authorChih-Hsuan Yen2022-02-09 00:25:28 +0800
committerChih-Hsuan Yen2022-02-09 00:25:28 +0800
commitca9a2cbe9f4be7d3e11b05e27660cea8319b37f4 (patch)
tree2c3f277f9d6c0230aa0d76bbc096debb4d6cd335
parent9ae9503757c664653837b601da85879edc21032c (diff)
generate server certificates upon installation
Following the upstream ./Install script
-rw-r--r--.SRCINFO7
-rw-r--r--PKGBUILD15
-rw-r--r--nhiicc.install10
-rw-r--r--nhiicc.service6
-rw-r--r--regen-certs.sh43
5 files changed, 73 insertions, 8 deletions
diff --git a/.SRCINFO b/.SRCINFO
index bf8e5abf2471..c45ce1970b9a 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
pkgbase = nhiicc
pkgdesc = 台灣健保卡網路註冊憑證元件 (National Health Insurance IC Card)
pkgver = 20210824.02
- pkgrel = 1
+ pkgrel = 2
epoch = 1
url = https://cloudicweb.nhi.gov.tw/cloudic/system/SMC/mEventesting.htm
install = nhiicc.install
@@ -9,10 +9,13 @@ pkgbase = nhiicc
license = custom
depends = pcsclite
depends = sed
+ depends = openssl
optdepends = lib32-pcsclite: for using card readers with 32-bit driver only
source = https://cloudicweb.nhi.gov.tw/cloudic/system/SMC/mLNHIICC_Setup.20210824.02.U64.gz
source = nhiicc.service
+ source = regen-certs.sh
md5sums = 05b34bb5df19c0b8270ab37416225d78
- md5sums = 616a69724e3bc4dab688ca4bc5298c41
+ md5sums = 82b85491957f25f22b43beffca53b9ab
+ md5sums = ba0495f8d54384ac95a93f221366049f
pkgname = nhiicc
diff --git a/PKGBUILD b/PKGBUILD
index 89fdc930aba2..775615637dac 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -3,28 +3,31 @@
pkgname=nhiicc
epoch=1
pkgver=20210824.02
-pkgrel=1
+pkgrel=2
arch=(x86_64)
url='https://cloudicweb.nhi.gov.tw/cloudic/system/SMC/mEventesting.htm'
license=(custom)
pkgdesc='台灣健保卡網路註冊憑證元件 (National Health Insurance IC Card)'
-# sed is for commands in nhiicc.install
-depends=(pcsclite sed)
+# sed and openssl is for commands used in nhiicc.install
+depends=(pcsclite sed openssl)
optdepends=(
'lib32-pcsclite: for using card readers with 32-bit driver only'
)
source=("https://cloudicweb.nhi.gov.tw/cloudic/system/SMC/mLNHIICC_Setup.$pkgver.U64.gz"
- nhiicc.service)
+ nhiicc.service
+ regen-certs.sh)
# See https://cloudicweb.nhi.gov.tw/cloudic/system/SMC/mEventesting.htm for MD5 sums
md5sums=('05b34bb5df19c0b8270ab37416225d78'
- '616a69724e3bc4dab688ca4bc5298c41')
+ '82b85491957f25f22b43beffca53b9ab'
+ 'ba0495f8d54384ac95a93f221366049f')
install=nhiicc.install
package() {
# XXX: upstream binary appears to hard-code /usr/local/share/NHIICC :/
install -Ddm755 "$pkgdir"/usr/{bin,share/NHIICC}
install -Dm755 mLNHIICC_Setup/x64/mLNHIICC -t "$pkgdir"/usr/bin
- cp -dr --no-preserve=ownership mLNHIICC_Setup/{cert,html} "$pkgdir"/usr/share/NHIICC/
+ cp -dr --no-preserve=ownership mLNHIICC_Setup/html "$pkgdir"/usr/share/NHIICC/
+ install -Dm755 regen-certs.sh -t "$pkgdir"/usr/share/NHIICC/
find "$pkgdir" \( -name '*~' -or -name '._*' \) -delete
install -Ddm755 "$pkgdir"/usr/lib/systemd/system
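Review bot: The comment on the new depends line reads `# sed and openssl is for commands used in nhiicc.install`; it should be `# sed and openssl are for commands used in nhiicc.install`, and it could also name regen-certs.sh, since that is where openssl is actually invoked. The install-time scripts in this commit (nhiicc.install and regen-certs.sh) additionally call `/usr/bin/update-ca-trust`, which none of the three listed packages provides directly; if it is not already pulled in transitively, the package that ships it (ca-certificates-utils on Arch) belongs in depends so post_remove and regen-certs.sh cannot fail on a minimal system. The enclosing package() function continues past the end of this hunk.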
diff --git a/nhiicc.install b/nhiicc.install
index 288422cb1ec5..78b6782e868a 100644
--- a/nhiicc.install
+++ b/nhiicc.install
@@ -1,8 +1,18 @@
post_install() {
echo 127.0.0.1 iccert.nhi.gov.tw >> /etc/hosts
echo /etc/hosts is modified to make NHIICC work. Please review its contents if you wish.
+
+ post_upgrade
+}
+
+post_upgrade() {
+ /usr/share/NHIICC/regen-certs.sh
}
post_remove() {
sed -i '/iccert\.nhi\.gov\.tw/d' /etc/hosts
+
+ rm -r /var/lib/nhiicc/cert
+ rm /etc/ca-certificates/trust-source/anchors/NHIRootCA.crt
+ /usr/bin/update-ca-trust
}
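Review bot: The two `rm` calls added in post_remove have no `-f`, so if regen-certs.sh ever failed partway (it runs under `set -eu`, and its status is not checked here) removal prints errors for paths that do not exist; `rm -rf -- /var/lib/nhiicc/cert` and `rm -f -- /etc/ca-certificates/trust-source/anchors/NHIRootCA.crt` make the cleanup idempotent, and removing the then-empty /var/lib/nhiicc as well would leave nothing behind. post_upgrade regenerates the CA and the server key on every package upgrade, replacing the system trust anchor each time; a comment such as `# regenerate the local CA and server cert on every upgrade; the previous anchor is replaced` would make that intentional behaviour visible to the next maintainer. post_install also calls post_upgrade before the latter is defined, which works only because pacman sources the whole file before invoking the hook; a one-line comment saying so spares the reader the question.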
diff --git a/nhiicc.service b/nhiicc.service
index df618259c407..da118ca07647 100644
--- a/nhiicc.service
+++ b/nhiicc.service
@@ -8,6 +8,12 @@ PrivateTmp=true
DynamicUser=true
TemporaryFileSystem=/usr/local/share:ro
BindReadOnlyPaths=/usr/share/NHIICC:/usr/local/share/NHIICC
+BindReadOnlyPaths=/var/lib/nhiicc/cert:/usr/local/share/NHIICC/cert
+# Use undocumented /run/credentials as BindReadOnlyPaths= require
+# absolute paths and don't accept environment variables like
+# $CREDENTIALS_DIRECTORY
+BindReadOnlyPaths=/run/credentials/nhiicc.service/NHIServerCert.key:/usr/local/share/NHIICC/cert/NHIServerCert.key
+LoadCredential=NHIServerCert.key:/var/lib/nhiicc/cert/NHIServerCert-real.key
[Install]
WantedBy=multi-user.target
diff --git a/regen-certs.sh b/regen-certs.sh
new file mode 100644
index 000000000000..098bf16dd132
--- /dev/null
+++ b/regen-certs.sh
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+# Adapted from upstream ./Install script
+org=nhi-localhost-ca
+domain=localhost
+# Upstream script generates 50 year leaf cert and 30 day CA cert. 10
+# years for both sound a better choice
+days=3650
+
+set -eu
+
+out_dir=/var/lib/nhiicc/cert
+mkdir -p "$out_dir"
+
+tmp_dir="$(mktemp -d --tmpdir tmp.nhiicc-XXXXXX)"
+trap 'rm -rf -- "$tmp_dir"' EXIT
+
+cd "$tmp_dir"
+
+openssl genpkey -algorithm RSA -out ca.key
+openssl req -x509 -key ca.key -days $days -out ca.crt \
+ -subj "/CN=$org/O=$org"
+
+openssl genpkey -algorithm RSA -out "$domain".key
+openssl req -new -key "$domain".key -out "$domain".csr \
+ -subj "/CN=$domain/O=$org"
+
+openssl x509 -req -in "$domain".csr -days $days -out "$domain".crt \
+ -CA ca.crt -CAkey ca.key -CAcreateserial \
+-extfile <(cat <<END
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+subjectAltName = DNS:$domain
+END
+)
+
+install -Dm644 ca.crt /etc/ca-certificates/trust-source/anchors/NHIRootCA.crt
+ln -sf /etc/ca-certificates/trust-source/anchors/NHIRootCA.crt "$out_dir/NHIRootCA.crt"
+install -Dm644 localhost.crt "$out_dir/NHIServerCert.crt"
+install -Dm600 localhost.key "$out_dir/NHIServerCert-real.key"
+
+/usr/bin/update-ca-trust
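Review bot: The CA created by the `openssl req -x509` call becomes a system-wide trust anchor (installed under /etc/ca-certificates/trust-source/anchors at the end of the script) yet nothing limits which names it may vouch for; adding `-addext "nameConstraints=critical,permitted;DNS:$domain"` confines it to the single host it signs for, which is worth doing even though ca.key is discarded with the temp dir, and the result should be checked with `openssl x509 -text` and the client in use. Both `genpkey` calls leave the RSA size to the tool's default; pinning it with `-pkeyopt rsa_keygen_bits:3072` keeps the output independent of the installed openssl. The two `install` lines hard-code `localhost.crt` and `localhost.key` while every earlier line derives the name from `$domain`, so changing that variable silently breaks the copy step; use `"$domain".crt` and `"$domain".key`. Separately, nhiicc.install maps iccert.nhi.gov.tw to 127.0.0.1, but the leaf's only SAN is DNS:localhost; if the client component connects by that hostname the certificate would not match, so this is worth confirming against the upstream script it was adapted from.
```shell
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out ca.key
openssl req -x509 -key ca.key -days "$days" -out ca.crt \
  -subj "/CN=$org/O=$org" \
  -addext "nameConstraints=critical,permitted;DNS:$domain"

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out "$domain".key
# … unchanged: CSR creation and leaf signing …
install -Dm644 "$domain".crt "$out_dir/NHIServerCert.crt"
install -Dm600 "$domain".key "$out_dir/NHIServerCert-real.key"
```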