commit 1d1371943d2a6927d937a90bb53bcd3d2bab82fa Author: nervuri Date: Wed Apr 28 09:20:18 2021 +0000 init diff --git a/LICENSE.txt b/LICENSE.txt new file mode 100644 index 0000000..670154e --- /dev/null +++ b/LICENSE.txt @@ -0,0 +1,116 @@ +CC0 1.0 Universal + +Statement of Purpose + +The laws of most jurisdictions throughout the world automatically confer +exclusive Copyright and Related Rights (defined below) upon the creator and +subsequent owner(s) (each and all, an "owner") of an original work of +authorship and/or a database (each, a "Work"). + +Certain owners wish to permanently relinquish those rights to a Work for the +purpose of contributing to a commons of creative, cultural and scientific +works ("Commons") that the public can reliably and without fear of later +claims of infringement build upon, modify, incorporate in other works, reuse +and redistribute as freely as possible in any form whatsoever and for any +purposes, including without limitation commercial purposes. These owners may +contribute to the Commons to promote the ideal of a free culture and the +further production of creative, cultural and scientific works, or to gain +reputation or greater distribution for their Work in part through the use and +efforts of others. + +For these and/or other purposes and motivations, and without any expectation +of additional consideration or compensation, the person associating CC0 with a +Work (the "Affirmer"), to the extent that he or she is an owner of Copyright +and Related Rights in the Work, voluntarily elects to apply CC0 to the Work +and publicly distribute the Work under its terms, with knowledge of his or her +Copyright and Related Rights in the Work and the meaning and intended legal +effect of CC0 on those rights. + +1. Copyright and Related Rights. A Work made available under CC0 may be +protected by copyright and related or neighboring rights ("Copyright and +Related Rights"). Copyright and Related Rights include, but are not limited +to, the following: + + i. the right to reproduce, adapt, distribute, perform, display, communicate, + and translate a Work; + + ii. moral rights retained by the original author(s) and/or performer(s); + + iii. publicity and privacy rights pertaining to a person's image or likeness + depicted in a Work; + + iv. rights protecting against unfair competition in regards to a Work, + subject to the limitations in paragraph 4(a), below; + + v. rights protecting the extraction, dissemination, use and reuse of data in + a Work; + + vi. database rights (such as those arising under Directive 96/9/EC of the + European Parliament and of the Council of 11 March 1996 on the legal + protection of databases, and under any national implementation thereof, + including any amended or successor version of such directive); and + + vii. other similar, equivalent or corresponding rights throughout the world + based on applicable law or treaty, and any national implementations thereof. + +2. Waiver. To the greatest extent permitted by, but not in contravention of, +applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and +unconditionally waives, abandons, and surrenders all of Affirmer's Copyright +and Related Rights and associated claims and causes of action, whether now +known or unknown (including existing as well as future claims and causes of +action), in the Work (i) in all territories worldwide, (ii) for the maximum +duration provided by applicable law or treaty (including future time +extensions), (iii) in any current or future medium and for any number of +copies, and (iv) for any purpose whatsoever, including without limitation +commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes +the Waiver for the benefit of each member of the public at large and to the +detriment of Affirmer's heirs and successors, fully intending that such Waiver +shall not be subject to revocation, rescission, cancellation, termination, or +any other legal or equitable action to disrupt the quiet enjoyment of the Work +by the public as contemplated by Affirmer's express Statement of Purpose. + +3. Public License Fallback. Should any part of the Waiver for any reason be +judged legally invalid or ineffective under applicable law, then the Waiver +shall be preserved to the maximum extent permitted taking into account +Affirmer's express Statement of Purpose. In addition, to the extent the Waiver +is so judged Affirmer hereby grants to each affected person a royalty-free, +non transferable, non sublicensable, non exclusive, irrevocable and +unconditional license to exercise Affirmer's Copyright and Related Rights in +the Work (i) in all territories worldwide, (ii) for the maximum duration +provided by applicable law or treaty (including future time extensions), (iii) +in any current or future medium and for any number of copies, and (iv) for any +purpose whatsoever, including without limitation commercial, advertising or +promotional purposes (the "License"). The License shall be deemed effective as +of the date CC0 was applied by Affirmer to the Work. Should any part of the +License for any reason be judged legally invalid or ineffective under +applicable law, such partial invalidity or ineffectiveness shall not +invalidate the remainder of the License, and in such case Affirmer hereby +affirms that he or she will not (i) exercise any of his or her remaining +Copyright and Related Rights in the Work or (ii) assert any associated claims +and causes of action with respect to the Work, in either case contrary to +Affirmer's express Statement of Purpose. + +4. Limitations and Disclaimers. + + a. No trademark or patent rights held by Affirmer are waived, abandoned, + surrendered, licensed or otherwise affected by this document. + + b. Affirmer offers the Work as-is and makes no representations or warranties + of any kind concerning the Work, express, implied, statutory or otherwise, + including without limitation warranties of title, merchantability, fitness + for a particular purpose, non infringement, or the absence of latent or + other defects, accuracy, or the present or absence of errors, whether or not + discoverable, all to the greatest extent permissible under applicable law. + + c. Affirmer disclaims responsibility for clearing rights of other persons + that may apply to the Work or any use thereof, including without limitation + any person's Copyright and Related Rights in the Work. Further, Affirmer + disclaims responsibility for obtaining any necessary consents, permissions + or other rights required for any use of the Work. + + d. Affirmer understands and acknowledges that Creative Commons is not a + party to this document and has no duty or obligation with respect to this + CC0 or use of the Work. + +For more information, please see + diff --git a/README.md b/README.md new file mode 100644 index 0000000..53cd518 --- /dev/null +++ b/README.md @@ -0,0 +1,46 @@ +# Gemini Trust Store Generators + +Geminispace is (currently) small enough that we can afford to download all known capsules' TLS certificates and use them to generate trust stores for various Gemini clients. If verified via multiple network perspectives, using a pre-generated trust store is a major improvement over blindly trusting-on-first-use. + +This repo contains scripts for: + +1. downloading a list of hosts from gemini://geminispace.info/known-hosts +2. downloading the TLS certificates of those hosts +3. generating a table containing details about each certificate +4. generating trust stores for various Gemini clients, currently: + +* [Agunua](agunua/) +* [Amfora](amfora/) +* [Lagrange](lagrange/) + +Trust stores generated by these scripts can be found at https://tildegit.org/nervuri/trust-stores + +## Dependencies + +Required: [OpenSSL](https://www.openssl.org/), [idn](https://www.gnu.org/software/libidn/) + +Optional: [torsocks](https://packages.debian.org/buster/torsocks) (for .onion capsules and for double-checking certificates using a different network perspective) + +To install them in Debian, run: `sudo apt install openssl idn torsocks` + +## Usage + +`./main.sh` will run all scripts. For the [trust stores repo](https://tildegit.org/nervuri/trust-stores), I use `time ./main.sh >log-stdout 2>log-stderr`. For 893 hosts, the command takes around 80 minutes to complete with Tor verification and 45 minutes without. + +`get-certs.sh` accepts `tor` as an optional argument, to double-check certificates using the Tor network. If you have `torsocks` installed, this option will automatically be used when you run `./main.sh`. + +All trust store generators accept certificate expiry boundaries as arguments. Ex: + +``` +./generate.sh # all certs +./generate.sh 90+ # certs that will expire in more than 90 days from now +./generate.sh 30- # certs that have expired more than 30 days ago +./generate.sh 30- 90+ # both of the above; in other words, certs are excluded if: + # {30 days ago} < cert_expiry < {90 days from now} +``` + +This is to assist client developers who wish to bundle pre-generated trust stores with their clients, but only want to include long-lived (and long-expired) certificates. + +## How to contribute + +The project is hosted [at tildegit.org](https://tildegit.org/nervuri/trust-store-generators). If you don't want to make an account, just [shoot me an email](https://nervuri.net/contact) with your [patch](https://git-send-email.io/)/suggestion/bug report/whatever else. diff --git a/agunua/INSTRUCTIONS.md b/agunua/INSTRUCTIONS.md new file mode 100644 index 0000000..edd8e56 --- /dev/null +++ b/agunua/INSTRUCTIONS.md @@ -0,0 +1,9 @@ +# Instructions for Agunua + +Agunua's trust store is `~/.agunua/fingerprints/` on GNU/Linux systems. For each host, a file is created in that directory. + +You can replace the `fingerprints` directory with the generated one, or merge them by running: + +``` +cp fingerprints/* ~/.agunua/fingerprints/ +``` diff --git a/agunua/generate-trust-store.sh b/agunua/generate-trust-store.sh new file mode 100755 index 0000000..7b4642f --- /dev/null +++ b/agunua/generate-trust-store.sh @@ -0,0 +1,81 @@ +#!/bin/sh + +### Agunua ### +# https://framagit.org/bortzmeyer/agunua +# +## Trust store format ## +# For each host, a file is created: `~/.agunua/fingerprints/${host_file}`, +# where the name of ${host_file} is identical to the requested host[:port], +# except for IDNs, which are converted to punycode. +# The file contains 3 lines: +# 1. spki:sha256:base64 -> certificate public key (SPKI) fingerprint +# 2. expiry date +# 3. start date +# +## Example ## +# $ cat ~/.agunua/fingerprints/gemini.circumlunar.space +# GgOhVhkgDbRJZJTskDgcH+i9ngFCJg9tij2WLtPPxy8= +# 2025-10-03T13:50:37Z +# 2020-10-03T13:50:37Z + +set -o errexit # (-e) exit immediately if any command has a non-zero exit status +set -o nounset # (-u) don't accept undefined variables +#set -o xtrace # for debugging + +# Go where this script is. +cd "$(dirname "$0")" || exit + +trust_store=fingerprints # directory + +# Remove old fingerprints directory, if present. +rm -Rf $trust_store +# Create fingerprints directory. +mkdir -p $trust_store + +# Add the "cert_is_not_within_expiry_boundaries" function. +. ../expiry-boundaries.sh + +for cert_file in ../certs/*; do + + cert=$(cat "$cert_file") + + if cert_is_not_within_expiry_boundaries; then + >&2 echo "excluded: $cert_file" + continue + fi + + host=$(expr "$cert_file" : '^../certs\/\(.*\)\:[0-9]*\.pem$') + port=$(expr "$cert_file" : '^../certs\/.*\:\([0-9]*\)\.pem$') + + # Hostname to punycode. + host=$(echo "$host" | idn) + + # File for certificate/public key pinning + if [ "$port" = 1965 ]; then + pinning_file="$trust_store/$host" + else + pinning_file="$trust_store/$host:$port" + fi + + # Certificate public key (SPKI) fingerprint + echo "$cert" \ + | openssl x509 -pubkey -noout \ + | openssl pkey -pubin -outform der \ + | openssl dgst -sha256 -binary \ + | openssl enc -base64 -A \ + > "$pinning_file" + echo >> "$pinning_file" # newline + + # Expiry date + enddate=$(echo "$cert" | openssl x509 -enddate -noout | cut -d '=' -f 2) + enddate=$(date -d "$enddate" +"%Y-%m-%dT%H:%M:%SZ" --utc) + echo "$enddate" >> "$pinning_file" + + # Start date + startdate=$(echo "$cert" | openssl x509 -startdate -noout | cut -d '=' -f 2) + startdate=$(date -d "$startdate" +"%Y-%m-%dT%H:%M:%SZ" --utc) + echo "$startdate" >> "$pinning_file" + +done + +echo OK diff --git a/amfora/INSTRUCTIONS.md b/amfora/INSTRUCTIONS.md new file mode 100644 index 0000000..aca0333 --- /dev/null +++ b/amfora/INSTRUCTIONS.md @@ -0,0 +1,16 @@ +# Instructions for Amfora + +Amfora's trust store is `~/.cache/amfora/tofu.toml` on GNU/Linux systems. + +You can replace it with the generated `tofu.toml`, or merge them using the provided script: + +``` +# First a test run: +./merge-trust-stores.sh ~/.cache/amfora/tofu.toml + +# The entries in ~/.cache/amfora/tofu.toml that are not included in the +# script-generated trust store will appear at the end of the output. + +# If it looks ok, then run: +./merge-trust-stores.sh ~/.cache/amfora/tofu.toml > ~/.cache/amfora/tofu.toml +``` diff --git a/amfora/generate-trust-store.sh b/amfora/generate-trust-store.sh new file mode 100755 index 0000000..0c408c2 --- /dev/null +++ b/amfora/generate-trust-store.sh @@ -0,0 +1,77 @@ +#!/bin/sh + +### Amfora ### +# https://github.com/makeworld-the-better-one/amfora +# +## Trust store format ## +# The file "~/.cache/amfora/tofu.toml" is used. +# It contains 2 lines for each host:port: +# 1. "example/org:port" = "spki:sha256:uppercase" -> certificate public key (SPKI) fingerprint +# 2. "example/org/expiry:port" = expiry date +# Dots in the hostname are converted to slashes. +# IDNs are converted to punycode. +# +## Example ## +# $ cat ~/.cache/amfora/tofu.toml +# "gemini/circumlunar/space" = "1A03A15619200DB4496494EC90381C1FE8BD9E0142260F6D8A3D962ED3CFC72F" +# "gemini/circumlunar/space/expiry" = 2025-10-03T13:50:37Z + +set -o errexit # (-e) exit immediately if any command has a non-zero exit status +set -o nounset # (-u) don't accept undefined variables +#set -o xtrace # for debugging + +# Go where this script is. +cd "$(dirname "$0")" || exit + +trust_store="tofu.toml" + +# Remove the old trust store. +rm -f "$trust_store" + +# Add the "cert_is_not_within_expiry_boundaries" function. +. ../expiry-boundaries.sh + +for cert_file in ../certs/*; do + + cert=$(cat "$cert_file") + + if cert_is_not_within_expiry_boundaries; then + >&2 echo "excluded: $cert_file" + continue + fi + + host=$(expr "$cert_file" : '^../certs\/\(.*\)\:[0-9]*\.pem$') + port=$(expr "$cert_file" : '^../certs\/.*\:\([0-9]*\)\.pem$') + + # Hostname to punycode. + host=$(echo "$host" | idn) + + # Replace dots with slashes. + host=$(echo "$host" | tr . /) + + # Append port if not default + if [ "$port" = 1965 ]; then + port_string='' + else + port_string=":$port" + fi + + # Certificate public key (SPKI) fingerprint + fingerprint=$(echo "$cert" \ + | openssl x509 -pubkey -noout \ + | openssl pkey -pubin -outform der \ + | openssl dgst -sha256 \ + | cut -d ' ' -f 2 \ + | tr '[:lower:]' '[:upper:]') + line1=$(printf "\"%s$port_string\" = \"%s\"" "$host" "$fingerprint") + + # Expiry date + enddate=$(echo "$cert" | openssl x509 -enddate -noout | cut -d '=' -f 2) + enddate=$(date -d "$enddate" +"%Y-%m-%dT%H:%M:%SZ" --utc) + line2=$(printf "\"%s/expiry$port_string\" = %s" "$host" "$enddate") + + printf "%s\n%s\n" "$line1" "$line2" >> "$trust_store" + +done + +echo OK diff --git a/amfora/merge-trust-stores.sh b/amfora/merge-trust-stores.sh new file mode 100755 index 0000000..80e72ee --- /dev/null +++ b/amfora/merge-trust-stores.sh @@ -0,0 +1,30 @@ +#!/bin/sh + +set -o errexit # (-e) exit immediately if any command has a non-zero exit status +set -o nounset # (-u) don't accept undefined variables +#set -o xtrace # for debugging + +if [ -z "${1:-}" ]; then + >&2 echo "The path to the user's trust store must be provided." + >&2 echo "The default on GNU/Linux is ~/.cache/amfora/tofu.toml" + exit 1 +fi + +dir="$(dirname "$0")" # directory where this script is + +trust_store=$(cat "$dir/tofu.toml") # script-generated trust store + +# Loop through user's trust store. +while read -r line; do + + entry=$(echo "$line" | cut -d ' ' -f 1) + + # If this entry is not in the script-generated trust store, add it. + if ! echo "$trust_store" | grep -qF "$entry"; then + trust_store="$trust_store\n$line" + fi + +done < "${1:-}" + +# Output to stdout. +echo "$trust_store" diff --git a/cert-details.sh b/cert-details.sh new file mode 100755 index 0000000..9ac8298 --- /dev/null +++ b/cert-details.sh @@ -0,0 +1,59 @@ +#!/bin/sh + +# Generate markdown and CSV files containing cert info for each host. + +set -o errexit # (-e) exit immediately if any command has a non-zero exit status +set -o nounset # (-u) don't accept undefined variables +#set -o xtrace # for debugging + +# Go where this script is. +cd "$(dirname "$0")" || exit + +# Table header +md_table="| Host | Cert | Expiry | Key Algorithm | Key Size (bits) | Signature Algorithm | +--- | --- | --- | --- | --- | ---\n" +csv_table="Host,Expiry,Key Algorithm,Key Size (bits),Signature Algorithm\n" + +for cert_file in certs/*.pem; do + + host=$(expr "$cert_file" : '^certs\/\(.*\)\:[0-9]*\.pem$') + port=$(expr "$cert_file" : '^certs\/.*\:\([0-9]*\)\.pem$') + if [ "$port" != 1965 ]; then + host="$host:$port" + fi + + # Get cert details: expiry, key algo, key size, signature algo. + end_date=$(openssl x509 -in "$cert_file" -enddate -noout | cut -d '=' -f 2) + end_date=$(date -d "$end_date" +"%Y-%m-%d" --utc) + + cert_details=$(openssl x509 -in "$cert_file" -noout -text) + + key_algo=$(echo "$cert_details" | grep 'Public Key Algorithm:' | cut -d ':' -f 2) + if [ "$key_algo" = ' id-ecPublicKey' ]; then + key_algo='ECDSA' + elif [ "$key_algo" = ' rsaEncryption' ]; then + key_algo='RSA' + elif [ "$key_algo" = ' ED25519' ]; then + key_algo='ED25519' + fi + + if [ "$key_algo" = 'ED25519' ]; then + key_size='256' + else + key_size=$(echo "$cert_details" | grep 'Public-Key:' | cut -d ':' -f 2) + key_size=$(expr "$key_size" : '^..\([0-9]*\).*$') + fi + + sig_algo=$(echo "$cert_details" | grep ' Signature Algorithm:' | cut -d ':' -f 2) + + # Add a table row. + md_table="$md_table| [$host](gemini://$host/) | [PEM]($cert_file) | $end_date | $key_algo | $key_size |$sig_algo |\n" + csv_table="$csv_table""$host,$end_date,$key_algo,$key_size,$sig_algo\n" + +done + +# Write to files. +echo "$md_table" > cert-details.md +echo "$csv_table" > cert-details.csv + +echo OK diff --git a/expiry-boundaries.sh b/expiry-boundaries.sh new file mode 100644 index 0000000..3b07440 --- /dev/null +++ b/expiry-boundaries.sh @@ -0,0 +1,60 @@ +#!/bin/sh + +# This file is included in every trust store generator script. +# +# It defines a function which checks if the expiry date of a +# certificate is within the specified boundaries. +# +# Boundaries can be specified like this: +# +# ./generate.sh # all certs +# ./generate.sh 90+ # certs that will expire in more than 90 days from now +# ./generate.sh 30- # certs that have expired more than 30 days ago +# ./generate.sh 30- 90+ # both of the above; so certs are excluded if: +# # {30 days ago} < cert_expiry < {90 days from now} + + +# Get the provided boundaries, if any. +minus_timestamp='' +plus_timestamp='' +now=$(date +%s) +for arg in "$@"; do + sign=$(expr "$arg" : '^[0-9]*\(-\|+\)$') + if [ "$sign" = '-' ]; then + minus_days=$(expr "$arg" : '^\([0-9]*\)-$') + minus_timestamp=$((now - minus_days * 86400)) + elif [ "$sign" = '+' ]; then + plus_days=$(expr "$arg" : '^\([0-9]*\)+$') + plus_timestamp=$((now + plus_days * 86400)) + else + continue + fi +done + + +cert_is_not_within_expiry_boundaries() ( + + # If `return 0`, cert will be excluded. + + if [ -z "$minus_timestamp" ] && [ -z "$plus_timestamp" ]; then + # No boundaries were specified. + return 1 # false + fi + + # Get expiration date from certificate. + cert_exp=$(echo "$cert" | openssl x509 -enddate -noout | cut -d '=' -f 2) + # Convert it to Unix timestamp. + cert_exp=$(date -d "$cert_exp" +%s) + + if [ -n "$minus_timestamp" ] && [ "$cert_exp" -lt "$minus_timestamp" ]; then + # $cert_exp < $minus_timestamp, so the cert is within boundaries. + return 1 # false + elif [ -n "$plus_timestamp" ] && [ "$cert_exp" -gt "$plus_timestamp" ]; then + # $cert_exp > $plus_timestamp, so the cert is within boundaries. + return 1 # false + fi + + # Certs are excluded if: + # $minus_timestamp < $cert_exp < $plus_timestamp + return 0 # true +) diff --git a/get-certs.sh b/get-certs.sh new file mode 100755 index 0000000..5b00847 --- /dev/null +++ b/get-certs.sh @@ -0,0 +1,139 @@ +#!/bin/sh + +# Download TLS certificates of hosts specified in the `hosts` file. + +set -o errexit # (-e) exit immediately if any command has a non-zero exit status +set -o nounset # (-u) don't accept undefined variables +#set -o xtrace # for debugging + +# Go where this script is. +cd "$(dirname "$0")" || exit + +# Create certs directory, if it does not exist. +mkdir -p certs + + +# Define function for fetching a certificate. +fetch_cert() ( + hp="$1" # host and port + timeout="${2:-}" + torsocks="${3:-}" + + # For .onion domains, connect using Tor. + if [ -z "${hp##*.onion:*}" ]; then + torsocks='torsocks' + fi + + # If a Tor connection was requested and torsocks is not installed, return. + if [ "$torsocks" != '' ] && ! command -v torsocks >/dev/null; then + >&2 echo "torsocks not available ($hp)" + return + fi + + response=$($timeout $torsocks openssl s_client -connect "$hp" /dev/null \ + | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p') + + # If no response, try again. + if [ -z "$response" ]; then + sleep 5 + response=$($timeout $torsocks openssl s_client -connect "$hp" /dev/null \ + | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p') + + # If still no response and Tor was not used, try one last time. + if [ -z "$response" ] && [ -z "$torsocks" ]; then + sleep 10 + response=$($timeout openssl s_client -connect "$hp" /dev/null \ + | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p') + fi + fi + + echo "$response" +) + + +# Loop through all hosts. +while read -r host; do + + printf "%s" "$host" + + port='1965' # default Gemini port + + # Check if host contains square brackets: + # [IPv4], [IPv6], [IPv4]:port or [IPv6]:port. + if expr "$host" : '^\[.*\]' >/dev/null; then + if expr "$host" : '^\[.*\]\:\([0-9]*\)$' >/dev/null; then + port=$(expr "$host" : '^\[.*\]\:\([0-9]*\)$') + fi + host=$(expr "$host" : '^\[\(.*\)\]') + + # No square brackets, just host:port. + # If $host contains only a single ":", then it is not an IPv6 address. + elif [ "$(echo "$host" | tr -dc ':' | wc -c)" = 1 ]; then + port=$(echo "$host" | cut -d ':' -f 2) + host=$(echo "$host" | cut -d ':' -f 1) + fi + + # Hostname to punycode. + host=$(echo "$host" | idn) + + # Hostname to lowercase. + host=$(echo "$host" | tr '[:upper:]' '[:lower:]') + + # Generate host_and_port string. + if [ -z "${host##*:*}" ]; then + # If host is an IPv6 address, add brackets around it. + host_and_port="[$host]:$port" + else + host_and_port="$host:$port" + fi + + # Get cert. + cert=$(fetch_cert "$host_and_port" 'timeout 5') + + if [ -z "$cert" ]; then + >&2 echo "$host_and_port - connection failed" + fi + + # If "tor" option is used, then connect again via Tor, + # to check if we get the same cert from a different network perspective. + if [ "${1:-}" = 'tor' ] && [ -n "${host##*.onion}" ]; then + + # If torsocks is not installed, return. + if ! command -v torsocks >/dev/null; then + >&2 echo "torsocks not available ($host_and_port)" + exit 1 + fi + + cert_via_tor=$(fetch_cert "$host_and_port" 'timeout 15' 'torsocks') + + if [ -z "$cert_via_tor" ]; then + >&2 echo "$host_and_port - Tor connection failed" + elif [ -n "$cert" ] && [ "$cert" != "$cert_via_tor" ]; then + >&2 echo "$host_and_port - Tor VERIFICATION FAILED (certs don't match)!!!" + # In this case, don't save the certificate. + continue + else + # If direct connection failed and Tor connection succeeded, + # use the cert received via Tor. + cert="$cert_via_tor" + fi + + fi + + if [ -n "$cert" ]; then + # If we got a cert back, then the host and port were valid, + # so they are safe to include in a file name. + # Convert from punycode to unicode, if needed. + host_and_port=$(echo "$host_and_port" | idn --idna-to-unicode) + echo "$cert" > "certs/${host_and_port}.pem" + printf ' - OK' + else + printf ' - failed' + fi + + echo # newline + sleep 0.3 + +done < hosts + +echo OK diff --git a/get-hosts.sh b/get-hosts.sh new file mode 100755 index 0000000..61ef977 --- /dev/null +++ b/get-hosts.sh @@ -0,0 +1,40 @@ +#!/bin/sh + +# Download a list of Gemini hosts from gemini://geminispace.info/known-hosts + +set -o errexit # (-e) exit immediately if any command has a non-zero exit status +set -o nounset # (-u) don't accept undefined variables +#set -o xtrace # for debugging + +# Go where this script is. +cd "$(dirname "$0")" || exit + +# If Agunua is installed, use it. +if command -v agunua >/dev/null; then + # Using Agunua is more secure, because it does certificate pinning. + hosts=$(agunua --insecure --binary gemini://geminispace.info/known-hosts \ + | grep "gemini://" | cut -d ' ' -f 3) +else + # If Agunua is not installed, pipe the request into OpenSSL s_client. + hosts=$(printf "gemini://geminispace.info/known-hosts\r\n" \ + | timeout 5 openssl s_client -quiet -connect "geminispace.info:1965" 2>/dev/null \ + | grep "gemini://" | cut -d ' ' -f 3) +fi + +if [ -z "$hosts" ]; then + >&2 echo "hosts file download failed." + exit 1 +fi + +# Add a few hosts that are missing from geminispace.info +hosts="$hosts +illegaldrugs.net +feeds.drewdevault.com" + +# Remove a host which changes its cert every few minutes. +hosts=$(echo "$hosts" | grep -v 'tofu-tester.random-projects.net:1966') + +# Save to file. +echo "$hosts" | sort | uniq > hosts + +echo OK diff --git a/lagrange/INSTRUCTIONS.md b/lagrange/INSTRUCTIONS.md new file mode 100644 index 0000000..b9d8bcc --- /dev/null +++ b/lagrange/INSTRUCTIONS.md @@ -0,0 +1,16 @@ +# Instructions for Lagrange + +Lagrange's trust store is `~/.config/lagrange/trusted.txt` on GNU/Linux systems. + +You can replace it with the generated `trusted.txt`, or merge them using the provided script: + +``` +# First a test run: +./merge-trust-stores.sh ~/.config/lagrange/trusted.txt + +# The entries in ~/.config/lagrange/trusted.txt that are not included in the +# script-generated trust store will appear at the end of the output. + +# If it looks ok, then run: +./merge-trust-stores.sh ~/.config/lagrange/trusted.txt > ~/.config/lagrange/trusted.txt +``` diff --git a/lagrange/generate-trust-store.sh b/lagrange/generate-trust-store.sh new file mode 100755 index 0000000..cb0f14f --- /dev/null +++ b/lagrange/generate-trust-store.sh @@ -0,0 +1,60 @@ +#!/bin/sh + +### Lagrange ### +# https://gmi.skyjake.fi/lagrange/ +# +## Trust store format ## +# The file "~/.config/lagrange/trusted.txt" is used on GNU/Linux and BSD. +# For other platforms, see https://github.com/skyjake/lagrange#user-files +# This file contains one line for each host (ports are not taken into account): +# example.org expiry_timestamp cert:sha256 +# IDNs are converted to punycode. +# +## Example ## +# $ cat ~/.config/lagrange/trusted.txt +# gemini.circumlunar.space 1759495837 5b4086d6914231f55828c815faae1f10e28b8bd42af6a1e286a711e9b7d78326 + +set -o errexit # (-e) exit immediately if any command has a non-zero exit status +set -o nounset # (-u) don't accept undefined variables +#set -o xtrace # for debugging + +# Go where this script is. +cd "$(dirname "$0")" || exit + +trust_store="trusted.txt" + +# Remove the old trust store. +rm -f "$trust_store" + +# Add the "cert_is_not_within_expiry_boundaries" function. +. ../expiry-boundaries.sh + +for cert_file in ../certs/*; do + + cert=$(cat "$cert_file") + + if cert_is_not_within_expiry_boundaries; then + >&2 echo "excluded: $cert_file" + continue + fi + + host=$(expr "$cert_file" : '^../certs\/\(.*\)\:[0-9]*\.pem$') + + # Hostname to punycode. + host=$(echo "$host" | idn) + + # Expiry date + enddate=$(echo "$cert" | openssl x509 -enddate -noout | cut -d '=' -f 2) + enddate=$(date -d "$enddate" +%s --utc) + + # Certificate fingerprint + fingerprint=$(echo "$cert" \ + | openssl x509 -outform der \ + | sha256sum \ + | cut -d ' ' -f 1) + + echo "$host $enddate $fingerprint" >> "$trust_store" + +done + +echo OK diff --git a/lagrange/merge-trust-stores.sh b/lagrange/merge-trust-stores.sh new file mode 100755 index 0000000..5f86bc1 --- /dev/null +++ b/lagrange/merge-trust-stores.sh @@ -0,0 +1,30 @@ +#!/bin/sh + +set -o errexit # (-e) exit immediately if any command has a non-zero exit status +set -o nounset # (-u) don't accept undefined variables +#set -o xtrace # for debugging + +if [ -z "${1:-}" ]; then + >&2 echo "The path to the user's trust store must be provided." + >&2 echo "The default on GNU/Linux is ~/.config/lagrange/trusted.txt" + exit 1 +fi + +dir="$(dirname "$0")" # directory where this script is + +trust_store=$(cat "$dir/trusted.txt") # script-generated trust store + +# Loop through user's trust store. +while read -r line; do + + entry=$(echo "$line" | cut -d ' ' -f 1) + + # If this entry is not in the script-generated trust store, add it. + if ! echo "$trust_store" | grep -qF "$entry"; then + trust_store="$trust_store\n$line" + fi + +done < "${1:-}" + +# Output to stdout. +echo "$trust_store" diff --git a/main.sh b/main.sh new file mode 100755 index 0000000..2c0fe7a --- /dev/null +++ b/main.sh @@ -0,0 +1,28 @@ +#!/bin/sh + +# Run all scripts. + +set -o errexit # (-e) exit immediately if any command has a non-zero exit status + +# Go where this script is. +cd "$(dirname "$0")" || exit + +echo '=== get hosts ===' +./get-hosts.sh + +echo '=== get certs ===' +if command -v torsocks >/dev/null; then + ./get-certs.sh tor +else + ./get-certs.sh +fi + +echo '=== cert details ===' +./cert-details.sh + +echo '=== Agunua ===' +agunua/generate-trust-store.sh +echo '=== Amfora ===' +amfora/generate-trust-store.sh +echo '=== Lagrange ===' +lagrange/generate-trust-store.sh diff --git a/test-hosts b/test-hosts new file mode 100644 index 0000000..5736bb6 --- /dev/null +++ b/test-hosts @@ -0,0 +1,15 @@ +gemini.circumlunar.space +pureXO.mom +[purexo.mom] +89.47.164.70 +[89.47.164.70] +89.47.164.70:1965 +[89.47.164.70]:1965 +2a02:7b40:592f:a446::1 +[2a02:7b40:592f:a446::1] +[2a02:7b40:592f:a446::1]:1965 +protonirockerxow.onion:443 +wikipedia.geminet.org +wikipedia.geminet.org:1966 +gémeaux.bortzmeyer.org +xn--gmeaux-bva.bortzmeyer.org