123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327 |
- #!/bin/sh
- #
- # This shell script will generate an X509 certificate for
- # your gnunet-gns-proxy and install it (for both GNUnet
- # and your browser).
- #
- # TODO: Implement support for more browsers
- # TODO: Debug and switch to the new version
- # TODO - The only remaining task is fixing the getopts
- # TODO: Error checks
- #
- # The current version partially reuses and recycles
- # code from build.sh by NetBSD (although not entirely
- # used because it needs debugging):
- #
- # Copyright (c) 2001-2011 The NetBSD Foundation, Inc.
- # All rights reserved.
- #
- # This code is derived from software contributed to
- # The NetBSD Foundation by Todd Vierling and Luke Mewburn.
- #
- # Redistribution and use in source and binary forms, with or
- # without modification, are permitted provided that the following
- # conditions are met:
- # 1. Redistributions of source code must retain the above
- # copyright notice, this list of conditions and the following
- # disclaimer.
- # 2. Redistributions in binary form must reproduce the above
- # copyright notice, this list of conditions and the following
- # disclaimer in the documentation and/or other materials
- # provided with the distribution.
- #
- # THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND
- # CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
- # MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- # DISCLAIMED.
- # IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS BE LIABLE FOR
- # ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- # PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- # ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- # LIABILITY, OR TORT
- # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
- # THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
- # OF SUCH DAMAGE.
- dir=$(dirname "$0")
- if test -e @PKGDATADIRECTORY@/progname.sh
- then
- . @PKGDATADIRECTORY@/progname.sh
- else
- . $dir/../../contrib/build-common/sh/lib.sh/progname.sh
- fi
- if test -e @PKGDATADIRECTORY@/existence.sh
- then
- . @PKGDATADIRECTORY@/existence.sh
- else
- . $dir/../../contrib/build-common/sh/lib.sh/existence.sh
- fi
- if test -e @PKGDATADIRECTORY@/msg.sh
- then
- . @PKGDATADIRECTORY@/msg.sh
- else
- . $dir/../../contrib/build-common/sh/lib.sh/msg.sh
- fi
- if test -e @PKGDATADIRECTORY@/version_gnunet.sh
- then
- . @PKGDATADIRECTORY@/version_gnunet.sh
- else
- . $dir/../../contrib/build-common/sh/lib.sh/version_gnunet.sh
- fi
- # Whitespace normalization without depending on shell features:
- tab=' '
- tab2=' '
- nl='
- '
- setdefaults()
- {
- verbosity=0
- resfile=
- results=/dev/null
- tmpdir=${TMPDIR:-/tmp}
- runcmd=
- }
- usage()
- {
- if [ -n "$*" ]; then
- echo "${nl}${progname}: $*"
- fi
- cat <<_usage_
- Usage: ${progname} [-hvVto] [-c FILE]
- Options:
- ${tab}-c FILE Use the configuration file FILE.
- ${tab}-h${tab2}${tab2}Print this help message.
- ${tab}-o${tab2}${tab2}Display summary of statusmessages
- ${tab}-t${tab2}${tab2}Short developer test on binaries
- ${tab}-v${tab2}${tab2}Print the version and exit.
- ${tab}-V${tab2}${tab2}be verbose
- _usage_
- exit 1
- }
- generate_ca()
- {
- echo ""
- infomsg "Generating CA"
- TMPDIR=${TMPDIR:-/tmp}
- if test -e "$TMPDIR"; then
- GNSCERT=`mktemp -t certXXXXXXXX.pem` || exit 1
- GNSCAKY=`mktemp -t cakyXXXXXXXX.pem` || exit 1
- GNSCANO=`mktemp -t canoXXXXXXXX.pem` || exit 1
- else
- # This warning is mostly pointless.
- warningmsg "You need to export the TMPDIR variable"
- fi
- # # ------------- gnutls
- #
- # if ! which certutil > /dev/null
- # then
- # warningmsg "The 'certutil' command was not found."
- # warningmsg "Not importing into browsers."
- # warningmsg "For 'certutil' install nss."
- # else
- # # Generate CA key
- # # pkcs#8 password-protects key
- # certtool --pkcs8 --generate-privkey --sec-param high --outfile ca-key.pem
- # # self-sign the CA to create public certificate
- # certtool --generate-self-signed --load-privkey ca-key.pem --template ca.cfg --outfile ca.pem
- # ------------- openssl
- GNUTLS_CA_TEMPLATE=@PKGDATADIRECTORY@/gnunet-gns-proxy-ca.template
- OPENSSLCFG=@PKGDATADIRECTORY@/openssl.cnf
- CERTTOOL=""
- OPENSSL=0
- if test -x $(existence gnunet-certtool)
- # if test -z "`gnutls-certtool --version`" > /dev/null
- then
- # We only support gnutls certtool for now. Treat the grep
- # for "gnutls" in the output with extra care, it only matches
- # the email address! It is probably safer to run strings(1)
- # over certtool for a string matching "gnutls"
- if test -z "`certtool --version | grep gnutls`" > /dev/null
- then
- warningmsg "'gnutls-certtool' or 'certtool' command not found. Trying openssl."
- # if test -z "`openssl version`" > /dev/null
- if test -x $(existence openssl)
- then
- OPENSSL=1
- else
- warningmsg "Install either gnutls certtool or openssl for certificate generation!"
- statusmsg "Cleaning up."
- rm -f $GNSCAKY $GNSCERT
- exit 1
- fi
- fi
- CERTTOOL="certtool"
- else
- CERTTOOL="gnutls-certtool"
- fi
- if test -n "${GNUNET_CONFIG_FILE}"; then
- GNUNET_CONFIG="-c ${GNUNET_CONFIG_FILE}"
- else
- GNUNET_CONFIG=""
- fi
- GNS_CA_CERT_PEM=`gnunet-config ${GNUNET_CONFIG} -s gns-proxy -o PROXY_CACERT -f ${options}`
- mkdir -p `dirname $GNS_CA_CERT_PEM`
- if test 1 -eq $OPENSSL
- then
- if test 1 -eq $verbosity; then
- openssl req -config $OPENSSLCFG -new -x509 -days 3650 -extensions v3_ca -keyout $GNSCAKY -out $GNSCERT -subj "/C=ZZ/L=World/O=GNU/OU=GNUnet/CN=GNS Proxy CA/emailAddress=bounce@gnunet.org" -passout pass:"GNU Name System"
- else
- openssl req -config $OPENSSLCFG -new -x509 -days 3650 -extensions v3_ca -keyout $GNSCAKY -out $GNSCERT -subj "/C=ZZ/L=World/O=GNU/OU=GNUnet/CN=GNS Proxy CA/emailAddress=bounce@gnunet.org" -passout pass:"GNU Name System" >/dev/null 2>&1
- fi
- infomsg "Removing passphrase from key"
- if test 1 -eq $verbosity; then
- openssl rsa -passin pass:"GNU Name System" -in $GNSCAKY -out $GNSCANO
- else
- openssl rsa -passin pass:"GNU Name System" -in $GNSCAKY -out $GNSCANO >/dev/null 2>&1
- fi
- cat $GNSCERT $GNSCANO > $GNS_CA_CERT_PEM
- else
- if test 1 -eq $verbosity; then
- $CERTTOOL --generate-privkey --outfile $GNSCAKY
- $CERTTOOL --template $GNUTLS_CA_TEMPLATE --generate-self-signed --load-privkey $GNSCAKY --outfile $GNSCERT
- else
- $CERTTOOL --generate-privkey --outfile $GNSCAKY >/dev/null 2>&1
- $CERTTOOL --template $GNUTLS_CA_TEMPLATE --generate-self-signed --load-privkey $GNSCAKY --outfile $GNSCERT >/dev/null 2>&1
- fi
- infomsg "Making private key available to gnunet-gns-proxy"
- cat $GNSCERT $GNSCAKY > $GNS_CA_CERT_PEM
- fi
- }
- importbrowsers()
- {
- # if test -z "`command -v certutil`" > /dev/null 2>&1
- if test -x $(existence gnutls-certutil) || test -x $(existence certutil)
- then
- statusmsg "Importing CA into browsers"
- # TODO: Error handling?
- for f in ~/.mozilla/firefox/*.*/
- do
- if [ -d $f ]; then
- infomsg "Importing CA into Firefox at $f"
- # delete old certificate (if any)
- certutil -D -n "GNS Proxy CA" -d "$f" >/dev/null 2>/dev/null
- # add new certificate
- certutil -A -n "GNS Proxy CA" -t CT,, -d "$f" < $GNSCERT
- fi
- done
- for f in ~/.mozilla/icecat/*.*/
- do
- if [ -d $f ]; then
- infomsg "Importing CA into Icecat at $f"
- # delete old certificate (if any)
- certutil -D -n "GNS Proxy CA" -d "$f" >/dev/null 2>/dev/null
- # add new certificate
- certutil -A -n "GNS Proxy CA" -t CT,, -d "$f" < $GNSCERT
- fi
- done
- # TODO: Error handling?
- if [ -d ~/.pki/nssdb/ ]; then
- statusmsg "Importing CA into Chrome at ~/.pki/nssdb/"
- # delete old certificate (if any)
- certutil -D -n "GNS Proxy CA" -d ~/.pki/nssdb/ >/dev/null 2>/dev/null
- # add new certificate
- certutil -A -n "GNS Proxy CA" -t CT,, -d ~/.pki/nssdb/ < $GNSCERT
- fi
- else
- warningmsg "The 'certutil' command was not found."
- warningmsg "Not importing into browsers."
- warningmsg "For 'certutil' install nss."
- fi
- }
- clean_up()
- {
- infomsg "Cleaning up."
- rm -f $GNSCAKY $GNSCANO $GNSCERT
- if test -e $SETUP_TMPDIR
- then
- rm -rf $SETUP_TMPDIR
- fi
- linemsg
- statusmsg "You can now start gnunet-gns-proxy."
- statusmsg "Afterwards, configure your browser "
- statusmsg "to use a SOCKS proxy on port 7777. "
- linemsg
- }
- main()
- {
- setdefaults
- while getopts "vhVtoc:" opt; do
- case $opt in
- v)
- print_version
- exit 0
- ;;
- h)
- usage
- ;;
- V)
- verbosity=1
- ;;
- c)
- options="$options -c $OPTARG"
- infomsg "Using configuration file $OPTARG"
- GNUNET_CONFIG_FILE=${OPTARG}
- ;;
- t)
- verbosity=1
- infomsg "Running short developer test"
- if test -x $(existence openssl); then
- openssl version
- fi
- if test -x $(existence certtool); then
- certtool --version
- fi
- if test -x $(existence gnutls-certtool); then
- gnutls-certtool --version
- fi
- exit 0
- ;;
- o)
- resfile=$(mktemp -t ${progname}.results)
- results="${resfile}"
- ;;
- \?)
- echo "Invalid option: -$OPTARG" >&2
- usage
- ;;
- :)
- echo "Option -$OPTARG requires an argument." >&2
- usage
- ;;
- esac
- done
- generate_ca
- importbrowsers
- if [ -s "${results}" ]; then
- echo "===> Summary of results:"
- sed -e 's/^===>//;s/^/ /' "${results}"
- echo "===> ."
- infomsg "Please remove ${results} manually."
- fi
- clean_up
- }
- main "$@"
|