#! /bin/bash
# Bootstraps a per-user PKI for AutoFirma: a throw-away root CA, a
# 127.0.0.1 certificate packed as PKCS#12, trust for the CA in the shared
# NSS database and the default Firefox profile, then launches the app.
# Usage: <script> [args...]   (arguments are handed through to java)
# Needs: openssl, certutil (NSS tools), java; HOME must be set.

# Where the generated material is kept between runs
_autofirma_dir="$HOME/.afirma/AutoFirma"
_autofirma_ca="$_autofirma_dir/AutoFirma_ROOT.cer"
_autofirma_pfx="$_autofirma_dir/autofirma.pfx"

# Root CA parameters: validity in days, subject CN (also the NSS nickname)
_cert_days=3650
_cert_cn='AutoFirma ROOT'

# Trust stores: Firefox profile registry and the shared NSS sqlite database
_firefox_profiles_ini="$HOME/.mozilla/firefox/profiles.ini"
_nssdb="sql:$HOME/.pki/nssdb"
function _make_ca_config {
  # Writes the OpenSSL configuration shared by "openssl req" and "openssl ca"
  # to ${_temp_dir}/openssl.cnf and seeds the CA bookkeeping files (an empty
  # index.txt and crlnumber=01). No serial file is written here; the CA
  # invocation in do_init runs with -create_serial.
  # Globals read: _temp_dir _cert_days _cert_cn
  #
  # The heredoc delimiter is intentionally unquoted: ${_temp_dir},
  # ${_cert_days} and ${_cert_cn} are expanded now, while the escaped \$dir
  # references are left for OpenSSL to resolve against [CA_autofirma] dir.
  # Note that copy_extensions=copy carries extensions requested in a CSR
  # into the issued certificate; that is acceptable here only because every
  # CSR this CA signs is generated by this script itself, never taken from
  # outside.
  local cnf="${_temp_dir}/openssl.cnf"

  cat > "${cnf}" << EOF
[ ca ]
default_ca=CA_autofirma
[ CA_autofirma ]
dir=${_temp_dir}
new_certs_dir=\$dir
database=\$dir/index.txt
serial=\$dir/serial
crlnumber=\$dir/crlnumber
default_days=${_cert_days}
default_crl_days=30
default_md=sha256
preserve=no
x509_extensions=usr_cert
email_in_dn=no
copy_extensions=copy
[ policy_ca ]
countryName=optional
stateOrProvinceName=optional
localityName=optional
organizationName=optional
organizationalUnitName=optional
commonName=supplied
emailAddress=optional
[ req ]
default_bits=4096
x509_extensions=v3_ca
distinguished_name=req_distinguished_name
[ req_distinguished_name ]
commonName_default=${_cert_cn}
[ usr_cert ]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
subjectAltName=IP:127.0.0.1
[ v3_ca ]
basicConstraints=critical,CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
keyUsage=cRLSign,digitalSignature,keyCertSign,keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth,anyExtendedKeyUsage
EOF

  # CA database starts empty; the CRL counter starts at 01.
  touch "${_temp_dir}/index.txt"
  printf '01\n' > "${_temp_dir}/crlnumber"
}
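function trust_ca {
  # Installs the local root CA (${_autofirma_ca}) under nickname ${_cert_cn}
  # with "C,," trust flags into the shared NSS database and, for every
  # Firefox profile that profiles.ini marks as default and that exists on
  # disk, into that profile's database as well.
  # Globals read: _nssdb _autofirma_ca _cert_cn _firefox_profiles_ini HOME
  # Globals cleared on return: _autofirma_ca _autofirma_pfx _cert_cn _nssdb
  #   _firefox_profiles_ini
  # Returns: 0 if the shared-database import succeeded, 1 otherwise
  #   (Firefox profile imports are best-effort and do not affect the status)
  local rv=0
  local profile profile_dir

  # Drop any stale entry with the same nickname first; failure here just
  # means there was none, so it is silenced on purpose.
  certutil -d "${_nssdb}" -D -n "${_cert_cn}" > /dev/null 2>&1
  certutil -d "${_nssdb}" -A -i "${_autofirma_ca}" -n "${_cert_cn}" -t C,, || rv=1

  if [ -r "${_firefox_profiles_ini}" ]; then
    # Only "Default=<path>" lines name a profile directory. "Default=1" /
    # "Default=0" are flags inside [ProfileN] sections, not paths, and a
    # plain 'grep Default' would pick those up and resolve to a bogus
    # directory, so they are skipped explicitly.
    while IFS= read -r profile; do
      profile=${profile#Default=}
      case "${profile}" in
        ''|0|1) continue ;;
        /*) profile_dir=${profile} ;;  # absolute path, used as given
        *) profile_dir="${HOME}/.mozilla/firefox/${profile}" ;;
      esac
      if [ -d "${profile_dir}" ]; then
        certutil -d "${profile_dir}" -D -n "${_cert_cn}" > /dev/null 2>&1
        certutil -d "${profile_dir}" -A -i "${_autofirma_ca}" -n "${_cert_cn}" -t C,,
      fi
    done < <(grep -- '^Default=' "${_firefox_profiles_ini}")
  fi

  # Cleared unconditionally (the original only did so when profiles.ini was
  # readable); nothing after this function reads these names.
  unset _autofirma_ca _autofirma_pfx _cert_cn _nssdb _firefox_profiles_ini
  return "${rv}"
}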
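# Step 1 of do_init: self-signed root CA certificate into ${_autofirma_ca}.
# The CA private key only ever lives in ${_temp_dir}, which do_init deletes,
# so no further certificates can be issued by this CA after this run.
# Globals read: _req _ca _temp_dir _cert_cn _cert_days _autofirma_ca
# Returns: status of the first failing openssl command, else 0
function _make_ca_cert {
  "${_req[@]}" -new -passout file:"${_temp_dir}/randomkey.txt" \
    -keyout "${_temp_dir}/autofirma.key" \
    -subj "/CN=${_cert_cn}" \
    -out "${_temp_dir}/autofirma.csr" &&
  "${_ca[@]}" -batch -create_serial -notext -selfsign \
    -extensions v3_ca \
    -policy policy_ca \
    -out "${_autofirma_ca}" \
    -days "${_cert_days}" \
    -passin file:"${_temp_dir}/randomkey.txt" \
    -keyfile "${_temp_dir}/autofirma.key" \
    -infiles "${_temp_dir}/autofirma.csr"
}

# Step 2 of do_init: end-entity key and certificate for CN=127.0.0.1
# (usr_cert extensions, SAN IP:127.0.0.1 from the config), signed by the CA.
# Globals read: _req _ca _temp_dir _autofirma_ca
# Returns: status of the first failing openssl command, else 0
function _make_user_cert {
  "${_req[@]}" -new -passout file:"${_temp_dir}/randomkey.txt" \
    -keyout "${_temp_dir}/user.key" \
    -subj "/CN=127.0.0.1" \
    -out "${_temp_dir}/user.csr" &&
  "${_ca[@]}" -batch -notext \
    -extensions usr_cert \
    -policy policy_ca \
    -out "${_temp_dir}/user.cer" \
    -cert "${_autofirma_ca}" \
    -keyfile "${_temp_dir}/autofirma.key" \
    -passin file:"${_temp_dir}/randomkey.txt" \
    -infiles "${_temp_dir}/user.csr"
}

# Step 3 of do_init: bundle user key + certificate + CA into ${_autofirma_pfx}.
# The PKCS#12 password comes from ${_temp_dir}/pfxpass.txt instead of argv so
# it is not visible in the process list while openssl runs. The file holds a
# private key, so it is created with mode 0600 (umask in a subshell, leaving
# the caller's umask untouched).
# Globals read: _temp_dir _autofirma_ca _autofirma_pfx
# Returns: openssl pkcs12 status
function _make_user_pfx {
  (
    umask 077
    openssl pkcs12 -export -passin file:"${_temp_dir}/randomkey.txt" \
      -inkey "${_temp_dir}/user.key" \
      -certfile "${_autofirma_ca}" \
      -in "${_temp_dir}/user.cer" \
      -name "socketautofirma" \
      -passout file:"${_temp_dir}/pfxpass.txt" \
      -out "${_autofirma_pfx}"
  )
}

function do_init {
  # (Re)builds the local AutoFirma PKI from scratch: root CA certificate
  # (${_autofirma_ca}) and the 127.0.0.1 PKCS#12 bundle (${_autofirma_pfx}).
  # All private-key material and passphrases are kept in a private mktemp
  # directory that is removed before returning; only the CA certificate and
  # the pfx survive. The pfx password stays the fixed value 654321 that the
  # application this script launches is presumably configured to use —
  # do not change it without confirming against the consumer.
  # Globals read: _autofirma_dir _autofirma_ca _autofirma_pfx _cert_cn _cert_days
  # Globals set, then cleared before return: _temp_dir _ca _req
  # Calls: _make_ca_config (must be defined elsewhere in this file)
  # Returns: 0 on success; non-zero if mktemp or any openssl step failed, in
  #   which case partial outputs are removed so the next run rebuilds them.
  local rv

  mkdir -p "${_autofirma_dir}" || return 1
  # A failed mktemp must not leave _temp_dir empty: every path below would
  # then resolve under "/" and the final rm -rf would be catastrophic.
  _temp_dir="$(mktemp -d)" || return 1
  # Arrays, not strings, so the config path is never word-split.
  _ca=(openssl ca -config "${_temp_dir}/openssl.cnf")
  _req=(openssl req -config "${_temp_dir}/openssl.cnf")

  rm -f -- "${_autofirma_ca}" "${_autofirma_pfx}"
  _make_ca_config

  # Random passphrase for the throw-away keys, plus the fixed pfx password;
  # both are passed to openssl by file so neither appears in argv.
  openssl rand -base64 48 > "${_temp_dir}/randomkey.txt" \
    && printf '654321\n' > "${_temp_dir}/pfxpass.txt" \
    && _make_ca_cert \
    && _make_user_cert \
    && _make_user_pfx
  rv=$?

  if [ "${rv}" -ne 0 ]; then
    # Never leave a half-built PKI behind; the missing files trigger a
    # rebuild on the next start.
    rm -f -- "${_autofirma_ca}" "${_autofirma_pfx}"
  fi
  # ${_temp_dir:?} aborts instead of expanding to "" if the variable were
  # somehow empty.
  rm -rf -- "${_temp_dir:?}"
  unset _ca _req _temp_dir
  return "${rv}"
}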
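# If any required cert or key is missing rebuild it
if [ ! -r "${_autofirma_ca}" ] || [ ! -r "${_autofirma_pfx}" ]; then
  do_init
fi
unset _autofirma_dir _cert_days
# Always update CA in profiles
trust_ca
# Run app. "$@" (not bare $@) hands every argument through intact even when
# it contains spaces or glob characters; exec lets the JVM replace this
# shell so its exit status is the script's.
exec java -jar /usr/share/java/autofirma/autofirma.jar "$@"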