author | Óscar García Amor | 2021-04-15 13:29:58 +0200 |
---|---|---|
committer | Óscar García Amor | 2021-04-15 13:29:58 +0200 |
commit | 5934c26993c831730443f068febb9ab40aad9833 (patch) | |
tree | fc47720294dbc8b680b6bda73d97ea409c197b56 | |
parent | c715f1b54eb7a6c00225e50f5bf71053c1318546 (diff) | |
download | aur-5934c26993c831730443f068febb9ab40aad9833.tar.gz |
upgpkg: autofirma-bin 1.6.5-2
Better certificate and key generation
-rw-r--r-- | .SRCINFO | 5 | ||||
-rw-r--r-- | PKGBUILD | 13 | ||||
-rw-r--r-- | autofirma | 119 |
3 files changed, 124 insertions, 13 deletions
@@ -1,12 +1,13 @@
 pkgbase = autofirma-bin
 pkgdesc = Cliente de firma electrónica ofrecido por la Administración Pública
 pkgver = 1.6.5
- pkgrel = 1
+ pkgrel = 2
 url = https://firmaelectronica.gob.es/
 arch = any
 license = GPL
 license = EUPL
 depends = java-runtime
+ depends = nss
 conflicts = autofirma
 source = autofirma-bin-1.6.5.zip::https://sede.xunta.gal/ficheiros/autofirma/AutoFirma_Linux.zip
 source = autofirma
@@ -14,7 +15,7 @@ pkgbase = autofirma-bin
 source = autofirma.js
 source = autofirma.svg
 sha256sums = 28da745ea3084ba87b56eba31bc994e60872384c893c91f3e4aad3db4967d939
- sha256sums = 17bb396857addaf763090b148301e05f70c20079182f7792aa60a038b7b5c635
+ sha256sums = bca7e3fb81a14296aa1b3585bf9921d2aeec4bb0fcb796c76a39ef466ac1af00
 sha256sums = 062cf72219e592e06218e47ea2a212d6517be66f0d4c58dcd03ef18d5c39300b
 sha256sums = 428c5b7300dde7158a1a0918c8d2e8188f042dbc143d991c03f51d1c8a40efa4
 sha256sums = f7e525586103db08a2a38ccefdef93cc02407728de8b214e53ae3dc0631bab75
@@ -2,12 +2,12 @@
 pkgname=autofirma-bin
 pkgver=1.6.5
-pkgrel=1
+pkgrel=2
 pkgdesc='Cliente de firma electrónica ofrecido por la Administración Pública'
 arch=('any')
 url='https://firmaelectronica.gob.es/'
 license=('GPL' 'EUPL')
-depends=('java-runtime')
+depends=('java-runtime' 'nss')
 conflicts=('autofirma')
 source=("${pkgname}-${pkgver}.zip::https://sede.xunta.gal/ficheiros/autofirma/AutoFirma_Linux.zip"
 "autofirma"
@@ -15,7 +15,7 @@ source=("${pkgname}-${pkgver}.zip::https://sede.xunta.gal/ficheiros/autofirma/Au
 "autofirma.js"
 "autofirma.svg")
 sha256sums=('28da745ea3084ba87b56eba31bc994e60872384c893c91f3e4aad3db4967d939'
- '17bb396857addaf763090b148301e05f70c20079182f7792aa60a038b7b5c635'
+ 'bca7e3fb81a14296aa1b3585bf9921d2aeec4bb0fcb796c76a39ef466ac1af00'
 '062cf72219e592e06218e47ea2a212d6517be66f0d4c58dcd03ef18d5c39300b'
 '428c5b7300dde7158a1a0918c8d2e8188f042dbc143d991c03f51d1c8a40efa4'
 'f7e525586103db08a2a38ccefdef93cc02407728de8b214e53ae3dc0631bab75')
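Review bot: The depends change in the PKGBUILD hunk adds only `nss`, but the new `autofirma` wrapper in this same commit also calls `openssl` (genrsa, req, x509, ca, pkcs12) directly, and that dependency is not declared. On Arch it is usually present transitively, but a direct runtime use should be listed explicitly: `depends=('java-runtime' 'nss' 'openssl')`, with a matching `depends = openssl` line in .SRCINFO.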
@@ -23,9 +23,6 @@ sha256sums=('28da745ea3084ba87b56eba31bc994e60872384c893c91f3e4aad3db4967d939'
 prepare() {
 # Extract debian package
 bsdtar -O -xf AutoFirma*/*.deb data.tar.xz | bsdtar -C "${srcdir}" -xJf -
-
- # Generate certificates
- java -jar "usr/lib/AutoFirma/AutoFirmaConfigurador.jar"
 }
 
 package() {
@@ -35,14 +32,10 @@ package() {
 "${pkgdir}/usr/lib/firefox/defaults/pref/autofirma.js"
 install -Dm644 "usr/lib/AutoFirma/AutoFirma.jar" \
 "${pkgdir}/usr/share/java/autofirma/autofirma.jar"
- install -Dm644 "usr/lib/AutoFirma/autofirma.pfx" \
- "${pkgdir}/usr/share/java/autofirma/autofirma.pfx"
 install -Dm644 "autofirma.svg" \
 "${pkgdir}/usr/share/pixmaps/autofirma.svg"
 install -Dm644 "autofirma.desktop" \
 "${pkgdir}/usr/share/applications/autofirma.desktop"
 install -Dm644 "usr/share/common-licenses/eupl-1.1.txt" \
 "${pkgdir}/usr/share/licenses/autofirma/EUPL"
- install -Dm644 "usr/lib/AutoFirma/AutoFirma_ROOT.cer" \
- "${pkgdir}/usr/share/ca-certificates/trust-source/anchors/AutoFirma_ROOT.cer"
 }
diff --git a/autofirma b/autofirma
index 131d04bb4a29..1bec678fa2e3 100644
--- a/autofirma
+++ b/autofirma
@@ -1,2 +1,119 @@
-#! /bin/sh
+#! /bin/bash
+_autofirma_dir="${HOME}/.afirma/AutoFirma"
+_autofirma_ca="${_autofirma_dir}/AutoFirma_ROOT.cer"
+_autofirma_pfx="${_autofirma_dir}/autofirma.pfx"
+_cert_days="3650"
+_cert_cn="AutoFirma ROOT LOCAL"
+_firefox_profiles_ini="${HOME}/.mozilla/firefox/profiles.ini"
+_nssdb="sql:${HOME}/.pki/nssdb"
+
+function _make_ca_config {
+ cat << EOF > "${_temp_dir}/openssl.cnf"
+[ ca ]
+default_ca=CA_autofirma
+[ CA_autofirma ]
+dir=${_temp_dir}
+new_certs_dir=\$dir
+database=\$dir/index.txt
+serial=\$dir/serial.txt
+default_days=${_cert_days}
+default_crl_days=30
+default_md=sha256
+preserve=no
+x509_extensions=ca_extensions
+email_in_dn=no
+copy_extensions=copy
+[ ca_extensions ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always, issuer
+basicConstraints=critical, CA:true
+keyUsage=keyCertSign, cRLSign
+[ signing_policy ]
+countryName=optional
+stateOrProvinceName=optional
+localityName=optional
+organizationName=optional
+organizationalUnitName=optional
+commonName=supplied
+emailAddress=optional
+[ signing_req ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage=digitalSignature,keyEncipherment
+EOF
+touch "${_temp_dir}/index.txt"
+echo "01" > "${_temp_dir}/serial.txt"
+}
+
+function trust_ca {
+ # Add in shared user database
+ certutil -d "${_nssdb}" -D -n "${_cert_cn}" && \
+ certutil -d "${_nssdb}" -A -i "${_autofirma_ca}" -n "${_cert_cn}" -t C,,
+ # Add in default firefox profile (if exists)
+ if [ -r "${_firefox_profiles_ini}" ]; then
+ _firefox_default_profile="$(grep Default ${_firefox_profiles_ini})"
+ _firefox_default_profile_dir="${HOME}/.mozilla/firefox/${_firefox_default_profile##*=}"
+ [ -d "${_firefox_default_profile_dir}" ] && \
+ certutil -d "${_firefox_default_profile_dir}" -D -n "${_cert_cn}" && \
+ certutil -d "${_firefox_default_profile_dir}" -A -i "${_autofirma_ca}" -n "${_cert_cn}" -t C,,
+ unset _autofirma_ca _autofirma_pfx _cert_cn _nssdb \
_firefox_profiles_ini _firefox_default_profile _firefox_default_profile_dir
+fi
+}
+
+function do_init {
+ _temp_dir="$(mktemp -d)"
+ mkdir -p "${_autofirma_dir}"
+ rm -f "${_autofirma_ca}" "${_autofirma_pfx}"
+ openssl rand -base64 48 > "${_temp_dir}/randomkey.txt"
+ # Make local CA
+ openssl genrsa -aes128 -passout file:"${_temp_dir}/randomkey.txt" -out \
+ "${_temp_dir}/autofirma.key" 2777
+ openssl req -new -passin file:"${_temp_dir}/randomkey.txt" \
+ -key "${_temp_dir}/autofirma.key" \
+ -out "${_temp_dir}/autofirma.csr" \
+ -subj "/CN=${_cert_cn}"
+ openssl x509 -req -days ${_cert_days} \
+ -in "${_temp_dir}/autofirma.csr" \
+ -signkey "${_temp_dir}/autofirma.key" \
+ -passin file:"${_temp_dir}/randomkey.txt" \
+ -out "${_autofirma_ca}"
+ # Make user certificate and key
+ openssl genrsa -aes128 -passout file:"${_temp_dir}/randomkey.txt" -out \
+ "${_temp_dir}/user.key" 2777
+ openssl req -new -passin file:"${_temp_dir}/randomkey.txt" \
+ -key "${_temp_dir}/user.key" \
+ -out "${_temp_dir}/user.csr" \
+ -subj "/CN=127.0.0.1"
+ _make_ca_config
+ openssl ca -batch -config "${_temp_dir}/openssl.cnf" \
+ -policy signing_policy \
+ -extensions signing_req \
+ -cert "${_autofirma_ca}" \
+ -keyfile "${_temp_dir}/autofirma.key" \
+ -passin file:"${_temp_dir}/randomkey.txt" \
+ -in "${_temp_dir}/user.csr" \
+ -out "${_temp_dir}/user.cer"
+ # Make user pfx from certificate and key
+ openssl pkcs12 -export -passin file:"${_temp_dir}/randomkey.txt" \
+ -certfile "${_autofirma_ca}" \
+ -in "${_temp_dir}/user.cer" \
+ -inkey "${_temp_dir}/user.key" \
+ -name "socketautofirmalocal" \
+ -passout pass:654321 \
+ -out "${_autofirma_pfx}"
+ rm -rf ${_temp_dir}
+ unset _temp_dir
+}
+
+# If any required cert or key is missing rebuild it
+{ [ ! -r "${_autofirma_ca}" ] || [ ! -r "${_autofirma_pfx}" ]; } && \
+ do_init
+unset _autofirma_dir _cert_days
+
+# Always update CA in profiles
+trust_ca
+
+# Run app
 java -jar /usr/share/java/autofirma/autofirma.jar $@ |
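Review bot: In `trust_ca` both `certutil -A` calls are chained with `&&` behind a `certutil -D`, so if the delete exits non-zero when the nickname is not yet in the database (as it does in the NSS builds I know), the add is skipped on exactly the run that matters — the first one after `do_init` — and the freshly generated CA is never trusted, in the shared `~/.pki/nssdb` branch and in the Firefox-profile branch alike. Make the delete best-effort and the add unconditional: `certutil -d "${_nssdb}" -D -n "${_cert_cn}" 2>/dev/null` on its own line, followed by the `-A` line joined with `;` rather than `&&`. In `do_init` the exported pfx carries the user's private key behind a fixed password (`-passout pass:654321`) and is written with the caller's default umask, so add `umask 077` as the first statement of `do_init` (or `chmod 600 "${_autofirma_pfx}"` after the export) and create the directory with `mkdir -pm 700 "${_autofirma_dir}"`. `_temp_dir="$(mktemp -d)"` is never checked and cleanup is the unquoted `rm -rf ${_temp_dir}`, so a failed mktemp leaves every later `openssl` call writing to `/...` and the removal running with no argument; use `_temp_dir="$(mktemp -d)" || exit 1` and `rm -rf -- "${_temp_dir:?}"`. The `grep Default ${_firefox_profiles_ini}` lookup is also unquoted and matches every line containing `Default`, so when several match `${_firefox_default_profile##*=}` keeps only the last one, which may not be the profile path; quote the path and anchor the match to the single `Default=` entry you intend, after confirming the profiles.ini layout on current Firefox.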