seanovision has asked for the wisdom of the Perl Monks concerning the following question:

Hi,

I've been wrestling with this for a couple of weeks and I'm not sure what I'm doing wrong. I'm writing a script that will eventually sign several certificate signing requests (CSRs) using openssl. But for now, I can't get it to sign a single one.

Here are the beginning and the signing portions of the script as they are now. Instead of using an argument to input the passphrase, I'm defining it in a variable and have it printed out to prove that perl is getting the passphrase OK.

*****************************************************

#!/usr/bin/perl
use Expect;
use IO::Socket;
use strict;
use warnings;

$Expect::Exp_Internal = 1; # for debugging...

my $pass = "pa\$\$sphrase\n";
print "$pass";

############################
# on to the signing portion...
############################

print "\nAttempting to sign $csr to $crt...\n\n";

my $sign_command = system ("openssl x509 -CA CA.crt -CAkey CA.key -req -CAserial CA.srl -req -in $csr -out $crt -days 1825");
my $enter = ("Enter pass phrase for CA.key:");
my $exp = new Expect;
$exp->exp_internal(1);
$exp->debug(3);
$exp->raw_pty(0);
$exp->spawn($sign_command) or die "Cannot spawn sign_command.\n";
$exp->match("$enter");
$exp->send ("$pass\r");
$exp->soft_close();

print "\n$csr successfully signed into $crt\n";

********************************************

But this is as far as the script goes when run:

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

pa$$phrase
Attempting to sign good.csr to good.crt...
Signature ok
subject=/C=US/ST=State/O=MyCompany LLC/CN=internal.domain.company.com
Getting CA Private Key
Enter pass phrase for CA_NSO.key:

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

...and that's as far as it gets. Either the $exp->match isn't right or $exp->send isn't really sending. Debug isn't telling me anything and sticking in print statements between the $exp statements doesn't print anything because it's in the middle of an openssl session (at least that's what I think). Is there a way that I can narrow down if expect is even looking for a match or not sending the passphrase?

Thanks,

-Sean
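
The same signing step with Expect itself starting openssl, waiting on the prompt with a timeout, and reporting why a match failed. This is an added example, not code from the thread. It assumes the CA files named in the post are in the current directory and that the passphrase arrives in a CA_PASS environment variable, a name chosen for this example.

```perl
#!/usr/bin/perl
# Added example, not the poster's script. Assumptions: CA.crt, CA.key and
# CA.srl are in the current directory; the passphrase is supplied in the
# CA_PASS environment variable (hypothetical name) instead of the source.
use strict;
use warnings;
use Expect;

my ($csr, $crt) = @ARGV;
die "usage: $0 request.csr signed.crt\n" unless defined $crt;
my $pass = $ENV{CA_PASS};
die "CA_PASS is not set\n" unless defined $pass;

# Program and arguments as a list: no shell is involved, so a CSR file
# name with spaces or shell metacharacters is passed through verbatim.
my @cmd = ('openssl', 'x509', '-req', '-CA', 'CA.crt', '-CAkey', 'CA.key',
           '-CAserial', 'CA.srl', '-in', $csr, '-out', $crt, '-days', '1825');

my $exp = Expect->new;
$exp->log_stdout(0);    # do not copy the openssl session to STDOUT

# spawn() starts openssl on a pty. Wrapping the command in system() first
# would run it on the real terminal and hand back only an exit status.
$exp->spawn(@cmd) or die "Cannot spawn openssl: $!\n";

# expect() is the call that waits for output; match() only reports what the
# last expect() matched. It returns the 1-based index of the pattern that
# matched, or undef on timeout or EOF.
my $matched = $exp->expect(15, '-re', 'Enter pass phrase for [^:]+:');
unless (defined $matched) {
    my $why  = $exp->error  // 'unknown';   # e.g. "1:TIMEOUT" or "2:EOF"
    my $seen = $exp->before // '';          # everything read before giving up
    $exp->hard_close;
    die "No passphrase prompt ($why). Output so far:\n$seen\n";
}

$exp->send("$pass\n");  # one line terminator, as if typed at the prompt
$exp->expect(30);       # no pattern: read until EOF or 30 seconds
$exp->soft_close;

# A wrong passphrase makes openssl exit non-zero, so check before reporting.
my $status = $exp->exitstatus;
die "openssl did not exit cleanly\n" unless defined $status && $status == 0;
print "$csr signed into $crt\n";
```

The `before` and `error` values printed on failure show whether the prompt text ever arrived and whether the wait ended in a timeout or EOF.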

Replies are listed 'Best First'.
Re: signing SSL certs with openssl using Expect
by merlyn (Sage) on Dec 11, 2007 at 20:25 UTC

      Randal,

      Good catch, but it was a pasting mistake on my part, trying to obfuscate company information.

      In the actual code I'm running, the "my $enter" statement precisely matches the output of openssl.