3 # This shell script will generate an X509 certificate for
4 # your gnunet-gns-proxy and install it (for both GNUnet
7 # TODO: Implement support for more browsers
8 # TODO: Debug and switch to the new version
9 # TODO - The only remaining task is fixing the getopts
12 # The current version partially reuses and recycles
13 # code from build.sh by NetBSD (although not entirely
14 # used because it needs debugging):
16 # Copyright (c) 2001-2011 The NetBSD Foundation, Inc.
17 # All rights reserved.
19 # This code is derived from software contributed to
20 # The NetBSD Foundation by Todd Vierling and Luke Mewburn.
22 # Redistribution and use in source and binary forms, with or
23 # without modification, are permitted provided that the following
25 # 1. Redistributions of source code must retain the above
26 # copyright notice, this list of conditions and the following
28 # 2. Redistributions in binary form must reproduce the above
29 # copyright notice, this list of conditions and the following
30 # disclaimer in the documentation and/or other materials
31 # provided with the distribution.
33 # THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND
34 # CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
35 # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
36 # MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
38 # IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS BE LIABLE FOR
39 # ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
40 # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
41 # PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
42 # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
43 # ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
45 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
46 # THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
51 if test -e @PKGDATADIRECTORY@/progname.sh
53 . @PKGDATADIRECTORY@/progname.sh
55 . $dir/../../contrib/build-common/sh/lib.sh/progname.sh
58 if test -e @PKGDATADIRECTORY@/existence.sh
60 . @PKGDATADIRECTORY@/existence.sh
62 . $dir/../../contrib/build-common/sh/lib.sh/existence.sh
65 if test -e @PKGDATADIRECTORY@/msg.sh
67 . @PKGDATADIRECTORY@/msg.sh
69 . $dir/../../contrib/build-common/sh/lib.sh/msg.sh
72 if test -e @PKGDATADIRECTORY@/version_gnunet.sh
74 . @PKGDATADIRECTORY@/version_gnunet.sh
76 . $dir/../../contrib/build-common/sh/lib.sh/version_gnunet.sh
79 # Whitespace normalization without depending on shell features:
90 tmpdir=${TMPDIR:-/tmp}
97 echo "${nl}${progname}: $*"
101 Usage: ${progname} [-hvVto] [-c FILE]
104 ${tab}-c FILE Use the configuration file FILE.
105 ${tab}-h${tab2}${tab2}Print this help message.
106 ${tab}-o${tab2}${tab2}Display summary of statusmessages
107 ${tab}-t${tab2}${tab2}Short developer test on binaries
108 ${tab}-v${tab2}${tab2}Print the version and exit.
109 ${tab}-V${tab2}${tab2}be verbose
119 infomsg "Generating CA"
120 TMPDIR=${TMPDIR:-/tmp}
121 if test -e "$TMPDIR"; then
122 GNSCERT=`mktemp -t certXXXXXXXX.pem` || exit 1
123 GNSCAKY=`mktemp -t cakyXXXXXXXX.pem` || exit 1
124 GNSCANO=`mktemp -t canoXXXXXXXX.pem` || exit 1
126 # This warning is mostly pointless: TMPDIR was already defaulted to /tmp just above.
127 warningmsg "You need to export the TMPDIR variable"
130 # # ------------- gnutls
132 # if ! which certutil > /dev/null
134 # warningmsg "The 'certutil' command was not found."
135 # warningmsg "Not importing into browsers."
136 # warningmsg "For 'certutil' install nss."
139 # # pkcs#8 password-protects key
140 # certtool --pkcs8 --generate-privkey --sec-param high --outfile ca-key.pem
141 # # self-sign the CA to create public certificate
142 # certtool --generate-self-signed --load-privkey ca-key.pem --template ca.cfg --outfile ca.pem
144 # ------------- openssl
146 GNUTLS_CA_TEMPLATE=@PKGDATADIRECTORY@/gnunet-gns-proxy-ca.template
147 OPENSSLCFG=@PKGDATADIRECTORY@/openssl.cnf
150 if test -x $(existence gnunet-certtool)
151 # if test -z "`gnutls-certtool --version`" > /dev/null
153 # We only support gnutls certtool for now. Treat the grep
154 # for "gnutls" in the output with extra care: it only matches
155 # the email address, so another certtool could pass this check. It is
156 # probably safer to run strings(1) over certtool looking for "gnutls".
157 if test -z "`certtool --version | grep gnutls`" > /dev/null
159 warningmsg "'gnutls-certtool' or 'certtool' command not found. Trying openssl."
160 # if test -z "`openssl version`" > /dev/null
161 if test -x $(existence openssl)
165 warningmsg "Install either gnutls certtool or openssl for certificate generation!"
166 statusmsg "Cleaning up."
167 rm -f $GNSCAKY $GNSCERT
173 CERTTOOL="gnutls-certtool"
175 if test -n "${GNUNET_CONFIG_FILE}"; then
176 GNUNET_CONFIG="-c ${GNUNET_CONFIG_FILE}"
180 GNS_CA_CERT_PEM=`gnunet-config ${GNUNET_CONFIG} -s gns-proxy -o PROXY_CACERT -f ${options}`
181 mkdir -p `dirname $GNS_CA_CERT_PEM`
183 if test 1 -eq $OPENSSL
185 if test 1 -eq $verbosity; then
186 openssl req -config $OPENSSLCFG -new -x509 -days 3650 -extensions v3_ca -keyout $GNSCAKY -out $GNSCERT -subj "/C=ZZ/L=World/O=GNU/OU=GNUnet/CN=GNS Proxy CA/emailAddress=bounce@gnunet.org" -passout pass:"GNU Name System"
188 openssl req -config $OPENSSLCFG -new -x509 -days 3650 -extensions v3_ca -keyout $GNSCAKY -out $GNSCERT -subj "/C=ZZ/L=World/O=GNU/OU=GNUnet/CN=GNS Proxy CA/emailAddress=bounce@gnunet.org" -passout pass:"GNU Name System" >/dev/null 2>&1
190 infomsg "Removing passphrase from key"
191 if test 1 -eq $verbosity; then
192 openssl rsa -passin pass:"GNU Name System" -in $GNSCAKY -out $GNSCANO
194 openssl rsa -passin pass:"GNU Name System" -in $GNSCAKY -out $GNSCANO >/dev/null 2>&1
196 cat $GNSCERT $GNSCANO > $GNS_CA_CERT_PEM
198 if test 1 -eq $verbosity; then
199 $CERTTOOL --generate-privkey --outfile $GNSCAKY
200 $CERTTOOL --template $GNUTLS_CA_TEMPLATE --generate-self-signed --load-privkey $GNSCAKY --outfile $GNSCERT
202 $CERTTOOL --generate-privkey --outfile $GNSCAKY >/dev/null 2>&1
203 $CERTTOOL --template $GNUTLS_CA_TEMPLATE --generate-self-signed --load-privkey $GNSCAKY --outfile $GNSCERT >/dev/null 2>&1
205 infomsg "Making private key available to gnunet-gns-proxy"
206 cat $GNSCERT $GNSCAKY > $GNS_CA_CERT_PEM
212 # if test -z "`command -v certutil`" > /dev/null 2>&1
213 if test -x $(existence gnutls-certutil) || test -x $(existence certutil)
215 statusmsg "Importing CA into browsers"
216 # TODO: Error handling?
217 for f in ~/.mozilla/firefox/*.*/
220 infomsg "Importing CA into Firefox at $f"
221 # delete old certificate (if any)
222 certutil -D -n "GNS Proxy CA" -d "$f" >/dev/null 2>/dev/null
223 # add new certificate
224 certutil -A -n "GNS Proxy CA" -t CT,, -d "$f" < $GNSCERT
227 for f in ~/.mozilla/icecat/*.*/
230 infomsg "Importing CA into Icecat at $f"
231 # delete old certificate (if any)
232 certutil -D -n "GNS Proxy CA" -d "$f" >/dev/null 2>/dev/null
233 # add new certificate
234 certutil -A -n "GNS Proxy CA" -t CT,, -d "$f" < $GNSCERT
237 # TODO: Error handling?
238 if [ -d ~/.pki/nssdb/ ]; then
239 statusmsg "Importing CA into Chrome at ~/.pki/nssdb/"
240 # delete old certificate (if any)
241 certutil -D -n "GNS Proxy CA" -d ~/.pki/nssdb/ >/dev/null 2>/dev/null
242 # add new certificate
243 certutil -A -n "GNS Proxy CA" -t CT,, -d ~/.pki/nssdb/ < $GNSCERT
246 warningmsg "The 'certutil' command was not found."
247 warningmsg "Not importing into browsers."
248 warningmsg "For 'certutil' install nss."
254 infomsg "Cleaning up."
255 rm -f $GNSCAKY $GNSCANO $GNSCERT
256 if test -e $SETUP_TMPDIR
262 statusmsg "You can now start gnunet-gns-proxy."
263 statusmsg "Afterwards, configure your browser "
264 statusmsg "to use a SOCKS proxy on port 7777. "
271 while getopts "vhVtoc:" opt; do
284 options="$options -c $OPTARG"
285 infomsg "Using configuration file $OPTARG"
286 GNUNET_CONFIG_FILE=${OPTARG}
290 infomsg "Running short developer test"
291 if test -x $(existence openssl); then
294 if test -x $(existence certtool); then
297 if test -x $(existence gnutls-certtool); then
298 gnutls-certtool --version
303 resfile=$(mktemp -t ${progname}.results)
307 echo "Invalid option: -$OPTARG" >&2
311 echo "Option -$OPTARG requires an argument." >&2
318 if [ -s "${results}" ]; then
319 echo "===> Summary of results:"
320 sed -e 's/^===>//;s/^/ /' "${results}"
322 infomsg "Please remove ${results} manually."