From 82f90f7fa2a8d586793923c8ec355e86faa3911f Mon Sep 17 00:00:00 2001
From: Jan Dittberner
Date: Sat, 26 Dec 2020 07:01:39 +0100
Subject: [PATCH 1/9] Align Perl brace formatting with perltidy
---
 .editorconfig | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.editorconfig b/.editorconfig
index a3971e1..0ae10fe 100644
--- a/.editorconfig
+++ b/.editorconfig
@@ -54,9 +54,9 @@ ij_perl5_assignment_wrap = off
 ij_perl5_attributes_wrap = 0
 ij_perl5_binary_operation_sign_on_next_line = false
 ij_perl5_binary_operation_wrap = off
-ij_perl5_brace_style_compound = 1
-ij_perl5_brace_style_namespace = 1
-ij_perl5_brace_style_sub = 1
+ij_perl5_brace_style_compound = 0
+ij_perl5_brace_style_namespace = 0
+ij_perl5_brace_style_sub = 0
 ij_perl5_call_parameters_wrap = off
 ij_perl5_else_on_new_line = true
 ij_perl5_keep_indents_on_empty_lines = false
From b6bead34ab79a7b651e80b31b08f0789c6a61bad Mon Sep 17 00:00:00 2001
From: Jan Dittberner
Date: Sat, 26 Dec 2020 08:31:58 +0100
Subject: [PATCH 2/9] Add GPG support to signer image
---
 docker-compose.yml | 2 ++
 docker/run-signer | 12 +++++++-----
 setup_test_ca.sh | 15 ++++++++++++++-
 3 files changed, 23 insertions(+), 6 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index a560efb..3e39487 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -115,6 +115,8 @@ services:
 SIGNER_WORKDIR: /srv/ca/work
 SIGNER_CA_CONFIG: /srv/caconfig
 SIGNER_BASEDIR: /srv/ca
+SIGNER_GPG_KEYRING_DIR: /srv/ca/gpg
+SIGNER_GPG_ID: gpg@cacert.localhost
 volumes:
 - signersockets:/srv/sockets
 - signerdata:/srv/ca
diff --git a/docker/run-signer b/docker/run-signer
index edf1ca0..9f95d85 100755
--- a/docker/run-signer
+++ b/docker/run-signer
@@ -2,10 +2,6 @@ set -eu
-rm -f /srv/sockets/signer
-socat -d -d PTY,link=/dev/ttyUSB0 UNIX-LISTEN:/srv/sockets/signer 2>&1 &
-sleep 1
 export SERIAL_PORT=/dev/ttyUSB0
 mkdir -p /srv/ca/CA/certs /srv/ca/CA/private /srv/ca/CA/newcerts
@@ -16,13 +12,19 @@ if [ ! -f /srv/ca/CA/index.txt.attr ]; then cp /srv/testca/root/index.txt.attr /
 if [ ! -f /srv/ca/CA/serial ]; then echo -n '00' > /srv/ca/CA/serial; fi
 if [ ! -f /srv/ca/CA/crlnumber ]; then echo 1000 > /srv/ca/CA/crlnumber; fi
-mkdir -p /srv/ca/class3/certs /srv/ca/class3/private /srv/ca/class3/newcerts
+mkdir -p /srv/ca/class3/certs /srv/ca/class3/private /srv/ca/class3/newcerts /srv/ca/gpg/gpg_root_0
 cp /srv/testca/class3/ca.crt.pem /srv/ca/class3/ca.crt.pem
 cp /srv/testca/class3/private/ca.key.pem /srv/ca/class3/private/ca.key.pem
 if [ ! -f /srv/ca/class3/index.txt ]; then cp /srv/testca/class3/index.txt /srv/ca/class3/index.txt; fi
 if [ ! -f /srv/ca/class3/index.txt.attr ]; then cp /srv/testca/class3/index.txt.attr /srv/ca/class3/index.txt.attr; fi
 if [ ! -f /srv/ca/class3/serial ]; then echo -n '00' > /srv/ca/class3/serial; fi
 if [ ! -f /srv/ca/class3/crlnumber ]; then echo 1000 > /srv/ca/class3/crlnumber; fi
+if [ ! -f /srv/ca/gpg/gpg_root_0/secring.gpg ]; then cp /srv/testca/gpg/gpg_root_0/secring.gpg /srv/ca/gpg/gpg_root_0/secring.gpg; fi
+if [ ! -f /srv/ca/gpg/gpg_root_0/pubring.gpg ]; then cp /srv/testca/gpg/gpg_root_0/secring.gpg /srv/ca/gpg/gpg_root_0/pubring.gpg; fi
+
+rm -f /srv/sockets/signer
+socat -d -d PTY,link=/dev/ttyUSB0 UNIX-LISTEN:/srv/sockets/signer 2>&1 &
+sleep 1
 cd /srv/CommModule/
diff --git a/setup_test_ca.sh b/setup_test_ca.sh
index 6b9a5fc..755a415 100755
--- a/setup_test_ca.sh
+++ b/setup_test_ca.sh
@@ -9,7 +9,7 @@ COUNTRY_CODE="AU"
 if [ ! -d testca/ ]; then
 mkdir -p testca/
 cd testca
- mkdir -p root/newcerts class3/newcerts root/private class3/private certs
+ mkdir -p root/newcerts class3/newcerts root/private class3/private certs gpg/gpg_root_0
 touch root/index.txt class3/index.txt
 else
 cd testca
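Review bot: The new `mkdir -p ... /srv/ca/gpg/gpg_root_0` and the `cp` of `secring.gpg` create the GnuPG home directory and the secret keyring with whatever mode the process umask yields, and nothing in the hunk tightens it. GnuPG warns about unsafe permissions on a home directory that is not owner-only, and the secret ring is the signing key this signer will use, so add `chmod 0700 /srv/ca/gpg/gpg_root_0` after the mkdir and `chmod 0600 /srv/ca/gpg/gpg_root_0/secring.gpg` after the copy. The same applies to the `gpg/gpg_root_0` directory created in the setup_test_ca.sh hunk below and to the reworked copy lines in the run-signer hunk of patch 3.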
@@ -223,3 +223,16 @@ if [ ! -f certs/testclient.p12 ]; then
 -in certs/testclient.crt.pem \
 -name "${CLIENT_CERT_USERNAME}"
 fi
+
+if [ ! -f gpg/gpg_root_0/secring.gpg ]; then
+ gpg --homedir testca/gpg/gpg_root_0 --generate-key --batch < Date: Sat, 26 Dec 2020 11:52:37 +0100 Subject: [PATCH 3/9] Fix gpg setup for signer
---
 docker/run-signer | 12 ++++++------
 setup_test_ca.sh | 18 +++++++++++-------
 2 files changed, 17 insertions(+), 13 deletions(-)
diff --git a/docker/run-signer b/docker/run-signer
index 9f95d85..c145ea5 100755
--- a/docker/run-signer
+++ b/docker/run-signer
@@ -9,18 +9,18 @@ cp /srv/testca/root/ca.crt.pem /srv/ca/CA/ca.crt.pem
 cp /srv/testca/root/private/ca.key.pem /srv/ca/CA/private/ca.key.pem
 if [ ! -f /srv/ca/CA/index.txt ]; then cp /srv/testca/root/index.txt /srv/ca/CA/index.txt; fi
 if [ ! -f /srv/ca/CA/index.txt.attr ]; then cp /srv/testca/root/index.txt.attr /srv/ca/CA/index.txt.attr; fi
-if [ ! -f /srv/ca/CA/serial ]; then echo -n '00' > /srv/ca/CA/serial; fi
-if [ ! -f /srv/ca/CA/crlnumber ]; then echo 1000 > /srv/ca/CA/crlnumber; fi
+if [ ! -f /srv/ca/CA/serial ]; then printf '00' >/srv/ca/CA/serial; fi
+if [ ! -f /srv/ca/CA/crlnumber ]; then echo 1000 >/srv/ca/CA/crlnumber; fi
 mkdir -p /srv/ca/class3/certs /srv/ca/class3/private /srv/ca/class3/newcerts /srv/ca/gpg/gpg_root_0
 cp /srv/testca/class3/ca.crt.pem /srv/ca/class3/ca.crt.pem
 cp /srv/testca/class3/private/ca.key.pem /srv/ca/class3/private/ca.key.pem
 if [ ! -f /srv/ca/class3/index.txt ]; then cp /srv/testca/class3/index.txt /srv/ca/class3/index.txt; fi
 if [ ! -f /srv/ca/class3/index.txt.attr ]; then cp /srv/testca/class3/index.txt.attr /srv/ca/class3/index.txt.attr; fi
-if [ ! -f /srv/ca/class3/serial ]; then echo -n '00' > /srv/ca/class3/serial; fi
-if [ ! -f /srv/ca/class3/crlnumber ]; then echo 1000 > /srv/ca/class3/crlnumber; fi
+if [ ! -f /srv/ca/class3/serial ]; then printf '00' >/srv/ca/class3/serial; fi
+if [ ! -f /srv/ca/class3/crlnumber ]; then echo 1000 >/srv/ca/class3/crlnumber; fi
 if [ ! -f /srv/ca/gpg/gpg_root_0/secring.gpg ]; then cp /srv/testca/gpg/gpg_root_0/secring.gpg /srv/ca/gpg/gpg_root_0/secring.gpg; fi
-if [ ! -f /srv/ca/gpg/gpg_root_0/pubring.gpg ]; then cp /srv/testca/gpg/gpg_root_0/secring.gpg /srv/ca/gpg/gpg_root_0/pubring.gpg; fi
+if [ ! -f /srv/ca/gpg/gpg_root_0/pubring.gpg ]; then cp /srv/testca/gpg/gpg_root_0/pubring.gpg /srv/ca/gpg/gpg_root_0/pubring.gpg; fi
 rm -f /srv/sockets/signer
 socat -d -d PTY,link=/dev/ttyUSB0 UNIX-LISTEN:/srv/sockets/signer 2>&1 &
@@ -29,4 +29,4 @@ sleep 1
 cd /srv/CommModule/
 touch server.pl-active
-exec perl -w server.pl
\ No newline at end of file
+exec perl -w server.pl
diff --git a/setup_test_ca.sh b/setup_test_ca.sh
index 755a415..9a9a3b3 100755
--- a/setup_test_ca.sh
+++ b/setup_test_ca.sh
@@ -4,6 +4,9 @@ set -eu
 ORGANIZATION="CAcert Inc."
 COUNTRY_CODE="AU"
+CACERT_GPG_NAME="CA Cert Signing Authority (Root CA)"
+CACERT_GPG_EMAIL="gpg@cacert.localhost"
+
 . ./.env
 if [ ! -d testca/ ]; then
@@ -225,14 +228,15 @@ if [ ! -f certs/testclient.p12 ]; then
 fi
 if [ ! -f gpg/gpg_root_0/secring.gpg ]; then
- gpg --homedir testca/gpg/gpg_root_0 --generate-key --batch < Date: Sat, 26 Dec 2020 12:13:27 +0100 Subject: [PATCH 4/9] Configure OCSP and CPS URLs for local signer
---
 docker-compose.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/docker-compose.yml b/docker-compose.yml
index 3e39487..564cf76 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -117,6 +117,8 @@ services:
 SIGNER_BASEDIR: /srv/ca
 SIGNER_GPG_KEYRING_DIR: /srv/ca/gpg
 SIGNER_GPG_ID: gpg@cacert.localhost
+SIGNER_CPS_URL: https://www.cacert.localhost:8443/cps.php
+SIGNER_OCSP_URL: http://ocsp.cacert.localhost/
 volumes:
 - signersockets:/srv/sockets
 - signerdata:/srv/ca
From aa9685aa277e255a3337c2e7ec4fd9cfdb4b220d Mon Sep 17 00:00:00 2001
From: Jan Dittberner
Date: Sat, 26 Dec 2020 15:52:34 +0100
Subject: [PATCH 5/9] Remove obsolete tverify hostname
---
 docker-compose.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 564cf76..e09ed8c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -42,7 +42,6 @@ services:
 CRL_DIRECTORY: /srv/certs/crl
 DEFAULT_HOSTNAME: www.cacert.localhost
 SECURE_HOSTNAME: secure.cacert.localhost
-TVERIFY_HOSTNAME: tverify.cacert.localhost
 INSECURE_PORT: 8080
 SECURE_PORT: 8443
 RETURN_ADDRESS: "returns@cacert.localhost"
From fd9d45668b7f953f8ff2b7dcc644859e3b533819 Mon Sep 17 00:00:00 2001
From: Jan Dittberner
Date: Sat, 26 Dec 2020 17:10:15 +0100
Subject: [PATCH 6/9] Implement signal handling
---
 cats.Dockerfile | 12 +++++++-----
 docker/run-dovecot | 2 ++
 docker/run-postfix | 2 ++
 mgr.Dockerfile | 12 +++++++-----
 webdb.Dockerfile | 12 +++++++-----
 5 files changed, 25 insertions(+), 15 deletions(-)
diff --git a/cats.Dockerfile b/cats.Dockerfile
index 870ce48..3958ac8 100644
--- a/cats.Dockerfile
+++ b/cats.Dockerfile
@@ -11,9 +11,10 @@ RUN apt-get update \
 nullmailer \
 php5-mysql \
 && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
-
-STOPSIGNAL SIGWINCH
+ && rm -rf /var/lib/apt/lists/* \
+ && curl --silent --location --output /usr/local/bin/dumb-init \
https://github.com/Yelp/dumb-init/releases/download/v1.2.4/dumb-init_1.2.4_x86_64 \
+ && chmod +x /usr/local/bin/dumb-init
 COPY docker/apache-cats-foreground /usr/local/bin/
 COPY testca/root/ca.crt.pem /usr/local/share/ca-certificates/testca_root.crt
@@ -33,10 +34,11 @@ RUN a2ensite cats.cacert.localhost ; \
 a2enmod rewrite ; \
 a2enmod ssl ; \
 cd /usr/local/share/ca-certificates ; \
- curl -O http://www.cacert.org/certs/root_X0F.crt ; \
- curl -O http://www.cacert.org/certs/class3_X0E.crt ; \
+ curl --silent --remote-name http://www.cacert.org/certs/root_X0F.crt ; \
+ curl --silent --remote-name http://www.cacert.org/certs/class3_X0E.crt ; \
 update-ca-certificates
 EXPOSE 443
+ENTRYPOINT ["/usr/local/bin/dumb-init", "--"]
 CMD ["/usr/local/bin/apache-cats-foreground"]
diff --git a/docker/run-dovecot b/docker/run-dovecot
index 31b9b37..bcabcf8 100755
--- a/docker/run-dovecot
+++ b/docker/run-dovecot
@@ -7,4 +7,6 @@ chmod 0640 /etc/dovecot/imap_user.txt
 chown dovecot.dovecot /etc/dovecot/imap_user.txt
 echo "log_path = /dev/stderr" > /etc/dovecot/local.conf
+trap "exit 0" TERM INT
+
 dovecot -F
diff --git a/docker/run-postfix b/docker/run-postfix
index b9836f8..dba3653 100755
--- a/docker/run-postfix
+++ b/docker/run-postfix
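Review bot: The new `curl --silent --location --output /usr/local/bin/dumb-init https://github.com/...` fetches the binary that the second hunk makes PID 1 of the image without checking what was downloaded: there is no `--fail`, so a non-2xx response body (an HTML error page) is written to the path, `chmod +x` succeeds and the build passes with an entrypoint that cannot run, and there is no checksum, so the build trusts whatever the release host returns at build time. Add `--fail` to the curl line and verify the published checksum before making it executable, e.g. `&& echo "<SHA256_FROM_RELEASE_PAGE>  /usr/local/bin/dumb-init" | sha256sum -c - \` with the value taken from the v1.2.4 release page rather than guessed. The identical lines are added in the mgr.Dockerfile and webdb.Dockerfile hunks of this patch.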
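Review bot: `curl --silent --remote-name http://www.cacert.org/certs/root_X0F.crt ; \` now suppresses curl's progress and error output but still has no `--fail`, so an HTTP error body would be saved as root_X0F.crt and handed to `update-ca-certificates`, and with `--silent` the build log no longer shows that anything went wrong. Since these files become trust anchors inside the image, use `curl --silent --show-error --fail --remote-name ...` on both lines, and consider checking the downloaded certificates' fingerprints against a value recorded in the repository, because a plain-http download gives no integrity guarantee (the fetch itself predates this commit; the hunk only rewrites the two lines). The same two lines are changed in the mgr.Dockerfile and webdb.Dockerfile hunks.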
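Review bot: `trap "exit 0" TERM INT` followed by a foreground `dovecot -F` does not give a clean stop: the shell is the process that receives the container's stop signal, and POSIX shells run a trap only after the foreground command they are waiting for has completed, so dovecot, which never received the signal itself, keeps running until the runtime's stop timeout kills the process group. Replacing the last line with `exec dovecot -F` hands PID 1 to dovecot so it receives the signal directly, and the trap line becomes unnecessary. If the dovecot image is started through an init that signals the whole process group, as the dumb-init entrypoint in this series does for the Apache images, the effect is masked, but those Dockerfiles are not in this diff so I cannot tell. The run-postfix hunk has the same pattern and would take `exec postfix start-fg`.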
@@ -4,4 +4,6 @@ set -eu
 mkdir -p /home/catchall/Maildir/tmp /home/catchall/Maildir/new /home/catchall/Maildir/cur
 chown -Rc catchall.catchall /home/catchall/Maildir
+trap "exit 0" INT TERM
+
 postfix start-fg
diff --git a/mgr.Dockerfile b/mgr.Dockerfile
index e258fc3..46151f9 100644
--- a/mgr.Dockerfile
+++ b/mgr.Dockerfile
@@ -14,9 +14,10 @@ RUN apt-get update \
 php5-mysql \
 zendframework \
 && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
-
-STOPSIGNAL SIGWINCH
+ && rm -rf /var/lib/apt/lists/* \
+ && curl --silent --location --output /usr/local/bin/dumb-init \
https://github.com/Yelp/dumb-init/releases/download/v1.2.4/dumb-init_1.2.4_x86_64 \
+ && chmod +x /usr/local/bin/dumb-init
 COPY docker/apache-mgr-foreground /usr/local/bin/
 COPY testca/root/ca.crt.pem /usr/local/share/ca-certificates/testca_root.crt
@@ -37,10 +38,11 @@ RUN a2ensite mgr.cacert.localhost ; \
 a2enmod rewrite ; \
 a2enmod ssl ; \
 cd /usr/local/share/ca-certificates ; \
- curl -O http://www.cacert.org/certs/root_X0F.crt ; \
- curl -O http://www.cacert.org/certs/class3_X0E.crt ; \
+ curl --silent --remote-name http://www.cacert.org/certs/root_X0F.crt ; \
+ curl --silent --remote-name http://www.cacert.org/certs/class3_X0E.crt ; \
 update-ca-certificates
 EXPOSE 443
+ENTRYPOINT ["/usr/local/bin/dumb-init", "--"]
 CMD ["/usr/local/bin/apache-mgr-foreground"]
diff --git a/webdb.Dockerfile b/webdb.Dockerfile
index 5e3e5bd..fd3ff3d 100644
--- a/webdb.Dockerfile
+++ b/webdb.Dockerfile
@@ -37,9 +37,10 @@ RUN apt-get update \
 wamerican \
 whois \
 && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
-
-STOPSIGNAL SIGWINCH
+ && rm -rf /var/lib/apt/lists/* \
+ && curl --silent --location --output /usr/local/bin/dumb-init \
https://github.com/Yelp/dumb-init/releases/download/v1.2.4/dumb-init_1.2.4_x86_64 \
+ && chmod +x /usr/local/bin/dumb-init
 COPY docker/apache-webdb-foreground /usr/local/bin/
 COPY testca/root/ca.crt.pem /usr/local/share/ca-certificates/testca_root.crt
@@ -64,11 +65,12 @@ RUN a2ensite www.cacert.localhost ; \
 a2enmod ssl ; \
 ln -s /etc/php5/mods-available/cacert.ini /etc/php5/apache2/conf.d/20-cacert.ini ; \
 cd /usr/local/share/ca-certificates ; \
- curl -O http://www.cacert.org/certs/root_X0F.crt ; \
- curl -O http://www.cacert.org/certs/class3_X0E.crt ; \
+ curl --silent --remote-name http://www.cacert.org/certs/root_X0F.crt ; \
+ curl --silent --remote-name http://www.cacert.org/certs/class3_X0E.crt ; \
 update-ca-certificates
 EXPOSE 80
 EXPOSE 443
+ENTRYPOINT ["/usr/local/bin/dumb-init", "--"]
 CMD ["/usr/local/bin/apache-webdb-foreground"]
From 7681876e106b689425e36af6e1b21919cba72f1c Mon Sep 17 00:00:00 2001
From: Jan Dittberner
Date: Sun, 27 Dec 2020 20:07:19 +0100
Subject: [PATCH 7/9] Fix Perl::Critic warnings in server.pl
---
 .editorconfig | 4 +---
 signer.Dockerfile | 1 +
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/.editorconfig b/.editorconfig
index 0ae10fe..ef61af0 100644
--- a/.editorconfig
+++ b/.editorconfig
@@ -34,9 +34,7 @@ ij_css_use_double_quotes = true
 ij_css_value_alignment = do_not_align
 [{*.pl,*.pm}]
-indent_size = 2
-tab_width = 2
-ij_continuation_indent_size = 2
+ij_continuation_indent_size = 4
 ij_perl5_align_attributes = false
 ij_perl5_align_comments_on_consequent_lines = true
 ij_perl5_align_consecutive_assignments = 0
diff --git a/signer.Dockerfile b/signer.Dockerfile
index 448dff2..6e4a0ab 100644
--- a/signer.Dockerfile
+++ b/signer.Dockerfile
@@ -7,6 +7,7 @@ RUN apt-get update \
 libdevice-serialport-perl \
 libdigest-sha-perl \
 libfile-counterfile-perl \
+ libreadonly-perl \
 openssl \
 perl \
 socat \
From dc9bef99483676f83455444535625c8035f35ebe Mon Sep 17 00:00:00 2001
From: Jan Dittberner
Date: Mon, 28 Dec 2020 11:09:46 +0100
Subject: [PATCH 8/9] Implement perl::critic suggestions in client.pl
This commit implements refactorings to partially satisfy perl::critic. The refactored code requires the Readonly Perl library.
---
 signer_client.Dockerfile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/signer_client.Dockerfile b/signer_client.Dockerfile
index b0d4ab3..663cd69 100644
--- a/signer_client.Dockerfile
+++ b/signer_client.Dockerfile
@@ -12,6 +12,7 @@ RUN apt-get update \
 libdbi-perl \
 libdevice-serialport-perl \
 libfile-counterfile-perl \
+ libreadonly-perl \
 openssl \
 perl \
 socat \
From 5c924ee206b8d49b7208ef2dca21a80c48640ac5 Mon Sep 17 00:00:00 2001
From: Jan Dittberner
Date: Mon, 28 Dec 2020 20:12:15 +0100
Subject: [PATCH 9/9] Install libemail-mime-perl in signer_client image
---
 docker-compose.yml | 1 -
 signer_client.Dockerfile | 1 +
 2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index e09ed8c..67cab0e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -95,7 +95,6 @@ services:
 environment:
 MYSQL_WEBDB_HOSTNAME: db
 MYSQL_WEBDB_DATABASE: cacert
-CSR_DIRECTORY: /srv/certs/csr
 CRT_DIRECTORY: /srv/certs/crt
 CRL_DIRECTORY: /srv/certs/crl
 SMTP_HOST: smtp
diff --git a/signer_client.Dockerfile b/signer_client.Dockerfile
index 663cd69..577c018 100644
--- a/signer_client.Dockerfile
+++ b/signer_client.Dockerfile
@@ -11,6 +11,7 @@ RUN apt-get update \
 libdbd-mysql-perl \
 libdbi-perl \
 libdevice-serialport-perl \
+ libemail-mime-perl \
 libfile-counterfile-perl \
 libreadonly-perl \
 openssl \