From e298128e273a984beb3094e9d380a54a0f65b4ce Mon Sep 17 00:00:00 2001 From: ng0 Date: Fri, 8 Mar 2019 22:47:17 +0000 Subject: [PATCH] gnunet-gns-proxy-setup-ca: Here is a new version of gnunet-gns-proxy-setup-ca. Most of it still needs debugging, but it works. This ought to be extended in the future. Man page created. --- doc/man/Makefile.am | 1 + doc/man/gnunet-gns-proxy-setup-ca.1 | 64 ++++ src/gns/gnunet-gns-proxy-setup-ca.in | 473 ++++++++++++++++++++++----- 3 files changed, 464 insertions(+), 74 deletions(-) create mode 100644 doc/man/gnunet-gns-proxy-setup-ca.1 diff --git a/doc/man/Makefile.am b/doc/man/Makefile.am index 3808afb1f..d274a35bc 100644 --- a/doc/man/Makefile.am +++ b/doc/man/Makefile.am @@ -26,6 +26,7 @@ man_MANS = \ gnunet-fs.1 \ gnunet-gns.1 \ gnunet-gns-proxy.1 \ + gnunet-gns-proxy-setup-ca.1 \ gnunet-identity.1 \ gnunet-cadet.1 \ gnunet-namecache.1 \ diff --git a/doc/man/gnunet-gns-proxy-setup-ca.1 b/doc/man/gnunet-gns-proxy-setup-ca.1 new file mode 100644 index 000000000..4e70f357e --- /dev/null +++ b/doc/man/gnunet-gns-proxy-setup-ca.1 @@ -0,0 +1,64 @@ +.Dd March 6, 2019 +.Dt GNUNET-GNS-PROXY-SETUP-CA 1 +.Os +.Sh NAME +.Nm gnunet-gns-proxy-setup-ca +.Nd generate an X509 certificate for gnunet-gns-proxy and install it +.Sh SYNOPSIS +.Nm +.Op Fl c Ar FILE +.\".Op Fl f Ar FILE +.Op Fl h +.Op Fl v +.Op Fl V +.Sh DESCRIPTION +.Nm +is a shell script to generate X509 certificates for your gnunet-gns-proxy and to install it for both GNUnet and your web browser. +It currently supports Firefox and Chrome based browsers through the help of external helpers: certutil (nss) is used for the import into webbrowsers, openssl is used to generated the CA. +.Bl -tag -width Ds +.It Fl c Ar FILE +Use the configuration file FILE. +\" .It Fl f +\" Perform expansions of the variables used in the config value of gns-proxy. +\" This will usually expand $GNUNET_DATA_HOME to represents its path. +.It Fl h +Print short help on options +.It Fl v +Print the version +.It Fl V +be verbose +.El +.Sh FILES +.Pa gnunet.conf +.Sh SEE ALSO +.Xr gnunet-gns 1 , +.Xr gnunet-gns-proxy 1 , +.Xr gnunet.conf 5 +.sp +The full documentation for gnunet is maintained as a Texinfo manual. +If the +.Xr info 1 +and gnunet programs are properly installed at your site, the command +.Bd -literal -offset indent -compact + info gnunet +.Ed +should give you access to the complete handbook, +.Bd -literal -offset indent -compact + info gnunet-c-tutorial +.Ed +will give you access to a tutorial for developers. +.sp +Depending on your installation, this information is also +available in +.Xr gnunet 7 and +.Xr gnunet-c-tutorial 7 . +.Sh HISTORY +This man page first appeared in GNUnet 0.11.1. +.Sh AUTHORS +This page was was written by +.An ng0 Aq Mt ng0@gnunet.org . +.Sh BUGS +Report bugs by using +.Lk https://bugs.gnunet.org +or by sending electronic mail to +.Aq Mt bug-gnunet@gnu.org . diff --git a/src/gns/gnunet-gns-proxy-setup-ca.in b/src/gns/gnunet-gns-proxy-setup-ca.in index 0a6fab18a..f3a1f58e1 100644 --- a/src/gns/gnunet-gns-proxy-setup-ca.in +++ b/src/gns/gnunet-gns-proxy-setup-ca.in @@ -1,78 +1,403 @@ #!/bin/sh -# This shell script will generate an X509 certificate for your gnunet-gns-proxy -# and install it (for both GNUnet and your browser). # +# This shell script will generate an X509 certificate for +# your gnunet-gns-proxy and install it (for both GNUnet +# and your browser). +# +# TODO: Implement support for more browsers +# TODO: Debug and switch to the new version +# TODO - The only remaining task is fixing the getopts +# TODO: Error checks +# +# The current version partially reuses and recycles +# code from build.sh by NetBSD (although not entirely +# used because it needs debugging): +# +# Copyright (c) 2001-2011 The NetBSD Foundation, Inc. +# All rights reserved. +# +# This code is derived from software contributed to +# The NetBSD Foundation by Todd Vierling and Luke Mewburn. + +# Redistribution and use in source and binary forms, with or +# without modification, are permitted provided that the following +# conditions are met: +# 1. Redistributions of source code must retain the above +# copyright notice, this list of conditions and the following +# disclaimer. +# 2. Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials +# provided with the distribution. + +# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND +# CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, +# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. +# IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS BE LIABLE FOR +# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF +# THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY +# OF SUCH DAMAGE. + +progname=${0##*/} + +setdefaults() +{ + runcmd= + #TOP=$( (exec pwd -P 2>/dev/null) || (exec pwd 2>/dev/null) ) +} + +statusmsg() +{ + ${runcmd} echo " $@" +} + +infomsg() +{ + statusmsg "INFO: $@" +} + +warningmsg() +{ + statusmsg "WARNING: $@" +} + +errormsg() +{ + statusmsg "ERROR: $@" +} + +linemsg() +{ + statusmsg "=========================================" +} + +# Given a variable name in $1, modify the variable in place +# as follows: +# Convert possibly-relative path to absolute path by prepending +# ${TOP} if necessary. Also delete trailing "/", if any. +resolvepath() +{ + local var="$1" + local val + eval val=\"\${${var}}\" + case "${val}" in + /) + ;; + /*) + val="${val%/}" + ;; + *) + val="${TOP}/${val%/}" + ;; + esac + eval ${var}=\"\${val}\" +} + +# usage() +# { +# if [ -n "$*" ]; then +# echo "" +# echo "${progname}: $*" +# fi +# cat <<_usage_ + +# Usage: ${progname} [-fhv] [-c FILE] operation [...] + +# Operations: +# cert Create the GNS certificate and only insert +# it in GNS. +# browser Create the GNS certificate, insert it in +# GNS and install it in webbrowsers found. +# all Create the GNS certificate, insert it in +# GNS and install it in webbrowsers found. +# help Print this help message. + +# Options: +# -c FILE Use the configuration file FILE. +# -f Perform expansions of the variables used in the config +# value of gns-proxy. This will usually expand +# $GNUNET_DATA_HOME to represent its path. +# -h Print this help message. +# -v Print the version. + +# _usage_ +# exit 1 +# } + +usage() +{ + if [ -n "$*" ]; then + echo "" + echo "${progname}: $*" + fi + cat <<_usage_ + +Usage: ${progname} [-hv] [-c FILE] [...] + +Options: + -c FILE Use the configuration file FILE. + -h Print this help message. + -v Print the version and exit. + -V be verbose -OPENSSLCFG=@pkgdatadir@/openssl.cnf -if ! which openssl > /dev/null -then - echo "'openssl' command not found. Please install it." - exit 1 -fi - -echo "Generating CA" -options='' -while getopts "c:" opt; do - case $opt in - c) - options="$options -c $OPTARG" - ;; - \?) - echo "Invalid option: -$OPTARG" >&2 - exit 1 - ;; - :) - echo "Option -$OPTARG requires an argument." >&2 - exit 1 - ;; - esac -done - -GNSCERT=`mktemp /tmp/gnscertXXXXXX.pem` -GNSCAKY=`mktemp /tmp/gnscakeyXXXXXX.pem` -GNSCANO=`mktemp /tmp/gnscakeynoencXXXXXX.pem` -GNS_CA_CERT_PEM=`gnunet-config -s gns-proxy -o PROXY_CACERT -f $options` -mkdir -p `dirname $GNS_CA_CERT_PEM` - -openssl req -config $OPENSSLCFG -new -x509 -days 3650 -extensions v3_ca -keyout $GNSCAKY -out $GNSCERT -subj "/C=ZZ/L=World/O=GNU/OU=GNUnet/CN=GNS Proxy CA/emailAddress=bounce@gnunet.org" -passout pass:"GNU Name System" - -echo "Removing passphrase from key" -openssl rsa -passin pass:"GNU Name System" -in $GNSCAKY -out $GNSCANO - -echo "Making private key available to gnunet-gns-proxy" -cat $GNSCERT $GNSCANO > $GNS_CA_CERT_PEM - -if ! which certutil > /dev/null -then - echo "The 'certutil' command was not found. Not importing into browsers." - echo "For 'certutil' install nss." -else - echo "Importing CA into browsers" - for f in ~/.mozilla/firefox/*.*/ - do - if [ -d $f ]; then - echo "Importing CA info Firefox at $f" - # delete old certificate (if any) - certutil -D -n "GNS Proxy CA" -d "$f" >/dev/null 2>/dev/null - # add new certificate - certutil -A -n "GNS Proxy CA" -t CT,, -d "$f" < $GNSCERT +_usage_ + exit 1 +} + + +# parseoptions() +# { +# opts=':cfhv' +# # For now use POSIX getopts. For the future, refer to +# # the shell capabilities check build.sh has? +# if type getopts >/dev/null 2>&1; then +# # we are a posix shell, we can use the builtin getopts +# getoptcmd='getopts ${opts} opt && opt=-${opt}' +# optargcmd=':' +# optremcmd='shift $((${OPTIND} -1))' +# fi + +# # parse command line options. +# while eval ${getoptcmd}; do +# case ${opt} in + +# -c) +# eval ${optargcmd}; resolvepath OPTARG +# GNUNET_CONFIG_FILE="${OPTARG}" +# export GNUNET_CONFIG_FILE +# ;; +# -f) +# GNUNET_PASS_FILENAME=1 +# export GNUNET_PASS_FILENAME +# ;; +# -v) +# print_version +# ;; +# --) +# break +# ;; +# -'?'|-h) +# usage +# ;; +# esac +# done + +# # operations +# eval ${optremcmd} +# while [ $# -gt 0 ]; do +# op=$1; shift +# operations="${operations} ${op}" +# case "${op}" in +# help) +# usage +# ;; +# all|\ +# browser|\ +# cert) +# ;; +# *) +# usage "Unknown operation \`${op}'" +# ;; +# esac +# op="$( echo "$op" | tr -s '.-' '__')" +# eval do_${op}=true +# done +# } + #[ -n "${operations}" ] || usage "Missing operation to perform." + # old code: + # while getopts "c:" opt; do + # case $opt in + # c) + # options="$options -c $OPTARG" + # ;; + # \?) + # echo "Invalid option: -$OPTARG" >&2 + # exit 1 + # ;; + # :) + # echo "Option -$OPTARG requires an argument." >&2 + # exit 1 + # ;; + # esac + # done + +generate_ca() +{ + echo "" + infomsg "Generating CA" + TMPDIR=${TMPDIR:-/tmp} + if [ -e "$TMPDIR" ]; then + GNSCERT=`mktemp -t ${00##*/}.pem` || exit 1 + GNSCAKY=`mktemp -t ${00##*/}.pem` || exit 1 + GNSCANO=`mktemp -t ${00##*/}.pem` || exit 1 + else + # This warning is mostly pointless. + warning "You need to export the TMPDIR variable" + fi + # else + # # SETUP_TMPDIR="$HOME/gns_setup" + # # if [ ! -e "$SETUP_TMPDIR" ]; then + # # mkdir -p $SETUP_TMPDIR + # # fi + # GNSCERT=`mktemp ${00##*/}.pem` || exit 1 + # GNSCAKY=`mktemp ${00##*/}.pem` || exit 1 + # GNSCANO=`mktemp ${00##*/}.pem` || exit 1 + # fi + + OPENSSLCFG=@pkgdatadir@/openssl.cnf + if ! which openssl > /dev/null + then + warningmsg "'openssl' command not found. Please install it." + infomsg "Cleaning up." + rm -f $GNSCAKY $GNSCANO $GNSCERT + exit 1 + fi + if [ -n "${GNUNET_CONFIG}" ]; then + GNUNET_CONFIG="-c ${GNUNET_CONFIG_FILE}" + else + GNUNET_CONFIG="" + fi + if [ GNUNET_PASS_FILENAME ]; then + GNUNET_OPT_F="" + else + GNUNET_OPT_F=" -f " + fi + GNS_CA_CERT_PEM=`gnunet-config ${GNUNET_CONFIG} -s gns-proxy -o PROXY_CACERT ${GNUNET_OPT_F} -f ${options}` + mkdir -p `dirname $GNS_CA_CERT_PEM` + + # Bad names etc. + if [ verbosity ]; then + VERBOSE_OUTPUT="" + else + VERBOSE_OUTPUT="2>/dev/null" fi - done - - if [ -d ~/.pki/nssdb/ ]; then - echo "Importing CA into Chrome at ~/.pki/nssdb/" - # delete old certificate (if any) - certutil -D -n "GNS Proxy CA" -d ~/.pki/nssdb/ >/dev/null 2>/dev/null - # add new certificate - certutil -A -n "GNS Proxy CA" -t CT,, -d ~/.pki/nssdb/ < $GNSCERT - fi -fi - -echo "Cleaning up." -rm -f $GNSCAKY $GNSCANO $GNSCERT - -echo "===================================" -echo "You can now start gnunet-gns-proxy." -echo "Afterwards, configure your browser " -echo " to use a SOCKS proxy on port 7777." -echo "===================================" + openssl req -config $OPENSSLCFG -new -x509 -days 3650 -extensions v3_ca -keyout $GNSCAKY -out $GNSCERT -subj "/C=ZZ/L=World/O=GNU/OU=GNUnet/CN=GNS Proxy CA/emailAddress=bounce@gnunet.org" -passout pass:"GNU Name System" ${VERBOSE_OUTPUT} + + statusmsg "Removing passphrase from key" + openssl rsa -passin pass:"GNU Name System" -in $GNSCAKY -out $GNSCANO ${VERBOSE_OUTPUT} + + statusmsg "Making private key available to gnunet-gns-proxy" + cat $GNSCERT $GNSCANO > $GNS_CA_CERT_PEM +} + +importbrowsers() +{ + if ! which certutil > /dev/null + then + warningmsg "The 'certutil' command was not found." + warningmsg "Not importing into browsers." + warningmsg "For 'certutil' install nss." + else + statusmsg "Importing CA into browsers" + # TODO: Error handling? + for f in ~/.mozilla/firefox/*.*/ + do + if [ -d $f ]; then + statusmsg "Importing CA into Firefox at $f" + # delete old certificate (if any) + certutil -D -n "GNS Proxy CA" -d "$f" >/dev/null 2>/dev/null + # add new certificate + certutil -A -n "GNS Proxy CA" -t CT,, -d "$f" < $GNSCERT + fi + done + # TODO: Error handling? + if [ -d ~/.pki/nssdb/ ]; then + statusmsg "Importing CA into Chrome at ~/.pki/nssdb/" + # delete old certificate (if any) + certutil -D -n "GNS Proxy CA" -d ~/.pki/nssdb/ >/dev/null 2>/dev/null + # add new certificate + certutil -A -n "GNS Proxy CA" -t CT,, -d ~/.pki/nssdb/ < $GNSCERT + fi + fi +} + +print_version() +{ + GNUNET_ARM_VERSION=`gnunet-arm -v` + echo $GNUNET_ARM_VERSION +} + +clean_up() +{ + infomsg "Cleaning up." + rm -f $GNSCAKY $GNSCANO $GNSCERT + if [ -e $SETUP_TMPDIR ]; then + rm -rf $SETUP_TMPDIR + fi + + linemsg + infomsg "You can now start gnunet-gns-proxy." + infomsg "Afterwards, configure your browser " + infomsg "to use a SOCKS proxy on port 7777. " + linemsg +} + +main() +{ + while getopts "vhVc:" opt; do + case $opt in + v) + print_version + exit 0 + ;; + h) + usage + ;; + V) + verbosity=1 + ;; + c) + options="$options -c $OPTARG" + infomsg "Using configuration file $OPTARG" + ;; + \?) + echo "Invalid option: -$OPTARG" >&2 + usage + ;; + :) + echo "Option -$OPTARG requires an argument." >&2 + usage + ;; + esac + done + setdefaults + generate_ca + importbrowsers + clean_up + +# Needs debugging... +# setdefaults +# _args=$@ +# parseoptions "$@" +# for op in ${operations}; do +# case "${op}" in +# cert) +# ${runcmd} "${generate_ca}" +# ${runcmd} "${clean_up}" +# ;; +# browser) +# ${runcmd} "${generate_ca}" +# ${runcmd} "${importbrowsers}" +# ${runcmd} "${clean_up}" +# ;; +# all) +# ${runcmd} "${generate_ca}" +# ${runcmd} "${importbrowsers}" +# ${runcmd} "${clean_up}" +# ;; +# *) +# infomsg "Unknown operation \`${op}'" +# ;; +# esac +# done +} + +main "$@" -- 2.25.1