* Re: [PATCH] tools/certs: Make print-cert-tbs-hash.sh compatible with recent OpenSSL
From: Mickaël Salaün @ 2025-07-09 13:19 UTC
To: David Howells, David Woodhouse
Cc: keyrings, Eric Snowberg, Jarkko Sakkinen, Daniel Urbonas,
linux-security-module, linux-kernel

I can take it but I'd like an Acked-by please.

On Mon, Oct 07, 2024 at 08:42:16PM +0200, Mickaël Salaün wrote:
> Could someone please take this patch?
>
> On Mon, Jul 29, 2024 at 08:02:32PM +0200, Mickaël Salaün wrote:
> > Recent OpenSSL versions (2 or 3) broke the "x509" argument parsing by
> > not handling "-in -" (unlike OpenSSL 1.1):
> > Could not open file or uri for loading certificate from -: No such
> > file or directory
> >
> > Avoid this issue and still make this script work with older versions of
> > OpenSSL by using implicit arguments instead.
> >
> > To hopefully make it more future-proof, apply the same simplifications
> > for other OpenSSL commands.
> >
> > Cc: David Howells <dhowells@redhat.com>
> > Cc: David Woodhouse <dwmw2@infradead.org>
> > Cc: Eric Snowberg <eric.snowberg@oracle.com>
> > Cc: Jarkko Sakkinen <jarkko@kernel.org>
> > Reported-by: Daniel Urbonas <t-durbonas@microsoft.com>
> > Fixes: 58d416351e6d ("tools/certs: Add print-cert-tbs-hash.sh")
> > Signed-off-by: Mickaël Salaün <mic@digikod.net>
> > ---
> > tools/certs/print-cert-tbs-hash.sh | 6 +++---
> > 1 file changed, 3 insertions(+), 3 deletions(-)
> >
> > diff --git a/tools/certs/print-cert-tbs-hash.sh b/tools/certs/print-cert-tbs-hash.sh
> > index c93df5387ec9..22bdeec4d286 100755
> > --- a/tools/certs/print-cert-tbs-hash.sh
> > +++ b/tools/certs/print-cert-tbs-hash.sh
> > @@ -54,7 +54,7 @@ RANGE_AND_DIGEST_RE='
> > '
> >
> > RANGE_AND_DIGEST=($(echo "${PEM}" | \
> > - openssl asn1parse -in - | \
> > + openssl asn1parse | \
> > sed -n -e "${RANGE_AND_DIGEST_RE}"))
> >
> > if [ "${#RANGE_AND_DIGEST[@]}" != 3 ]; then
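Review bot: the `openssl asn1parse` line now depends on the command reading standard input when no `-in` option is given, and nothing next to it says the omission is deliberate. A one-line comment above this pipeline, noting that `-in -` is left out because newer OpenSSL tries to open `-` as a file, would keep a later cleanup from putting the option back.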
> > @@ -85,7 +85,7 @@ if [ -z "${DIGEST_MATCH}" ]; then
> > fi
> >
> > echo "${PEM}" | \
> > - openssl x509 -in - -outform DER | \
> > + openssl x509 -outform DER | \
> > dd "bs=1" "skip=${OFFSET}" "count=${END}" "status=none" | \
> > - openssl dgst "-${DIGEST_MATCH}" - | \
> > + openssl dgst "-${DIGEST_MATCH}" | \
> > awk '{printf "tbs:" $2}'
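Review bot: the final pipeline still emits a `tbs:` line when `openssl x509` fails, because `dd`, `openssl dgst` and `awk` process whatever reaches them, including no data at all. The failing run reported later in this thread shows the effect: the `tbs:` value printed right after the error message is the SHA-256 digest of empty input, so it identifies no certificate even though it looks like a valid result. Consider capturing the DER conversion or the digest into a variable and printing only after checking that the step succeeded and produced data. Separately, `printf "tbs:" $2` would be safer as `printf "tbs:%s", $2`, so that the field is never interpreted as part of the format string.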
> > --
> > 2.45.2
> >
* Re: [PATCH] tools/certs: Make print-cert-tbs-hash.sh compatible with recent OpenSSL
From: Paul Moore @ 2025-07-09 15:29 UTC
To: Mickaël Salaün
Cc: David Howells, David Woodhouse, keyrings, Eric Snowberg,
Jarkko Sakkinen, Daniel Urbonas, linux-security-module,
linux-kernel

On Wed, Jul 9, 2025 at 9:20 AM Mickaël Salaün <mic@digikod.net> wrote:
>
> I can take it but I'd like an Acked-by please.

% openssl -v
OpenSSL 3.5.1 1 Jul 2025 (Library: OpenSSL 3.5.1 1 Jul 2025)

With Linus' current tree:

% ./print-cert-tbs-hash.sh ./LVFS-CA.pem
Could not open file or uri for loading certificate from -: No such file or directory
tbs:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

With the patch below:

% ./print-cert-tbs-hash.sh ./LVFS-CA.pem
tbs:b11d0663606508a8510b760d68acb599f1911726f7c06c01df4d122fce8b957b

Tested-by: Paul Moore <paul@paul-moore.com>

> On Mon, Oct 07, 2024 at 08:42:16PM +0200, Mickaël Salaün wrote:
> > Could someone please take this patch?
> >
> > On Mon, Jul 29, 2024 at 08:02:32PM +0200, Mickaël Salaün wrote:
> > > Recent OpenSSL versions (2 or 3) broke the "x509" argument parsing by
> > > not handling "-in -" (unlike OpenSSL 1.1):
> > > Could not open file or uri for loading certificate from -: No such
> > > file or directory
> > >
> > > Avoid this issue and still make this script work with older versions of
> > > OpenSSL by using implicit arguments instead.
> > >
> > > To hopefully make it more future-proof, apply the same simplifications
> > > for other OpenSSL commands.
> > >
> > > Cc: David Howells <dhowells@redhat.com>
> > > Cc: David Woodhouse <dwmw2@infradead.org>
> > > Cc: Eric Snowberg <eric.snowberg@oracle.com>
> > > Cc: Jarkko Sakkinen <jarkko@kernel.org>
> > > Reported-by: Daniel Urbonas <t-durbonas@microsoft.com>
> > > Fixes: 58d416351e6d ("tools/certs: Add print-cert-tbs-hash.sh")
> > > Signed-off-by: Mickaël Salaün <mic@digikod.net>
> > > ---
> > > tools/certs/print-cert-tbs-hash.sh | 6 +++---
> > > 1 file changed, 3 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/tools/certs/print-cert-tbs-hash.sh b/tools/certs/print-cert-tbs-hash.sh
> > > index c93df5387ec9..22bdeec4d286 100755
> > > --- a/tools/certs/print-cert-tbs-hash.sh
> > > +++ b/tools/certs/print-cert-tbs-hash.sh
> > > @@ -54,7 +54,7 @@ RANGE_AND_DIGEST_RE='
> > > '
> > >
> > > RANGE_AND_DIGEST=($(echo "${PEM}" | \
> > > - openssl asn1parse -in - | \
> > > + openssl asn1parse | \
> > > sed -n -e "${RANGE_AND_DIGEST_RE}"))
> > >
> > > if [ "${#RANGE_AND_DIGEST[@]}" != 3 ]; then
> > > @@ -85,7 +85,7 @@ if [ -z "${DIGEST_MATCH}" ]; then
> > > fi
> > >
> > > echo "${PEM}" | \
> > > - openssl x509 -in - -outform DER | \
> > > + openssl x509 -outform DER | \
> > > dd "bs=1" "skip=${OFFSET}" "count=${END}" "status=none" | \
> > > - openssl dgst "-${DIGEST_MATCH}" - | \
> > > + openssl dgst "-${DIGEST_MATCH}" | \
> > > awk '{printf "tbs:" $2}'
> > > --
> > > 2.45.2
--
paul-moore.com