public inbox for pve-devel@lists.proxmox.com
* [pve-devel] [PATCH proxmox-acme] plugin-caller: add missing methods from acme.sh
@ 2021-07-15 13:56 Stoiko Ivanov
  2021-07-16 15:59 ` [pve-devel] applied: " Thomas Lamprecht
  0 siblings, 1 reply; 2+ messages in thread
From: Stoiko Ivanov @ 2021-07-15 13:56 UTC (permalink / raw)
  To: pve-devel

As reported in our community forum [0] certain dns plugins use code
from `acme.sh`, which is currently not in our proxmox-acme.

I initially only added _sign and its callees, but then thought about
trying to get all missing methods somehow (only resethttp() was
missing in addition).

The heuristic used to get all missing methods was grepping for '\b_'
in all dns plugins and then removing:
* declarations in proxmox_acme (already present)
* methods declared in the plugins themselves
* $_.* (or ${_.*) - variable use
* comments

in shell:
```
present=$(awk 'BEGIN{ORS="|";} /^_/{ gsub(/\(\) {/, ""); print $0}' \
  src/proxmox-acme | sed -r 's/\|$//')
local=$(awk 'BEGIN{ORS="|";} /^_/{ gsub(/\(\) {/, ""); print $0}' \
  src/acme.sh/dnsapi/dns*.sh | sed -r 's/\|$//')
grep '\b_' src/acme.sh/dnsapi/* | grep -Ev \
  "$present|$local|_[a-zA-Z0-9_-]+=|\\$\{?_|^src/acme.sh/dnsapi/.*sh:#"
```

[0] https://forum.proxmox.com/threads/proxmox-acme-with-transip-plugin-_sign-command-not-found.92582/

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
could not really test it - without transip account

 src/proxmox-acme | 114 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 114 insertions(+)

diff --git a/src/proxmox-acme b/src/proxmox-acme
index 4d249a7..9c55521 100644
--- a/src/proxmox-acme
+++ b/src/proxmox-acme
@@ -33,6 +33,11 @@ _digest() {
   fi
 }
 
+_usage() {
+  __red "$@" >&2
+  printf "\n" >&2
+}
+
 _upper_case() {
   # shellcheck disable=SC2018,SC2019
   tr 'a-z' 'A-Z'
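Review bot: `_usage` depends on `__red`, which is neither defined in this patch nor visible in the surrounding context lines; please confirm proxmox-acme already provides it, or copy it over together with `_usage`. Since `_usage` is only reached from the argument-check error path of `_sign`, a missing `__red` would surface there as a "command not found" that masks the real usage error.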
@@ -108,6 +113,115 @@ _egrep_o() {
   fi
 }
 
+_h2b() {
+  if _exists xxd; then
+    if _contains "$(xxd --help 2>&1)" "assumes -c30"; then
+      if xxd -r -p -c 9999 2>/dev/null; then
+        return
+      fi
+    else
+      if xxd -r -p 2>/dev/null; then
+        return
+      fi
+    fi
+  fi
+
+  hex=$(cat)
+  ic=""
+  jc=""
+  _debug2 _URGLY_PRINTF "$_URGLY_PRINTF"
+  if [ -z "$_URGLY_PRINTF" ]; then
+    if [ "$_ESCAPE_XARGS" ] && _exists xargs; then
+      _debug2 "xargs"
+      echo "$hex" | _upper_case | sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/g' | xargs printf
+    else
+      for h in $(echo "$hex" | _upper_case | sed 's/\([0-9A-F]\{2\}\)/ \1/g'); do
+        if [ -z "$h" ]; then
+          break
+        fi
+        printf "\x$h%s"
+      done
+    fi
+  else
+    for c in $(echo "$hex" | _upper_case | sed 's/\([0-9A-F]\)/ \1/g'); do
+      if [ -z "$ic" ]; then
+        ic=$c
+        continue
+      fi
+      jc=$c
+      ic="$(_h_char_2_dec "$ic")"
+      jc="$(_h_char_2_dec "$jc")"
+      printf '\'"$(printf "%o" "$(_math "$ic" \* 16 + $jc)")""%s"
+      ic=""
+      jc=""
+    done
+  fi
+
+}
+
+#Usage: keyfile hashalg
+#Output: Base64-encoded signature value
+_sign() {
+  keyfile="$1"
+  alg="$2"
+  if [ -z "$alg" ]; then
+    _usage "Usage: _sign keyfile hashalg"
+    return 1
+  fi
+
+  _sign_openssl="${ACME_OPENSSL_BIN:-openssl} dgst -sign $keyfile "
+
+  if grep "BEGIN RSA PRIVATE KEY" "$keyfile" >/dev/null 2>&1 || grep "BEGIN PRIVATE KEY" "$keyfile" >/dev/null 2>&1; then
+    $_sign_openssl -$alg | _base64
+  elif grep "BEGIN EC PRIVATE KEY" "$keyfile" >/dev/null 2>&1; then
+    if ! _signedECText="$($_sign_openssl -sha$__ECC_KEY_LEN | ${ACME_OPENSSL_BIN:-openssl} asn1parse -inform DER)"; then
+      _err "Sign failed: $_sign_openssl"
+      _err "Key file: $keyfile"
+      _err "Key content:$(wc -l <"$keyfile") lines"
+      return 1
+    fi
+    _debug3 "_signedECText" "$_signedECText"
+    _ec_r="$(echo "$_signedECText" | _head_n 2 | _tail_n 1 | cut -d : -f 4 | tr -d "\r\n")"
+    _ec_s="$(echo "$_signedECText" | _head_n 3 | _tail_n 1 | cut -d : -f 4 | tr -d "\r\n")"
+    if [ "$__ECC_KEY_LEN" -eq "256" ]; then
+      while [ "${#_ec_r}" -lt "64" ]; do
+        _ec_r="0${_ec_r}"
+      done
+      while [ "${#_ec_s}" -lt "64" ]; do
+        _ec_s="0${_ec_s}"
+      done
+    fi
+    if [ "$__ECC_KEY_LEN" -eq "384" ]; then
+      while [ "${#_ec_r}" -lt "96" ]; do
+        _ec_r="0${_ec_r}"
+      done
+      while [ "${#_ec_s}" -lt "96" ]; do
+        _ec_s="0${_ec_s}"
+      done
+    fi
+    if [ "$__ECC_KEY_LEN" -eq "512" ]; then
+      while [ "${#_ec_r}" -lt "132" ]; do
+        _ec_r="0${_ec_r}"
+      done
+      while [ "${#_ec_s}" -lt "132" ]; do
+        _ec_s="0${_ec_s}"
+      done
+    fi
+    _debug3 "_ec_r" "$_ec_r"
+    _debug3 "_ec_s" "$_ec_s"
+    printf "%s" "$_ec_r$_ec_s" | _h2b | _base64
+  else
+    _err "Unknown key file format."
+    return 1
+  fi
+
+}
+
+#dummy function because proxmox-acme does not call inithttp
+_resethttp() {
+  :
+}
+
 # body  url [needbase64] [POST|PUT|DELETE] [ContentType]
 _post() {
   body="$1"
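Review bot: the EC branch of `_sign` reads `__ECC_KEY_LEN` (in `-sha$__ECC_KEY_LEN` and the three `[ "$__ECC_KEY_LEN" -eq ... ]` checks) but nothing in this patch sets it; if proxmox-acme never assigns it, an EC key file ends up at `openssl dgst -sign ... -sha` with no digest length and `[ "" -eq "256" ]` fails with "integer expression expected" instead of a clear error. Suggest deriving or defaulting the length before the branch, or returning 1 with `_err` when it is empty. Along the same lines, `_h2b` calls `_h_char_2_dec`, `_math`, `_debug2`, `_exists` and `_contains`, none of which appear in the hunk; the grep heuristic in the commit message only covers references made by the dnsapi plugins, not references made by the functions now copied from acme.sh, so it is worth checking those helpers exist in proxmox-acme as well.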
-- 
2.30.2

* [pve-devel] applied: [PATCH proxmox-acme] plugin-caller: add missing methods from acme.sh
  2021-07-15 13:56 [pve-devel] [PATCH proxmox-acme] plugin-caller: add missing methods from acme.sh Stoiko Ivanov
@ 2021-07-16 15:59 ` Thomas Lamprecht
  0 siblings, 0 replies; 2+ messages in thread
From: Thomas Lamprecht @ 2021-07-16 15:59 UTC (permalink / raw)
  To: Proxmox VE development discussion, Stoiko Ivanov

On 15.07.21 15:56, Stoiko Ivanov wrote:
> As reported in our community forum [0] certain dns plugins use code
> from `acme.sh`, which is currently not in our proxmox-acme.
> 
> I initially only added _sign and its callees, but then thought about
> trying to get all missing methods somehow (only resethttp() was
> missing in addition).
> 
> The heuristic used to get all missing methods was grepping for '\b_'
> in all dns plugins and then removing:
> * declarations in proxmox_acme (already present)
> * methods declared in the plugins themselves
> * $_.* (or ${_.*) - variable use
> * comments
> 
> in shell:
> ```
> present=$(awk 'BEGIN{ORS="|";} /^_/{ gsub(/\(\) {/, ""); print $0}' \
>   src/proxmox-acme | sed -r 's/\|$//')
> local=$(awk 'BEGIN{ORS="|";} /^_/{ gsub(/\(\) {/, ""); print $0}' \
>   src/acme.sh/dnsapi/dns*.sh | sed -r 's/\|$//')
> grep '\b_' src/acme.sh/dnsapi/* | grep -Ev \
>   "$present|$local|_[a-zA-Z0-9_-]+=|\\$\{?_|^src/acme.sh/dnsapi/.*sh:#"
> ```
> 

what a bit of awk and grep can do, nice! ;-)

> [0] https://forum.proxmox.com/threads/proxmox-acme-with-transip-plugin-_sign-command-not-found.92582/
> 
> Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> ---
> could not really test it - without transip account
> 
>  src/proxmox-acme | 114 +++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 114 insertions(+)
> 
>

applied, thanks!

