-rw-r--r-- | doc/man/gnunet-gns-proxy-setup-ca.1 | 24 | ||||
-rw-r--r-- | src/gns/gnunet-gns-proxy-setup-ca.in | 133 |
2 files changed, 112 insertions, 45 deletions
diff --git a/doc/man/gnunet-gns-proxy-setup-ca.1 b/doc/man/gnunet-gns-proxy-setup-ca.1 index 6c7658bee..44b89abd0 100644 --- a/doc/man/gnunet-gns-proxy-setup-ca.1 +++ b/doc/man/gnunet-gns-proxy-setup-ca.1 | |||
@@ -29,15 +29,17 @@ | |||
29 | .Nd generate an X509 certificate for gnunet-gns-proxy and install it | 29 | .Nd generate an X509 certificate for gnunet-gns-proxy and install it |
30 | .Sh SYNOPSIS | 30 | .Sh SYNOPSIS |
31 | .Nm | 31 | .Nm |
32 | .Op Fl hvtoV | ||
32 | .Op Fl c Ar FILE | 33 | .Op Fl c Ar FILE |
33 | .\".Op Fl f Ar FILE | 34 | .\".Op Fl f Ar FILE |
34 | .Op Fl h | ||
35 | .Op Fl v | ||
36 | .Op Fl V | ||
37 | .Sh DESCRIPTION | 35 | .Sh DESCRIPTION |
38 | .Nm | 36 | .Nm |
39 | is a shell script to generate X509 certificates for your gnunet-gns-proxy and to install it for both GNUnet and your web browser. | 37 | is a |
40 | It currently supports Firefox and Chrome based browsers through the help of external helpers: certutil (nss) is used for the import into webbrowsers, openssl is used to generated the CA. | 38 | .Xr sh 1 |
39 | script to generate X509 certificates for your | ||
40 | .Xr gnunet-gns-proxy 1 | ||
41 | and to install it for both GNUnet and your web browser. | ||
42 | It currently supports Firefox and Chrome based browsers through the help of external helpers: certutil (nss) is used for the import into webbrowsers, OpenSSL or GnuTLS are used to generated the CA. | ||
41 | .Bl -tag -width indent | 43 | .Bl -tag -width indent |
42 | .It Fl c Ar FILE | 44 | .It Fl c Ar FILE |
43 | Use the configuration file FILE. | 45 | Use the configuration file FILE. |
@@ -45,12 +47,18 @@ Use the configuration file FILE. | |||
45 | .\" Perform expansions of the variables used in the config value of gns-proxy. | 47 | .\" Perform expansions of the variables used in the config value of gns-proxy. |
46 | .\" This will usually expand $GNUNET_DATA_HOME to represents its path. | 48 | .\" This will usually expand $GNUNET_DATA_HOME to represents its path. |
47 | .It Fl h | 49 | .It Fl h |
48 | Print short help on options | 50 | Print short help on options. |
49 | .It Fl v | 51 | .It Fl v |
50 | Print the version | 52 | Print the version. |
51 | .It Fl V | 53 | .It Fl V |
52 | be verbose | 54 | Be verbose. |
55 | .It Fl t | ||
56 | Run a small test on binaries (only interesting for developers of this tool). | ||
57 | .It Fl o | ||
58 | Show output of results. | ||
53 | .El | 59 | .El |
60 | .Sh RETURN VALUES | ||
61 | .Ex -std | ||
54 | .Sh FILES | 62 | .Sh FILES |
55 | .Pa gnunet.conf | 63 | .Pa gnunet.conf |
56 | .Sh SEE ALSO | 64 | .Sh SEE ALSO |
diff --git a/src/gns/gnunet-gns-proxy-setup-ca.in b/src/gns/gnunet-gns-proxy-setup-ca.in index 885fc069a..256bb882b 100644 --- a/src/gns/gnunet-gns-proxy-setup-ca.in +++ b/src/gns/gnunet-gns-proxy-setup-ca.in | |||
@@ -18,7 +18,7 @@ | |||
18 | # | 18 | # |
19 | # This code is derived from software contributed to | 19 | # This code is derived from software contributed to |
20 | # The NetBSD Foundation by Todd Vierling and Luke Mewburn. | 20 | # The NetBSD Foundation by Todd Vierling and Luke Mewburn. |
21 | 21 | # | |
22 | # Redistribution and use in source and binary forms, with or | 22 | # Redistribution and use in source and binary forms, with or |
23 | # without modification, are permitted provided that the following | 23 | # without modification, are permitted provided that the following |
24 | # conditions are met: | 24 | # conditions are met: |
@@ -29,7 +29,7 @@ | |||
29 | # copyright notice, this list of conditions and the following | 29 | # copyright notice, this list of conditions and the following |
30 | # disclaimer in the documentation and/or other materials | 30 | # disclaimer in the documentation and/or other materials |
31 | # provided with the distribution. | 31 | # provided with the distribution. |
32 | 32 | # | |
33 | # THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND | 33 | # THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND |
34 | # CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, | 34 | # CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, |
35 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF | 35 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF |
@@ -48,32 +48,42 @@ | |||
48 | 48 | ||
49 | progname=${0##*/} | 49 | progname=${0##*/} |
50 | 50 | ||
51 | # Whitespace normalization without depending on shell features: | ||
52 | tab=' ' | ||
53 | tab2=' ' | ||
54 | nl=' | ||
55 | ' | ||
56 | # trap "exit 1" 1 2 3 15 | ||
57 | |||
51 | setdefaults() | 58 | setdefaults() |
52 | { | 59 | { |
53 | verbosity=0 | 60 | verbosity=0 |
61 | resfile= | ||
62 | results=/dev/null | ||
63 | tmpdir=${TMPDIR:-/tmp} | ||
54 | runcmd= | 64 | runcmd= |
55 | } | 65 | } |
56 | 66 | ||
57 | statusmsg() | 67 | statusmsg() |
58 | { | 68 | { |
59 | ${runcmd} echo " $@" | 69 | ${runcmd} echo "${tab}$@" | tee -a "${results}" |
60 | } | 70 | } |
61 | 71 | ||
62 | infomsg() | 72 | infomsg() |
63 | { | 73 | { |
64 | if [ x$verbosity = x1 ]; then | 74 | if [ x$verbosity = x1 ]; then |
65 | statusmsg "INFO: $@" | 75 | statusmsg "INFO:${tab}$@" |
66 | fi | 76 | fi |
67 | } | 77 | } |
68 | 78 | ||
69 | warningmsg() | 79 | warningmsg() |
70 | { | 80 | { |
71 | statusmsg "WARNING: $@" | 81 | statusmsg "WARNING:${tab}$@" |
72 | } | 82 | } |
73 | 83 | ||
74 | errormsg() | 84 | errormsg() |
75 | { | 85 | { |
76 | statusmsg "ERROR: $@" | 86 | statusmsg "ERROR:${tab}$@" |
77 | } | 87 | } |
78 | 88 | ||
79 | linemsg() | 89 | linemsg() |
@@ -81,22 +91,27 @@ linemsg() | |||
81 | statusmsg "=========================================" | 91 | statusmsg "=========================================" |
82 | } | 92 | } |
83 | 93 | ||
94 | existence() | ||
95 | { | ||
96 | command -v "$1" >/dev/null 2>&1 | ||
97 | } | ||
84 | 98 | ||
85 | usage() | 99 | usage() |
86 | { | 100 | { |
87 | if [ -n "$*" ]; then | 101 | if [ -n "$*" ]; then |
88 | echo "" | 102 | echo "${nl}${progname}: $*" |
89 | echo "${progname}: $*" | ||
90 | fi | 103 | fi |
91 | cat <<_usage_ | 104 | cat <<_usage_ |
92 | 105 | ||
93 | Usage: ${progname} [-hv] [-c FILE] [...] | 106 | Usage: ${progname} [-hvVto] [-c FILE] |
94 | 107 | ||
95 | Options: | 108 | Options: |
96 | -c FILE Use the configuration file FILE. | 109 | ${tab}-c FILE Use the configuration file FILE. |
97 | -h Print this help message. | 110 | ${tab}-h${tab2}${tab2}Print this help message. |
98 | -v Print the version and exit. | 111 | ${tab}-o${tab2}${tab2}Display summary of statusmessages |
99 | -V be verbose | 112 | ${tab}-t${tab2}${tab2}Short developer test on binaries |
113 | ${tab}-v${tab2}${tab2}Print the version and exit. | ||
114 | ${tab}-V${tab2}${tab2}be verbose | ||
100 | 115 | ||
101 | _usage_ | 116 | _usage_ |
102 | exit 1 | 117 | exit 1 |
@@ -108,13 +123,13 @@ generate_ca() | |||
108 | echo "" | 123 | echo "" |
109 | infomsg "Generating CA" | 124 | infomsg "Generating CA" |
110 | TMPDIR=${TMPDIR:-/tmp} | 125 | TMPDIR=${TMPDIR:-/tmp} |
111 | if [ -e "$TMPDIR" ]; then | 126 | if test -e "$TMPDIR"; then |
112 | GNSCERT=`mktemp -t certXXXXXXXX.pem` || exit 1 | 127 | GNSCERT=`mktemp -t certXXXXXXXX.pem` || exit 1 |
113 | GNSCAKY=`mktemp -t cakyXXXXXXXX.pem` || exit 1 | 128 | GNSCAKY=`mktemp -t cakyXXXXXXXX.pem` || exit 1 |
114 | GNSCANO=`mktemp -t canoXXXXXXXX.pem` || exit 1 | 129 | GNSCANO=`mktemp -t canoXXXXXXXX.pem` || exit 1 |
115 | else | 130 | else |
116 | # This warning is mostly pointless. | 131 | # This warning is mostly pointless. |
117 | warning "You need to export the TMPDIR variable" | 132 | warningmsg "You need to export the TMPDIR variable" |
118 | fi | 133 | fi |
119 | 134 | ||
120 | # # ------------- gnutls | 135 | # # ------------- gnutls |
@@ -137,18 +152,23 @@ generate_ca() | |||
137 | OPENSSLCFG=@pkgdatadir@/openssl.cnf | 152 | OPENSSLCFG=@pkgdatadir@/openssl.cnf |
138 | CERTTOOL="" | 153 | CERTTOOL="" |
139 | OPENSSL=0 | 154 | OPENSSL=0 |
140 | if test -z "`gnutls-certtool --version`" > /dev/null | 155 | if test -x $(existence gnunet-certtool) |
156 | # if test -z "`gnutls-certtool --version`" > /dev/null | ||
141 | then | 157 | then |
142 | # We only support gnutls certtool for now | 158 | # We only support gnutls certtool for now. Treat the grep |
159 | # for "gnutls" in the output with extra care, it only matches | ||
160 | # the email address! It is probably safer to run strings(1) | ||
161 | # over certtool for a string matching "gnutls" | ||
143 | if test -z "`certtool --version | grep gnutls`" > /dev/null | 162 | if test -z "`certtool --version | grep gnutls`" > /dev/null |
144 | then | 163 | then |
145 | warningmsg "'gnutls-certtool' or 'certtool' command not found. Trying openssl." | 164 | warningmsg "'gnutls-certtool' or 'certtool' command not found. Trying openssl." |
146 | if test -z "`openssl version`" > /dev/null | 165 | # if test -z "`openssl version`" > /dev/null |
166 | if test -x $(existence openssl) | ||
147 | then | 167 | then |
148 | OPENSSL=1 | 168 | OPENSSL=1 |
149 | else | 169 | else |
150 | warningmsg "Install either gnutls certtool or openssl for certificate generation!" | 170 | warningmsg "Install either gnutls certtool or openssl for certificate generation!" |
151 | infomsg "Cleaning up." | 171 | statusmsg "Cleaning up." |
152 | rm -f $GNSCAKY $GNSCERT | 172 | rm -f $GNSCAKY $GNSCERT |
153 | exit 1 | 173 | exit 1 |
154 | fi | 174 | fi |
@@ -157,7 +177,7 @@ generate_ca() | |||
157 | else | 177 | else |
158 | CERTTOOL="gnutls-certtool" | 178 | CERTTOOL="gnutls-certtool" |
159 | fi | 179 | fi |
160 | if [ -n "${GNUNET_CONFIG_FILE}" ]; then | 180 | if test -n "${GNUNET_CONFIG_FILE}"; then |
161 | GNUNET_CONFIG="-c ${GNUNET_CONFIG_FILE}" | 181 | GNUNET_CONFIG="-c ${GNUNET_CONFIG_FILE}" |
162 | else | 182 | else |
163 | GNUNET_CONFIG="" | 183 | GNUNET_CONFIG="" |
@@ -167,13 +187,26 @@ generate_ca() | |||
167 | 187 | ||
168 | if test 1 -eq $OPENSSL | 188 | if test 1 -eq $OPENSSL |
169 | then | 189 | then |
170 | openssl req -config $OPENSSLCFG -new -x509 -days 3650 -extensions v3_ca -keyout $GNSCAKY -out $GNSCERT -subj "/C=ZZ/L=World/O=GNU/OU=GNUnet/CN=GNS Proxy CA/emailAddress=bounce@gnunet.org" -passout pass:"GNU Name System" | 190 | if test 1 -eq $verbosity; then |
171 | infomsg "Removing passphrase from key" | 191 | openssl req -config $OPENSSLCFG -new -x509 -days 3650 -extensions v3_ca -keyout $GNSCAKY -out $GNSCERT -subj "/C=ZZ/L=World/O=GNU/OU=GNUnet/CN=GNS Proxy CA/emailAddress=bounce@gnunet.org" -passout pass:"GNU Name System" |
172 | openssl rsa -passin pass:"GNU Name System" -in $GNSCAKY -out $GNSCANO | 192 | else |
193 | openssl req -config $OPENSSLCFG -new -x509 -days 3650 -extensions v3_ca -keyout $GNSCAKY -out $GNSCERT -subj "/C=ZZ/L=World/O=GNU/OU=GNUnet/CN=GNS Proxy CA/emailAddress=bounce@gnunet.org" -passout pass:"GNU Name System" >/dev/null 2>&1 | ||
194 | fi | ||
195 | infomsg "Removing passphrase from key" | ||
196 | if test 1 -eq $verbosity; then | ||
197 | openssl rsa -passin pass:"GNU Name System" -in $GNSCAKY -out $GNSCANO | ||
198 | else | ||
199 | openssl rsa -passin pass:"GNU Name System" -in $GNSCAKY -out $GNSCANO >/dev/null 2>&1 | ||
200 | fi | ||
173 | cat $GNSCERT $GNSCANO > $GNS_CA_CERT_PEM | 201 | cat $GNSCERT $GNSCANO > $GNS_CA_CERT_PEM |
174 | else | 202 | else |
175 | $CERTTOOL --generate-privkey --outfile $GNSCAKY | 203 | if test 1 -eq $verbosity; then |
176 | $CERTTOOL --template $GNUTLS_CA_TEMPLATE --generate-self-signed --load-privkey $GNSCAKY --outfile $GNSCERT | 204 | $CERTTOOL --generate-privkey --outfile $GNSCAKY |
205 | $CERTTOOL --template $GNUTLS_CA_TEMPLATE --generate-self-signed --load-privkey $GNSCAKY --outfile $GNSCERT | ||
206 | else | ||
207 | $CERTTOOL --generate-privkey --outfile $GNSCAKY >/dev/null 2>&1 | ||
208 | $CERTTOOL --template $GNUTLS_CA_TEMPLATE --generate-self-signed --load-privkey $GNSCAKY --outfile $GNSCERT >/dev/null 2>&1 | ||
209 | fi | ||
177 | infomsg "Making private key available to gnunet-gns-proxy" | 210 | infomsg "Making private key available to gnunet-gns-proxy" |
178 | cat $GNSCERT $GNSCAKY > $GNS_CA_CERT_PEM | 211 | cat $GNSCERT $GNSCAKY > $GNS_CA_CERT_PEM |
179 | fi | 212 | fi |
@@ -181,13 +214,10 @@ generate_ca() | |||
181 | 214 | ||
182 | importbrowsers() | 215 | importbrowsers() |
183 | { | 216 | { |
184 | if test -z "`command -v certutil`" > /dev/null 2>&1 | 217 | # if test -z "`command -v certutil`" > /dev/null 2>&1 |
218 | if test -x $(existence gnutls-certutil) || test -x $(existence certutil) | ||
185 | then | 219 | then |
186 | warningmsg "The 'certutil' command was not found." | 220 | statusmsg "Importing CA into browsers" |
187 | warningmsg "Not importing into browsers." | ||
188 | warningmsg "For 'certutil' install nss." | ||
189 | else | ||
190 | infomsg "Importing CA into browsers" | ||
191 | # TODO: Error handling? | 221 | # TODO: Error handling? |
192 | for f in ~/.mozilla/firefox/*.*/ | 222 | for f in ~/.mozilla/firefox/*.*/ |
193 | do | 223 | do |
@@ -201,26 +231,31 @@ importbrowsers() | |||
201 | done | 231 | done |
202 | # TODO: Error handling? | 232 | # TODO: Error handling? |
203 | if [ -d ~/.pki/nssdb/ ]; then | 233 | if [ -d ~/.pki/nssdb/ ]; then |
204 | infomsg "Importing CA into Chrome at ~/.pki/nssdb/" | 234 | statusmsg "Importing CA into Chrome at ~/.pki/nssdb/" |
205 | # delete old certificate (if any) | 235 | # delete old certificate (if any) |
206 | certutil -D -n "GNS Proxy CA" -d ~/.pki/nssdb/ >/dev/null 2>/dev/null | 236 | certutil -D -n "GNS Proxy CA" -d ~/.pki/nssdb/ >/dev/null 2>/dev/null |
207 | # add new certificate | 237 | # add new certificate |
208 | certutil -A -n "GNS Proxy CA" -t CT,, -d ~/.pki/nssdb/ < $GNSCERT | 238 | certutil -A -n "GNS Proxy CA" -t CT,, -d ~/.pki/nssdb/ < $GNSCERT |
209 | fi | 239 | fi |
240 | else | ||
241 | warningmsg "The 'certutil' command was not found." | ||
242 | warningmsg "Not importing into browsers." | ||
243 | warningmsg "For 'certutil' install nss." | ||
210 | fi | 244 | fi |
211 | } | 245 | } |
212 | 246 | ||
213 | print_version() | 247 | print_version() |
214 | { | 248 | { |
215 | GNUNET_ARM_VERSION=`gnunet-arm -v` | 249 | GNUNET_ARM_VERSION=`gnunet-arm -v | awk '{print $2 " " $3}'` |
216 | echo $GNUNET_ARM_VERSION | 250 | echo ${progname} $GNUNET_ARM_VERSION |
217 | } | 251 | } |
218 | 252 | ||
219 | clean_up() | 253 | clean_up() |
220 | { | 254 | { |
221 | infomsg "Cleaning up." | 255 | infomsg "Cleaning up." |
222 | rm -f $GNSCAKY $GNSCANO $GNSCERT | 256 | rm -f $GNSCAKY $GNSCANO $GNSCERT |
223 | if [ -e $SETUP_TMPDIR ]; then | 257 | if test -e $SETUP_TMPDIR |
258 | then | ||
224 | rm -rf $SETUP_TMPDIR | 259 | rm -rf $SETUP_TMPDIR |
225 | fi | 260 | fi |
226 | 261 | ||
@@ -233,7 +268,8 @@ clean_up() | |||
233 | 268 | ||
234 | main() | 269 | main() |
235 | { | 270 | { |
236 | while getopts "vhVc:" opt; do | 271 | setdefaults |
272 | while getopts "vhVtoc:" opt; do | ||
237 | case $opt in | 273 | case $opt in |
238 | v) | 274 | v) |
239 | print_version | 275 | print_version |
@@ -250,6 +286,24 @@ main() | |||
250 | infomsg "Using configuration file $OPTARG" | 286 | infomsg "Using configuration file $OPTARG" |
251 | GNUNET_CONFIG_FILE=${OPTARG} | 287 | GNUNET_CONFIG_FILE=${OPTARG} |
252 | ;; | 288 | ;; |
289 | t) | ||
290 | verbosity=1 | ||
291 | infomsg "Running short developer test" | ||
292 | if test -x $(existence openssl); then | ||
293 | openssl version | ||
294 | fi | ||
295 | if test -x $(existence certtool); then | ||
296 | certtool --version | ||
297 | fi | ||
298 | if test -x $(existence gnutls-certtool); then | ||
299 | gnutls-certtool --version | ||
300 | fi | ||
301 | exit 0 | ||
302 | ;; | ||
303 | o) | ||
304 | resfile=$(mktemp -t ${progname}.results) | ||
305 | results="${resfile}" | ||
306 | ;; | ||
253 | \?) | 307 | \?) |
254 | echo "Invalid option: -$OPTARG" >&2 | 308 | echo "Invalid option: -$OPTARG" >&2 |
255 | usage | 309 | usage |
@@ -260,9 +314,14 @@ main() | |||
260 | ;; | 314 | ;; |
261 | esac | 315 | esac |
262 | done | 316 | done |
263 | setdefaults | ||
264 | generate_ca | 317 | generate_ca |
265 | importbrowsers | 318 | importbrowsers |
319 | if [ -s "${results}" ]; then | ||
320 | echo "===> Summary of results:" | ||
321 | sed -e 's/^===>//;s/^/ /' "${results}" | ||
322 | echo "===> ." | ||
323 | infomsg "Please remove ${results} manually." | ||
324 | fi | ||
266 | clean_up | 325 | clean_up |
267 | } | 326 | } |
268 | 327 | ||
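Review bot: `if test -x $(existence gnunet-certtool)` in generate_ca (new line 155) is always true, because existence() (new lines 94-97) sends the `command -v` output to /dev/null, so the substitution expands to nothing and `test -x` is left with the single non-empty operand `-x`, which test evaluates as true; the same pattern is in the openssl check of that hunk (new line 166), in the importbrowsers condition (new line 218, which makes the "certutil command was not found" branch at new lines 240-243 unreachable and runs certutil unconditionally) and in the three checks of the `-t` case in main (new lines 292-298). Use the exit status instead, keeping the sense of the replaced `test -z` checks, which entered the branch when the tool was absent: `if ! existence gnutls-certtool; then` here, `if existence openssl; then` and `if existence certutil; then` at the other sites (or both names joined with `||` in importbrowsers). The name checked at new line 155 is `gnunet-certtool` while new line 178 assigns `CERTTOOL="gnutls-certtool"`, which looks like a typo; generate_ca itself starts and ends outside these hunks. In the `-o` case, `resfile=$(mktemp -t ${progname}.results)` uses a template without X's, which GNU mktemp rejects, so the results file would be empty and every statusmsg tee would fail silently; `mktemp -t "${progname}.results.XXXXXX"` is the portable form. The closing "Please remove ${results} manually." is an infomsg and so is only printed when -V is also given, leaving the results file behind unannounced for plain `-o`; a statusmsg (or removing the file in clean_up after the summary) would be clearer.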