From 2f9e78d0db73fa953f4f542f3fbc9ddf2c9e260f Mon Sep 17 00:00:00 2001 From: ng0 Date: Tue, 19 Feb 2019 12:40:36 +0000 Subject: [PATCH] gnunet-gns-proxy-setup-ca: conditionally sed openssl and certutil location, use variable for locations, check for openssl and certutil in configure phase. --- configure.ac | 3 +++ src/gns/Makefile.am | 23 +++++++++++++++++++---- src/gns/gnunet-gns-proxy-setup-ca.in | 17 ++++++++++------- 3 files changed, 32 insertions(+), 11 deletions(-) diff --git a/configure.ac b/configure.ac index 40890ad1a..b3caee676 100644 --- a/configure.ac +++ b/configure.ac @@ -377,6 +377,9 @@ AC_ARG_ENABLE(gcc-hardening, LDFLAGS="$LDFLAGS -pie" fi]) +# gnunet-gns-proxy-setup-ca requires openssl and certutil (nss) +AC_CHECK_PROG(have_openssl, [openssl], [yes], [no]) +AC_CHECK_PROG(have_certutil, [certutil], [yes], [no]) # Linker hardening options # Currently these options are ELF specific - you can't use this with MacOSX diff --git a/src/gns/Makefile.am b/src/gns/Makefile.am index 13f6a6e52..7d343e7ff 100644 --- a/src/gns/Makefile.am +++ b/src/gns/Makefile.am 
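Review bot: The two `AC_CHECK_PROG` calls only set the shell variables `have_openssl` and `have_certutil` to yes/no; nothing in this hunk turns them into the `HAVE_OPENSSL` and `HAVE_NSS` automake conditionals that the src/gns/Makefile.am part of this patch tests, and automake rejects an `if` on a conditional that was never declared with `AM_CONDITIONAL` (it may be declared elsewhere in configure.ac, outside the hunk). The check also discards the location it found, which is why the Makefile falls back to `$(shell which openssl)` and bakes whatever the builder's PATH resolves first into an installed script that creates a CA key. I would record the path once at configure time and derive the conditional from it: `AC_PATH_PROG([OPENSSL], [openssl])` followed by `AM_CONDITIONAL([HAVE_OPENSSL], [test -n "$OPENSSL"])`, and the same pair for certutil.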
@@ -88,21 +88,36 @@ bin_PROGRAMS += gnunet-bcd endif endif -bin_SCRIPTS = gnunet-gns-proxy-setup-ca - plugin_LTLIBRARIES = \ libgnunet_plugin_block_gns.la \ libgnunet_plugin_gnsrecord_gns.la -xPFX=$(pkgdatadir)/openssl.cnf +if HAVE_OPENSSL +xOPENSSL=$(shell which openssl) +do_subst_openssl = $(SED) -e 's,[@]OPENSSLBIN[@],${xOPENSSL},g' +endif + +if HAVE_NSS +xCERTUTIL=$(shell which certutil) +do_subst_certutil = $(SED) -e 's,[@]CERTUTILBIN[@],${xCERTUTIL},g' +endif + +xPFX=$(pkgdatadir)/openssl.cnf do_subst = $(SED) -e 's,[@]PREFIX[@],${xPFX},g' gnunet-gns-proxy-setup-ca: gnunet-gns-proxy-setup-ca.in $(do_subst) < $(top_srcdir)/src/gns/gnunet-gns-proxy-setup-ca.in > gnunet-gns-proxy-setup-ca + ifeq ($(HAVE_OPENSSL), 1) + $(do_subst_openssl) < $(top_srcdir)/src/gns/gnunet-gns-proxy-setup-ca + endif + ifeq ($(HAVE_OPENSSL), 1) + $(do_subst_certutil) < $(top_srcdir)/src/gns/gnunet-gns-proxy-setup-ca + endif chmod +x gnunet-gns-proxy-setup-ca +else: - +bin_SCRIPTS = gnunet-gns-proxy-setup-ca libgnunet_plugin_gnsrecord_gns_la_SOURCES = \ plugin_gnsrecord_gns.c diff --git a/src/gns/gnunet-gns-proxy-setup-ca.in b/src/gns/gnunet-gns-proxy-setup-ca.in index d3753b074..cd3be5cea 100644 --- a/src/gns/gnunet-gns-proxy-setup-ca.in +++ b/src/gns/gnunet-gns-proxy-setup-ca.in @@ -11,6 +11,8 @@ then exit 1 fi +OPENSSLBIN=@OPENSSL@ +CERTUTILBIN=@CERTUTIL@ echo "Generating CA" options='' 
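Review bot: The two added sed steps never change the generated script: they read `$(top_srcdir)/src/gns/gnunet-gns-proxy-setup-ca` (a source-tree path, not the file the first recipe line just wrote) and have no output redirection, so the result goes to stdout. The second guard also repeats `HAVE_OPENSSL` where the certutil case is meant, `ifeq ($(HAVE_OPENSSL), 1)` compares a make variable that nothing visible sets (the automake conditionals above are not make variables), and the `else:` after `chmod` has no matching conditional. Folding the three substitutions into the one sed invocation that already writes the target removes all of these; the fence shows the rule that way, reusing the hunk's own `xOPENSSL` and `xCERTUTIL`. When a tool was not found those variables are empty, so the script should fail clearly on an empty path rather than run it.

```make
# … unchanged: xPFX, xOPENSSL and xCERTUTIL assignments …
do_subst = $(SED) \
  -e 's,[@]PREFIX[@],$(xPFX),g' \
  -e 's,[@]OPENSSLBIN[@],$(xOPENSSL),g' \
  -e 's,[@]CERTUTILBIN[@],$(xCERTUTIL),g'

gnunet-gns-proxy-setup-ca: gnunet-gns-proxy-setup-ca.in
	$(do_subst) < $(top_srcdir)/src/gns/gnunet-gns-proxy-setup-ca.in > $@
	chmod +x $@
```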
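Review bot: The placeholders in the two added assignments are `@OPENSSL@` and `@CERTUTIL@`, but the sed expressions added to src/gns/Makefile.am in this patch replace `@OPENSSLBIN@` and `@CERTUTILBIN@`, so after the build these lines would still hold the literal placeholder text. The names need to agree, and the value is better quoted so that an install path containing spaces survives: `OPENSSLBIN='@OPENSSLBIN@'` and `CERTUTILBIN='@CERTUTILBIN@'`. A one-line comment above them, `# filled in at build time by the sed step in src/gns/Makefile.am`, would help whoever edits the template next.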
@@ -36,17 +38,18 @@ GNSCANO=`mktemp /tmp/gnscakeynoencXXXXXX.pem` GNS_CA_CERT_PEM=`gnunet-config -s gns-proxy -o PROXY_CACERT -f $options` mkdir -p `dirname $GNS_CA_CERT_PEM` -openssl req -config $OPENSSLCFG -new -x509 -days 3650 -extensions v3_ca -keyout $GNSCAKY -out $GNSCERT -subj "/C=ZZ/L=World/O=GNU/OU=GNUnet/CN=GNS Proxy CA/emailAddress=bounce@gnunet.org" -passout pass:"GNU Name System" +OPENSSLBIN req -config $OPENSSLCFG -new -x509 -days 3650 -extensions v3_ca -keyout $GNSCAKY -out $GNSCERT -subj "/C=ZZ/L=World/O=GNU/OU=GNUnet/CN=GNS Proxy CA/emailAddress=bounce@gnunet.org" -passout pass:"GNU Name System" echo "Removing passphrase from key" -openssl rsa -passin pass:"GNU Name System" -in $GNSCAKY -out $GNSCANO +OPENSSLBIN rsa -passin pass:"GNU Name System" -in $GNSCAKY -out $GNSCANO echo "Making private key available to gnunet-gns-proxy" cat $GNSCERT $GNSCANO > $GNS_CA_CERT_PEM if ! which certutil > /dev/null then - echo "'certutil' command not found. Not importing into browsers." + echo "The 'certutil' command was not found. Not importing into browsers." + echo "For 'certutil' install nss." else echo "Importing CA into browsers" for f in ~/.mozilla/firefox/*.*/ 
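Review bot: Both replaced openssl calls now start with the bare word `OPENSSLBIN`, which the shell looks up as a command of that name instead of expanding the variable set at the top of the script, so CA generation fails at the first `req`. They should begin with `"$OPENSSLBIN" req -config ...` and `"$OPENSSLBIN" rsa -passin ...`. Unless `set -e` is in effect outside this hunk, the script then continues to `cat $GNSCERT $GNSCANO > $GNS_CA_CERT_PEM` after a failed call and writes an empty or incomplete CA file; appending `|| exit 1` to each openssl line would stop that. The `which certutil` guard in the same hunk still searches PATH rather than testing the configured binary, so it can disagree with the command that is run afterwards.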
@@ -54,18 +57,18 @@ else if [ -d $f ]; then echo "Importing CA info Firefox at $f" # delete old certificate (if any) - certutil -D -n "GNS Proxy CA" -d "$f" >/dev/null 2>/dev/null + @CERTUTILBIN@ -D -n "GNS Proxy CA" -d "$f" >/dev/null 2>/dev/null # add new certificate - certutil -A -n "GNS Proxy CA" -t CT,, -d "$f" < $GNSCERT + @CERTUTILBIN@ -A -n "GNS Proxy CA" -t CT,, -d "$f" < $GNSCERT fi done if [ -d ~/.pki/nssdb/ ]; then echo "Importing CA into Chrome at ~/.pki/nssdb/" # delete old certificate (if any) - certutil -D -n "GNS Proxy CA" -d ~/.pki/nssdb/ >/dev/null 2>/dev/null + @CERTUTILBIN@ -D -n "GNS Proxy CA" -d ~/.pki/nssdb/ >/dev/null 2>/dev/null # add new certificate - certutil -A -n "GNS Proxy CA" -t CT,, -d ~/.pki/nssdb/ < $GNSCERT + @CERTUTILBIN@ -A -n "GNS Proxy CA" -t CT,, -d ~/.pki/nssdb/ < $GNSCERT fi fi -- 2.25.1
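Review bot: The four certutil calls use the raw `@CERTUTILBIN@` placeholder while the openssl calls go through a shell variable, and when the build-time substitution does not run (certutil absent at build time, judging by the conditional in src/gns/Makefile.am) the installed script keeps the literal `@CERTUTILBIN@` as the command name. The delete calls send stderr to /dev/null, so that failure is silent there and only surfaces on the `-A` line. Using the variable assigned at the top of the script keeps both tools consistent and leaves one place to validate the path: `"$CERTUTILBIN" -A -n "GNS Proxy CA" -t CT,, -d "$f" < "$GNSCERT"`. Since `-t CT,,` marks this CA as trusted in the browser profile, a short comment stating that this is the intended trust level would help reviewers.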