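#!/bin/sh

### Agunua ###
# https://framagit.org/bortzmeyer/agunua
#
## Trust store format ##
# For each host, a file is created: `~/.agunua/fingerprints/${host_file}`,
# where the name of ${host_file} is identical to the requested host[:port],
# except for IDNs, which are converted to punycode.
# The file contains 3 lines:
# 1. spki:sha256:base64 -> certificate public key (SPKI) fingerprint
# 2. expiry date
# 3. start date
#
## Example ##
# $ cat ~/.agunua/fingerprints/gemini.circumlunar.space
# GgOhVhkgDbRJZJTskDgcH+i9ngFCJg9tij2WLtPPxy8=
# 2025-10-03T13:50:37Z
# 2020-10-03T13:50:37Z
#
## Inputs ##
# ../certs/<host>:<port>.pem  - one PEM certificate per file; the default
#                               Gemini port 1965 is dropped from the pin name.
# ../expiry-boundaries.sh     - provides cert_is_not_within_expiry_boundaries,
#                               which is called with the PEM text in $cert.
#
# Requires openssl, idn and GNU date (-d / --utc).

set -o errexit # (-e) exit immediately if any command has a non-zero exit status
set -o nounset # (-u) don't accept undefined variables
#set -o xtrace # for debugging

# Print a message on stderr and abort. A half-built trust store is worse
# than none, so every recoverable-looking problem is fatal here.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Print one certificate date field as UTC ISO 8601.
# $1 - openssl x509 option (-enddate or -startdate); the PEM is read from $cert.
# Returns non-zero (and prints nothing) if openssl cannot parse the certificate.
cert_date() {
  _date_line=$(printf '%s\n' "$cert" | openssl x509 "$1" -noout) || return 1
  # openssl prints e.g. "notAfter=Oct  3 13:50:37 2025 GMT"; keep the value.
  date -d "${_date_line#*=}" +"%Y-%m-%dT%H:%M:%SZ" --utc
}

# Go where this script is.
cd "$(dirname "$0")" || exit

trust_store=fingerprints # directory

# Remove old fingerprints directory, if present.
# ${trust_store:?} aborts instead of running "rm -Rf" on an empty path.
rm -Rf -- "${trust_store:?}"
# Create fingerprints directory.
mkdir -p -- "$trust_store"

# Add the "cert_is_not_within_expiry_boundaries" function.
. ../expiry-boundaries.sh

for cert_file in ../certs/*; do

  # An unmatched glob leaves the literal pattern behind: fail loudly instead
  # of printing OK over an empty trust store.
  [ -f "$cert_file" ] || die "no certificate file found: $cert_file"

  cert=$(cat "$cert_file")

  if cert_is_not_within_expiry_boundaries; then
    printf '%s\n' "excluded: $cert_file" >&2
    continue
  fi

  # Split "<host>:<port>.pem" on the LAST colon: hosts (IPv6 literals) may
  # contain colons, ports never do. Anything else is a malformed input.
  case "$cert_file" in
    *.pem) ;;
    *) die "bad certificate file name (expected host:port.pem): $cert_file" ;;
  esac
  name=${cert_file##*/}
  name=${name%.pem}
  host=${name%:*}
  port=${name##*:}
  case "$port" in
    '' | *[!0-9]*) die "bad certificate file name (expected host:port.pem): $cert_file" ;;
  esac
  [ -n "$host" ] || die "bad certificate file name (empty host): $cert_file"

  # Hostname to punycode. printf rather than echo: a host starting with "-"
  # would otherwise be taken as an echo option by some shells.
  host=$(printf '%s\n' "$host" | idn --allow-unassigned)
  [ -n "$host" ] || die "idn produced an empty host name for: $cert_file"

  # File for certificate/public key pinning
  if [ "$port" = 1965 ]; then
    pinning_file="$trust_store/$host"
  else
    pinning_file="$trust_store/$host:$port"
  fi

  # Certificate public key (SPKI) fingerprint.
  # The public key is extracted on its own first: sh has no pipefail, so a
  # failing "openssl x509" inside the long pipeline would go unnoticed and an
  # empty fingerprint would be pinned.
  pubkey=$(printf '%s\n' "$cert" | openssl x509 -pubkey -noout) \
    || die "cannot read public key from: $cert_file"
  fingerprint=$(printf '%s\n' "$pubkey" \
    | openssl pkey -pubin -outform der \
    | openssl dgst -sha256 -binary \
    | openssl enc -base64 -A)
  # base64 of a 32-byte SHA-256 digest is always 44 characters.
  [ "${#fingerprint}" -eq 44 ] || die "bad SPKI fingerprint for: $cert_file"

  # Expiry date
  enddate=$(cert_date -enddate) || die "cannot read expiry date from: $cert_file"

  # Start date
  startdate=$(cert_date -startdate) || die "cannot read start date from: $cert_file"

  printf "%s\n%s\n%s\n" "$fingerprint" "$enddate" "$startdate" > "$pinning_file"

done

echo OK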