Diffstat (limited to 'src/cli/gns/gnunet-gns-proxy-setup-ca.in')
-rw-r--r-- | src/cli/gns/gnunet-gns-proxy-setup-ca.in | 339 |
1 files changed, 339 insertions, 0 deletions
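--- /dev/null
+++ b/src/cli/gns/gnunet-gns-proxy-setup-ca.in
@@ -0,0 +1,339 @@
+#!/bin/sh
+#
+# This shell script will generate an X509 certificate for
+# your gnunet-gns-proxy and install it (for both GNUnet
+# and your browser).
+#
+# TODO: Implement support for more browsers
+# TODO: Debug and switch to the new version
+# TODO - The only remaining task is fixing the getopts
+# TODO: Error checks
+#
+# The current version partially reuses and recycles
+# code from build.sh by NetBSD (although not entirely
+# used because it needs debugging):
+#
+# Copyright (c) 2001-2011 The NetBSD Foundation, Inc.
+# All rights reserved.
+#
+# This code is derived from software contributed to
+# The NetBSD Foundation by Todd Vierling and Luke Mewburn.
+#
+# Redistribution and use in source and binary forms, with or
+# without modification, are permitted provided that the following
+# conditions are met:
+# 1. Redistributions of source code must retain the above
+# copyright notice, this list of conditions and the following
+# disclaimer.
+# 2. Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials
+# provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND
+# CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED.
+# IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS BE LIABLE FOR
+# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+# THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
+# OF SUCH DAMAGE.
+
+dir=$(dirname "$0")
+
+progname=${0##*/}
+
+existence() {
+command -v "$1" >/dev/null 2>&1
+}
+
+statusmsg()
+{
+${runcmd} echo "${tab}$@" | tee -a "${results}"
+}
+
+infomsg()
+{
+if [ x$verbosity = x1 ]; then
+statusmsg "INFO:${tab}$@"
+fi
+}
+
+warningmsg()
+{
+statusmsg "WARNING:${tab}$@"
+}
+
+errormsg()
+{
+statusmsg "ERROR:${tab}$@"
+}
+
+linemsg()
+{
+statusmsg "========================================="
+}
+
+
+print_version()
+{
+GNUNET_ARM_VERSION=`gnunet-arm -v | awk '{print $2 " " $3}'`
+echo ${progname} $GNUNET_ARM_VERSION
+}
+
+# Whitespace normalization without depending on shell features:
+tab=' '
+tab2=' '
+nl='
+'
+
+setdefaults()
+{
+verbosity=0
+resfile=
+results=/dev/null
+tmpdir=${TMPDIR:-/tmp}
+runcmd=
+}
+
+usage()
+{
+if [ -n "$*" ]; then
+echo "${nl}${progname}: $*"
+fi
+cat <<_usage_
+
+Usage: ${progname} [-hvVto] [-c FILE]
+
+Options:
+${tab}-c FILE Use the configuration file FILE.
+${tab}-h${tab2}${tab2}Print this help message.
+${tab}-o${tab2}${tab2}Display summary of statusmessages
+${tab}-t${tab2}${tab2}Short developer test on binaries
+${tab}-v${tab2}${tab2}Print the version and exit.
+${tab}-V${tab2}${tab2}be verbose
+
+_usage_
+exit 1
+}
+
+
+generate_ca()
+{
+echo ""
+infomsg "Generating CA"
+TMPDIR=${TMPDIR:-/tmp}
+if test -e "$TMPDIR"; then
+GNSCERT=`mktemp -t cert.pem.XXXXXXXX` || exit 1
+GNSCAKY=`mktemp -t caky.pem.XXXXXXXX` || exit 1
+GNSCANO=`mktemp -t cano.pem.XXXXXXXX` || exit 1
+else
+# This warning is mostly pointless.
+warningmsg "You need to export the TMPDIR variable"
+fi
+
+# # ------------- gnutls
+#
+# if ! which certutil > /dev/null
+# then
+# warningmsg "The 'certutil' command was not found."
+# warningmsg "Not importing into browsers."
+# warningmsg "For 'certutil' install nss."
+# else
+# # Generate CA key
+# # pkcs#8 password-protects key
+# certtool --pkcs8 --generate-privkey --sec-param high --outfile ca-key.pem
+# # self-sign the CA to create public certificate
+# certtool --generate-self-signed --load-privkey ca-key.pem --template ca.cfg --outfile ca.pem
+
+# ------------- openssl
+
+GNUTLS_CA_TEMPLATE=@PKGDATADIRECTORY@/gnunet-gns-proxy-ca.template
+OPENSSLCFG=@PKGDATADIRECTORY@/openssl.cnf
+CERTTOOL=""
+OPENSSL=0
+if test -x $(existence gnunet-certtool)
+# if test -z "`gnutls-certtool --version`" > /dev/null
+then
+# We only support gnutls certtool for now. Treat the grep
+# for "gnutls" in the output with extra care, it only matches
+# the email address! It is probably safer to run strings(1)
+# over certtool for a string matching "gnutls"
+if test -z "`certtool --version | grep gnutls`" > /dev/null
+then
+warningmsg "'gnutls-certtool' or 'certtool' command not found. Trying openssl."
+# if test -z "`openssl version`" > /dev/null
+if test -x $(existence openssl)
+then
+OPENSSL=1
+else
+warningmsg "Install either gnutls certtool or openssl for certificate generation!"
+statusmsg "Cleaning up."
+rm -f $GNSCAKY $GNSCERT
+exit 1
+fi
+fi
+CERTTOOL="certtool"
+else
+CERTTOOL="gnutls-certtool"
+fi
+if test -n "${GNUNET_CONFIG_FILE}"; then
+GNUNET_CONFIG="-c ${GNUNET_CONFIG_FILE}"
+else
+GNUNET_CONFIG=""
+fi
+GNS_CA_CERT_PEM=`gnunet-config ${GNUNET_CONFIG} -s gns-proxy -o PROXY_CACERT -f ${options}`
+mkdir -p `dirname $GNS_CA_CERT_PEM`
+
+if test 1 -eq $OPENSSL
+then
+if test 1 -eq $verbosity; then
+openssl req -config $OPENSSLCFG -new -x509 -days 3650 -extensions v3_ca -keyout $GNSCAKY -out $GNSCERT -subj "/C=ZZ/L=World/O=GNU/OU=GNUnet/CN=GNS Proxy CA/emailAddress=bounce@gnunet.org" -passout pass:"GNU Name System"
+else
+openssl req -config $OPENSSLCFG -new -x509 -days 3650 -extensions v3_ca -keyout $GNSCAKY -out $GNSCERT -subj "/C=ZZ/L=World/O=GNU/OU=GNUnet/CN=GNS Proxy CA/emailAddress=bounce@gnunet.org" -passout pass:"GNU Name System" >/dev/null 2>&1
+fi
+infomsg "Removing passphrase from key"
+if test 1 -eq $verbosity; then
+openssl rsa -passin pass:"GNU Name System" -in $GNSCAKY -out $GNSCANO
+else
+openssl rsa -passin pass:"GNU Name System" -in $GNSCAKY -out $GNSCANO >/dev/null 2>&1
+fi
+cat $GNSCERT $GNSCANO > $GNS_CA_CERT_PEM
+else
+if test 1 -eq $verbosity; then
+$CERTTOOL --generate-privkey --outfile $GNSCAKY
+$CERTTOOL --template $GNUTLS_CA_TEMPLATE --generate-self-signed --load-privkey $GNSCAKY --outfile $GNSCERT
+else
+$CERTTOOL --generate-privkey --outfile $GNSCAKY >/dev/null 2>&1
+$CERTTOOL --template $GNUTLS_CA_TEMPLATE --generate-self-signed --load-privkey $GNSCAKY --outfile $GNSCERT >/dev/null 2>&1
+fi
+infomsg "Making private key available to gnunet-gns-proxy"
+cat $GNSCERT $GNSCAKY > $GNS_CA_CERT_PEM
+fi
+}
+
+importbrowsers()
+{
+# if test -z "`command -v certutil`" > /dev/null 2>&1
+if test -x $(existence gnutls-certutil) || test -x $(existence certutil)
+then
+statusmsg "Importing CA into browsers"
+# TODO: Error handling?
+for f in ~/.mozilla/firefox/*.*/
+do
+if [ -d $f ]; then
+infomsg "Importing CA into Firefox at $f"
+# delete old certificate (if any)
+certutil -D -n "GNS Proxy CA" -d "$f" >/dev/null 2>/dev/null
+# add new certificate
+certutil -A -n "GNS Proxy CA" -t CT,, -d "$f" < $GNSCERT
+fi
+done
+for f in ~/.mozilla/icecat/*.*/
+do
+if [ -d $f ]; then
+infomsg "Importing CA into Icecat at $f"
+# delete old certificate (if any)
+certutil -D -n "GNS Proxy CA" -d "$f" >/dev/null 2>/dev/null
+# add new certificate
+certutil -A -n "GNS Proxy CA" -t CT,, -d "$f" < $GNSCERT
+fi
+done
+# TODO: Error handling?
+if [ -d ~/.pki/nssdb/ ]; then
+statusmsg "Importing CA into Chrome at ~/.pki/nssdb/"
+# delete old certificate (if any)
+certutil -D -n "GNS Proxy CA" -d ~/.pki/nssdb/ >/dev/null 2>/dev/null
+# add new certificate
+certutil -A -n "GNS Proxy CA" -t CT,, -d ~/.pki/nssdb/ < $GNSCERT
+fi
+else
+warningmsg "The 'certutil' command was not found."
+warningmsg "Not importing into browsers."
+warningmsg "For 'certutil' install nss."
+fi
+}
+
+clean_up()
+{
+infomsg "Cleaning up."
+rm -f $GNSCAKY $GNSCANO $GNSCERT
+if test -e $SETUP_TMPDIR
+then
+rm -rf $SETUP_TMPDIR
+fi
+
+linemsg
+statusmsg "You can now start gnunet-gns-proxy."
+statusmsg "Afterwards, configure your browser "
+statusmsg "to use a SOCKS proxy on port 7777. "
+linemsg
+}
+
+main()
+{
+setdefaults
+while getopts "vhVtoc:" opt; do
+case $opt in
+v)
+print_version
+exit 0
+;;
+h)
+usage
+;;
+V)
+verbosity=1
+;;
+c)
+options="$options -c $OPTARG"
+infomsg "Using configuration file $OPTARG"
+GNUNET_CONFIG_FILE=${OPTARG}
+;;
+t)
+verbosity=1
+infomsg "Running short developer test"
+if test -x $(existence openssl); then
+openssl version
+fi
+if test -x $(existence certtool); then
+certtool --version
+fi
+if test -x $(existence gnutls-certtool); then
+gnutls-certtool --version
+fi
+exit 0
+;;
+o)
+resfile=$(mktemp -t ${progname}.results)
+results="${resfile}"
+;;
+\?)
+echo "Invalid option: -$OPTARG" >&2
+usage
+;;
+:)
+echo "Option -$OPTARG requires an argument." >&2
+usage
+;;
+esac
+done
+generate_ca
+importbrowsers
+if [ -s "${results}" ]; then
+echo "===> Summary of results:"
+sed -e 's/^===>//;s/^/ /' "${results}"
+echo "===> ."
+infomsg "Please remove ${results} manually."
+fi
+clean_up
+}
+
+main "$@"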
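Review bot: The file that ends up holding the unencrypted CA private key is created by plain redirection in generate_ca (`cat $GNSCERT $GNSCAKY > $GNS_CA_CERT_PEM` and, in the openssl branch, `cat $GNSCERT $GNSCANO > $GNS_CA_CERT_PEM`) under whatever umask the caller has, so with the common 022 default it is readable by every local user even though the mktemp files it is assembled from are not; because importbrowsers then installs that CA with trust flags `CT,,`, anyone who can read the key can issue certificates the browser accepts for any name. Put `umask 077` at the top of generate_ca (before the `mkdir -p`) or add `chmod 600 "$GNS_CA_CERT_PEM"` directly after each of the two cat lines. Separately, every `test -x $(existence …)` check in generate_ca, importbrowsers and main's `t)` case is ineffective: existence prints nothing, so the command collapses to `test -x` with a single operand, which is always true, and the "not installed" branches can never run; the intended form is `if existence gnunet-certtool; then`. The `o)` case's `mktemp -t ${progname}.results` passes a template with no X's, which GNU mktemp rejects, so the -o summary file is never created there.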