+ @[ -f inner-server.csr] || $(OPENSSL) req -new -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf
117 chmod g+r inner-server.key
118
119 inner-server.crt: ca.key ca.pem inner-server.csr
120- $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in inner-server.csr -key $(PASSWORD_CA) -out inner-server.crt -extensions xpserver_ext -extfile xpextensions -config ./inner-server.cnf
121+ @[ -f inner-server.crt ] || $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in inner-server.csr -key $(PASSWORD_CA) -out inner-server.crt -extensions xpserver_ext -extfile xpextensions -config ./inner-server.cnf
122
123 inner-server.p12: inner-server.crt
124- $(OPENSSL) pkcs12 -export -in inner-server.crt -inkey inner-server.key -out inner-server.p12 -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER)
125+ @[ -f inner-server.p12 ] || $(OPENSSL) pkcs12 -export -in inner-server.crt -inkey inner-server.key -out inner-server.p12 -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER)
126 chmod g+r inner-server.p12
127
128 inner-server.pem: inner-server.p12
129- $(OPENSSL) pkcs12 -in inner-server.p12 -out inner-server.pem -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER)
130+ @[ -f inner-server.pem ] || $(OPENSSL)
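Review bot: The rewritten `client.p12` and `client.pem` lines still pass the key password as `-passin pass:$(PASSWORD_CLIENT)` on the openssl command line, where other local users can read it from the process list while the command runs. OpenSSL also accepts `env:` and `file:` password sources, so since these lines are being touched anyway they could use `-passin env:PASSWORD_CLIENT -passout env:PASSWORD_CLIENT` with `export PASSWORD_CLIENT` in the Makefile. Whether the value is shell-quoted depends on passwords.mk, which is outside this diff. The same `pass:` arguments appear in the ca, server and inner-server hunks.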
pkcs12 -in inner-server.p12 -out inner-server.pem -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER)
131 chmod g+r inner-server.pem
132
133 .PHONY: inner-server.vrfy
134--
1352.25.1
136
137
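Review bot: The guard in the `inner-server.csr inner-server.key` recipe is written `[ -f inner-server.csr] ||`, without the space before `]`, so `[` takes `inner-server.csr]` as the file name, finds no closing bracket and exits with an error. The `||` branch therefore runs every time the recipe runs, and `openssl req` writes a fresh inner-server.key while the guarded inner-server.crt, .p12 and .pem are kept. That leaves a private key which no longer matches the issued certificate, the kind of inconsistency this commit sets out to prevent. The line should read `@[ -f inner-server.csr ] || $(OPENSSL) req -new -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf`.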