path: root/autofirma
authorÓscar García Amor2021-04-15 13:29:58 +0200
committerÓscar García Amor2021-04-15 13:29:58 +0200
commit5934c26993c831730443f068febb9ab40aad9833 (patch)
treefc47720294dbc8b680b6bda73d97ea409c197b56 /autofirma
parentc715f1b54eb7a6c00225e50f5bf71053c1318546 (diff)
upgpkg: autofirma-bin 1.6.5-2
Better certificate and key generation
Diffstat (limited to 'autofirma')
-rw-r--r--autofirma119
1 files changed, 118 insertions, 1 deletions
diff --git a/autofirma b/autofirma
index 131d04bb4a29..1bec678fa2e3 100644
--- a/autofirma
+++ b/autofirma
@@ -1,2 +1,119 @@
-#! /bin/sh
+#! /bin/bash
+_autofirma_dir="${HOME}/.afirma/AutoFirma"
+_autofirma_ca="${_autofirma_dir}/AutoFirma_ROOT.cer"
+_autofirma_pfx="${_autofirma_dir}/autofirma.pfx"
+_cert_days="3650"
+_cert_cn="AutoFirma ROOT LOCAL"
+_firefox_profiles_ini="${HOME}/.mozilla/firefox/profiles.ini"
+_nssdb="sql:${HOME}/.pki/nssdb"
+
+function _make_ca_config {
+ cat << EOF > "${_temp_dir}/openssl.cnf"
+[ ca ]
+default_ca=CA_autofirma
+[ CA_autofirma ]
+dir=${_temp_dir}
+new_certs_dir=\$dir
+database=\$dir/index.txt
+serial=\$dir/serial.txt
+default_days=${_cert_days}
+default_crl_days=30
+default_md=sha256
+preserve=no
+x509_extensions=ca_extensions
+email_in_dn=no
+copy_extensions=copy
+[ ca_extensions ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always, issuer
+basicConstraints=critical, CA:true
+keyUsage=keyCertSign, cRLSign
+[ signing_policy ]
+countryName=optional
+stateOrProvinceName=optional
+localityName=optional
+organizationName=optional
+organizationalUnitName=optional
+commonName=supplied
+emailAddress=optional
+[ signing_req ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage=digitalSignature,keyEncipherment
+EOF
+touch "${_temp_dir}/index.txt"
+echo "01" > "${_temp_dir}/serial.txt"
+}
+
+function trust_ca {
+ # Add in shared user database
+ certutil -d "${_nssdb}" -D -n "${_cert_cn}" && \
+ certutil -d "${_nssdb}" -A -i "${_autofirma_ca}" -n "${_cert_cn}" -t C,,
+ # Add in default firefox profile (if exists)
+ if [ -r "${_firefox_profiles_ini}" ]; then
+ _firefox_default_profile="$(grep Default ${_firefox_profiles_ini})"
+ _firefox_default_profile_dir="${HOME}/.mozilla/firefox/${_firefox_default_profile##*=}"
+ [ -d "${_firefox_default_profile_dir}" ] && \
+ certutil -d "${_firefox_default_profile_dir}" -D -n "${_cert_cn}" && \
+ certutil -d "${_firefox_default_profile_dir}" -A -i "${_autofirma_ca}" -n "${_cert_cn}" -t C,,
+ unset _autofirma_ca _autofirma_pfx _cert_cn _nssdb \
+ _firefox_profiles_ini _firefox_default_profile _firefox_default_profile_dir
+fi
+}
+
+function do_init {
+ _temp_dir="$(mktemp -d)"
+ mkdir -p "${_autofirma_dir}"
+ rm -f "${_autofirma_ca}" "${_autofirma_pfx}"
+ openssl rand -base64 48 > "${_temp_dir}/randomkey.txt"
+ # Make local CA
+ openssl genrsa -aes128 -passout file:"${_temp_dir}/randomkey.txt" -out \
+ "${_temp_dir}/autofirma.key" 2777
+ openssl req -new -passin file:"${_temp_dir}/randomkey.txt" \
+ -key "${_temp_dir}/autofirma.key" \
+ -out "${_temp_dir}/autofirma.csr" \
+ -subj "/CN=${_cert_cn}"
+ openssl x509 -req -days ${_cert_days} \
+ -in "${_temp_dir}/autofirma.csr" \
+ -signkey "${_temp_dir}/autofirma.key" \
+ -passin file:"${_temp_dir}/randomkey.txt" \
+ -out "${_autofirma_ca}"
+ # Make user certificate and key
+ openssl genrsa -aes128 -passout file:"${_temp_dir}/randomkey.txt" -out \
+ "${_temp_dir}/user.key" 2777
+ openssl req -new -passin file:"${_temp_dir}/randomkey.txt" \
+ -key "${_temp_dir}/user.key" \
+ -out "${_temp_dir}/user.csr" \
+ -subj "/CN=127.0.0.1"
+ _make_ca_config
+ openssl ca -batch -config "${_temp_dir}/openssl.cnf" \
+ -policy signing_policy \
+ -extensions signing_req \
+ -cert "${_autofirma_ca}" \
+ -keyfile "${_temp_dir}/autofirma.key" \
+ -passin file:"${_temp_dir}/randomkey.txt" \
+ -in "${_temp_dir}/user.csr" \
+ -out "${_temp_dir}/user.cer"
+ # Make user pfx from certificate and key
+ openssl pkcs12 -export -passin file:"${_temp_dir}/randomkey.txt" \
+ -certfile "${_autofirma_ca}" \
+ -in "${_temp_dir}/user.cer" \
+ -inkey "${_temp_dir}/user.key" \
+ -name "socketautofirmalocal" \
+ -passout pass:654321 \
+ -out "${_autofirma_pfx}"
+ rm -rf ${_temp_dir}
+ unset _temp_dir
+}
+
+# If any required cert or key is missing rebuild it
+{ [ ! -r "${_autofirma_ca}" ] || [ ! -r "${_autofirma_pfx}" ]; } && \
+ do_init
+unset _autofirma_dir _cert_days
+
+# Always update CA in profiles
+trust_ca
+
+# Run app
java -jar /usr/share/java/autofirma/autofirma.jar $@
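Review bot: The temp dir created by `mktemp -d` in do_init holds the CA key, the user key and the passphrase file (randomkey.txt), but it is only removed by the unquoted, unguarded `rm -rf ${_temp_dir}` at the end of the function, so any failure or interruption in the openssl chain leaves that material behind; register the cleanup right after creation, `trap 'rm -rf -- "${_temp_dir:?}"' EXIT`, and quote the existing removal. In trust_ca, `grep Default ${_firefox_profiles_ini}` is unquoted and matches every line containing "Default" (profiles.ini may carry several, e.g. `Default=1` and `Default=<path>` in different sections), after which `${_firefox_default_profile##*=}` silently keeps the last match; a comment stating which key the script expects, or a `-m1`/anchored pattern, would make the intent explicit. The root certificate is produced with `openssl x509 -req -signkey` and no `-extfile`, so the `[ ca_extensions ]` section (CA:true, keyCertSign) written by _make_ca_config is never applied to the root itself, only the `signing_req` extensions to the leaf; verifiers that require basicConstraints on the issuer may reject the chain, so this looks worth confirming against the consumers. The fixed `-passout pass:654321` and the 2777-bit RSA size on the genrsa lines presumably follow what AutoFirma expects, but a one-line comment naming that requirement would stop a later maintainer from "fixing" them. The unchanged last line still passes `$@` unquoted to java; `"$@"` preserves arguments containing spaces.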