#!/bin/bash
# Launcher for AutoFirma: makes sure a local CA and a 127.0.0.1 user keystore
# exist under ~/.afirma/AutoFirma, registers the CA in the user's NSS database
# and default Firefox profile, then starts the application with the given args.

# Where the generated material is kept.
_autofirma_dir="$HOME/.afirma/AutoFirma"
_autofirma_ca="$_autofirma_dir/AutoFirma_ROOT.cer"   # CA certificate (public part only)
_autofirma_pfx="$_autofirma_dir/autofirma.pfx"       # user certificate + key, PKCS#12

# Certificate parameters: validity (CA and user cert) and CA common name,
# which doubles as the NSS nickname used by certutil.
_cert_days="3650"
_cert_cn="AutoFirma ROOT"

# Trust stores that receive the CA.
_firefox_profiles_ini="$HOME/.mozilla/firefox/profiles.ini"
_nssdb="sql:$HOME/.pki/nssdb"

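# Write the OpenSSL ca/req configuration plus the CA bookkeeping files
# (index.txt, crlnumber) into ${_temp_dir}.
# Globals read: _temp_dir (must be an existing directory), _cert_days, _cert_cn.
# Returns 1 (and writes nothing) when _temp_dir is unset or not a directory,
# so a failed mktemp upstream cannot turn into a write to "/openssl.cnf".
function _make_ca_config {
  if [ -z "${_temp_dir}" ] || [ ! -d "${_temp_dir}" ]; then
    printf 'autofirma: _make_ca_config: _temp_dir is not a directory\n' >&2
    return 1
  fi
  # \$dir is left for OpenSSL to expand; ${_temp_dir}, ${_cert_days} and
  # ${_cert_cn} are expanded by the shell. copy_extensions=copy takes
  # extensions from the CSR, which is acceptable only because every CSR
  # signed with this config is produced by this script itself.
  cat > "${_temp_dir}/openssl.cnf" << EOF
[ ca ]
default_ca=CA_autofirma
[ CA_autofirma ]
dir=${_temp_dir}
new_certs_dir=\$dir
database=\$dir/index.txt
serial=\$dir/serial
crlnumber=\$dir/crlnumber
default_days=${_cert_days}
default_crl_days=30
default_md=sha256
preserve=no
x509_extensions=usr_cert
email_in_dn=no
copy_extensions=copy
[ policy_ca ]
countryName=optional
stateOrProvinceName=optional
localityName=optional
organizationName=optional
organizationalUnitName=optional
commonName=supplied
emailAddress=optional
[ req ]
default_bits=4096
x509_extensions=v3_ca
distinguished_name=req_distinguished_name
[ req_distinguished_name ]
commonName_default=${_cert_cn}
[ usr_cert ]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
subjectAltName=IP:127.0.0.1
[ v3_ca ]
basicConstraints=critical,CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
keyUsage=cRLSign,digitalSignature,keyCertSign,keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth,anyExtendedKeyUsage
EOF
  # Empty certificate database and first CRL number. The serial file is
  # created by the caller's "openssl ca -create_serial".
  touch "${_temp_dir}/index.txt"
  printf '01\n' > "${_temp_dir}/crlnumber"
}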

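# Register the CA certificate ${_autofirma_ca} under nickname ${_cert_cn} in the
# shared user NSS database and in the default Firefox profile, then drop the
# script globals that are no longer needed. Each store is cleaned of a previous
# entry first; that delete step's output is discarded on purpose because the
# nickname does not exist on the first run.
# Globals read: _nssdb, _cert_cn, _autofirma_ca, _firefox_profiles_ini, HOME.
function trust_ca {
  local _profile _profile_dir
  # Add in shared user database. "-t C,," trusts the CA for SSL server
  # certificates only (the other two trust slots stay empty).
  certutil -d "${_nssdb}" -D -n "${_cert_cn}" > /dev/null 2>&1
  certutil -d "${_nssdb}" -A -i "${_autofirma_ca}" -n "${_cert_cn}" -t C,,
  # Add in default firefox profile (if exists). profiles.ini has two layouts:
  # "[Install...]" sections with "Default=<path>" (newer Firefox) and the older
  # "[ProfileN]" sections where the default profile carries "Default=1" next
  # to its "Path=". The Install entry wins; a bare "grep Default" mixes both
  # and can end up with the literal "1" as the profile name.
  if [ -r "${_firefox_profiles_ini}" ]; then
    _profile="$(awk '
      function flush() { if (is_default && path != "") legacy = path; is_default = 0; path = "" }
      { sub(/\r$/, "") }
      /^\[/       { flush(); in_install = ($0 ~ /^\[Install/); next }
      /^Default=/ { v = substr($0, 9); if (in_install) install = v; else if (v == "1") is_default = 1; next }
      /^Path=/    { path = substr($0, 6); next }
      END         { flush(); print (install != "" ? install : legacy) }
    ' "${_firefox_profiles_ini}")"
    if [ -n "${_profile}" ]; then
      # Profiles with IsRelative=0 store an absolute path; others are
      # relative to the directory holding profiles.ini.
      case "${_profile}" in
        /*) _profile_dir="${_profile}" ;;
        *)  _profile_dir="${HOME}/.mozilla/firefox/${_profile}" ;;
      esac
      if [ -d "${_profile_dir}" ]; then
        certutil -d "${_profile_dir}" -D -n "${_cert_cn}" > /dev/null 2>&1
        certutil -d "${_profile_dir}" -A -i "${_autofirma_ca}" -n "${_cert_cn}" -t C,,
      fi
    fi
  fi
  # Cleanup happens whether or not a Firefox profile was found.
  unset _autofirma_ca _autofirma_pfx _cert_cn _nssdb _firefox_profiles_ini
}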

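# Build a fresh local CA and the 127.0.0.1 user certificate under
# ${_autofirma_dir}: the CA certificate goes to ${_autofirma_ca}, the user
# certificate plus its key (chained to the CA) to the PKCS#12 file
# ${_autofirma_pfx}. Every other private-key artefact lives in a mktemp
# directory (mode 0700 by default) that is removed before returning, so the
# CA key cannot be used again to sign anything. The PFX password is a fixed
# value; presumably what AutoFirma expects when loading the keystore -- confirm
# before changing it.
# Globals read: _autofirma_dir, _autofirma_ca, _autofirma_pfx, _cert_cn, _cert_days.
# Globals written: _temp_dir (for _make_ca_config), unset again on return.
# Returns non-zero if mktemp or any OpenSSL step fails; the temp dir is still removed.
function do_init {
  local _rv=0
  local _pass
  mkdir -p "${_autofirma_dir}" || return 1
  _temp_dir="$(mktemp -d)" || { printf 'autofirma: mktemp -d failed\n' >&2; return 1; }
  # Command words kept in arrays so a TMPDIR containing spaces cannot split them.
  local -a _ca=(openssl ca -config "${_temp_dir}/openssl.cnf")
  local -a _req=(openssl req -config "${_temp_dir}/openssl.cnf")
  # One-shot passphrase protecting the CA and user keys while they sit in the temp dir.
  _pass="file:${_temp_dir}/randomkey.txt"
  rm -f -- "${_autofirma_ca}" "${_autofirma_pfx}"
  if ! _make_ca_config; then
    rm -rf -- "${_temp_dir:?}"
    unset _temp_dir
    return 1
  fi
  # Steps, in order: passphrase -> CA key/CSR -> self-signed CA cert (v3_ca)
  # -> user key/CSR for 127.0.0.1 -> user cert signed by the CA (usr_cert)
  # -> PFX. They are chained so the first failure skips the rest.
  if openssl rand -base64 48 > "${_temp_dir}/randomkey.txt" \
    && "${_req[@]}" -new -passout "${_pass}" \
         -keyout "${_temp_dir}/autofirma.key" \
         -subj "/CN=${_cert_cn}" \
         -out "${_temp_dir}/autofirma.csr" \
    && "${_ca[@]}" -batch -create_serial -notext -selfsign \
         -extensions v3_ca \
         -policy policy_ca \
         -out "${_autofirma_ca}" \
         -days "${_cert_days}" \
         -passin "${_pass}" \
         -keyfile "${_temp_dir}/autofirma.key" \
         -infiles "${_temp_dir}/autofirma.csr" \
    && "${_req[@]}" -new -passout "${_pass}" \
         -keyout "${_temp_dir}/user.key" \
         -subj "/CN=127.0.0.1" \
         -out "${_temp_dir}/user.csr" \
    && "${_ca[@]}" -batch -notext \
         -extensions usr_cert \
         -policy policy_ca \
         -out "${_temp_dir}/user.cer" \
         -cert "${_autofirma_ca}" \
         -keyfile "${_temp_dir}/autofirma.key" \
         -passin "${_pass}" \
         -infiles "${_temp_dir}/user.csr" \
    && openssl pkcs12 -export -passin "${_pass}" \
         -inkey "${_temp_dir}/user.key" \
         -certfile "${_autofirma_ca}" \
         -in "${_temp_dir}/user.cer" \
         -name "socketautofirma" \
         -passout pass:654321 \
         -out "${_autofirma_pfx}"
  then
    # The PFX holds a private key the user's browser will trust for
    # 127.0.0.1; keep it from other local accounts regardless of umask.
    chmod 0600 "${_autofirma_pfx}"
  else
    _rv=$?
    printf 'autofirma: certificate generation failed (status %d)\n' "${_rv}" >&2
  fi
  # ":?" guards against an empty path turning this into "rm -rf /".
  rm -rf -- "${_temp_dir:?}"
  unset _temp_dir
  return "${_rv}"
}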

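# If any required cert or key is missing rebuild it
if [ ! -r "${_autofirma_ca}" ] || [ ! -r "${_autofirma_pfx}" ]; then
  do_init
fi
# Say so when the rebuild left something missing; the app is still started,
# but the browser integration will not work until this is fixed.
if [ ! -r "${_autofirma_ca}" ] || [ ! -r "${_autofirma_pfx}" ]; then
  printf 'autofirma: warning: CA or keystore missing in %s\n' "${_autofirma_dir}" >&2
fi
unset _autofirma_dir _cert_days

# Always update CA in profiles
trust_ca

# Run app. "$@" passes each argument through intact; unquoted $@ re-splits
# arguments containing whitespace (e.g. file names).
java -jar /usr/share/java/autofirma/autofirma.jar "$@"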