Trust store generator scripts for various Gemini clients

Go to file

nervuri c46eb8b3d0 remove --insecure flag from agunua commands No longer required, since version 1.5.		2021-09-24 12:35:45 +03:00
agunua	fix IDN conversion failure in generator scripts	2021-06-04 18:05:37 +03:00
amfora	fix IDN conversion failure in generator scripts	2021-06-04 18:05:37 +03:00
lagrange	update Lagrange trust store format	2021-09-16 20:52:13 +03:00
LICENSE.txt	init	2021-04-28 12:20:18 +03:00
README.md	mention Agunua as an optional dependency	2021-06-24 16:55:17 +03:00
cert-details.sh	remove extra space in $sig_algo	2021-06-30 20:53:24 +03:00
excluded-hosts	add exclusion list for specific hosts, private IPs and reserved TLDs	2021-06-30 20:57:14 +03:00
expiry-boundaries.sh	init	2021-04-28 12:20:18 +03:00
get-certs.sh	add spacing to stderr output	2021-06-24 16:13:47 +03:00
get-hosts.sh	remove --insecure flag from agunua commands	2021-09-24 12:35:45 +03:00
main.sh	add script for pruning old certificates	2021-06-24 16:17:02 +03:00
prune-old-certs.sh	add script for pruning old certificates	2021-06-24 16:17:02 +03:00
test-hosts	init	2021-04-28 12:20:18 +03:00

README.md

Gemini Trust Store Generators

Geminispace is (currently) small enough that we can afford to download all known capsules' TLS certificates and use them to generate trust stores for various Gemini clients. If verified via multiple network perspectives, using a pre-generated trust store is a major improvement over blindly trusting-on-first-use.

This repo contains scripts for:

downloading a list of hosts from geminispace.info and Lupa
downloading the TLS certificates of those hosts
generating a table containing details about each certificate
generating trust stores for various Gemini clients, currently:

Trust stores generated by these scripts can be found at https://tildegit.org/nervuri/trust-stores

Dependencies

Required: OpenSSL, idn

Optional: torsocks (for .onion capsules and for double-checking certificates using a different network perspective) and Agunua (for downloading host lists more securely).

To install them in Debian, run: sudo apt install openssl idn torsocks and pip3 install agunua.

Usage

./main.sh will run all scripts. For the trust stores repo, I use time ./main.sh >log-stdout 2>log-stderr. For 893 hosts, the command takes around 80 minutes to complete with Tor verification and 45 minutes without.

get-certs.sh accepts tor as an optional argument, to double-check certificates using the Tor network. If you have torsocks installed, this option will automatically be used when you run ./main.sh.

All trust store generators accept certificate expiry boundaries as arguments. Ex:

./generate.sh          # all certs
./generate.sh 90+      # certs that will expire in more than 90 days from now
./generate.sh 30-      # certs that have expired more than 30 days ago
./generate.sh 30- 90+  # both of the above; in other words, certs are excluded if:
                       # {30 days ago} < cert_expiry < {90 days from now}

This is to assist client developers who wish to bundle pre-generated trust stores with their clients, but only want to include long-lived (and long-expired) certificates.

How to contribute

The project is hosted at tildegit.org. If you don't want to make an account, just shoot me an email with your patch/suggestion/bug report/whatever else.