Merge branch 'master' into old_signer_image

2020-12-28 21:20:00 +01:00 · 2020-12-28 21:20:00 +01:00 · da93c32436
parent fd39d4adce 5c924ee206
commit da93c32436
11 changed files with 66 additions and 34 deletions
--- a/.editorconfig
+++ b/.editorconfig
@ -34,9 +34,7 @@ ij_css_use_double_quotes = true
 ij_css_value_alignment = do_not_align

 [{*.pl,*.pm}]
-indent_size = 2
-tab_width = 2
-ij_continuation_indent_size = 2
+ij_continuation_indent_size = 4
 ij_perl5_align_attributes = false
 ij_perl5_align_comments_on_consequent_lines = true
 ij_perl5_align_consecutive_assignments = 0
@ -54,9 +52,9 @@ ij_perl5_assignment_wrap = off
 ij_perl5_attributes_wrap = 0
 ij_perl5_binary_operation_sign_on_next_line = false
 ij_perl5_binary_operation_wrap = off
-ij_perl5_brace_style_compound = 1
-ij_perl5_brace_style_namespace = 1
-ij_perl5_brace_style_sub = 1
+ij_perl5_brace_style_compound = 0
+ij_perl5_brace_style_namespace = 0
+ij_perl5_brace_style_sub = 0
 ij_perl5_call_parameters_wrap = off
 ij_perl5_else_on_new_line = true
 ij_perl5_keep_indents_on_empty_lines = false
--- a/cats.Dockerfile
+++ b/cats.Dockerfile
@ -11,9 +11,10 @@ RUN apt-get update \
    nullmailer \
    php5-mysql \
    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
-
-STOPSIGNAL SIGWINCH
+    && rm -rf /var/lib/apt/lists/* \
+    && curl --silent --location --output /usr/local/bin/dumb-init \
+       https://github.com/Yelp/dumb-init/releases/download/v1.2.4/dumb-init_1.2.4_x86_64 \
+    && chmod +x /usr/local/bin/dumb-init

 COPY docker/apache-cats-foreground /usr/local/bin/
 COPY testca/root/ca.crt.pem /usr/local/share/ca-certificates/testca_root.crt
@ -33,10 +34,11 @@ RUN a2ensite cats.cacert.localhost ; \
    a2enmod rewrite ; \
    a2enmod ssl ; \
    cd /usr/local/share/ca-certificates ; \
-    curl -O http://www.cacert.org/certs/root_X0F.crt ; \
-    curl -O http://www.cacert.org/certs/class3_X0E.crt ; \
+    curl --silent --remote-name http://www.cacert.org/certs/root_X0F.crt ; \
+    curl --silent --remote-name http://www.cacert.org/certs/class3_X0E.crt ; \
    update-ca-certificates

 EXPOSE 443

+ENTRYPOINT ["/usr/local/bin/dumb-init", "--"]
 CMD ["/usr/local/bin/apache-cats-foreground"]
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -42,7 +42,6 @@ services:
      CRL_DIRECTORY: /srv/certs/crl
      DEFAULT_HOSTNAME: www.cacert.localhost
      SECURE_HOSTNAME: secure.cacert.localhost
-      TVERIFY_HOSTNAME: tverify.cacert.localhost
      INSECURE_PORT: 8080
      SECURE_PORT: 8443
      RETURN_ADDRESS: "returns@cacert.localhost"
@ -96,7 +95,6 @@ services:
    environment:
      MYSQL_WEBDB_HOSTNAME: db
      MYSQL_WEBDB_DATABASE: cacert
-      CSR_DIRECTORY: /srv/certs/csr
      CRT_DIRECTORY: /srv/certs/crt
      CRL_DIRECTORY: /srv/certs/crl
      SMTP_HOST: smtp
@ -115,6 +113,10 @@ services:
      SIGNER_WORKDIR: /srv/ca/work
      SIGNER_CA_CONFIG: /srv/caconfig
      SIGNER_BASEDIR: /srv/ca
+      SIGNER_GPG_KEYRING_DIR: /srv/ca/gpg
+      SIGNER_GPG_ID: gpg@cacert.localhost
+      SIGNER_CPS_URL: https://www.cacert.localhost:8443/cps.php
+      SIGNER_OCSP_URL: http://ocsp.cacert.localhost/
    volumes:
      - signersockets:/srv/sockets
      - signerdata:/srv/ca
--- a/docker/run-dovecot
+++ b/docker/run-dovecot
@ -7,4 +7,6 @@ chmod 0640 /etc/dovecot/imap_user.txt
 chown dovecot.dovecot /etc/dovecot/imap_user.txt
 echo "log_path = /dev/stderr" > /etc/dovecot/local.conf

+trap "exit 0" TERM INT
+
 dovecot -F
--- a/docker/run-postfix
+++ b/docker/run-postfix
@ -4,4 +4,6 @@ set -eu
 mkdir -p /home/catchall/Maildir/tmp /home/catchall/Maildir/new /home/catchall/Maildir/cur
 chown -Rc catchall.catchall /home/catchall/Maildir

+trap "exit 0" INT TERM
+
 postfix start-fg
--- a/docker/run-signer
+++ b/docker/run-signer
@ -2,10 +2,6 @@

 set -eu

-rm -f /srv/sockets/signer
-socat -d -d PTY,link=/dev/ttyUSB0 UNIX-LISTEN:/srv/sockets/signer 2>&1 &
-sleep 1
-
 export SERIAL_PORT=/dev/ttyUSB0

 mkdir -p /srv/ca/CA/certs /srv/ca/CA/private /srv/ca/CA/newcerts
@ -13,18 +9,24 @@ cp /srv/testca/root/ca.crt.pem /srv/ca/CA/ca.crt.pem
 cp /srv/testca/root/private/ca.key.pem /srv/ca/CA/private/ca.key.pem
 if [ ! -f /srv/ca/CA/index.txt ]; then cp /srv/testca/root/index.txt /srv/ca/CA/index.txt; fi
 if [ ! -f /srv/ca/CA/index.txt.attr ]; then cp /srv/testca/root/index.txt.attr /srv/ca/CA/index.txt.attr; fi
-if [ ! -f /srv/ca/CA/serial ]; then echo -n '00' > /srv/ca/CA/serial; fi
-if [ ! -f /srv/ca/CA/crlnumber ]; then echo 1000 > /srv/ca/CA/crlnumber; fi
+if [ ! -f /srv/ca/CA/serial ]; then printf '00' >/srv/ca/CA/serial; fi
+if [ ! -f /srv/ca/CA/crlnumber ]; then echo 1000 >/srv/ca/CA/crlnumber; fi

-mkdir -p /srv/ca/class3/certs /srv/ca/class3/private /srv/ca/class3/newcerts
+mkdir -p /srv/ca/class3/certs /srv/ca/class3/private /srv/ca/class3/newcerts /srv/ca/gpg/gpg_root_0
 cp /srv/testca/class3/ca.crt.pem /srv/ca/class3/ca.crt.pem
 cp /srv/testca/class3/private/ca.key.pem /srv/ca/class3/private/ca.key.pem
 if [ ! -f /srv/ca/class3/index.txt ]; then cp /srv/testca/class3/index.txt /srv/ca/class3/index.txt; fi
 if [ ! -f /srv/ca/class3/index.txt.attr ]; then cp /srv/testca/class3/index.txt.attr /srv/ca/class3/index.txt.attr; fi
-if [ ! -f /srv/ca/class3/serial ]; then echo -n '00' > /srv/ca/class3/serial; fi
-if [ ! -f /srv/ca/class3/crlnumber ]; then echo 1000 > /srv/ca/class3/crlnumber; fi
+if [ ! -f /srv/ca/class3/serial ]; then printf '00' >/srv/ca/class3/serial; fi
+if [ ! -f /srv/ca/class3/crlnumber ]; then echo 1000 >/srv/ca/class3/crlnumber; fi
+if [ ! -f /srv/ca/gpg/gpg_root_0/secring.gpg ]; then cp /srv/testca/gpg/gpg_root_0/secring.gpg /srv/ca/gpg/gpg_root_0/secring.gpg; fi
+if [ ! -f /srv/ca/gpg/gpg_root_0/pubring.gpg ]; then cp /srv/testca/gpg/gpg_root_0/pubring.gpg /srv/ca/gpg/gpg_root_0/pubring.gpg; fi
+
+rm -f /srv/sockets/signer
+socat -d -d PTY,link=/dev/ttyUSB0 UNIX-LISTEN:/srv/sockets/signer 2>&1 &
+sleep 1

 cd /srv/CommModule/

 touch server.pl-active
-exec perl -w server.pl
+exec perl -w server.pl
--- a/mgr.Dockerfile
+++ b/mgr.Dockerfile
@ -14,9 +14,10 @@ RUN apt-get update \
    php5-mysql \
    zendframework \
    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
-
-STOPSIGNAL SIGWINCH
+    && rm -rf /var/lib/apt/lists/* \
+    && curl --silent --location --output /usr/local/bin/dumb-init \
+       https://github.com/Yelp/dumb-init/releases/download/v1.2.4/dumb-init_1.2.4_x86_64 \
+    && chmod +x /usr/local/bin/dumb-init

 COPY docker/apache-mgr-foreground /usr/local/bin/
 COPY testca/root/ca.crt.pem /usr/local/share/ca-certificates/testca_root.crt
@ -37,10 +38,11 @@ RUN a2ensite mgr.cacert.localhost ; \
    a2enmod rewrite ; \
    a2enmod ssl ; \
    cd /usr/local/share/ca-certificates ; \
-    curl -O http://www.cacert.org/certs/root_X0F.crt ; \
-    curl -O http://www.cacert.org/certs/class3_X0E.crt ; \
+    curl --silent --remote-name http://www.cacert.org/certs/root_X0F.crt ; \
+    curl --silent --remote-name http://www.cacert.org/certs/class3_X0E.crt ; \
    update-ca-certificates

 EXPOSE 443

+ENTRYPOINT ["/usr/local/bin/dumb-init", "--"]
 CMD ["/usr/local/bin/apache-mgr-foreground"]
--- a/setup_test_ca.sh
+++ b/setup_test_ca.sh
@ -4,12 +4,15 @@ set -eu

 ORGANIZATION="CAcert Inc."
 COUNTRY_CODE="AU"
+CACERT_GPG_NAME="CA Cert Signing Authority (Root CA)"
+CACERT_GPG_EMAIL="gpg@cacert.localhost"
+
 . ./.env

 if [ ! -d testca/ ]; then
  mkdir -p testca/
  cd testca
-  mkdir -p root/newcerts class3/newcerts root/private class3/private certs
+  mkdir -p root/newcerts class3/newcerts root/private class3/private certs gpg/gpg_root_0
  touch root/index.txt class3/index.txt
 else
  cd testca
@ -223,3 +226,17 @@ if [ ! -f certs/testclient.p12 ]; then
    -in certs/testclient.crt.pem \
    -name "${CLIENT_CERT_USERNAME}"
 fi
+
+if [ ! -f gpg/gpg_root_0/secring.gpg ]; then
+  chmod 0700 gpg/gpg_root_0
+  gpg --homedir gpg/gpg_root_0 --generate-key --batch <<EOF
+Key-Type: RSA
+Key-Length: 4096
+Key-Usage: cert
+Name-Real: ${CACERT_GPG_NAME}
+Name-Email: ${CACERT_GPG_EMAIL}
+%no-protection
+EOF
+  gpg --homedir gpg/gpg_root_0 --export | gpg1 --homedir gpg/gpg_root_0 --import
+  gpg --homedir gpg/gpg_root_0 --export-secret-keys | gpg1 --homedir gpg/gpg_root_0 --import
+fi
--- a/signer.Dockerfile
+++ b/signer.Dockerfile
@ -9,6 +9,7 @@ RUN echo "deb http://archive.debian.org/debian squeeze main" > /etc/apt/sources.
    libdevice-serialport-perl \
    libdigest-sha-perl \
    libfile-counterfile-perl \
+    libreadonly-perl \
    openssl \
    perl \
    socat \
--- a/signer_client.Dockerfile
+++ b/signer_client.Dockerfile
@ -11,7 +11,9 @@ RUN apt-get update \
    libdbd-mysql-perl \
    libdbi-perl \
    libdevice-serialport-perl \
+    libemail-mime-perl \
    libfile-counterfile-perl \
+    libreadonly-perl \
    openssl \
    perl \
    socat \
--- a/webdb.Dockerfile
+++ b/webdb.Dockerfile
@ -37,9 +37,10 @@ RUN apt-get update \
    wamerican \
    whois \
    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
-
-STOPSIGNAL SIGWINCH
+    && rm -rf /var/lib/apt/lists/* \
+    && curl --silent --location --output /usr/local/bin/dumb-init \
+       https://github.com/Yelp/dumb-init/releases/download/v1.2.4/dumb-init_1.2.4_x86_64 \
+    && chmod +x /usr/local/bin/dumb-init

 COPY docker/apache-webdb-foreground /usr/local/bin/
 COPY testca/root/ca.crt.pem /usr/local/share/ca-certificates/testca_root.crt
@ -64,11 +65,12 @@ RUN a2ensite www.cacert.localhost ; \
    a2enmod ssl ; \
    ln -s /etc/php5/mods-available/cacert.ini /etc/php5/apache2/conf.d/20-cacert.ini ; \
    cd /usr/local/share/ca-certificates ; \
-    curl -O http://www.cacert.org/certs/root_X0F.crt ; \
-    curl -O http://www.cacert.org/certs/class3_X0E.crt ; \
+    curl --silent --remote-name http://www.cacert.org/certs/root_X0F.crt ; \
+    curl --silent --remote-name http://www.cacert.org/certs/class3_X0E.crt ; \
    update-ca-certificates

 EXPOSE 80
 EXPOSE 443

+ENTRYPOINT ["/usr/local/bin/dumb-init", "--"]
 CMD ["/usr/local/bin/apache-webdb-foreground"]