Check-in [3244026fd6]
Overview
Comment:Added working certificate support
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA1: 3244026fd617fe4f6763765ed5ff9eea02272888
User & Date: rkeene on 2014-11-17 20:37:58
Other Links: manifest | tags
Context
2014-11-17
20:50
Updated to trim trailing newlines check-in: 3242c8d4d5 user: rkeene tags: trunk
20:37
Added working certificate support check-in: 3244026fd6 user: rkeene tags: trunk
20:37
Updated to include entire error stack on error for --tcl mode in AppFSd check-in: 4b2e0bf187 user: rkeene tags: trunk
Changes

Modified .fossil-settings/ignore-glob from [efc67b31c0] to [09c745f86a].

1
2
3
4
5
6
7


appfsd
appfsd.o
appfsd.tcl.h
sha1.o
sha1.tcl.h
pki.tcl.h
pki.tcl.new









>
>
1
2
3
4
5
6
7
8
9
appfsd
appfsd.o
appfsd.tcl.h
sha1.o
sha1.tcl.h
pki.tcl.h
pki.tcl.new
pki.tcl
CA

Added appfs-cert version [536bd4fe36].

































































































































































































































































































































































































































































































































































































































>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
#! /usr/bin/env bash

appfsd_options=()

CA_CERT_FILE='AppFS_CA.crt'
CA_KEY_FILE='AppFS_CA.key'
export CA_CERT_FILE CA_KEY_FILE

function call_appfsd() {
	appfsd "${appfsd_options[@]}" "$@"
}

function read_password() {
	local prompt variable

	prompt="$1"
	variable="$2"

	if [ -z "$(eval echo '$'${variable})" ]; then
		echo -n "${prompt}" >&2

		stty -echo
		IFS='' read -r $variable
		stty echo
		echo '' >&2
	fi
}

function read_text() {
	local prompt variable

	prompt="$1"
	variable="$2"

	if [ -z "$(eval echo '$'${variable})" ]; then
		echo -n "${prompt}" >&2

		IFS='' read -r $variable
	fi
}

function generate_ca_cert_and_key() {
	read_text 'Certificate Authority (CA) Company Name (O): ' CA_DN_S_O
	read_text 'Certificate Authority (CA) Responsible Party Name (CN): ' CA_DN_S_CN
	read_password 'Password for Certificate Authority Key: ' CA_PASSWORD

	export CA_DN_S_O CA_DN_S_CN CA_PASSWORD

	call_appfsd --tcl '
package require pki

set filename_cert $::env(CA_CERT_FILE)
set filename_key  $::env(CA_KEY_FILE)

puts -nonewline "Generating RSA Key..."
flush stdout
set key [pki::rsa::generate 2048]
puts " Done."

lappend key subject "O=$::env(CA_DN_S_O),CN=$::env(CA_DN_S_CN)"

set ca [pki::x509::create_cert $key $key 1 [clock seconds] [clock add [clock seconds] 5 years] 1 [list] 1]

puts "Writing \"$filename_cert\""
set fd [open $filename_cert w 0644]
puts $fd $ca
close $fd

puts "Writing \"$filename_key\""
set fd [open $filename_key w 0400]
puts $fd [pki::key $key $::env(CA_PASSWORD)]
close $fd
'
}

function generate_key() {
	read_password 'Password for Site Key: ' SITE_PASSWORD

	export SITE_PASSWORD

	call_appfsd --tcl '
package require pki

if {[info exists ::env(SITE_KEY_FILE)]} {
	set filename_key $::env(SITE_KEY_FILE)
} else {
	set filename_key "AppFS_Site.key"
}

puts -nonewline "Generating RSA Key..."
flush stdout
set key [pki::rsa::generate 2048]
puts " Done."

puts "Writing \"$filename_key\""
set fd [open $filename_key w 0400]
puts $fd [pki::key $key $::env(SITE_PASSWORD)]
close $fd
'
}

function generate_csr() {
	read_text 'Site hostname: ' SITE_HOSTNAME

	if [ -z "${SITE_KEY_FILE}" ]; then
		SITE_KEY_FILE="AppFS_Site_${SITE_HOSTNAME}.key"
	fi

	export SITE_HOSTNAME SITE_KEY_FILE

	if [ -f "${SITE_KEY_FILE}" ]; then
		echo 'Key file already exists.'
		read_password 'Password for (existing) Site Key: ' SITE_PASSWORD

		export SITE_PASSWORD
	else
		generate_key
	fi

call_appfsd --tcl '
package require pki

if {[info exists ::env(SITE_KEY_FILE)]} {
        set filename_key $::env(SITE_KEY_FILE)
} else {
        set filename_key "AppFS_Site.key"
}
set filename_csr "[file rootname $filename_key].csr"

set key [read [open $filename_key]]

set key [::pki::pkcs::parse_key $key $::env(SITE_PASSWORD)]

set csr [::pki::pkcs::create_csr $key [list CN $::env(SITE_HOSTNAME)] 1]

puts "Writing \"$filename_csr\""
set fd [open $filename_csr w 0644]
puts $fd $csr
close $fd
'
}

function generate_cert() {
	SITE_CSR_FILE="$1"

	read_text 'Certificate Signing Request (CSR) file: ' SITE_CSR_FILE

	if [ -z "${SITE_CSR_FILE}" ]; then
		generate_csr || exit 1

		SITE_CSR_FILE="$(echo "${SITE_KEY_FILE}" | sed 's@.[^\.]*$@@').csr"
	fi

	if [ ! -e "${CA_CERT_FILE}" -o ! -e "${CA_KEY_FILE}" ]; then
		read_text 'Certificate Authority (CA) Certificate Filename: ' CA_CERT_FILE
		read_text 'Certificate Authority (CA) Key Filename: ' CA_KEY_FILE
	fi

	read_password 'Certificate Authority (CA) Password: ' CA_PASSWORD

	SITE_SERIAL_NUMBER="$(uuidgen | dd conv=ucase 2>/dev/null | sed 's@-@@g;s@^@ibase=16; @' | bc -lq)"

	export SITE_CSR_FILE SITE_SERIAL_NUMBER CA_CERT_FILE CA_KEY_FILE CA_PASSWORD

	SITE_CERT="$(call_appfsd --tcl '
package require pki

set csr [read [open $::env(SITE_CSR_FILE)]]
set csr [::pki::pkcs::parse_csr $csr]

set ca_key [read [open $::env(CA_KEY_FILE)]]
set ca_cert [read [open $::env(CA_CERT_FILE)]]

set ca_key [::pki::pkcs::parse_key $ca_key $::env(CA_PASSWORD)]
set ca_cert [::pki::x509::parse_cert $ca_cert]
set ca_key [concat $ca_key $ca_cert]

set cert [::pki::x509::create_cert $csr $ca_key $::env(SITE_SERIAL_NUMBER) [clock seconds] [clock add [clock seconds] 1 year] 0 [list] 1]

puts $cert
')"

	SITE_SUBJECT="$(echo "${SITE_CERT}" | openssl x509 -subject -noout | sed 's@.*= @@')"

	echo "${USER}@${HOSTNAME} $(date): ${SITE_SERIAL_NUMBER} ${SITE_SUBJECT}" >> "${CA_KEY_FILE}.issued"

	echo "${SITE_CERT}"
}

function generate_selfsigned() {
	read_password 'Password for Key: ' SITE_PASSWORD
	read_text 'Site hostname: ' SITE_HOSTNAME

	SITE_SERIAL_NUMBER="$(uuidgen | dd conv=ucase 2>/dev/null | sed 's@-@@g;s@^@ibase=16; @' | bc -lq)"

	export SITE_PASSWORD SITE_HOSTNAME SITE_SERIAL_NUMBER

	call_appfsd --tcl '
package require pki

set filename_cert "AppFS_Site_$::env(SITE_HOSTNAME).crt"
set filename_key  "AppFS_Site_$::env(SITE_HOSTNAME).key"

puts -nonewline "Generating RSA Key..."
flush stdout
set key [pki::rsa::generate 2048]
puts " Done."

lappend key subject "CN=$::env(SITE_HOSTNAME)"

set cert [pki::x509::create_cert $key $key $::env(SITE_SERIAL_NUMBER) [clock seconds] [clock add [clock seconds] 1 years] 1 [list] 1]

puts "Writing \"$filename_cert\""
set fd [open $filename_cert w 0644]
puts $fd $cert
close $fd

puts "Writing \"$filename_key\""
set fd [open $filename_key w 0400]
puts $fd [pki::key $key $::env(SITE_PASSWORD)]
close $fd
'
}

function sign_site() {
	SITE_INDEX_FILE="$1"
	SITE_KEY_FILE="$2"
	SITE_CERT_FILE="$3"

	read_text 'AppFS Site Index file: ' SITE_INDEX_FILE
	read_text 'Site Key filename: ' SITE_KEY_FILE
	read_text 'Site Certificate filename: ' SITE_CERT_FILE
	read_password "Password for Key (${SITE_KEY_FILE}): " SITE_PASSWORD

	export SITE_INDEX_FILE SITE_KEY_FILE SITE_CERT_FILE SITE_PASSWORD

	call_appfsd --tcl "$(cat <<\_EOF_
package require pki

set fd [open $::env(SITE_INDEX_FILE)]
gets $fd line
close $fd

set line [split $line ","]

# Data to be signed
set data [join [lrange $line 0 1] ","]

set key [read [open $::env(SITE_KEY_FILE)]]
set key [::pki::pkcs::parse_key $key $::env(SITE_PASSWORD)]

set cert [read [open $::env(SITE_CERT_FILE)]]
array set cert_arr [::pki::_parse_pem $cert "-----BEGIN CERTIFICATE-----" "-----END CERTIFICATE-----"]
binary scan $cert_arr(data) H* cert

set signature [::pki::sign $data $key]
binary scan $signature H* signature

set data [split $data ","]
lappend data $cert
lappend data $signature

set data [join $data ","]

set fd [open "$::env(SITE_INDEX_FILE).new" "w"]
puts $fd $data
close $fd

file rename -force -- "$::env(SITE_INDEX_FILE).new" $::env(SITE_INDEX_FILE)

_EOF_
)"
}

cmd="$1"
shift
case "${cmd}" in
	generate-ca)
		generate_ca_cert_and_key "$@" || exit 1
		;;
	generate-key)
		# Hidden, users should use "generate-csr" instead
		generate_key "$@" || exit 1
		;;
	generate-csr)
		generate_csr "$@" || exit 1
		;;
	sign-csr|generate-cert)
		generate_cert "$@" || exit 1
		;;
	generate-selfsigned)
		generate_selfsigned "$@" || exit 1
		;;
	sign-site)
		sign_site "$@" || exit 1
		;;
	*)
		echo 'Usage: appfs-cert {generate-selfsigned|generate-ca|generate-csr|sign-csr|generate-cert|sign-site}' >&2

		exit 1
		;;
esac

exit 0

Modified appfsd.tcl from [2e09ba053f] to [af3233ef21].

20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
	}
}

namespace eval ::appfs {
	variable cachedir "/tmp/appfs-cache"
	variable ttl 3600
	variable nttl 60


	proc _hash_sep {hash {seps 4}} {
		for {set idx 0} {$idx < $seps} {incr idx} {
			append retval "[string range $hash [expr {$idx * 2}] [expr {($idx * 2) + 1}]]/"
		}
		append retval "[string range $hash [expr {$idx * 2}] end]"








|







20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
	}
}

namespace eval ::appfs {
	variable cachedir "/tmp/appfs-cache"
	variable ttl 3600
	variable nttl 60
	variable trusted_cas [list]

	proc _hash_sep {hash {seps 4}} {
		for {set idx 0} {$idx < $seps} {incr idx} {
			append retval "[string range $hash [expr {$idx * 2}] [expr {($idx * 2) + 1}]]/"
		}
		append retval "[string range $hash [expr {$idx * 2}] end]"

93
94
95
96
97
98
99
100




















101
102
103
104
105
106
107
		if {![regexp {^[0-9a-f]*$} $value]} {
			return false
		}

		return true
	}

	proc _verifySignatureAndCertificate {certificate signature} {




















		return true
	}

	proc _normalizeOS {os} {
		set os [string tolower [string trim $os]]

		switch -- $os {







|
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>







93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
		if {![regexp {^[0-9a-f]*$} $value]} {
			return false
		}

		return true
	}

	proc _verifySignatureAndCertificate {hostname certificate signature hash} {
		set certificate [binary format "H*" $certificate]
		set signature   [binary format "H*" $signature]

		set certificate [::pki::x509::parse_cert $certificate]

		array set certificate_arr $certificate
		set certificate_cn [::pki::x509::_dn_to_cn $certificate_arr(subject)]

		if {![::pki::verify $signature "$hash,sha1" $certificate]} {
			return false
		}

		if {[string tolower $certificate_cn] != [string tolower $hostname]} {
			return false
		}

		if {![::pki::x509::verify_cert $certificate $::appfs::trusted_cas]} {
			return false
		}

		return true
	}

	proc _normalizeOS {os} {
		set os [string tolower [string trim $os]]

		switch -- $os {
148
149
150
151
152
153
154
155
156
157
158


159




160






















161
162
163
164
165
166
167
	}

	proc init {} {
		if {[info exists ::appfs::init_called]} {
			return
		}

		# Force [parray] to be loaded
		catch {
			parray does_not_exist
		}







		set ::appfs::init_called 1























		# Load configuration file
		set config_file [file join $::appfs::cachedir config]
		if {[file exists $config_file]} {
			source $config_file
		}








|



>
>
|
>
>
>
>

>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>







168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
	}

	proc init {} {
		if {[info exists ::appfs::init_called]} {
			return
		}

		# Force [parray] and [clock] to be loaded
		catch {
			parray does_not_exist
		}
		catch {
			clock seconds
		}
		catch {
			clock add [clock seconds] 3 seconds
		}

		set ::appfs::init_called 1

		# Add a default CA to list of trusted CAs
		lappend ::appfs::trusted_cas [::pki::x509::parse_cert {
-----BEGIN CERTIFICATE-----
MIIC7DCCAdSgAwIBAgIBATANBgkqhkiG9w0BAQUFADAvMRIwEAYDVQQKEwlSb3kg
S2VlbmUxGTAXBgNVBAMTEEFwcEZTIEtleSBNYXN0ZXIwHhcNMTQxMTE3MjAxNzI4
WhcNMTkxMTE3MjAxNzI4WjAvMRIwEAYDVQQKEwlSb3kgS2VlbmUxGTAXBgNVBAMT
EEFwcEZTIEtleSBNYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQCq6uSK46yG5b6RJWwRlvw5glAnjsc1GiX3duXA0vG4qnKUnDtl/jcMmq2GMOB9
Iy1tjabEHA0MhW2j7Vwe/O9MLFJkJ30M1PVD7YZRRNaAsz3UWIKEjPI7BBc32KOm
BL3CTXCCdzllL1HhVbnM5iCAmgHcg1DUk/EvWXvnEDxXRy2lV9mQsmDedrffY7Wl
Or57nlczaMuPLpyRSkv75PAnjQJxT3sWlBpy+/H9ImudQdpJNf/FtxcqN7iDwH5B
vIceYEtDVxFsvo5HOVkSl9jeo5E4Gpe3wyfRhoqB2UkaW1Kq0iH5R+00S760xQMx
LL9L1duhu1dL7HsmEw7IeYURAgMBAAGjEzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJ
KoZIhvcNAQEFBQADggEBAKhO4ZSzYP37BqixNHKK9+gSeC6Fga85iLWhwpPW0kSl
z03hal80KZ+kPMzb8C52N283tQNAqJ9Q8akDPZxSzzMUVOGpGw2pJ7ZswKDz0ZTa
0edq/gdT/HrdegvNtDPc2jona5FVOYqwdcz5kbl1UWBaBp3VXUgcYjXSRaBK43Wd
cveiDUeZw7gHqRSN/AyYUCtJzWmvGsJuIFhMBonuz8jylhyMJCYJFT4iMUC8MNIw
niX1xx+Nu6fPV5ZZHj9rbhiBaLjm+tkDwtPgA3j2pxvHKYptuWxeYO+9DDNa9sCb
E5AnJIlOnd/tGe0Chf0sFQg+l9nNiNrWGgzdd9ZPJK4=
-----END CERTIFICATE-----
}]

		# Load configuration file
		set config_file [file join $::appfs::cachedir config]
		if {[file exists $config_file]} {
			source $config_file
		}

239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
		set indexhashcert   [lindex $indexhash_data 2]
		set indexhashsig    [lindex $indexhash_data 3]

		if {![_isHash $indexhash]} {
			return -code error "Invalid hash: $indexhash"
		}

		if {![_verifySignatureAndCertificate $indexhashcert $indexhashsig]} {
			return -code error "Invalid signature or certificate from $hostname"
		}

		set file [download $hostname $indexhash]
		set fd [open $file]
		set data [read $fd]
		close $fd







|







287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
		set indexhashcert   [lindex $indexhash_data 2]
		set indexhashsig    [lindex $indexhash_data 3]

		if {![_isHash $indexhash]} {
			return -code error "Invalid hash: $indexhash"
		}

		if {![_verifySignatureAndCertificate $hostname $indexhashcert $indexhashsig $indexhash]} {
			return -code error "Invalid signature or certificate from $hostname"
		}

		set file [download $hostname $indexhash]
		set fd [open $file]
		set data [read $fd]
		close $fd