diff options
Diffstat (limited to 'autofirma')
-rw-r--r-- | autofirma | 135 |
1 files changed, 135 insertions, 0 deletions
diff --git a/autofirma b/autofirma new file mode 100644 index 000000000000..21ae146d9ef4 --- /dev/null +++ b/autofirma @@ -0,0 +1,135 @@ +#! /bin/bash +_autofirma_dir="${HOME}/.afirma/AutoFirma" +_autofirma_ca="${_autofirma_dir}/AutoFirma_ROOT.cer" +_autofirma_pfx="${_autofirma_dir}/autofirma.pfx" +_cert_days="3650" +_cert_cn="AutoFirma ROOT" +_firefox_profiles_ini="${HOME}/.mozilla/firefox/profiles.ini" +_nssdb="sql:${HOME}/.pki/nssdb" + +function _make_ca_config { + cat << EOF > "${_temp_dir}/openssl.cnf" +[ ca ] +default_ca=CA_autofirma +[ CA_autofirma ] +dir=${_temp_dir} +new_certs_dir=\$dir +database=\$dir/index.txt +serial=\$dir/serial +crlnumber=\$dir/crlnumber +default_days=${_cert_days} +default_crl_days=30 +default_md=sha256 +preserve=no +x509_extensions=usr_cert +email_in_dn=no +copy_extensions=copy +[ policy_ca ] +countryName=optional +stateOrProvinceName=optional +localityName=optional +organizationName=optional +organizationalUnitName=optional +commonName=supplied +emailAddress=optional +[ req ] +default_bits=4096 +x509_extensions=v3_ca +distinguished_name=req_distinguished_name +[ req_distinguished_name ] +commonName_default=${_cert_cn} +[ usr_cert ] +basicConstraints=CA:FALSE +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer:always +subjectAltName=IP:127.0.0.1 +[ v3_ca ] +basicConstraints=critical,CA:TRUE +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer:always +keyUsage=cRLSign,digitalSignature,keyCertSign,keyEncipherment,dataEncipherment +extendedKeyUsage=serverAuth,clientAuth,anyExtendedKeyUsage +EOF +touch "${_temp_dir}/index.txt" +echo "01" > "${_temp_dir}/crlnumber" +} + +function trust_ca { + # Add CA in shared user database + certutil -d "${_nssdb}" -D -n "${_cert_cn}" > /dev/null 2>&1 + certutil -d "${_nssdb}" -A -i "${_autofirma_ca}" -n "${_cert_cn}" -t C,, + # Add CA in all firefox profiles (if any) + if [ -r "${_firefox_profiles_ini}" ]; then + _firefox_profile_paths=($(grep Path ${_firefox_profiles_ini})) + for _firefox_profile_path in ${_firefox_profile_paths[@]}; do + _firefox_profile_path="${_firefox_profile_path##*=}" + # Check if profile path is absolute or relative + [ ! -d "${_firefox_profile_path}" ] && \ + _firefox_profile_path="${HOME}/.mozilla/firefox/${_firefox_profile_path}" + # Add CA in current firefox profile + if [ -d "${_firefox_profile_path}" ]; then + certutil -d "${_firefox_profile_path}" -D -n "${_cert_cn}" > /dev/null 2>&1 + certutil -d "${_firefox_profile_path}" -A -i "${_autofirma_ca}" -n "${_cert_cn}" -t C,, + fi + done + unset _autofirma_ca _autofirma_pfx _cert_cn _nssdb \ + _firefox_profiles_ini _firefox_profile_paths _firefox_profile_path +fi +} + +function do_init { + mkdir -p "${_autofirma_dir}" + _temp_dir="$(mktemp -d)" + _ca="openssl ca -config ${_temp_dir}/openssl.cnf" + _req="openssl req -config ${_temp_dir}/openssl.cnf" + rm -f "${_autofirma_ca}" "${_autofirma_pfx}" + _make_ca_config + openssl rand -base64 48 > "${_temp_dir}/randomkey.txt" + # Make local CA + ${_req} -new -passout file:"${_temp_dir}/randomkey.txt" \ + -keyout "${_temp_dir}/autofirma.key" \ + -subj "/CN=${_cert_cn}" \ + -out "${_temp_dir}/autofirma.csr" + ${_ca} -batch -create_serial -notext -selfsign \ + -extensions v3_ca \ + -policy policy_ca \ + -out "${_autofirma_ca}" \ + -days ${_cert_days} \ + -passin file:"${_temp_dir}/randomkey.txt" \ + -keyfile "${_temp_dir}/autofirma.key" \ + -infiles "${_temp_dir}/autofirma.csr" + # Make user certificate and key + ${_req} -new -passout file:"${_temp_dir}/randomkey.txt" \ + -keyout "${_temp_dir}/user.key" \ + -subj "/CN=127.0.0.1" \ + -out "${_temp_dir}/user.csr" + ${_ca} -batch -notext \ + -extensions usr_cert \ + -policy policy_ca \ + -out "${_temp_dir}/user.cer" \ + -cert "${_autofirma_ca}" \ + -keyfile "${_temp_dir}/autofirma.key" \ + -passin file:"${_temp_dir}/randomkey.txt" \ + -infiles "${_temp_dir}/user.csr" + # Make user pfx from certificate and key + openssl pkcs12 -export -passin file:"${_temp_dir}/randomkey.txt" \ + -inkey "${_temp_dir}/user.key" \ + -certfile "${_autofirma_ca}" \ + -in "${_temp_dir}/user.cer" \ + -name "socketautofirma" \ + -passout pass:654321 \ + -out "${_autofirma_pfx}" + rm -rf ${_temp_dir} + unset _ca _req _temp_dir +} + +# If any required cert or key is missing rebuild it +{ [ ! -r "${_autofirma_ca}" ] || [ ! -r "${_autofirma_pfx}" ]; } && \ + do_init +unset _autofirma_dir _cert_days + +# Always update CA in profiles +trust_ca + +# Run app +java -jar /usr/share/java/autofirma/autofirma.jar $@ |