From: Stoiko Ivanov <s.ivanov@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH proxmox-acme] plugin-caller: add missing methods from acme.sh
Date: Thu, 15 Jul 2021 15:56:57 +0200 [thread overview]
Message-ID: <20210715135657.3424178-1-s.ivanov@proxmox.com> (raw)
As reported in our community forum [0] certain dns plugins use code
from `acme.sh`, which is currently not in our proxmox-acme.
I initially only added _sign and it's callees, but then though about
trying to get all missing methods somehow (only resethttp() was
missing in addition).
The heuristic used to get all missing methods was grepping for '\b_'
in all dns plugins and then removing:
* declarations in proxmox_acme (already present)
* methods declared in the plugins themselves
* $_.* (or ${_.*) - variable use
* comments
in shell:
```
present=$(awk 'BEGIN{ORS="|";} /^_/{ gsub(/\(\) {/, ""); print $0}' \
src/proxmox-acme | | sed -r 's/\|$//')
local=$(awk 'BEGIN{ORS="|";} /^_/{ gsub(/\(\) {/, ""); print $0}' \
src/acme.sh/dnsapi/dns*.sh | sed -r 's/\|$//')
grep '\b_' src/acme.sh/dnsapi/* | grep -Ev \
"$present|$local|_[a-zA-Z0-9_-]+=|\\$\{?_|^src/acme.sh/dnsapi/.*sh:#"
```
[0] https://forum.proxmox.com/threads/proxmox-acme-with-transip-plugin-_sign-command-not-found.92582/
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
could not really test it - without transip account
src/proxmox-acme | 114 +++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 114 insertions(+)
diff --git a/src/proxmox-acme b/src/proxmox-acme
index 4d249a7..9c55521 100644
--- a/src/proxmox-acme
+++ b/src/proxmox-acme
@@ -33,6 +33,11 @@ _digest() {
fi
}
+_usage() {
+ __red "$@" >&2
+ printf "\n" >&2
+}
+
_upper_case() {
# shellcheck disable=SC2018,SC2019
tr 'a-z' 'A-Z'
@@ -108,6 +113,115 @@ _egrep_o() {
fi
}
+_h2b() {
+ if _exists xxd; then
+ if _contains "$(xxd --help 2>&1)" "assumes -c30"; then
+ if xxd -r -p -c 9999 2>/dev/null; then
+ return
+ fi
+ else
+ if xxd -r -p 2>/dev/null; then
+ return
+ fi
+ fi
+ fi
+
+ hex=$(cat)
+ ic=""
+ jc=""
+ _debug2 _URGLY_PRINTF "$_URGLY_PRINTF"
+ if [ -z "$_URGLY_PRINTF" ]; then
+ if [ "$_ESCAPE_XARGS" ] && _exists xargs; then
+ _debug2 "xargs"
+ echo "$hex" | _upper_case | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/g' | xargs printf
+ else
+ for h in $(echo "$hex" | _upper_case | sed 's/\([0-9A-F]\{2\}\)/ \1/g'); do
+ if [ -z "$h" ]; then
+ break
+ fi
+ printf "\x$h%s"
+ done
+ fi
+ else
+ for c in $(echo "$hex" | _upper_case | sed 's/\([0-9A-F]\)/ \1/g'); do
+ if [ -z "$ic" ]; then
+ ic=$c
+ continue
+ fi
+ jc=$c
+ ic="$(_h_char_2_dec "$ic")"
+ jc="$(_h_char_2_dec "$jc")"
+ printf '\'"$(printf "%o" "$(_math "$ic" \* 16 + $jc)")""%s"
+ ic=""
+ jc=""
+ done
+ fi
+
+}
+
+#Usage: keyfile hashalg
+#Output: Base64-encoded signature value
+_sign() {
+ keyfile="$1"
+ alg="$2"
+ if [ -z "$alg" ]; then
+ _usage "Usage: _sign keyfile hashalg"
+ return 1
+ fi
+
+ _sign_openssl="${ACME_OPENSSL_BIN:-openssl} dgst -sign $keyfile "
+
+ if grep "BEGIN RSA PRIVATE KEY" "$keyfile" >/dev/null 2>&1 || grep "BEGIN PRIVATE KEY" "$keyfile" >/dev/null 2>&1; then
+ $_sign_openssl -$alg | _base64
+ elif grep "BEGIN EC PRIVATE KEY" "$keyfile" >/dev/null 2>&1; then
+ if ! _signedECText="$($_sign_openssl -sha$__ECC_KEY_LEN | ${ACME_OPENSSL_BIN:-openssl} asn1parse -inform DER)"; then
+ _err "Sign failed: $_sign_openssl"
+ _err "Key file: $keyfile"
+ _err "Key content:$(wc -l <"$keyfile") lines"
+ return 1
+ fi
+ _debug3 "_signedECText" "$_signedECText"
+ _ec_r="$(echo "$_signedECText" | _head_n 2 | _tail_n 1 | cut -d : -f 4 | tr -d "\r\n")"
+ _ec_s="$(echo "$_signedECText" | _head_n 3 | _tail_n 1 | cut -d : -f 4 | tr -d "\r\n")"
+ if [ "$__ECC_KEY_LEN" -eq "256" ]; then
+ while [ "${#_ec_r}" -lt "64" ]; do
+ _ec_r="0${_ec_r}"
+ done
+ while [ "${#_ec_s}" -lt "64" ]; do
+ _ec_s="0${_ec_s}"
+ done
+ fi
+ if [ "$__ECC_KEY_LEN" -eq "384" ]; then
+ while [ "${#_ec_r}" -lt "96" ]; do
+ _ec_r="0${_ec_r}"
+ done
+ while [ "${#_ec_s}" -lt "96" ]; do
+ _ec_s="0${_ec_s}"
+ done
+ fi
+ if [ "$__ECC_KEY_LEN" -eq "512" ]; then
+ while [ "${#_ec_r}" -lt "132" ]; do
+ _ec_r="0${_ec_r}"
+ done
+ while [ "${#_ec_s}" -lt "132" ]; do
+ _ec_s="0${_ec_s}"
+ done
+ fi
+ _debug3 "_ec_r" "$_ec_r"
+ _debug3 "_ec_s" "$_ec_s"
+ printf "%s" "$_ec_r$_ec_s" | _h2b | _base64
+ else
+ _err "Unknown key file format."
+ return 1
+ fi
+
+}
+
+#dummy function because proxmox-acme does not call inithttp
+_resethttp() {
+ :
+}
+
# body url [needbase64] [POST|PUT|DELETE] [ContentType]
_post() {
body="$1"
--
2.30.2
next reply other threads:[~2021-07-15 13:57 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-15 13:56 Stoiko Ivanov [this message]
2021-07-16 15:59 ` [pve-devel] applied: " Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210715135657.3424178-1-s.ivanov@proxmox.com \
--to=s.ivanov@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox