Diffstat (limited to 'src/gns/gnunet-gns-proxy-setup-ca.in')
-rw-r--r-- | src/gns/gnunet-gns-proxy-setup-ca.in | 322 |
1 files changed, 248 insertions, 74 deletions
diff --git a/src/gns/gnunet-gns-proxy-setup-ca.in b/src/gns/gnunet-gns-proxy-setup-ca.in index 0a6fab18a..184da4853 100644 --- a/src/gns/gnunet-gns-proxy-setup-ca.in +++ b/src/gns/gnunet-gns-proxy-setup-ca.in | |||
@@ -1,78 +1,252 @@ | |||
1 | #!/bin/sh | 1 | #!/bin/sh |
2 | # This shell script will generate an X509 certificate for your gnunet-gns-proxy | ||
3 | # and install it (for both GNUnet and your browser). | ||
4 | # | 2 | # |
3 | # This shell script will generate an X509 certificate for | ||
4 | # your gnunet-gns-proxy and install it (for both GNUnet | ||
5 | # and your browser). | ||
6 | # | ||
7 | # TODO: Implement support for more browsers | ||
8 | # TODO: Debug and switch to the new version | ||
9 | # TODO - The only remaining task is fixing the getopts | ||
10 | # TODO: Error checks | ||
11 | # | ||
12 | # The current version partially reuses and recycles | ||
13 | # code from build.sh by NetBSD (although not entirely | ||
14 | # used because it needs debugging): | ||
15 | # | ||
16 | # Copyright (c) 2001-2011 The NetBSD Foundation, Inc. | ||
17 | # All rights reserved. | ||
18 | # | ||
19 | # This code is derived from software contributed to | ||
20 | # The NetBSD Foundation by Todd Vierling and Luke Mewburn. | ||
21 | |||
22 | # Redistribution and use in source and binary forms, with or | ||
23 | # without modification, are permitted provided that the following | ||
24 | # conditions are met: | ||
25 | # 1. Redistributions of source code must retain the above | ||
26 | # copyright notice, this list of conditions and the following | ||
27 | # disclaimer. | ||
28 | # 2. Redistributions in binary form must reproduce the above | ||
29 | # copyright notice, this list of conditions and the following | ||
30 | # disclaimer in the documentation and/or other materials | ||
31 | # provided with the distribution. | ||
5 | 32 | ||
6 | OPENSSLCFG=@pkgdatadir@/openssl.cnf | 33 | # THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND |
7 | if ! which openssl > /dev/null | 34 | # CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, |
8 | then | 35 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF |
9 | echo "'openssl' command not found. Please install it." | 36 | # MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE |
10 | exit 1 | 37 | # DISCLAIMED. |
11 | fi | 38 | # IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS BE LIABLE FOR |
12 | 39 | # ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | |
13 | echo "Generating CA" | 40 | # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, |
14 | options='' | 41 | # PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
15 | while getopts "c:" opt; do | 42 | # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND |
16 | case $opt in | 43 | # ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
17 | c) | 44 | # LIABILITY, OR TORT |
18 | options="$options -c $OPTARG" | 45 | # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF |
19 | ;; | 46 | # THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY |
20 | \?) | 47 | # OF SUCH DAMAGE. |
21 | echo "Invalid option: -$OPTARG" >&2 | 48 | |
22 | exit 1 | 49 | progname=${0##*/} |
23 | ;; | 50 | |
24 | :) | 51 | setdefaults() |
25 | echo "Option -$OPTARG requires an argument." >&2 | 52 | { |
26 | exit 1 | 53 | verbosity=0 |
27 | ;; | 54 | runcmd= |
28 | esac | 55 | } |
29 | done | 56 | |
30 | 57 | statusmsg() | |
31 | GNSCERT=`mktemp /tmp/gnscertXXXXXX.pem` | 58 | { |
32 | GNSCAKY=`mktemp /tmp/gnscakeyXXXXXX.pem` | 59 | ${runcmd} echo " $@" |
33 | GNSCANO=`mktemp /tmp/gnscakeynoencXXXXXX.pem` | 60 | } |
34 | GNS_CA_CERT_PEM=`gnunet-config -s gns-proxy -o PROXY_CACERT -f $options` | 61 | |
35 | mkdir -p `dirname $GNS_CA_CERT_PEM` | 62 | infomsg() |
36 | 63 | { | |
37 | openssl req -config $OPENSSLCFG -new -x509 -days 3650 -extensions v3_ca -keyout $GNSCAKY -out $GNSCERT -subj "/C=ZZ/L=World/O=GNU/OU=GNUnet/CN=GNS Proxy CA/emailAddress=bounce@gnunet.org" -passout pass:"GNU Name System" | 64 | if [ $verbosity = 1 ]; then |
38 | 65 | statusmsg "INFO: $@" | |
39 | echo "Removing passphrase from key" | ||
40 | openssl rsa -passin pass:"GNU Name System" -in $GNSCAKY -out $GNSCANO | ||
41 | |||
42 | echo "Making private key available to gnunet-gns-proxy" | ||
43 | cat $GNSCERT $GNSCANO > $GNS_CA_CERT_PEM | ||
44 | |||
45 | if ! which certutil > /dev/null | ||
46 | then | ||
47 | echo "The 'certutil' command was not found. Not importing into browsers." | ||
48 | echo "For 'certutil' install nss." | ||
49 | else | ||
50 | echo "Importing CA into browsers" | ||
51 | for f in ~/.mozilla/firefox/*.*/ | ||
52 | do | ||
53 | if [ -d $f ]; then | ||
54 | echo "Importing CA info Firefox at $f" | ||
55 | # delete old certificate (if any) | ||
56 | certutil -D -n "GNS Proxy CA" -d "$f" >/dev/null 2>/dev/null | ||
57 | # add new certificate | ||
58 | certutil -A -n "GNS Proxy CA" -t CT,, -d "$f" < $GNSCERT | ||
59 | fi | 66 | fi |
60 | done | 67 | } |
61 | 68 | ||
62 | if [ -d ~/.pki/nssdb/ ]; then | 69 | warningmsg() |
63 | echo "Importing CA into Chrome at ~/.pki/nssdb/" | 70 | { |
64 | # delete old certificate (if any) | 71 | statusmsg "WARNING: $@" |
65 | certutil -D -n "GNS Proxy CA" -d ~/.pki/nssdb/ >/dev/null 2>/dev/null | 72 | } |
66 | # add new certificate | 73 | |
67 | certutil -A -n "GNS Proxy CA" -t CT,, -d ~/.pki/nssdb/ < $GNSCERT | 74 | errormsg() |
68 | fi | 75 | { |
69 | fi | 76 | statusmsg "ERROR: $@" |
70 | 77 | } | |
71 | echo "Cleaning up." | 78 | |
72 | rm -f $GNSCAKY $GNSCANO $GNSCERT | 79 | linemsg() |
73 | 80 | { | |
74 | echo "===================================" | 81 | statusmsg "=========================================" |
75 | echo "You can now start gnunet-gns-proxy." | 82 | } |
76 | echo "Afterwards, configure your browser " | 83 | |
77 | echo " to use a SOCKS proxy on port 7777." | 84 | |
78 | echo "===================================" | 85 | usage() |
86 | { | ||
87 | if [ -n "$*" ]; then | ||
88 | echo "" | ||
89 | echo "${progname}: $*" | ||
90 | fi | ||
91 | cat <<_usage_ | ||
92 | |||
93 | Usage: ${progname} [-hv] [-c FILE] [...] | ||
94 | |||
95 | Options: | ||
96 | -c FILE Use the configuration file FILE. | ||
97 | -h Print this help message. | ||
98 | -v Print the version and exit. | ||
99 | -V be verbose | ||
100 | |||
101 | _usage_ | ||
102 | exit 1 | ||
103 | } | ||
104 | |||
105 | |||
106 | generate_ca() | ||
107 | { | ||
108 | echo "" | ||
109 | infomsg "Generating CA" | ||
110 | TMPDIR=${TMPDIR:-/tmp} | ||
111 | if [ -e "$TMPDIR" ]; then | ||
112 | GNSCERT=`mktemp -t certXXXXXXXX.pem` || exit 1 | ||
113 | GNSCAKY=`mktemp -t cakyXXXXXXXX.pem` || exit 1 | ||
114 | GNSCANO=`mktemp -t canoXXXXXXXX.pem` || exit 1 | ||
115 | else | ||
116 | # This warning is mostly pointless. | ||
117 | warning "You need to export the TMPDIR variable" | ||
118 | fi | ||
119 | |||
120 | # # ------------- gnutls | ||
121 | # | ||
122 | # if ! which certutil > /dev/null | ||
123 | # then | ||
124 | # warningmsg "The 'certutil' command was not found." | ||
125 | # warningmsg "Not importing into browsers." | ||
126 | # warningmsg "For 'certutil' install nss." | ||
127 | # else | ||
128 | # # Generate CA key | ||
129 | # # pkcs#8 password-protects key | ||
130 | # certtool --pkcs8 --generate-privkey --sec-param high --outfile ca-key.pem | ||
131 | # # self-sign the CA to create public certificate | ||
132 | # certtool --generate-self-signed --load-privkey ca-key.pem --template ca.cfg --outfile ca.pem | ||
133 | |||
134 | # ------------- openssl | ||
135 | |||
136 | OPENSSLCFG=@pkgdatadir@/openssl.cnf | ||
137 | if test -z "`openssl version`" > /dev/null | ||
138 | then | ||
139 | warningmsg "'openssl' command not found. Please install it." | ||
140 | infomsg "Cleaning up." | ||
141 | rm -f $GNSCAKY $GNSCANO $GNSCERT | ||
142 | exit 1 | ||
143 | fi | ||
144 | if [ -n "${GNUNET_CONFIG_FILE}" ]; then | ||
145 | GNUNET_CONFIG="-c ${GNUNET_CONFIG_FILE}" | ||
146 | else | ||
147 | GNUNET_CONFIG="" | ||
148 | fi | ||
149 | GNS_CA_CERT_PEM=`gnunet-config ${GNUNET_CONFIG} -s gns-proxy -o PROXY_CACERT -f ${options}` | ||
150 | mkdir -p `dirname $GNS_CA_CERT_PEM` | ||
151 | |||
152 | openssl req -config $OPENSSLCFG -new -x509 -days 3650 -extensions v3_ca -keyout $GNSCAKY -out $GNSCERT -subj "/C=ZZ/L=World/O=GNU/OU=GNUnet/CN=GNS Proxy CA/emailAddress=bounce@gnunet.org" -passout pass:"GNU Name System" | ||
153 | |||
154 | infomsg "Removing passphrase from key" | ||
155 | openssl rsa -passin pass:"GNU Name System" -in $GNSCAKY -out $GNSCANO | ||
156 | |||
157 | infomsg "Making private key available to gnunet-gns-proxy" | ||
158 | cat $GNSCERT $GNSCANO > $GNS_CA_CERT_PEM | ||
159 | } | ||
160 | |||
161 | importbrowsers() | ||
162 | { | ||
163 | # Don't check with -H, -H defies any method to not | ||
164 | # print the output on screen! Let's hope that every | ||
165 | # certutil gets build with some kind of build flags | ||
166 | # which end up being printed here: | ||
167 | if test -z "`certutil --build-flags`" > /dev/null 2>&1 | ||
168 | then | ||
169 | warningmsg "The 'certutil' command was not found." | ||
170 | warningmsg "Not importing into browsers." | ||
171 | warningmsg "For 'certutil' install nss." | ||
172 | else | ||
173 | infomsg "Importing CA into browsers" | ||
174 | # TODO: Error handling? | ||
175 | for f in ~/.mozilla/firefox/*.*/ | ||
176 | do | ||
177 | if [ -d $f ]; then | ||
178 | infomsg "Importing CA into Firefox at $f" | ||
179 | # delete old certificate (if any) | ||
180 | certutil -D -n "GNS Proxy CA" -d "$f" >/dev/null 2>/dev/null | ||
181 | # add new certificate | ||
182 | certutil -A -n "GNS Proxy CA" -t CT,, -d "$f" < $GNSCERT | ||
183 | fi | ||
184 | done | ||
185 | # TODO: Error handling? | ||
186 | if [ -d ~/.pki/nssdb/ ]; then | ||
187 | infomsg "Importing CA into Chrome at ~/.pki/nssdb/" | ||
188 | # delete old certificate (if any) | ||
189 | certutil -D -n "GNS Proxy CA" -d ~/.pki/nssdb/ >/dev/null 2>/dev/null | ||
190 | # add new certificate | ||
191 | certutil -A -n "GNS Proxy CA" -t CT,, -d ~/.pki/nssdb/ < $GNSCERT | ||
192 | fi | ||
193 | fi | ||
194 | } | ||
195 | |||
196 | print_version() | ||
197 | { | ||
198 | GNUNET_ARM_VERSION=`gnunet-arm -v` | ||
199 | echo $GNUNET_ARM_VERSION | ||
200 | } | ||
201 | |||
202 | clean_up() | ||
203 | { | ||
204 | infomsg "Cleaning up." | ||
205 | rm -f $GNSCAKY $GNSCANO $GNSCERT | ||
206 | if [ -e $SETUP_TMPDIR ]; then | ||
207 | rm -rf $SETUP_TMPDIR | ||
208 | fi | ||
209 | |||
210 | linemsg | ||
211 | statusmsg "You can now start gnunet-gns-proxy." | ||
212 | statusmsg "Afterwards, configure your browser " | ||
213 | statusmsg "to use a SOCKS proxy on port 7777. " | ||
214 | linemsg | ||
215 | } | ||
216 | |||
217 | main() | ||
218 | { | ||
219 | while getopts "vhVc:" opt; do | ||
220 | case $opt in | ||
221 | v) | ||
222 | print_version | ||
223 | exit 0 | ||
224 | ;; | ||
225 | h) | ||
226 | usage | ||
227 | ;; | ||
228 | V) | ||
229 | verbosity=1 | ||
230 | ;; | ||
231 | c) | ||
232 | options="$options -c $OPTARG" | ||
233 | infomsg "Using configuration file $OPTARG" | ||
234 | GNUNET_CONFIG_FILE=${OPTARG} | ||
235 | ;; | ||
236 | \?) | ||
237 | echo "Invalid option: -$OPTARG" >&2 | ||
238 | usage | ||
239 | ;; | ||
240 | :) | ||
241 | echo "Option -$OPTARG requires an argument." >&2 | ||
242 | usage | ||
243 | ;; | ||
244 | esac | ||
245 | done | ||
246 | setdefaults | ||
247 | generate_ca | ||
248 | importbrowsers | ||
249 | clean_up | ||
250 | } | ||
251 | |||
252 | main "$@" | ||
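Review bot: The combined certificate and unencrypted CA key written at new line 158 (`cat $GNSCERT $GNSCANO > $GNS_CA_CERT_PEM`) is created with the caller's umask, so unless that umask already excludes group and other, any local user can read a key that forges certificates for every site the proxy serves; the mktemp files are private, but this final file is not. Nothing checks that `openssl req` (line 152) or `openssl rsa` (line 155) succeeded either, so a failed run still writes an empty or truncated PEM and clean_up then prints "You can now start gnunet-gns-proxy." I would add `umask 077` at the top of generate_ca and chain the three steps with `|| { errormsg "CA generation failed"; rm -f "$GNSCAKY" "$GNSCANO" "$GNSCERT"; exit 1; }`. Separately, the `-c` case in main calls `infomsg` before `setdefaults` has run, so `verbosity` is unset and `[ $verbosity = 1 ]` is malformed there, and `setdefaults` afterwards resets any `-V` back to 0; moving `setdefaults` above the getopts loop fixes both.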