Browse Source

init

master
nervuri 6 months ago
commit
1d1371943d
Signed by: nervuri GPG Key ID: C4769EEA7BA61672
  1. 116
      LICENSE.txt
  2. 46
      README.md
  3. 9
      agunua/INSTRUCTIONS.md
  4. 81
      agunua/generate-trust-store.sh
  5. 16
      amfora/INSTRUCTIONS.md
  6. 77
      amfora/generate-trust-store.sh
  7. 30
      amfora/merge-trust-stores.sh
  8. 59
      cert-details.sh
  9. 60
      expiry-boundaries.sh
  10. 139
      get-certs.sh
  11. 40
      get-hosts.sh
  12. 16
      lagrange/INSTRUCTIONS.md
  13. 60
      lagrange/generate-trust-store.sh
  14. 30
      lagrange/merge-trust-stores.sh
  15. 28
      main.sh
  16. 15
      test-hosts

116
LICENSE.txt

@ -0,0 +1,116 @@
CC0 1.0 Universal
Statement of Purpose
The laws of most jurisdictions throughout the world automatically confer
exclusive Copyright and Related Rights (defined below) upon the creator and
subsequent owner(s) (each and all, an "owner") of an original work of
authorship and/or a database (each, a "Work").
Certain owners wish to permanently relinquish those rights to a Work for the
purpose of contributing to a commons of creative, cultural and scientific
works ("Commons") that the public can reliably and without fear of later
claims of infringement build upon, modify, incorporate in other works, reuse
and redistribute as freely as possible in any form whatsoever and for any
purposes, including without limitation commercial purposes. These owners may
contribute to the Commons to promote the ideal of a free culture and the
further production of creative, cultural and scientific works, or to gain
reputation or greater distribution for their Work in part through the use and
efforts of others.
For these and/or other purposes and motivations, and without any expectation
of additional consideration or compensation, the person associating CC0 with a
Work (the "Affirmer"), to the extent that he or she is an owner of Copyright
and Related Rights in the Work, voluntarily elects to apply CC0 to the Work
and publicly distribute the Work under its terms, with knowledge of his or her
Copyright and Related Rights in the Work and the meaning and intended legal
effect of CC0 on those rights.
1. Copyright and Related Rights. A Work made available under CC0 may be
protected by copyright and related or neighboring rights ("Copyright and
Related Rights"). Copyright and Related Rights include, but are not limited
to, the following:
i. the right to reproduce, adapt, distribute, perform, display, communicate,
and translate a Work;
ii. moral rights retained by the original author(s) and/or performer(s);
iii. publicity and privacy rights pertaining to a person's image or likeness
depicted in a Work;
iv. rights protecting against unfair competition in regards to a Work,
subject to the limitations in paragraph 4(a), below;
v. rights protecting the extraction, dissemination, use and reuse of data in
a Work;
vi. database rights (such as those arising under Directive 96/9/EC of the
European Parliament and of the Council of 11 March 1996 on the legal
protection of databases, and under any national implementation thereof,
including any amended or successor version of such directive); and
vii. other similar, equivalent or corresponding rights throughout the world
based on applicable law or treaty, and any national implementations thereof.
2. Waiver. To the greatest extent permitted by, but not in contravention of,
applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and
unconditionally waives, abandons, and surrenders all of Affirmer's Copyright
and Related Rights and associated claims and causes of action, whether now
known or unknown (including existing as well as future claims and causes of
action), in the Work (i) in all territories worldwide, (ii) for the maximum
duration provided by applicable law or treaty (including future time
extensions), (iii) in any current or future medium and for any number of
copies, and (iv) for any purpose whatsoever, including without limitation
commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes
the Waiver for the benefit of each member of the public at large and to the
detriment of Affirmer's heirs and successors, fully intending that such Waiver
shall not be subject to revocation, rescission, cancellation, termination, or
any other legal or equitable action to disrupt the quiet enjoyment of the Work
by the public as contemplated by Affirmer's express Statement of Purpose.
3. Public License Fallback. Should any part of the Waiver for any reason be
judged legally invalid or ineffective under applicable law, then the Waiver
shall be preserved to the maximum extent permitted taking into account
Affirmer's express Statement of Purpose. In addition, to the extent the Waiver
is so judged Affirmer hereby grants to each affected person a royalty-free,
non transferable, non sublicensable, non exclusive, irrevocable and
unconditional license to exercise Affirmer's Copyright and Related Rights in
the Work (i) in all territories worldwide, (ii) for the maximum duration
provided by applicable law or treaty (including future time extensions), (iii)
in any current or future medium and for any number of copies, and (iv) for any
purpose whatsoever, including without limitation commercial, advertising or
promotional purposes (the "License"). The License shall be deemed effective as
of the date CC0 was applied by Affirmer to the Work. Should any part of the
License for any reason be judged legally invalid or ineffective under
applicable law, such partial invalidity or ineffectiveness shall not
invalidate the remainder of the License, and in such case Affirmer hereby
affirms that he or she will not (i) exercise any of his or her remaining
Copyright and Related Rights in the Work or (ii) assert any associated claims
and causes of action with respect to the Work, in either case contrary to
Affirmer's express Statement of Purpose.
4. Limitations and Disclaimers.
a. No trademark or patent rights held by Affirmer are waived, abandoned,
surrendered, licensed or otherwise affected by this document.
b. Affirmer offers the Work as-is and makes no representations or warranties
of any kind concerning the Work, express, implied, statutory or otherwise,
including without limitation warranties of title, merchantability, fitness
for a particular purpose, non infringement, or the absence of latent or
other defects, accuracy, or the present or absence of errors, whether or not
discoverable, all to the greatest extent permissible under applicable law.
c. Affirmer disclaims responsibility for clearing rights of other persons
that may apply to the Work or any use thereof, including without limitation
any person's Copyright and Related Rights in the Work. Further, Affirmer
disclaims responsibility for obtaining any necessary consents, permissions
or other rights required for any use of the Work.
d. Affirmer understands and acknowledges that Creative Commons is not a
party to this document and has no duty or obligation with respect to this
CC0 or use of the Work.
For more information, please see
<http://creativecommons.org/publicdomain/zero/1.0/>

46
README.md

@ -0,0 +1,46 @@
# Gemini Trust Store Generators
Geminispace is (currently) small enough that we can afford to download all known capsules' TLS certificates and use them to generate trust stores for various Gemini clients. If verified via multiple network perspectives, using a pre-generated trust store is a major improvement over blindly trusting-on-first-use.
This repo contains scripts for:
1. downloading a list of hosts from gemini://geminispace.info/known-hosts
2. downloading the TLS certificates of those hosts
3. generating a table containing details about each certificate
4. generating trust stores for various Gemini clients, currently:
* [Agunua](agunua/)
* [Amfora](amfora/)
* [Lagrange](lagrange/)
Trust stores generated by these scripts can be found at https://tildegit.org/nervuri/trust-stores
## Dependencies
Required: [OpenSSL](https://www.openssl.org/), [idn](https://www.gnu.org/software/libidn/)
Optional: [torsocks](https://packages.debian.org/buster/torsocks) (for .onion capsules and for double-checking certificates using a different network perspective)
To install them in Debian, run: `sudo apt install openssl idn torsocks`
## Usage
`./main.sh` will run all scripts. For the [trust stores repo](https://tildegit.org/nervuri/trust-stores), I use `time ./main.sh >log-stdout 2>log-stderr`. For 893 hosts, the command takes around 80 minutes to complete with Tor verification and 45 minutes without.
`get-certs.sh` accepts `tor` as an optional argument, to double-check certificates using the Tor network. If you have `torsocks` installed, this option will automatically be used when you run `./main.sh`.
All trust store generators accept certificate expiry boundaries as arguments. Ex:
```
./generate.sh # all certs
./generate.sh 90+ # certs that will expire in more than 90 days from now
./generate.sh 30- # certs that have expired more than 30 days ago
./generate.sh 30- 90+ # both of the above; in other words, certs are excluded if:
# {30 days ago} < cert_expiry < {90 days from now}
```
This is to assist client developers who wish to bundle pre-generated trust stores with their clients, but only want to include long-lived (and long-expired) certificates.
## How to contribute
The project is hosted [at tildegit.org](https://tildegit.org/nervuri/trust-store-generators). If you don't want to make an account, just [shoot me an email](https://nervuri.net/contact) with your [patch](https://git-send-email.io/)/suggestion/bug report/whatever else.

9
agunua/INSTRUCTIONS.md

@ -0,0 +1,9 @@
# Instructions for Agunua
Agunua's trust store is `~/.agunua/fingerprints/` on GNU/Linux systems. For each host, a file is created in that directory.
You can replace the `fingerprints` directory with the generated one, or merge them by running:
```
cp fingerprints/* ~/.agunua/fingerprints/
```

81
agunua/generate-trust-store.sh

@ -0,0 +1,81 @@
#!/bin/sh
### Agunua ###
# https://framagit.org/bortzmeyer/agunua
#
## Trust store format ##
# For each host, a file is created: `~/.agunua/fingerprints/${host_file}`,
# where the name of ${host_file} is identical to the requested host[:port],
# except for IDNs, which are converted to punycode.
# The file contains 3 lines:
# 1. spki:sha256:base64 -> certificate public key (SPKI) fingerprint
# 2. expiry date
# 3. start date
#
## Example ##
# $ cat ~/.agunua/fingerprints/gemini.circumlunar.space
# GgOhVhkgDbRJZJTskDgcH+i9ngFCJg9tij2WLtPPxy8=
# 2025-10-03T13:50:37Z
# 2020-10-03T13:50:37Z
set -o errexit # (-e) exit immediately if any command has a non-zero exit status
set -o nounset # (-u) don't accept undefined variables
#set -o xtrace # for debugging
# Go where this script is.
cd "$(dirname "$0")" || exit
trust_store=fingerprints # directory
# Remove old fingerprints directory, if present.
rm -Rf $trust_store
# Create fingerprints directory.
mkdir -p $trust_store
# Add the "cert_is_not_within_expiry_boundaries" function.
. ../expiry-boundaries.sh
for cert_file in ../certs/*; do
cert=$(cat "$cert_file")
if cert_is_not_within_expiry_boundaries; then
>&2 echo "excluded: $cert_file"
continue
fi
host=$(expr "$cert_file" : '^../certs\/\(.*\)\:[0-9]*\.pem$')
port=$(expr "$cert_file" : '^../certs\/.*\:\([0-9]*\)\.pem$')
# Hostname to punycode.
host=$(echo "$host" | idn)
# File for certificate/public key pinning
if [ "$port" = 1965 ]; then
pinning_file="$trust_store/$host"
else
pinning_file="$trust_store/$host:$port"
fi
# Certificate public key (SPKI) fingerprint
echo "$cert" \
| openssl x509 -pubkey -noout \
| openssl pkey -pubin -outform der \
| openssl dgst -sha256 -binary \
| openssl enc -base64 -A \
> "$pinning_file"
echo >> "$pinning_file" # newline
# Expiry date
enddate=$(echo "$cert" | openssl x509 -enddate -noout | cut -d '=' -f 2)
enddate=$(date -d "$enddate" +"%Y-%m-%dT%H:%M:%SZ" --utc)
echo "$enddate" >> "$pinning_file"
# Start date
startdate=$(echo "$cert" | openssl x509 -startdate -noout | cut -d '=' -f 2)
startdate=$(date -d "$startdate" +"%Y-%m-%dT%H:%M:%SZ" --utc)
echo "$startdate" >> "$pinning_file"
done
echo OK

16
amfora/INSTRUCTIONS.md

@ -0,0 +1,16 @@
# Instructions for Amfora
Amfora's trust store is `~/.cache/amfora/tofu.toml` on GNU/Linux systems.
You can replace it with the generated `tofu.toml`, or merge them using the provided script:
```
# First a test run:
./merge-trust-stores.sh ~/.cache/amfora/tofu.toml
# The entries in ~/.cache/amfora/tofu.toml that are not included in the
# script-generated trust store will appear at the end of the output.
# If it looks ok, then run:
./merge-trust-stores.sh ~/.cache/amfora/tofu.toml > ~/.cache/amfora/tofu.toml
```

77
amfora/generate-trust-store.sh

@ -0,0 +1,77 @@
#!/bin/sh
### Amfora ###
# https://github.com/makeworld-the-better-one/amfora
#
## Trust store format ##
# The file "~/.cache/amfora/tofu.toml" is used.
# It contains 2 lines for each host:port:
# 1. "example/org:port" = "spki:sha256:uppercase" -> certificate public key (SPKI) fingerprint
# 2. "example/org/expiry:port" = expiry date
# Dots in the hostname are converted to slashes.
# IDNs are converted to punycode.
#
## Example ##
# $ cat ~/.cache/amfora/tofu.toml
# "gemini/circumlunar/space" = "1A03A15619200DB4496494EC90381C1FE8BD9E0142260F6D8A3D962ED3CFC72F"
# "gemini/circumlunar/space/expiry" = 2025-10-03T13:50:37Z
set -o errexit # (-e) exit immediately if any command has a non-zero exit status
set -o nounset # (-u) don't accept undefined variables
#set -o xtrace # for debugging
# Go where this script is.
cd "$(dirname "$0")" || exit
trust_store="tofu.toml"
# Remove the old trust store.
rm -f "$trust_store"
# Add the "cert_is_not_within_expiry_boundaries" function.
. ../expiry-boundaries.sh
for cert_file in ../certs/*; do
cert=$(cat "$cert_file")
if cert_is_not_within_expiry_boundaries; then
>&2 echo "excluded: $cert_file"
continue
fi
host=$(expr "$cert_file" : '^../certs\/\(.*\)\:[0-9]*\.pem$')
port=$(expr "$cert_file" : '^../certs\/.*\:\([0-9]*\)\.pem$')
# Hostname to punycode.
host=$(echo "$host" | idn)
# Replace dots with slashes.
host=$(echo "$host" | tr . /)
# Append port if not default
if [ "$port" = 1965 ]; then
port_string=''
else
port_string=":$port"
fi
# Certificate public key (SPKI) fingerprint
fingerprint=$(echo "$cert" \
| openssl x509 -pubkey -noout \
| openssl pkey -pubin -outform der \
| openssl dgst -sha256 \
| cut -d ' ' -f 2 \
| tr '[:lower:]' '[:upper:]')
line1=$(printf "\"%s$port_string\" = \"%s\"" "$host" "$fingerprint")
# Expiry date
enddate=$(echo "$cert" | openssl x509 -enddate -noout | cut -d '=' -f 2)
enddate=$(date -d "$enddate" +"%Y-%m-%dT%H:%M:%SZ" --utc)
line2=$(printf "\"%s/expiry$port_string\" = %s" "$host" "$enddate")
printf "%s\n%s\n" "$line1" "$line2" >> "$trust_store"
done
echo OK

30
amfora/merge-trust-stores.sh

@ -0,0 +1,30 @@
#!/bin/sh
set -o errexit # (-e) exit immediately if any command has a non-zero exit status
set -o nounset # (-u) don't accept undefined variables
#set -o xtrace # for debugging
if [ -z "${1:-}" ]; then
>&2 echo "The path to the user's trust store must be provided."
>&2 echo "The default on GNU/Linux is ~/.cache/amfora/tofu.toml"
exit 1
fi
dir="$(dirname "$0")" # directory where this script is
trust_store=$(cat "$dir/tofu.toml") # script-generated trust store
# Loop through user's trust store.
while read -r line; do
entry=$(echo "$line" | cut -d ' ' -f 1)
# If this entry is not in the script-generated trust store, add it.
if ! echo "$trust_store" | grep -qF "$entry"; then
trust_store="$trust_store\n$line"
fi
done < "${1:-}"
# Output to stdout.
echo "$trust_store"

59
cert-details.sh

@ -0,0 +1,59 @@
#!/bin/sh
# Generate markdown and CSV files containing cert info for each host.
set -o errexit # (-e) exit immediately if any command has a non-zero exit status
set -o nounset # (-u) don't accept undefined variables
#set -o xtrace # for debugging
# Go where this script is.
cd "$(dirname "$0")" || exit
# Table header
md_table="| Host | Cert | Expiry | Key Algorithm | Key Size (bits) | Signature Algorithm |
--- | --- | --- | --- | --- | ---\n"
csv_table="Host,Expiry,Key Algorithm,Key Size (bits),Signature Algorithm\n"
for cert_file in certs/*.pem; do
host=$(expr "$cert_file" : '^certs\/\(.*\)\:[0-9]*\.pem$')
port=$(expr "$cert_file" : '^certs\/.*\:\([0-9]*\)\.pem$')
if [ "$port" != 1965 ]; then
host="$host:$port"
fi
# Get cert details: expiry, key algo, key size, signature algo.
end_date=$(openssl x509 -in "$cert_file" -enddate -noout | cut -d '=' -f 2)
end_date=$(date -d "$end_date" +"%Y-%m-%d" --utc)
cert_details=$(openssl x509 -in "$cert_file" -noout -text)
key_algo=$(echo "$cert_details" | grep 'Public Key Algorithm:' | cut -d ':' -f 2)
if [ "$key_algo" = ' id-ecPublicKey' ]; then
key_algo='ECDSA'
elif [ "$key_algo" = ' rsaEncryption' ]; then
key_algo='RSA'
elif [ "$key_algo" = ' ED25519' ]; then
key_algo='ED25519'
fi
if [ "$key_algo" = 'ED25519' ]; then
key_size='256'
else
key_size=$(echo "$cert_details" | grep 'Public-Key:' | cut -d ':' -f 2)
key_size=$(expr "$key_size" : '^..\([0-9]*\).*$')
fi
sig_algo=$(echo "$cert_details" | grep ' Signature Algorithm:' | cut -d ':' -f 2)
# Add a table row.
md_table="$md_table| [$host](gemini://$host/) | [PEM]($cert_file) | $end_date | $key_algo | $key_size |$sig_algo |\n"
csv_table="$csv_table""$host,$end_date,$key_algo,$key_size,$sig_algo\n"
done
# Write to files.
echo "$md_table" > cert-details.md
echo "$csv_table" > cert-details.csv
echo OK

60
expiry-boundaries.sh

@ -0,0 +1,60 @@
#!/bin/sh
# This file is included in every trust store generator script.
#
# It defines a function which checks if the expiry date of a
# certificate is within the specified boundaries.
#
# Boundaries can be specified like this:
#
# ./generate.sh # all certs
# ./generate.sh 90+ # certs that will expire in more than 90 days from now
# ./generate.sh 30- # certs that have expired more than 30 days ago
# ./generate.sh 30- 90+ # both of the above; so certs are excluded if:
# # {30 days ago} < cert_expiry < {90 days from now}
# Get the provided boundaries, if any.
minus_timestamp=''
plus_timestamp=''
now=$(date +%s)
for arg in "$@"; do
sign=$(expr "$arg" : '^[0-9]*\(-\|+\)$')
if [ "$sign" = '-' ]; then
minus_days=$(expr "$arg" : '^\([0-9]*\)-$')
minus_timestamp=$((now - minus_days * 86400))
elif [ "$sign" = '+' ]; then
plus_days=$(expr "$arg" : '^\([0-9]*\)+$')
plus_timestamp=$((now + plus_days * 86400))
else
continue
fi
done
cert_is_not_within_expiry_boundaries() (
# If `return 0`, cert will be excluded.
if [ -z "$minus_timestamp" ] && [ -z "$plus_timestamp" ]; then
# No boundaries were specified.
return 1 # false
fi
# Get expiration date from certificate.
cert_exp=$(echo "$cert" | openssl x509 -enddate -noout | cut -d '=' -f 2)
# Convert it to Unix timestamp.
cert_exp=$(date -d "$cert_exp" +%s)
if [ -n "$minus_timestamp" ] && [ "$cert_exp" -lt "$minus_timestamp" ]; then
# $cert_exp < $minus_timestamp, so the cert is within boundaries.
return 1 # false
elif [ -n "$plus_timestamp" ] && [ "$cert_exp" -gt "$plus_timestamp" ]; then
# $cert_exp > $plus_timestamp, so the cert is within boundaries.
return 1 # false
fi
# Certs are excluded if:
# $minus_timestamp < $cert_exp < $plus_timestamp
return 0 # true
)

139
get-certs.sh

@ -0,0 +1,139 @@
#!/bin/sh
# Download TLS certificates of hosts specified in the `hosts` file.
set -o errexit # (-e) exit immediately if any command has a non-zero exit status
set -o nounset # (-u) don't accept undefined variables
#set -o xtrace # for debugging
# Go where this script is.
cd "$(dirname "$0")" || exit
# Create certs directory, if it does not exist.
mkdir -p certs
# Define function for fetching a certificate.
fetch_cert() (
hp="$1" # host and port
timeout="${2:-}"
torsocks="${3:-}"
# For .onion domains, connect using Tor.
if [ -z "${hp##*.onion:*}" ]; then
torsocks='torsocks'
fi
# If a Tor connection was requested and torsocks is not installed, return.
if [ "$torsocks" != '' ] && ! command -v torsocks >/dev/null; then
>&2 echo "torsocks not available ($hp)"
return
fi
response=$($timeout $torsocks openssl s_client -connect "$hp" </dev/null 2>/dev/null \
| sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p')
# If no response, try again.
if [ -z "$response" ]; then
sleep 5
response=$($timeout $torsocks openssl s_client -connect "$hp" </dev/null 2>/dev/null \
| sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p')
# If still no response and Tor was not used, try one last time.
if [ -z "$response" ] && [ -z "$torsocks" ]; then
sleep 10
response=$($timeout openssl s_client -connect "$hp" </dev/null 2>/dev/null \
| sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p')
fi
fi
echo "$response"
)
# Loop through all hosts.
while read -r host; do
printf "%s" "$host"
port='1965' # default Gemini port
# Check if host contains square brackets:
# [IPv4], [IPv6], [IPv4]:port or [IPv6]:port.
if expr "$host" : '^\[.*\]' >/dev/null; then
if expr "$host" : '^\[.*\]\:\([0-9]*\)$' >/dev/null; then
port=$(expr "$host" : '^\[.*\]\:\([0-9]*\)$')
fi
host=$(expr "$host" : '^\[\(.*\)\]')
# No square brackets, just host:port.
# If $host contains only a single ":", then it is not an IPv6 address.
elif [ "$(echo "$host" | tr -dc ':' | wc -c)" = 1 ]; then
port=$(echo "$host" | cut -d ':' -f 2)
host=$(echo "$host" | cut -d ':' -f 1)
fi
# Hostname to punycode.
host=$(echo "$host" | idn)
# Hostname to lowercase.
host=$(echo "$host" | tr '[:upper:]' '[:lower:]')
# Generate host_and_port string.
if [ -z "${host##*:*}" ]; then
# If host is an IPv6 address, add brackets around it.
host_and_port="[$host]:$port"
else
host_and_port="$host:$port"
fi
# Get cert.
cert=$(fetch_cert "$host_and_port" 'timeout 5')
if [ -z "$cert" ]; then
>&2 echo "$host_and_port - connection failed"
fi
# If "tor" option is used, then connect again via Tor,
# to check if we get the same cert from a different network perspective.
if [ "${1:-}" = 'tor' ] && [ -n "${host##*.onion}" ]; then
# If torsocks is not installed, return.
if ! command -v torsocks >/dev/null; then
>&2 echo "torsocks not available ($host_and_port)"
exit 1
fi
cert_via_tor=$(fetch_cert "$host_and_port" 'timeout 15' 'torsocks')
if [ -z "$cert_via_tor" ]; then
>&2 echo "$host_and_port - Tor connection failed"
elif [ -n "$cert" ] && [ "$cert" != "$cert_via_tor" ]; then
>&2 echo "$host_and_port - Tor VERIFICATION FAILED (certs don't match)!!!"
# In this case, don't save the certificate.
continue
else
# If direct connection failed and Tor connection succeeded,
# use the cert received via Tor.
cert="$cert_via_tor"
fi
fi
if [ -n "$cert" ]; then
# If we got a cert back, then the host and port were valid,
# so they are safe to include in a file name.
# Convert from punycode to unicode, if needed.
host_and_port=$(echo "$host_and_port" | idn --idna-to-unicode)
echo "$cert" > "certs/${host_and_port}.pem"
printf ' - OK'
else
printf ' - failed'
fi
echo # newline
sleep 0.3
done < hosts
echo OK

40
get-hosts.sh

@ -0,0 +1,40 @@
#!/bin/sh
# Download a list of Gemini hosts from gemini://geminispace.info/known-hosts
set -o errexit # (-e) exit immediately if any command has a non-zero exit status
set -o nounset # (-u) don't accept undefined variables
#set -o xtrace # for debugging
# Go where this script is.
cd "$(dirname "$0")" || exit
# If Agunua is installed, use it.
if command -v agunua >/dev/null; then
# Using Agunua is more secure, because it does certificate pinning.
hosts=$(agunua --insecure --binary gemini://geminispace.info/known-hosts \
| grep "gemini://" | cut -d ' ' -f 3)
else
# If Agunua is not installed, pipe the request into OpenSSL s_client.
hosts=$(printf "gemini://geminispace.info/known-hosts\r\n" \
| timeout 5 openssl s_client -quiet -connect "geminispace.info:1965" 2>/dev/null \
| grep "gemini://" | cut -d ' ' -f 3)
fi
if [ -z "$hosts" ]; then
>&2 echo "hosts file download failed."
exit 1
fi
# Add a few hosts that are missing from geminispace.info
hosts="$hosts
illegaldrugs.net
feeds.drewdevault.com"
# Remove a host which changes its cert every few minutes.
hosts=$(echo "$hosts" | grep -v 'tofu-tester.random-projects.net:1966')
# Save to file.
echo "$hosts" | sort | uniq > hosts
echo OK

16
lagrange/INSTRUCTIONS.md

@ -0,0 +1,16 @@
# Instructions for Lagrange
Lagrange's trust store is `~/.config/lagrange/trusted.txt` on GNU/Linux systems.
You can replace it with the generated `trusted.txt`, or merge them using the provided script:
```
# First a test run:
./merge-trust-stores.sh ~/.config/lagrange/trusted.txt
# The entries in ~/.config/lagrange/trusted.txt that are not included in the
# script-generated trust store will appear at the end of the output.
# If it looks ok, then run:
./merge-trust-stores.sh ~/.config/lagrange/trusted.txt > ~/.config/lagrange/trusted.txt
```

60
lagrange/generate-trust-store.sh

@ -0,0 +1,60 @@
#!/bin/sh
### Lagrange ###
# https://gmi.skyjake.fi/lagrange/
#
## Trust store format ##
# The file "~/.config/lagrange/trusted.txt" is used on GNU/Linux and BSD.
# For other platforms, see https://github.com/skyjake/lagrange#user-files
# This file contains one line for each host (ports are not taken into account):
# example.org expiry_timestamp cert:sha256
# IDNs are converted to punycode.
#
## Example ##
# $ cat ~/.config/lagrange/trusted.txt
# gemini.circumlunar.space 1759495837 5b4086d6914231f55828c815faae1f10e28b8bd42af6a1e286a711e9b7d78326
set -o errexit # (-e) exit immediately if any command has a non-zero exit status
set -o nounset # (-u) don't accept undefined variables
#set -o xtrace # for debugging
# Go where this script is.
cd "$(dirname "$0")" || exit
trust_store="trusted.txt"
# Remove the old trust store.
rm -f "$trust_store"
# Add the "cert_is_not_within_expiry_boundaries" function.
. ../expiry-boundaries.sh
for cert_file in ../certs/*; do
cert=$(cat "$cert_file")
if cert_is_not_within_expiry_boundaries; then
>&2 echo "excluded: $cert_file"
continue
fi
host=$(expr "$cert_file" : '^../certs\/\(.*\)\:[0-9]*\.pem$')
# Hostname to punycode.
host=$(echo "$host" | idn)
# Expiry date
enddate=$(echo "$cert" | openssl x509 -enddate -noout | cut -d '=' -f 2)
enddate=$(date -d "$enddate" +%s --utc)
# Certificate fingerprint
fingerprint=$(echo "$cert" \
| openssl x509 -outform der \
| sha256sum \
| cut -d ' ' -f 1)
echo "$host $enddate $fingerprint" >> "$trust_store"
done
echo OK

30
lagrange/merge-trust-stores.sh

@ -0,0 +1,30 @@
#!/bin/sh
set -o errexit # (-e) exit immediately if any command has a non-zero exit status
set -o nounset # (-u) don't accept undefined variables
#set -o xtrace # for debugging
if [ -z "${1:-}" ]; then
>&2 echo "The path to the user's trust store must be provided."
>&2 echo "The default on GNU/Linux is ~/.config/lagrange/trusted.txt"
exit 1
fi
dir="$(dirname "$0")" # directory where this script is
trust_store=$(cat "$dir/trusted.txt") # script-generated trust store
# Loop through user's trust store.
while read -r line; do
entry=$(echo "$line" | cut -d ' ' -f 1)
# If this entry is not in the script-generated trust store, add it.
if ! echo "$trust_store" | grep -qF "$entry"; then
trust_store="$trust_store\n$line"
fi
done < "${1:-}"
# Output to stdout.
echo "$trust_store"

28
main.sh

@ -0,0 +1,28 @@
#!/bin/sh
# Run all scripts.
set -o errexit # (-e) exit immediately if any command has a non-zero exit status
# Go where this script is.
cd "$(dirname "$0")" || exit
echo '=== get hosts ==='
./get-hosts.sh
echo '=== get certs ==='
if command -v torsocks >/dev/null; then
./get-certs.sh tor
else
./get-certs.sh
fi
echo '=== cert details ==='
./cert-details.sh
echo '=== Agunua ==='
agunua/generate-trust-store.sh
echo '=== Amfora ==='
amfora/generate-trust-store.sh
echo '=== Lagrange ==='
lagrange/generate-trust-store.sh

15
test-hosts

@ -0,0 +1,15 @@
gemini.circumlunar.space
pureXO.mom
[purexo.mom]
89.47.164.70
[89.47.164.70]
89.47.164.70:1965
[89.47.164.70]:1965
2a02:7b40:592f:a446::1
[2a02:7b40:592f:a446::1]
[2a02:7b40:592f:a446::1]:1965
protonirockerxow.onion:443
wikipedia.geminet.org
wikipedia.geminet.org:1966
gémeaux.bortzmeyer.org
xn--gmeaux-bva.bortzmeyer.org
Loading…
Cancel
Save