diff --git a/astronaut/astronaut b/astronaut/astronaut index 355f480..3bd2c8b 100755 --- a/astronaut/astronaut +++ b/astronaut/astronaut @@ -79,11 +79,11 @@ fi # Tools for the astronaut mksum() { - echo $(md5sum "$@" 2> /dev/null | cut -d' ' -f1) + echo "$(md5sum "$@" 2> /dev/null | cut -d' ' -f1)" } download() { - local name="$(basename "$1")" + local name="$(basename "$1" | cut -d? -f1)" local path="$dir_source/$name" local checksum="" if [ "$2" -a -f "$path" ]; then @@ -116,9 +116,18 @@ extract() { $(echo "$cmd" | sed -e 's@{src}@'"$dir_source/$1"'@g') } +getfile() { + cp "$dir_source/$1" "$dir_build/$1" +} + dlextract() { download "$1" "$2" - extract "$(basename "$1")" + extract "$(basename "$1" | cut -d? -f1)" +} + +dlfile() { + download "$1" "$2" + getfile "$(basename "$1" | cut -d? -f1)" } extrafile() { diff --git a/astronaut/hello.sat b/astronaut/hello.sat index dde4bb6..7c53bb8 100644 --- a/astronaut/hello.sat +++ b/astronaut/hello.sat @@ -9,12 +9,22 @@ version=2.9 download "http://ftp.gnu.org/pub/gnu/$name/$name-$version.tar.gz" \ "67607d2616a0faaf5bc94c59dca7c3cb" \ "curl -L -o {dst} {src}" + # Name [REQUIRED], Custom command extract "$name-$version.tar.gz" \ "tar xvf {src}" + # Abbreviation for the above functions. Does not allow custom commands #dlextract "http://ftp.gnu.org/pub/gnu/$name/$name-$version.tar.gz" \ # "67607d2616a0faaf5bc94c59dca7c3cb" + +# Copy some file you downloaded over to the build directory +#getfile "Waffles.txt" + +# Abbreviation for downloading a file and copying it over +#dlfile "http://example.com/Waffles.txt" \ +# "MD5SUM" + # Copy local file to build directory. Path relative to the location of the satellite file #extrafile "Herpaderp.txt" diff --git a/tools/satellites/extrafiles/ca-certificates/make-ca.sh b/tools/satellites/extrafiles/ca-certificates/make-ca.sh new file mode 100755 index 0000000..0f1e207 --- /dev/null +++ b/tools/satellites/extrafiles/ca-certificates/make-ca.sh @@ -0,0 +1,95 @@ +#!/bin/sh +# Begin make-ca.sh +# Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs +# +# The file certdata.txt must exist in the local directory +# Version number is obtained from the version of the data. +# +# Authors: DJ Lucas +# Bruce Dubbs +# +# Version 20120211 + +if [ "$1" ]; then + certdata="$1" +else + certdata="./certdata.txt" +fi + +if [ "$2" ]; then + certdir="$2" +else + certdir="./certs" +fi + +if [ ! -r $certdata ]; then + echo "Can't find certdata" 1>&2 + exit 1 +fi + +TEMPDIR=$(mktemp -d) +TRUSTATTRIBUTES="CKA_TRUST_SERVER_AUTH" +CONVERTSCRIPT="./make-cert.pl" + +mkdir "${TEMPDIR}/certs" + +# Get a list of starting lines for each cert +CERTBEGINLIST=$(grep -n "^# Certificate" "${certdata}" | cut -d ":" -f1) + +# Get a list of ending lines for each cert +CERTENDLIST=`grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${certdata}" | cut -d ":" -f 1` + +# Start a loop +for certbegin in ${CERTBEGINLIST}; do + for certend in ${CERTENDLIST}; do + if test "${certend}" -gt "${certbegin}"; then + break + fi + done + + # Dump to a temp file with the name of the file as the beginning line number + sed -n "${certbegin},${certend}p" "${certdata}" > "${TEMPDIR}/certs/${certbegin}.tmp" +done + +unset CERTBEGINLIST CERTDATA CERTENDLIST certbegin certend + +mkdir -p "$certdir" +rm -f "$certdir/*" # Make sure the directory is clean + +for tempfile in ${TEMPDIR}/certs/*.tmp; do + # Make sure that the cert is trusted... + grep "CKA_TRUST_SERVER_AUTH" "${tempfile}" | \ + egrep "TRUST_UNKNOWN|NOT_TRUSTED" > /dev/null + + if test "${?}" = "0"; then + # Throw a meaningful error and remove the file + cp "${tempfile}" tempfile.cer + perl ${CONVERTSCRIPT} > tempfile.crt + keyhash=$(openssl x509 -noout -in tempfile.crt -hash) + echo "Certificate ${keyhash} is not trusted! Removing..." + rm -f tempfile.cer tempfile.crt "${tempfile}" + continue + fi + + # If execution made it to here in the loop, the temp cert is trusted + # Find the cert data and generate a cert file for it + + cp "${tempfile}" tempfile.cer + perl ${CONVERTSCRIPT} > tempfile.crt + keyhash=$(openssl x509 -noout -in tempfile.crt -hash) + mv tempfile.crt "$certdir/${keyhash}.pem" + rm -f tempfile.cer "${tempfile}" + echo "Created ${keyhash}.pem" +done + +# Remove blacklisted files +# MD5 Collision Proof of Concept CA +if test -f "$certdir/8f111d69.pem"; then + echo "Certificate 8f111d69 is not trusted! Removing..." + rm -f "$certdir/8f111d69.pem" +fi + +# Finally, generate the bundle and clean up. +cat "$certdir"/*.pem > "$certdir/ca-certificates.crt" +echo "Created ca-certificates.crt" +rm -r "${TEMPDIR}" diff --git a/tools/satellites/extrafiles/ca-certificates/make-cert.pl b/tools/satellites/extrafiles/ca-certificates/make-cert.pl new file mode 100755 index 0000000..60b6fea --- /dev/null +++ b/tools/satellites/extrafiles/ca-certificates/make-cert.pl @@ -0,0 +1,49 @@ +#!/usr/bin/perl -w + +# Used to generate PEM encoded files from Mozilla certdata.txt. +# Run as ./make-cert.pl > certificate.crt +# +# Parts of this script courtesy of RedHat (mkcabundle.pl) +# +# This script modified for use with single file data (tempfile.cer) extracted +# from certdata.txt, taken from the latest version in the Mozilla NSS source. +# mozilla/security/nss/lib/ckfw/builtins/certdata.txt +# +# Authors: DJ Lucas +# Bruce Dubbs +# +# Version 20120211 + +my $certdata = './tempfile.cer'; + +open( IN, "cat $certdata|" ) + || die "could not open $certdata"; + +my $incert = 0; + +while ( ) +{ + if ( /^CKA_VALUE MULTILINE_OCTAL/ ) + { + $incert = 1; + open( OUT, "|openssl x509 -text -inform DER -fingerprint" ) + || die "could not pipe to openssl x509"; + } + + elsif ( /^END/ && $incert ) + { + close( OUT ); + $incert = 0; + print "\n\n"; + } + + elsif ($incert) + { + my @bs = split( /\\/ ); + foreach my $b (@bs) + { + chomp $b; + printf( OUT "%c", oct($b) ) unless $b eq ''; + } + } +}