From 8ac9692667c636f7a4b2183f96271216e267c946 Mon Sep 17 00:00:00 2001 From: tresf Date: Mon, 24 Apr 2017 13:53:22 -0400 Subject: [PATCH] Add Chrome 58, Firefox ESR support Cert was missing subjectAltName for newer Chrome versions. Firefox ESR uses different registry keys. --- ant/apple/apple-keygen.sh.in | 2 + ant/linux/linux-keygen.sh.in | 3 ++ ant/self-sign.properties | 3 +- ant/windows/windows-keygen.js.in | 63 +++++++++++++++++++------------- 4 files changed, 45 insertions(+), 26 deletions(-) diff --git a/ant/apple/apple-keygen.sh.in b/ant/apple/apple-keygen.sh.in index fb27359..1089e78 100644 --- a/ant/apple/apple-keygen.sh.in +++ b/ant/apple/apple-keygen.sh.in @@ -97,6 +97,8 @@ function remove_certs { if [ -n "$2" ]; then cname="${jks.cn}" makekeystore=$(echo "$makekeystore" | sed -e "s|$cname|$2|g") + san=" -ext san=dns:${jks.cn},dns:${jks.cnalt}" + makekeystore=$(echo "$makekeystore" | sed -e "s|$san||g") fi # diff --git a/ant/linux/linux-keygen.sh.in b/ant/linux/linux-keygen.sh.in index 2fd5021..212d782 100644 --- a/ant/linux/linux-keygen.sh.in +++ b/ant/linux/linux-keygen.sh.in @@ -39,7 +39,10 @@ makekeystore="${makekeystore/$keystore/$keystorepath}" if [ -n "$1" ]; then cname="CN=${jks.cn}," override="CN=$1," + san=" -ext san=dns:${jks.cn},dns:${jks.cnalt}" + blank="" makekeystore="${makekeystore/$cname/$override}" + makekeystore="${makekeystore/$san/$blank}" fi # Cert export variable substitutions diff --git a/ant/self-sign.properties b/ant/self-sign.properties index fe9325a..6e9e061 100644 --- a/ant/self-sign.properties +++ b/ant/self-sign.properties @@ -1,6 +1,7 @@ # Platform-independent info used at install time for wss:// signing # Values prefixed with an !exclamation-mark can't be determined until install time jks.cn=localhost +jks.cnalt=localhost.qz.io jks.city=Canastota jks.state=NY jks.country=US 
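Review bot: When a hostname override is passed in `$2`, the two added lines strip the `-ext san=...` argument instead of rewriting it, so the override certificate is generated with no subjectAltName at all, which is the condition the commit message says newer Chrome rejects. The linux-keygen.sh.in hunk (`${makekeystore/$san/$blank}`) and the `createJavaKeystore` hunk in windows-keygen.js.in do the same. Consider substituting the override into the extension rather than deleting it, e.g. `sanalt=" -ext san=dns:$2"` followed by `makekeystore=$(echo "$makekeystore" | sed -e "s|$san|$sanalt|g")`. An IP-address override would need keytool's `ip:` form, and `$2` should be checked to be a plain host name or address before it is spliced into the command. The enclosing `if` sits in code that starts and ends outside the hunk.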
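Review bot: `jks.cnalt` is added without a comment saying what the name is for or where it must resolve, although every default certificate will now list it in subjectAltName. A line above it such as `# Second DNS name written to the certificate's subjectAltName; expected to resolve to the local machine` would tell anyone changing `jks.cn` that this value has to be reviewed with it. The resolution target is not visible on this page, so the author should confirm that wording.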
@@ -18,7 +19,7 @@ jks.host=0.0.0.0 jks.keystore=${jks.install}/auth/${build.socket.name}.jks jks.keytool=keytool -jks.command=\\"${jks.keytool}\\" -genkey -noprompt -alias ${jks.alias} -keyalg RSA -keysize 2048 -dname \\"CN=${jks.cn}, EMAILADDRESS=${vendor.email}, OU=${jks.company}, O=${jks.company}, L=${jks.city}, S=${jks.state}, C=${jks.country}\\" -validity ${jks.validity} -keystore \\"${jks.keystore}\\" -storepass ${jks.storepass} -keypass ${jks.keypass} +jks.command=\\"${jks.keytool}\\" -genkey -noprompt -alias ${jks.alias} -keyalg RSA -keysize 2048 -dname \\"CN=${jks.cn}, EMAILADDRESS=${vendor.email}, OU=${jks.company}, O=${jks.company}, L=${jks.city}, S=${jks.state}, C=${jks.country}\\" -validity ${jks.validity} -keystore \\"${jks.keystore}\\" -storepass ${jks.storepass} -keypass ${jks.keypass} -ext san=dns:${jks.cn},dns:${jks.cnalt} der.cert=${jks.install}/auth/${build.socket.name}.crt der.command=\\"${jks.keytool}\\" -exportcert -alias ${jks.alias} -keystore \\"${jks.keystore}\\" -storepass ${jks.storepass} -keypass ${jks.keypass} -file \\"${der.cert}\\" -rfc diff --git a/ant/windows/windows-keygen.js.in b/ant/windows/windows-keygen.js.in index bd5dbe2..b2ecae5 100644 --- a/ant/windows/windows-keygen.js.in +++ b/ant/windows/windows-keygen.js.in @@ -43,9 +43,10 @@ var qzInstall = getArg(0, getRegValue("HKLM\\Software\\${socket.name}\\")); var installMode = getArg(1, "install"); var cn = getArg(2, "${jks.cn}"); var firefoxPortable = getArg(3, null); +var firefoxInstall; if (installMode == "install") { - var javaKey, jreHome, keyTool, keyStore, password, derCert, firefoxInstall; + var javaKey, jreHome, keyTool, keyStore, password, derCert; if (createJavaKeystore()) { try { installWindowsCertificate(); } catch (err) { installWindowsXPCertificate(); } 
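Review bot: The SAN argument is appended to `jks.command` as a literal, and the three keygen scripts in this patch each re-spell the same literal, leading space included, to find and strip it. Any later edit to the spacing, order or number of names here makes those exact-match removals silently stop matching, which would leave the default names in the SAN of a certificate issued for a different CN. Defining it once, e.g. `jks.san=-ext san=dns:${jks.cn},dns:${jks.cnalt}` with the command ending in ` ${jks.san}`, would let the scripts reference the property instead of a copy.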
@@ -55,13 +56,10 @@ if (installMode == "install") { "The installer will continue, but ${socket.name} will not function with Firefox until this conflict is resolved.", "Firefox AutoConfig Warning"); } else { - if (firefoxInstall) { - installFirefoxCertificate(); - } + installFirefoxCertificate(); } } } else { - var firefoxInstall; try { deleteWindowsCertificate(); } catch (err) { deleteWindowsXPCertificate(); } deleteFirefoxCertificate(); @@ -86,24 +84,27 @@ function deleteFile(filePath) { * Generates a random string to be used as a password */ function pw() { - var text = ""; + if (password) { + return password; + } + password = ""; var chars = "abcdefghijklmnopqrstuvwxyz0123456789"; for( var i=0; i < parseInt("${jks.passlength}"); i++ ) { - text += chars.charAt(Math.floor(Math.random() * chars.length)); - } - return text; + password += chars.charAt(Math.floor(Math.random() * chars.length)); + } + return password; } /** * Reads a registry value, taking 32-bit/64-bit architecture into consideration */ -function getRegValue(path) { +function getRegValue(path) { // If 64-bit OS, try 32-bit registry first var arch = ""; if (shell.ExpandEnvironmentStrings("ProgramFiles(x86)")) { path = path.replace("\\Software\\", "\\Software\\Wow6432Node\\"); } - + var regValue = ""; try { regValue = shell.RegRead(path); @@ -134,8 +135,9 @@ function verifyExec(cmd, msg) { /** * Replaces "!install" with proper location, usually "C:\Program Files\", fixes forward slashes */ -function fixPath(append) { - return append.replace("${jks.install}", qzInstall).replace(/\//g, "\\"); +function fixPath(path) { + var removeTrailing = qzInstall.replace(/\\$/, "").replace(/\/$/, ""); + return path.replace("${jks.install}", removeTrailing).replace(/\//g, "\\"); } /** 
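Review bot: The rewritten `pw()` still derives the keystore and key password from `Math.random()`, which is not a cryptographic generator, over a 36-character alphabet. That password protects the private key behind the certificate this script registers with Windows and Firefox, so it should come from an OS-backed random source if the script host offers one. Failing that, a comment such as `// Math.random() is not a CSPRNG; the keystore must also be protected by file permissions` would record the limitation. Separately, `parseInt("${jks.passlength}")` has no radix, and a non-numeric value leaves `password` as `""`, which the new `if (password)` check treats as unset and which yields an empty password without any error.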
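Review bot: In the new `fixPath`, `removeTrailing` is passed to `replace` as a replacement string, where `$`-sequences such as `$&` are interpreted rather than copied, so an install path containing `$` could be altered. Passing a function, `path.replace("${jks.install}", function () { return removeTrailing; })`, copies it literally. The two chained calls that build `removeTrailing` also strip at most one `\` and then one `/`, so a doubled trailing separator keeps one; `qzInstall.replace(/[\\\/]+$/, "")` removes the whole run.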
@@ -216,19 +218,18 @@ function createJavaKeystore() { die("Can't find ${socket.name} installation path. Secure websockets will not work.", "${windows.err.install}"); } - keyStore = fixPath("${jks.keystore}"); - password = pw(); // random password hash var makeKeyStore = "${jks.command}" - .replace("${jks.keytool}", keyTool) - .replace("${jks.keystore}", keyStore) - .replace("${jks.storepass}", password) - .replace("${jks.keypass}", password); + .replace("${jks.keytool}", keyTool) + .replace("${jks.keystore}", keyStore) + .replace("${jks.storepass}", pw()) + .replace("${jks.keypass}", pw()); // Handle CN=${jks.cn} override if (cn != "${jks.cn}") { makeKeyStore = makeKeyStore.replace("CN=${jks.cn},", "CN=" + cn + ","); + makeKeyStore = makeKeyStore.replace(" -ext san=dns:${jks.cn},dns:${jks.cnalt}", ""); } deleteFile(keyStore); // remove old, if exists @@ -239,8 +240,8 @@ function createJavaKeystore() { var file = fso.OpenTextFile(fixPath("${jks.properties}"), 2, true); file.WriteLine("wss.alias=" + "${jks.alias}"); file.WriteLine("wss.keystore=" + keyStore.replace(/\\/g, "\\\\")); - file.WriteLine("wss.keypass=" + password); - file.WriteLine("wss.storepass=" + password); + file.WriteLine("wss.keypass=" + pw()); + file.WriteLine("wss.storepass=" + pw()); file.WriteLine("wss.host=${jks.host}"); file.Close(); @@ -254,8 +255,8 @@ function installWindowsCertificate() { var makeDerCert = "${der.command}" .replace("${jks.keytool}", keyTool) .replace("${jks.keystore}", keyStore) - .replace("${jks.storepass}", password) - .replace("${jks.keypass}", password) + .replace("${jks.storepass}", pw()) + .replace("${jks.keypass}", pw()) .replace("${der.cert}", derCert); deleteFile(derCert); // remove old, if exists 
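Review bot: In the `@@ -239,8 +240,8 @@` hunk, `wss.keypass` and `wss.storepass` are written to the properties file in clear text via `pw()`, and nothing in this hunk restricts who can read that file afterwards. Because this file is what unlocks the keystore, the private key is only as protected as the file's permissions. If the installer does not already tighten them elsewhere, a step that limits read access to the users who run the software belongs after `file.Close()`. At minimum, a comment such as `// contains the keystore password in clear text; relies on install-directory permissions` would make the dependency explicit. The function body starts and ends outside the hunk.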
@@ -300,8 +301,16 @@ function getFirefoxInstall() { var firefoxKey = "HKLM\\Software\\Mozilla\\Mozilla Firefox"; var firefoxVer = getRegValue(firefoxKey + "\\"); if (!firefoxVer) { - debug(" - [skipped] Firefox was not detected"); - return false; + // Look for Extended Support Release + firefoxVer = getRegValue(firefoxKey + " ESR\\"); + if (firefoxVer) { + firefoxVer += " ESR"; + debug(" - [success] Found Firefox " + firefoxVer); + } + else { + debug(" - [skipped] Firefox was not detected"); + return false; + } } else { debug(" - [success] Found Firefox " + firefoxVer); } @@ -397,6 +406,10 @@ function deleteFirefoxCertificate() { * Install certificate for Mozilla Firefox browser, which utilizes its own cert database */ function installFirefoxCertificate() { + if (!firefoxInstall) { + debug("Skipping Firefox cert install..."); + return; + } debug("Registering with Firefox..."); var firefoxCfg = firefoxInstall + "\\..\\${firefoxconfig.name}";
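Review bot: In the `getFirefoxInstall` hunk, the ESR key is consulted only when the standard `Mozilla Firefox` key is absent, so on a machine with both a regular and an ESR install only the regular one is detected and, presumably, only it receives the certificate. If both should be handled, the lookup needs to collect every detected install rather than fall back, which reaches into the part of the function outside this hunk. If the fallback is intentional, a comment such as `// ESR is only used when no standard Firefox is registered` would say so. The duplicated `[success]` debug line could then be emitted once after the `if`.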