#!/usr/bin/env perl # # InspIRCd -- Internet Relay Chat Daemon # # Copyright (C) 2025 Sadie Powell # # This file is part of InspIRCd. InspIRCd is free software: you can # redistribute it and/or modify it under the terms of the GNU General Public # License as published by the Free Software Foundation, version 2. # # This program is distributed in the hope that it will be useful, but WITHOUT # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS # FOR A PARTICULAR PURPOSE. See the GNU General Public License for more # details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # use v5.26.0; use strict; use warnings FATAL => qw(all); use Cwd qw(getcwd); use File::Temp (); # IMPORTANT: This script has to be able to run by itself so that it can be used # by binary distributions where the make/console.pm module will not # be available! eval { use File::Basename qw(dirname); use FindBin qw($RealDir); use lib dirname $RealDir; require make::console; make::console->import(); }; sub prompt($$) { my ($question, $default) = @_; return prompt_string(1, $question, $default) if defined main->can('prompt_string'); say $question; print "[$default] => "; chomp(my $answer = ); say ''; return $answer ? $answer : $default; } if (scalar @ARGV < 1 || $ARGV[0] !~ /^(?:auto|gnutls|openssl)$/i) { say STDERR "Usage: $0 [SSL-DIR]"; exit 1; } # On OS X the GnuTLS certtool is prefixed to avoid collision with the system certtool. my $certtool = $^O eq 'darwin' ? 'gnutls-certtool' : 'certtool'; # Check whether the user has the required tools installed. my $has_gnutls = !system "$certtool --help 2>/dev/null"; my $has_openssl = !system 'openssl version >/dev/null 2>&1'; # The framework the user has specified. my $tool = lc $ARGV[0]; # If the user has not explicitly specified a framework then detect one. if ($tool eq 'auto') { if ($has_gnutls) { $tool = 'gnutls'; } elsif ($has_openssl) { $tool = 'openssl'; } else { say STDERR "SSL generation failed: could not find $certtool or openssl in the PATH!"; exit 1; } } elsif ($tool eq 'gnutls' && !$has_gnutls) { say STDERR "SSL generation failed: could not find '$certtool' in the PATH!"; exit 1; } elsif ($tool eq 'openssl' && !$has_openssl) { say STDERR 'SSL generation failed: could not find \'openssl\' in the PATH!'; exit 1; } # Output to the cwd unless an SSL directory is specified. if (scalar @ARGV > 1 && !chdir $ARGV[1]) { say STDERR "Unable to change the working directory to $ARGV[1]: $!."; exit 1; } # Harvest information needed to generate the certificate. my $common_name = prompt('What is the hostname of your server?', 'irc.example.com'); my $email = prompt('What email address can you be contacted at?', 'example@example.com'); my $unit = prompt('What is the name of your unit?', 'Server Admins'); my $organization = prompt('What is the name of your organization?', 'Example IRC Network'); my $city = prompt('What city are you located in?', 'Example City'); my $state = prompt('What state are you located in?', 'Example State'); my $country = prompt('What is the ISO 3166-1 code for the country you are located in?', 'XZ'); my $days = prompt('How many days do you want your certificate to be valid for?', '365'); # Contains the exit code of openssl/gnutls-certtool. my $status = 0; if ($tool eq 'gnutls') { my $tmp = new File::Temp(); print $tmp <<__GNUTLS_END__; cn = "$common_name" email = "$email" unit = "$unit" organization = "$organization" locality = "$city" state = "$state" country = "$country" expiration_days = $days tls_www_client tls_www_server __GNUTLS_END__ close($tmp); $status ||= system "$certtool --generate-privkey --sec-param normal --outfile key.pem"; $status ||= system "$certtool --generate-self-signed --load-privkey key.pem --outfile cert.pem --template $tmp"; } elsif ($tool eq 'openssl') { my $tmp = new File::Temp(); print $tmp <<__OPENSSL_END__; $country $state $city $organization $unit $common_name $email . $organization __OPENSSL_END__ close($tmp); $status ||= system "cat $tmp | openssl req -x509 -nodes -newkey rsa:2048 -keyout key.pem -out cert.pem -days $days 2>/dev/null"; } if ($status) { say STDERR "SSL generation failed: $tool exited with a non-zero status!"; exit 1; } else { say <<~"EOM"; An SSL certificate and key have been generated and placed in ${\getcwd()}. NOTE: It is *NOT SECURE* to use these files for public client connections. They are intended for server connections where the fingerprint is pinned in the link config. For public client connections you should obtain a certificate and key from a trusted authority like Let's Encrypt. This can be automated using a tool like Certbot. See https://certbot.eff.org/instructions for more details. EOM }