AppFS: Check-in [3244026fd6]

Overview

Comment:	Added working certificate support
Downloads:	Tarball \| ZIP archive \| SQL archive
Timelines:	family \| ancestors \| descendants \| both \| trunk
Files:	files \| file ages \| folders
SHA1:	3244026fd617fe4f6763765ed5ff9eea02272888
User & Date:	rkeene on 2014-11-17 20:37:58
Other Links:	manifest \| tags

Context

2014-11-17
20:50		Updated to trim trailing newlines check-in: 3242c8d4d5 user: rkeene tags: trunk
20:37		Added working certificate support check-in: 3244026fd6 user: rkeene tags: trunk
20:37		Updated to include entire error stack on error for --tcl mode in AppFSd check-in: 4b2e0bf187 user: rkeene tags: trunk

Changes

Hide Diffs Side-by-Side Diffs Ignore Whitespace Patch

Modified .fossil-settings/ignore-glob from [efc67b31c0] to [09c745f86a].

Added appfs-cert version [536bd4fe36].

Modified appfsd.tcl from [2e09ba053f] to [af3233ef21].

︙
20 21 22 23 24 25 26 27 28 29 30 31 32 33 34	20 21 22 23 24 25 26 27 28 29 30 31 32 33 34	- +	} } namespace eval ::appfs { variable cachedir "/tmp/appfs-cache" variable ttl 3600 variable nttl 60 variable trusted_cas [list] proc _hash_sep {hash {seps 4}} { for {set idx 0} {$idx < $seps} {incr idx} { append retval "[string range $hash [expr {$idx * 2}] [expr {($idx * 2) + 1}]]/" } append retval "[string range $hash [expr {$idx * 2}] end]"
︙
93 94 95 96 97 98 99 ~~100~~ 101 102 103 104 105 106 107	93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127	- + + + + + + + + + + + + + + + + + + + + +	if {![regexp {^[0-9a-f]$} $value]} { return false } return true } ~~proc _verifySignatureAndCertificate {certificate signature} {~~ proc _verifySignatureAndCertificate {hostname certificate signature hash} { set certificate [binary format "H" $certificate] set signature [binary format "H*" $signature] set certificate [::pki::x509::parse_cert $certificate] array set certificate_arr $certificate set certificate_cn [::pki::x509::_dn_to_cn $certificate_arr(subject)] if {![::pki::verify $signature "$hash,sha1" $certificate]} { return false } if {[string tolower $certificate_cn] != [string tolower $hostname]} { return false } if {![::pki::x509::verify_cert $certificate $::appfs::trusted_cas]} { return false } return true } proc _normalizeOS {os} { set os [string tolower [string trim $os]] switch -- $os {
︙
148 149 150 151 152 153 154 ~~155~~ 156 157 158 ~~159~~ 160 161 162 163 164 165 166 167	168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215	- + + + - + + + + + + + + + + + + + + + + + + + + + + + + + + +	} proc init {} { if {[info exists ::appfs::init_called]} { return } ~~# Force [parray] to be loaded~~ # Force [parray] and [clock] to be loaded catch { parray does_not_exist } catch { clock seconds } catch { clock add [clock seconds] 3 seconds } set ::appfs::init_called 1 # Add a default CA to list of trusted CAs lappend ::appfs::trusted_cas [::pki::x509::parse_cert { -----BEGIN CERTIFICATE----- MIIC7DCCAdSgAwIBAgIBATANBgkqhkiG9w0BAQUFADAvMRIwEAYDVQQKEwlSb3kg S2VlbmUxGTAXBgNVBAMTEEFwcEZTIEtleSBNYXN0ZXIwHhcNMTQxMTE3MjAxNzI4 WhcNMTkxMTE3MjAxNzI4WjAvMRIwEAYDVQQKEwlSb3kgS2VlbmUxGTAXBgNVBAMT EEFwcEZTIEtleSBNYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB AQCq6uSK46yG5b6RJWwRlvw5glAnjsc1GiX3duXA0vG4qnKUnDtl/jcMmq2GMOB9 Iy1tjabEHA0MhW2j7Vwe/O9MLFJkJ30M1PVD7YZRRNaAsz3UWIKEjPI7BBc32KOm BL3CTXCCdzllL1HhVbnM5iCAmgHcg1DUk/EvWXvnEDxXRy2lV9mQsmDedrffY7Wl Or57nlczaMuPLpyRSkv75PAnjQJxT3sWlBpy+/H9ImudQdpJNf/FtxcqN7iDwH5B vIceYEtDVxFsvo5HOVkSl9jeo5E4Gpe3wyfRhoqB2UkaW1Kq0iH5R+00S760xQMx LL9L1duhu1dL7HsmEw7IeYURAgMBAAGjEzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJ KoZIhvcNAQEFBQADggEBAKhO4ZSzYP37BqixNHKK9+gSeC6Fga85iLWhwpPW0kSl z03hal80KZ+kPMzb8C52N283tQNAqJ9Q8akDPZxSzzMUVOGpGw2pJ7ZswKDz0ZTa 0edq/gdT/HrdegvNtDPc2jona5FVOYqwdcz5kbl1UWBaBp3VXUgcYjXSRaBK43Wd cveiDUeZw7gHqRSN/AyYUCtJzWmvGsJuIFhMBonuz8jylhyMJCYJFT4iMUC8MNIw niX1xx+Nu6fPV5ZZHj9rbhiBaLjm+tkDwtPgA3j2pxvHKYptuWxeYO+9DDNa9sCb E5AnJIlOnd/tGe0Chf0sFQg+l9nNiNrWGgzdd9ZPJK4= -----END CERTIFICATE----- }] # Load configuration file set config_file [file join $::appfs::cachedir config] if {[file exists $config_file]} { source $config_file }
︙
239 240 241 242 243 244 245 ~~246~~ 247 248 249 250 251 252 253	287 288 289 290 291 292 293 294 295 296 297 298 299 300 301	- +	set indexhashcert [lindex $indexhash_data 2] set indexhashsig [lindex $indexhash_data 3] if {![_isHash $indexhash]} { return -code error "Invalid hash: $indexhash" } ~~if {![_verifySignatureAndCertificate $indexhashcert $indexhashsig]} {~~ if {![_verifySignatureAndCertificate $hostname $indexhashcert $indexhashsig $indexhash]} { return -code error "Invalid signature or certificate from $hostname" } set file [download $hostname $indexhash] set fd [open $file] set data [read $fd] close $fd
︙
















































































































































































































































































































1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304	+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +	#! /usr/bin/env bash appfsd_options=() CA_CERT_FILE='AppFS_CA.crt' CA_KEY_FILE='AppFS_CA.key' export CA_CERT_FILE CA_KEY_FILE function call_appfsd() { appfsd "${appfsd_options[@]}" "$@" } function read_password() { local prompt variable prompt="$1" variable="$2" if [ -z "$(eval echo '$'${variable})" ]; then echo -n "${prompt}" >&2 stty -echo IFS='' read -r $variable stty echo echo '' >&2 fi } function read_text() { local prompt variable prompt="$1" variable="$2" if [ -z "$(eval echo '$'${variable})" ]; then echo -n "${prompt}" >&2 IFS='' read -r $variable fi } function generate_ca_cert_and_key() { read_text 'Certificate Authority (CA) Company Name (O): ' CA_DN_S_O read_text 'Certificate Authority (CA) Responsible Party Name (CN): ' CA_DN_S_CN read_password 'Password for Certificate Authority Key: ' CA_PASSWORD export CA_DN_S_O CA_DN_S_CN CA_PASSWORD call_appfsd --tcl ' package require pki set filename_cert $::env(CA_CERT_FILE) set filename_key $::env(CA_KEY_FILE) puts -nonewline "Generating RSA Key..." flush stdout set key [pki::rsa::generate 2048] puts " Done." lappend key subject "O=$::env(CA_DN_S_O),CN=$::env(CA_DN_S_CN)" set ca [pki::x509::create_cert $key $key 1 [clock seconds] [clock add [clock seconds] 5 years] 1 [list] 1] puts "Writing \"$filename_cert\"" set fd [open $filename_cert w 0644] puts $fd $ca close $fd puts "Writing \"$filename_key\"" set fd [open $filename_key w 0400] puts $fd [pki::key $key $::env(CA_PASSWORD)] close $fd ' } function generate_key() { read_password 'Password for Site Key: ' SITE_PASSWORD export SITE_PASSWORD call_appfsd --tcl ' package require pki if {[info exists ::env(SITE_KEY_FILE)]} { set filename_key $::env(SITE_KEY_FILE) } else { set filename_key "AppFS_Site.key" } puts -nonewline "Generating RSA Key..." flush stdout set key [pki::rsa::generate 2048] puts " Done." puts "Writing \"$filename_key\"" set fd [open $filename_key w 0400] puts $fd [pki::key $key $::env(SITE_PASSWORD)] close $fd ' } function generate_csr() { read_text 'Site hostname: ' SITE_HOSTNAME if [ -z "${SITE_KEY_FILE}" ]; then SITE_KEY_FILE="AppFS_Site_${SITE_HOSTNAME}.key" fi export SITE_HOSTNAME SITE_KEY_FILE if [ -f "${SITE_KEY_FILE}" ]; then echo 'Key file already exists.' read_password 'Password for (existing) Site Key: ' SITE_PASSWORD export SITE_PASSWORD else generate_key fi call_appfsd --tcl ' package require pki if {[info exists ::env(SITE_KEY_FILE)]} { set filename_key $::env(SITE_KEY_FILE) } else { set filename_key "AppFS_Site.key" } set filename_csr "[file rootname $filename_key].csr" set key [read [open $filename_key]] set key [::pki::pkcs::parse_key $key $::env(SITE_PASSWORD)] set csr [::pki::pkcs::create_csr $key [list CN $::env(SITE_HOSTNAME)] 1] puts "Writing \"$filename_csr\"" set fd [open $filename_csr w 0644] puts $fd $csr close $fd ' } function generate_cert() { SITE_CSR_FILE="$1" read_text 'Certificate Signing Request (CSR) file: ' SITE_CSR_FILE if [ -z "${SITE_CSR_FILE}" ]; then generate_csr \|\| exit 1 SITE_CSR_FILE="$(echo "${SITE_KEY_FILE}" \| sed 's@.[^\.]$@@').csr" fi if [ ! -e "${CA_CERT_FILE}" -o ! -e "${CA_KEY_FILE}" ]; then read_text 'Certificate Authority (CA) Certificate Filename: ' CA_CERT_FILE read_text 'Certificate Authority (CA) Key Filename: ' CA_KEY_FILE fi read_password 'Certificate Authority (CA) Password: ' CA_PASSWORD SITE_SERIAL_NUMBER="$(uuidgen \| dd conv=ucase 2>/dev/null \| sed 's@-@@g;s@^@ibase=16; @' \| bc -lq)" export SITE_CSR_FILE SITE_SERIAL_NUMBER CA_CERT_FILE CA_KEY_FILE CA_PASSWORD SITE_CERT="$(call_appfsd --tcl ' package require pki set csr [read [open $::env(SITE_CSR_FILE)]] set csr [::pki::pkcs::parse_csr $csr] set ca_key [read [open $::env(CA_KEY_FILE)]] set ca_cert [read [open $::env(CA_CERT_FILE)]] set ca_key [::pki::pkcs::parse_key $ca_key $::env(CA_PASSWORD)] set ca_cert [::pki::x509::parse_cert $ca_cert] set ca_key [concat $ca_key $ca_cert] set cert [::pki::x509::create_cert $csr $ca_key $::env(SITE_SERIAL_NUMBER) [clock seconds] [clock add [clock seconds] 1 year] 0 [list] 1] puts $cert ')" SITE_SUBJECT="$(echo "${SITE_CERT}" \| openssl x509 -subject -noout \| sed 's@.= @@')" echo "${USER}@${HOSTNAME} $(date): ${SITE_SERIAL_NUMBER} ${SITE_SUBJECT}" >> "${CA_KEY_FILE}.issued" echo "${SITE_CERT}" } function generate_selfsigned() { read_password 'Password for Key: ' SITE_PASSWORD read_text 'Site hostname: ' SITE_HOSTNAME SITE_SERIAL_NUMBER="$(uuidgen \| dd conv=ucase 2>/dev/null \| sed 's@-@@g;s@^@ibase=16; @' \| bc -lq)" export SITE_PASSWORD SITE_HOSTNAME SITE_SERIAL_NUMBER call_appfsd --tcl ' package require pki set filename_cert "AppFS_Site_$::env(SITE_HOSTNAME).crt" set filename_key "AppFS_Site_$::env(SITE_HOSTNAME).key" puts -nonewline "Generating RSA Key..." flush stdout set key [pki::rsa::generate 2048] puts " Done." lappend key subject "CN=$::env(SITE_HOSTNAME)" set cert [pki::x509::create_cert $key $key $::env(SITE_SERIAL_NUMBER) [clock seconds] [clock add [clock seconds] 1 years] 1 [list] 1] puts "Writing \"$filename_cert\"" set fd [open $filename_cert w 0644] puts $fd $cert close $fd puts "Writing \"$filename_key\"" set fd [open $filename_key w 0400] puts $fd [pki::key $key $::env(SITE_PASSWORD)] close $fd ' } function sign_site() { SITE_INDEX_FILE="$1" SITE_KEY_FILE="$2" SITE_CERT_FILE="$3" read_text 'AppFS Site Index file: ' SITE_INDEX_FILE read_text 'Site Key filename: ' SITE_KEY_FILE read_text 'Site Certificate filename: ' SITE_CERT_FILE read_password "Password for Key (${SITE_KEY_FILE}): " SITE_PASSWORD export SITE_INDEX_FILE SITE_KEY_FILE SITE_CERT_FILE SITE_PASSWORD call_appfsd --tcl "$(cat <<\_EOF_ package require pki set fd [open $::env(SITE_INDEX_FILE)] gets $fd line close $fd set line [split $line ","] # Data to be signed set data [join [lrange $line 0 1] ","] set key [read [open $::env(SITE_KEY_FILE)]] set key [::pki::pkcs::parse_key $key $::env(SITE_PASSWORD)] set cert [read [open $::env(SITE_CERT_FILE)]] array set cert_arr [::pki::_parse_pem $cert "-----BEGIN CERTIFICATE-----" "-----END CERTIFICATE-----"] binary scan $cert_arr(data) H* cert set signature [::pki::sign $data $key] binary scan $signature H* signature set data [split $data ","] lappend data $cert lappend data $signature set data [join $data ","] set fd [open "$::env(SITE_INDEX_FILE).new" "w"] puts $fd $data close $fd file rename -force -- "$::env(SITE_INDEX_FILE).new" $::env(SITE_INDEX_FILE) _EOF_ )" } cmd="$1" shift case "${cmd}" in generate-ca) generate_ca_cert_and_key "$@" \|\| exit 1 ;; generate-key) # Hidden, users should use "generate-csr" instead generate_key "$@" \|\| exit 1 ;; generate-csr) generate_csr "$@" \|\| exit 1 ;; sign-csr\|generate-cert) generate_cert "$@" \|\| exit 1 ;; generate-selfsigned) generate_selfsigned "$@" \|\| exit 1 ;; sign-site) sign_site "$@" \|\| exit 1 ;; *) echo 'Usage: appfs-cert {generate-selfsigned\|generate-ca\|generate-csr\|sign-csr\|generate-cert\|sign-site}' >&2 exit 1 ;; esac exit 0