Tool util functions in tool_util.cc (#2778)

### Description of changes: 
Begin some refactoring.  Move tool utility functions into tool_util.cc.
* Set umask when creating private keys.

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.

---------

Co-authored-by: Will Childs-Klein <[email protected]>

Author: justsmth

tool-openssl/CMakeLists.txt

@@ -6,7 +6,7 @@ add_executable(
     ../tool/fd.cc
     ../tool/client.cc
     ../tool/transport_common.cc
-    
+
     crl.cc
     dgst.cc
     ecparam.cc
@@ -22,6 +22,7 @@ add_executable(
     rsa.cc
     s_client.cc
     tool.cc
+    tool_util.cc
     verify.cc
     version.cc
     x509.cc
@@ -87,17 +88,17 @@ if(BUILD_TESTING)
         ../tool/client.cc
         ../tool/transport_common.cc
 
-        test_util.cc
         crl.cc
         crl_test.cc
         dgst.cc
         dgst_test.cc
-        ecparam.cc
-        ecparam_test.cc
         ec.cc
         ec_test.cc
+        ecparam.cc
+        ecparam_test.cc
         genrsa.cc
         genrsa_test.cc
+        ordered_args.cc
         pass_util.cc
         pass_util_test.cc
         pkcs8.cc
@@ -113,7 +114,8 @@ if(BUILD_TESTING)
         rsa.cc
         rsa_test.cc
         s_client.cc
-        ordered_args.cc
+        test_util.cc
+        tool_util.cc
         verify.cc
         verify_test.cc
         x509.cc

tool-openssl/ecparam.cc

@@ -144,16 +144,17 @@ bool ecparamTool(const args_list_t &args) {
       fprintf(stderr, "Failed to create EC key for curve\n");
       goto err;
     }
-    
+
     if (!EC_KEY_generate_key(eckey.get())) {
       fprintf(stderr, "Failed to generate EC key\n");
       goto err;
     }
-    
+
     // Set point conversion form on the key
     EC_KEY_set_conv_form(eckey.get(), point_form);
-    
+
     if (!noout) {
+      SetUmaskForPrivateKey();
       if (output_format == FORMAT_PEM) {
         if (!PEM_write_bio_ECPrivateKey(out_bio.get(), eckey.get(), nullptr, nullptr, 0, nullptr, nullptr)) {
           fprintf(stderr, "Failed to write private key in PEM format\n");

tool-openssl/genrsa.cc

@@ -96,6 +96,7 @@ static bssl::UniquePtr<BIO> CreateOutputBIO(const std::string &out_path) {
       return nullptr;
     }
   } else {
+    SetUmaskForPrivateKey();
     bio.reset(BIO_new_file(out_path.c_str(), "wb"));
     if (!bio) {
       fprintf(stderr, "Error: Could not open output file '%s'\n",
@@ -203,7 +204,7 @@ bool genrsaTool(const args_list_t &args) {
   // Write the key with optional encryption
   password = (!passout_arg->empty()) ? passout_arg->c_str() : NULL;
   password_len = (!passout_arg->empty()) ? static_cast<int>(passout_arg->length()) : 0;
-  
+
   if (!PEM_write_bio_PrivateKey(bio.get(), pkey.get(), cipher,
                                 (unsigned char*)password, password_len,
                                 NULL, NULL)) {

tool-openssl/internal.h

@@ -6,7 +6,6 @@
 
 #include <openssl/digest.h>
 #include <algorithm>
-#include <memory>
 #include <string>
 #include <utility>
 #include <vector>
@@ -196,4 +195,6 @@ bool GetExclusiveBoolArgument(std::string *out_arg, const argument_t *templates,
                               const ordered_args_map_t &args);
 }  // namespace ordered_args
 
+void SetUmaskForPrivateKey();
+
 #endif  // TOOL_OPENSSL_INTERNAL_H

tool-openssl/req.cc

@@ -511,6 +511,7 @@ bool reqTool(const args_list_t &args) {
   }
 
   bssl::UniquePtr<BIO> out_bio;
+  SetUmaskForPrivateKey();
   if (!keyout.empty()) {
     fprintf(stderr, "Writing private key to %s\n", keyout.c_str());
     out_bio.reset(BIO_new_file(keyout.c_str(), "w"));

tool-openssl/tool.cc

@@ -14,7 +14,6 @@
 #endif
 
 #include "./internal.h"
-    
 
 static const std::array<Tool, 16> kTools = {{
     {"crl", CRLTool},

tool-openssl/tool_util.cc

@@ -0,0 +1,25 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0 OR ISC
+
+#include "internal.h"
+#include <string>
+#if !defined(OPENSSL_WINDOWS)
+  #include <sys/stat.h>
+#endif
+
+static bool isCharUpperCaseEqual(char a, char b) {
+  return ::toupper(a) == ::toupper(b);
+}
+
+bool isStringUpperCaseEqual(const std::string &a, const std::string &b) {
+  return a.size() == b.size() &&
+         std::equal(a.begin(), a.end(), b.begin(), isCharUpperCaseEqual);
+}
+
+void SetUmaskForPrivateKey() {
+// On Windows, the default behavior for new files is to inherit ACLs from the parent directory,
+// and there's no process-wide "mask" to subtract permissions like in POSIX systems.
+#if !defined(OPENSSL_WINDOWS)
+  umask(0077);
+#endif
+}

tool-openssl/x509.cc

@@ -91,15 +91,6 @@ static bool WriteSignedCertificate(X509 *x509, bssl::UniquePtr<BIO> &output_bio,
   return true;
 }
 
-static bool isCharUpperCaseEqual(char a, char b) {
-  return ::toupper(a) == ::toupper(b);
-}
-
-bool isStringUpperCaseEqual(const std::string &a, const std::string &b) {
-  return a.size() == b.size() &&
-         std::equal(a.begin(), a.end(), b.begin(), isCharUpperCaseEqual);
-}
-
 static int AdaptKeyIDExtension(X509 *cert, X509V3_CTX *ext_ctx,
                                const char *name, const char *value,
                                int add_if_missing) {