#!/usr/bin/env perl
#
# InspIRCd -- Internet Relay Chat Daemon
#
# Copyright (C) 2025 Sadie Powell <sadie@witchery.services>
#
# This file is part of InspIRCd. InspIRCd is free software: you can
# redistribute it and/or modify it under the terms of the GNU General Public
# License as published by the Free Software Foundation, version 2.
#
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
# details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
use v5.26.0;
use strict;
use warnings FATAL => qw(all);
use Cwd qw(getcwd);
use File::Temp ();
sub prompt($$) {
my ($question, $default) = @_;
say $question;
print "[$default] => ";
chomp(my $answer = <STDIN>);
say '';
return $answer ? $answer : $default;
}
if (scalar @ARGV < 1 || $ARGV[0] !~ /^(?:auto|gnutls|openssl)$/i) {
say STDERR "Usage: $0 <auto|gnutls|openssl> [SSL-DIR]";
exit 1;
}
# On OS X the GnuTLS certtool is prefixed to avoid collision with the system certtool.
my $certtool = $^O eq 'darwin' ? 'gnutls-certtool' : 'certtool';
# Check whether the user has the required tools installed.
my $has_gnutls = !system "$certtool --help 2>/dev/null";
my $has_openssl = !system 'openssl version >/dev/null 2>&1';
# The framework the user has specified.
my $tool = lc $ARGV[0];
# If the user has not explicitly specified a framework then detect one.
if ($tool eq 'auto') {
if ($has_gnutls) {
$tool = 'gnutls';
} elsif ($has_openssl) {
$tool = 'openssl';
} else {
say STDERR "SSL generation failed: could not find $certtool or openssl in the PATH!";
exit 1;
}
} elsif ($tool eq 'gnutls' && !$has_gnutls) {
say STDERR "SSL generation failed: could not find '$certtool' in the PATH!";
exit 1;
} elsif ($tool eq 'openssl' && !$has_openssl) {
say STDERR 'SSL generation failed: could not find \'openssl\' in the PATH!';
exit 1;
}
# Output to the cwd unless an SSL directory is specified.
if (scalar @ARGV > 1 && !chdir $ARGV[1]) {
say STDERR "Unable to change the working directory to $ARGV[1]: $!.";
exit 1;
}
# Harvest information needed to generate the certificate.
my $common_name = prompt('What is the hostname of your server?', 'irc.example.com');
my $email = prompt('What email address can you be contacted at?', 'example@example.com');
my $unit = prompt('What is the name of your unit?', 'Server Admins');
my $organization = prompt('What is the name of your organization?', 'Example IRC Network');
my $city = prompt('What city are you located in?', 'Example City');
my $state = prompt('What state are you located in?', 'Example State');
my $country = prompt('What is the ISO 3166-1 code for the country you are located in?', 'XZ');
my $days = prompt('How many days do you want your certificate to be valid for?', '365');
# Contains the exit code of openssl/gnutls-certtool.
my $status = 0;
if ($tool eq 'gnutls') {
my $tmp = new File::Temp();
print $tmp <<__GNUTLS_END__;
cn = "$common_name"
email = "$email"
unit = "$unit"
organization = "$organization"
locality = "$city"
state = "$state"
country = "$country"
expiration_days = $days
tls_www_client
tls_www_server
__GNUTLS_END__
close($tmp);
$status ||= system "$certtool --generate-privkey --sec-param normal --outfile key.pem";
$status ||= system "$certtool --generate-self-signed --load-privkey key.pem --outfile cert.pem --template $tmp";
} elsif ($tool eq 'openssl') {
my $tmp = new File::Temp();
print $tmp <<__OPENSSL_END__;
$country
$state
$city
$organization
$unit
$common_name
$email
.
$organization
__OPENSSL_END__
close($tmp);
$status ||= system "cat $tmp | openssl req -x509 -nodes -newkey rsa:2048 -keyout key.pem -out cert.pem -days $days 2>/dev/null";
}
if ($status) {
say STDERR "SSL generation failed: $tool exited with a non-zero status!";
exit 1;
} else {
say <<~"EOM";
An SSL certificate and key have been generated and placed in ${\getcwd()}.
NOTE: It is *NOT SECURE* to use these files for public client connections. They
are intended for server connections where the fingerprint is pinned in the link
config. For public client connections you should obtain a certificate and key
from a trusted authority like Let's Encrypt. This can be automated using a tool
like Certbot. See https://certbot.eff.org/instructions for more details.
EOM
}