Fix SSL connections on Firefox 54+ (qzind#201)

* Fix SSL connections on Firefox 54+
Closes qzind#200

Author: tresf

ant/apple/apple-keygen.sh.in

@@ -7,241 +7,208 @@
 #    2. Exports public certificate from Java Keystore                                    #
 #    3. Imports into Apple OS X Trusted Root Certs                                       #
 #                                                                                        #
-#       Note:  If [sslcert] and [sslkey] are specified, import to browser/OS is omitted. #
+#       Note:  If [trustedcert] and [trustedkey] are specified, import to browser/OS is  #
+#              omitted.                                                                  #
 #                                                                                        #
 #  Depends:                                                                              #
 #    java                                                                                #
 #                                                                                        #
 #  Optional:                                                                             #
-#    openssl - Required if providing [sslcert], [sslkey] parameters                      #
+#    openssl - Required if providing [trustedcert], [trustedkey] parameters              #
 #                                                                                        #
 #  Usage:                                                                                #
-#    $ ./${apple.keygen.name} "install" [hostname] [sslcert] [sslkey]                    #
+#    $ ./${apple.keygen.name} "install" [hostname] [trustedcert] [trustedkey]            #
 #    $ ./${apple.keygen.name} "uninstall"                                                #
 #                                                                                        #
 ##########################################################################################
 
-# Random password hash
-password=$(cat /dev/urandom | env LC_CTYPE=C tr -dc 'a-z0-9' | fold -w ${jks.passlength} | head -n 1)
-
-# Check for java
-${apple.jvmver} > /dev/null 2>&1
-fallback=$?
+# Handle CN=${ssl.cn} override
+cnoverride="$2"
 
-#
 # Handle trusted ssl certificate
 if [[ -n $3 && -n $4 ]]; then
-    sslcertpath="$3"
-    sslkeypath="$4"
-    makekeystore="${ssl.convert}"
-else
-    makekeystore="${jks.command}"
-fi
-
-
-makedercert="${der.command}"
-installdir="${apple.installdir}"
-
-# Substitution variables (!storepass, !keypass, !install, etc)
-install="${jks.install}"
-storepass="${jks.storepass}"
-keypass="${jks.keypass}"
-keystore="${jks.keystore}"
-dercert="${der.cert}"
-props="${jks.properties}"
-keytool="${jks.keytool}"
-keytoolfallback="${apple.jvmfallback}/${jks.keytool}"
-
-# Keystore generation variable substitutions
-keystorepath=$(echo "$keystore" | sed -e "s|$install|$installdir|g")
-makekeystore=$(echo "$makekeystore" | sed -e "s|$storepass|$password|g")
-makekeystore=$(echo "$makekeystore" | sed -e "s|$keypass|$password|g")
-makekeystore=$(echo "$makekeystore" | sed -e "s|$keystore|$keystorepath|g")
-
-
-if [ $fallback -eq 0 ]; then
-    # Prefix with java_home --exec
-	makekeystore="${apple.jvmcmd} $makekeystore"
-else
-    # Fallback on Internet Plug-Ins version if needed
-	makekeystore=$(echo "$makekeystore" | sed -e "s|$keytool|$keytoolfallback|g")
+    trustedcertpath="$3"
+    trustedkeypath="$4"
 fi
 
-# Cert export variable substitutions
-dercertpath=$(echo "$dercert" | sed -e "s|$install|$installdir|g")
-makedercert=$(echo "$makedercert" | sed -e "s|$storepass|$password|g")
-makedercert=$(echo "$makedercert" | sed -e "s|$keypass|$password|g")
-makedercert=$(echo "$makedercert" | sed -e "s|$keystore|$keystorepath|g")
-makedercert=$(echo "$makedercert" | sed -e "s|$dercert|$dercertpath|g")
+# Random password hash
+password=$(cat /dev/urandom | env LC_CTYPE=C tr -dc 'a-z0-9' | fold -w ${ssl.passlength} | head -n 1)
 
-if [ $fallback -eq 0 ]; then
+if ${apple.jvmver} > /dev/null 2>&1; then
     # Prefix with java_home --exec
-	makedercert="${apple.jvmcmd} $makedercert"
+    keytoolcmd="${apple.jvmcmd} keytool"
 else
     # Fallback on Internet Plug-Ins version if needed
-	makedercert=$(echo "$makedercert" | sed -e "s|$keytool|$keytoolfallback|g")
-fi
-
-# // Handle "community" mode, custom signing auth cert
-if [ -n "${build.type}" ]; then
-    authcert="${authcert.install}"
-    authcertpath=$(echo "$authcert" | sed -e "s|$install|$installdir|g")
+    keytoolcmd="${apple.jvmfallback}/keytool"
 fi
 
+# Check for IPv4 address
+function ip4 {
+    if [[ $1 =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
+        return 0
+    fi
+    return 1
+}
 
-# Property file containing jks signing info
-propspath=$(echo "$props" | sed -e "s|$install|$installdir|g")
-
-# Convert trusted SSL cert to jks
-function create_pkcs12 {
-    echo "Creating PKCS12 keypair..."
-    keypair="${ssl.keypair}"
-    sslcert="${ssl.cert}"
-    sslkey="${ssl.key}"
-    generated="${ssl.command}"
-
-    keypairpath=$(echo "$keypair" | sed -e "s|$install|$installdir|g")
-    generated=$(echo "$generated" | sed -e "s|$keypair|$keypairpath|g")
-    generated=$(echo "$generated" | sed -e "s|$sslcert|$sslcertpath|g")
-    generated=$(echo "$generated" | sed -e "s|$sslkey|$sslkeypath|g")
-    generated=$(echo "$generated" | sed -e "s|$keypass|$password|g")
-
-    makekeystore=$(echo "$makekeystore" | sed -e "s|$keypair|$keypairpath|g")
-
-    eval "$generated" > /dev/null 2>&1
-    check_exists "$keypairpath"
-
-    if [ $? -ne 0 ]; then
-        echo "Error creating PKCS12 keypair from $sslcertpath, $sslkeypath to $keypairpath"
-        echo -e "${bash.failure}\n"
-        exit 1
+# Replace all install-time variables
+function replace_vars {
+    cmd=$(echo "$1" | sed -e "s|\"keytool\"|$keytoolcmd|g")
+
+    # Handle CN=${ssl.cn} override
+    if [ -n "$cnoverride" ]; then
+        cmd=$(echo "$cmd" | sed -e "s|CN=${ssl.cn},|CN=$cnoverride,|g")
+        if ip4 "$cnoverride"; then
+            cmd=$(echo "$cmd" | sed -e "s|san=dns:${ssl.cn},|san=ip:$cnoverride,|g")
+        else
+            cmd=$(echo "$cmd" | sed -e "s|san=dns:${ssl.cn},|san=dns:$cnoverride,|g")
+        fi
+        # Remove dangling san
+        cmd=$(echo "$cmd" | sed -e "s|,dns:${ssl.cnalt}||g")
     fi
 
-    # Remove lingering self-signed certs
-    rm "$dercertpath" > /dev/null 2>&1
+    cmd=$(echo "$cmd" | sed -e "s|\!install|${apple.installdir}|g")
+    cmd=$(echo "$cmd" | sed -e "s|\!storepass|$password|g")
+    cmd=$(echo "$cmd" | sed -e "s|\!keypass|$password|g")
+    cmd=$(echo "$cmd" | sed -e "s|\!sslcert|$trustedcertpath|g")
+    cmd=$(echo "$cmd" | sed -e "s|\!sslkey|$trustedkeypath|g")
 
+    echo "$cmd"
     return 0
 }
 
+# Handle "community" mode, custom signing auth cert
+if [ -n '${build.type}' ]; then
+    authcertpath=$(echo "${authcert.install}" | sed -e "s|\!install|${apple.installdir}|g")
+fi
+
 # Write out the secure websocket properties file
 function write_properties {
-    echo "Writing properties file..."
-    echo "wss.alias=${jks.alias}" > "$propspath"
+    propspath=$(echo "$1" | sed -e "s|\!install|${apple.installdir}|g")
+    keystorepath=$(echo "${ssl.jks}" | sed -e "s|\!install|${apple.installdir}|g")
+    echo "wss.alias=${ssl.alias}" > "$propspath"
     echo "wss.keystore=$keystorepath" >> "$propspath"
     echo "wss.keypass=$password" >> "$propspath"
     echo "wss.storepass=$password" >> "$propspath"
-    echo "wss.host=${jks.host}" >> "$propspath"
+    echo "wss.host=${ssl.host}" >> "$propspath"
     if [ -n "$authcertpath" ]; then
         echo "authcert.override=$authcertpath" >> "$propspath"
     fi
     echo "" >> "$propspath"
-    check_exists  "$propspath"
+    check_exists "$propspath"
     return $?
 }
 
-# Check to see if file exists
+# Delete a file if exists
+function delete_file {
+    testfile=$(echo "$1" | sed -e "s|\!install|${apple.installdir}|g")
+    rm -f "$testfile" > /dev/null 2>&1
+    return 0
+}
+
+# Check to see if file exists with optional message
 function check_exists {
-    if [ -e "$1" ]; then
-        echo -e "${bash.success}\n"
+    testfile=$(echo "$1" | sed -e "s|\!install|${apple.installdir}|g")
+    if [ -e "$testfile" ]; then
+        if [ -n "$2" ]; then
+            echo -e "${bash.success} $2 $testfile"
+        else
+            echo -e "${bash.success} $testfile"
+        fi
         return 0
     fi
-    echo -e "${bash.failure}\n"
+    echo -e "${bash.failure} $testfile"
     return 1
 }
 
 # Remove all matching system certificates
 function remove_certs {
-	hash=$(security find-certificate -e "${vendor.email}" -Z |grep ^SHA-1|rev|cut -d' ' -f1|rev)
-	if [ -n "$hash" ]; then
-		security delete-certificate -Z "$hash" > /dev/null 2>&1
-		# Recurse on self
-		remove_certs
-		return 0
+    if security find-certificate -e "${vendor.email}" -Z  > /dev/null 2>&1; then
+        echo -e "${bash.success} Found certificate matching ${vendor.email}"
+        hash=$(security find-certificate -e "${vendor.email}" -Z |grep ^SHA-1|rev|cut -d' ' -f1|rev)
+        if [ -n "$hash" ]; then
+            # Remove and recurse
+            security delete-certificate -Z "$hash" > /dev/null 2>&1 && remove_certs
+        fi
+    else
+        echo -e "${bash.success} No more matching certificates found"
 	fi
-	# No certs found, exit
-	return 1
+
+    return 0
 }
 
-# Check for IPv4 address
-function ip4 {
-    if [[ $1 =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
-        return 0
+# Runs a steps, optionally checks for a file
+# e.g: run_step "Description" "ls -al *.txt > ./out" "./out"
+function run_step {
+    if eval "$(replace_vars "$2") > /dev/null 2>&1"; then
+        if [ -z "$3" ]; then
+            echo -e "${bash.success} $1"
+            return 0
+        elif check_exists "$3" "$1"; then
+            return 0
+        else
+            return 1
+        fi
     fi
+    echo -e "${bash.failure}\n"
     return 1
 }
 
-# Handle CN=${jks.cn} override
-if [ -n "$2" ]; then
-    cname="CN=${jks.cn},"
-    newcname="CN=$2,"
-    san="san=dns:${jks.cn},"
-    newsan="san=dns:$2,"
-    newipsan="san=ip:$2,"
-    cnalt=",dns:${jks.cnalt}"
-    newcnalt=""
-
-    makekeystore=$(echo "$makekeystore" | sed -e "s|$cname|$newcname|g")
-    if ip4 "$2"; then
-        makekeystore=$(echo "$makekeystore" | sed -e "s|$san|$newipsan|g")
-    else
-        makekeystore=$(echo "$makekeystore" | sed -e "s|$san|$newsan|g")
-    fi
-    makekeystore=$(echo "$makekeystore" | sed -e "s|$cnalt|$newcnalt|g")
-fi
-
 #
 # Uninstall mode
 #
 if [ "$1" == "uninstall" ]; then
-    echo "Removing installed certificates (warnings are safe to ignore)..."
+    echo -e "\nRemoving installed certificates..."
 	remove_certs
-	echo -e "${bash.success}\n"
+	echo -e "\n[Finished ${apple.keygen.name}]\n"
     exit 0
 fi
 
 #
 # Install mode
 #
 
-# Delete old keystore, if exists
-rm -f "$keystorepath" > /dev/null 2>&1
+# Delete old files if exist
+delete_file "${ssl.jks}"
+delete_file "${ssl.crt}"
 
 # Handle trusted ssl certificate, if specified
-if [ -n "$sslcertpath" ]; then
-    create_pkcs12
-    echo "Creating keystore for secure websockets..."
-    eval "$makekeystore" > /dev/null 2>&1
-    check_exists "$keystorepath"
-    write_properties
-    status=$?
-    echo "Finished"
-    exit $status
+if [ -n "$trustedcertpath" ]; then
+    echo -e "\nCreating keystore for secure websockets..."
+    run_step "\nConverting to PKCS12 keypair" "${trusted.command}" "${trusted.keypair}"
+    run_step "\nConverting to jks format" "${trusted.convert}" "${ssl.jks}"
+    write_properties "${ssl.properties}" || exit 1
+    echo -e "\n[Finished ${apple.keygen.name}]\n"
+    exit 0
 fi
 
 # Handle self-signed certificate
-echo "Creating keystore for secure websockets..."
-eval "$makekeystore" > /dev/null 2>&1
-check_exists "$keystorepath"
-
-echo "Converting keystore to native certificate..."
-eval "$makedercert" > /dev/null 2>&1
-check_exists "$dercertpath"
-
-write_properties
-
-echo "Removing old certificates (warnings are safe to ignore)..."
+echo -e "\nCreating keystore for secure websockets..."
+# Delete old files if exist
+delete_file "${ca.jks}"
+delete_file "${ca.crt}"
+delete_file "${ssl.csr}"
+
+run_step "Creating a CA keypair" "${ca.jkscmd}" "${ca.jks}" || exit 1
+run_step "Exporting CA certificate" "${ca.crtcmd}" "${ca.crt}" || exit 1
+run_step "Creating an SSL keypair" "${ssl.jkscmd}" "${ssl.jks}" || exit 1
+run_step "Creating an SSL CSR" "${ssl.jkscsr}" "${ssl.csr}" || exit 1
+run_step "Issuing SSL certificate from CA" "${ssl.crtcmd}" "${ssl.crt}" || exit 1
+run_step "Importing CA certificate into SSL keypair" "${ssl.importca}" "" || exit 1
+run_step "Importing chained SSL certificate into SSL keypair" "${ssl.importssl}" "" || exit 1
+
+echo -e "\nWriting properties file..."
+write_properties "${ssl.properties}" || exit 1
+
+echo -e "\nRemoving installed certificates..."
 remove_certs
-echo -e "${bash.success}\n"
-
-echo "Installing certificate..."
 
 # Install new certificate
-security add-trusted-cert -d -r "${apple.keygen.store}" -k "${apple.keychain}" "$dercertpath"
-if [ $? -eq 0 ]; then
-    echo -e "${bash.success}\n"
-else
-    echo -e "${bash.failure}\n"
-fi
+run_step "Installing certificate" "${apple.keygen.install}" "" || exit 1
+
+echo -e "\nCleaning up..."
+delete_file "${ca.jks}"
+delete_file "${ssl.csr}"
+delete_file "${ssl.crt}"
 
-echo "Finished"
+echo -e "\n[Finished ${apple.keygen.name}]\n"
 exit 0

ant/apple/apple.properties

@@ -14,6 +14,7 @@ apple.keygen.store=trustRoot
 apple.keygen.name=apple-keygen.sh
 apple.keygen.in=${basedir}/ant/apple/${apple.keygen.name}.in
 apple.keygen.out=${dist.dir}/auth/${apple.keygen.name}
+apple.keygen.install=security add-trusted-cert -d -r \\"${apple.keygen.store}\\" -k \\"${apple.keychain}\\" \\"${ca.crt}\\"
 apple.jvmver=/usr/libexec/java_home -v ${javac.target}+
 apple.jvmcmd=${apple.jvmver} --exec
 apple.jvmfallback=/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin

ant/firefox/firefox-cert.sh.in

@@ -76,29 +76,22 @@ else
     echo -e "${bash.success} $ffdir"
 fi
 
-
-# Substitution variables (!install, etc)
-install="${jks.install}"
-cname="${jks.cn}"
-dercert="${der.cert}"
-prefs="${firefoxprefs.install}"
-config="${firefoxconfig.install}"
-
-# Handle CN=${jks.cn} override
+# Handle CN=${ssl.cn} override
+cname="${ssl.cn}"
 if [ -n "$2" ]; then
     cname="$2"
 fi
 
 # Perform substitutions
-dercertpath=$(echo "$dercert" | sed -e "s|$install|$installdir|g")
-prefspath=$(echo "$prefs" | sed -e "s|$install|$installdir|g")
-configpath=$(echo "$config" | sed -e "s|$install|$installdir|g")
+dercertpath=$(echo "${ca.crt}" | sed -e "s|\!install|$installdir|g")
+prefspath=$(echo "${firefoxprefs.install}" | sed -e "s|\!install|$installdir|g")
+configpath=$(echo "${firefoxconfig.install}" | sed -e "s|\!install|$installdir|g")
 
 #
 # Uninstall mode
 #
 if [ "$1" == "uninstall" ]; then
-    echo "Searching for ${project.name} AutoConfig..."
+    echo -e "\nSearching for ${project.name} AutoConfig..."
     if [ -f "$bindir/${firefoxconfig.name}" ]; then
         echo -e "${bash.success} Check Firefox config exists"
         cp "$configpath" "$bindir/${firefoxconfig.name}"
@@ -123,6 +116,7 @@ if [ "$1" == "uninstall" ]; then
     else
         echo -e "${bash.skipped} ${project.name} AutoConfig not found"
     fi
+    echo -e "\n[Finished ${firefoxcert.name}]\n"
     exit 0
 fi
 
@@ -195,5 +189,6 @@ else
 	exit 1
 fi
 
+echo -e "\n[Finished ${firefoxcert.name}]\n"
 exit 0
 

ant/firefox/firefox-config.cfg.in

@@ -1,9 +1,16 @@
 //##############################################################################
 //#     Firefox AutoConfig for ${project.name} Software ${vendor.website}                  #
 //##############################################################################
+//# Copyright (C) 2017 Tres Finocchiaro, QZ Industries, LLC                    #
+//#                                                                            #
+//# LGPL 2.1 This is free software.  This software and source code are         #
+//# released under the "LGPL 2.1 License".  A copy of this license should be   #
+//# distributed with this software. http://www.gnu.org/licenses/lgpl-2.1.html  #
+//#                                                                            #
 //# NOTE:  This certificate is unique and private to THIS PC ONLY.  It was     #
 //# created on-the-fly at install time for secure websockets to function with  #
 //# ${project.name} software.                                                          #
+//#                                                                            #
 //# For questions please visit ${vendor.website}/support                           #
 //##############################################################################
 

ant/linux/linux-installer.sh.in

@@ -9,17 +9,18 @@
 #    4. Installs certificate to OS using certutil                                        #
 #    5. Installs certificate into Firefox (if installed)                                 #
 #                                                                                        #
-#       Note:  If [sslcert] and [sslkey] are specified, import to browser/OS is omitted. #
+#       Note:  If [trustedcert] and [trustedkey] are specified, import to browser/OS is  #
+#              omitted.                                                                  #
 #                                                                                        #
 #  Depends:                                                                              #
 #    java, certutil                                                                      #
 #                                                                                        #
 #  Optional:                                                                             #
-#    openssl - Required if providing [sslcert], [sslkey] parameters                      #
+#    openssl - Required if providing [trustedcert], [trustedkey] parameters              #
 #                                                                                        #
 #  Usage:                                                                                #
 #    $ chmod +x ${linux.installer.name}                                                       #
-#    $ sudo ./${linux.installer.name} [noprompt] [hostname] [sslcert] [sslkey]                #
+#    $ sudo ./${linux.installer.name} [noprompt] [hostname] [trustedcert] [trustedkey]        #
 #                                                                                        #
 ##########################################################################################
 
@@ -31,8 +32,8 @@ fi
 
 noprompt="$1"
 cname="$2"
-sslcert="$3"
-sslkey="$4"
+trustedcert="$3"
+trustedkey="$4"
 mask=755
 destdir="${linux.installdir}"
 shortcut="/usr/share/applications/${project.filename}.desktop"
@@ -159,9 +160,9 @@ fi
 
 progress_dialog 70 "Generating certificate..."
 chmod $mask "$destdir/auth/${linux.keygen.name}"  > /dev/null 2>&1
-"$destdir/auth/${linux.keygen.name}" "$cname" "$sslcert" "$sslkey"
+"$destdir/auth/${linux.keygen.name}" "$cname" "$trustedcert" "$trustedkey"
 
-if [[ -n $sslcert && -n $sslkey ]]; then
+if [[ -n $trustedcert && -n $trustedkey ]]; then
     progress_dialog 75 "Skipping OS/browser cert import..."
 else
     progress_dialog 75 "Importing Firefox locator..."
@@ -191,6 +192,7 @@ chmod -R $mask "${destdir}"
 progress_dialog 92 "Installing usb/udev rules..."
 rm -f "/lib/udev/rules.d/${linux.udev.name}" > /dev/null 2>&1
 mv "$destdir/${linux.udev.name}" "/lib/udev/rules.d/${linux.udev.name}" > /dev/null 2>&1
+udevadm control --reload-rules > /dev/null 2>&1
 
 cd "${destdir}"
 progress_dialog 95 "Installation complete... Starting ${project.name}..."

ant/linux/linux-keygen.sh.in

@@ -1,52 +1,36 @@
 #!/bin/bash
 ##########################################################################################
-#                             ${project.name} Linux KeyGen Util                                  #
+#                             ${project.name} Linux KeyGen Utility                               #
 ##########################################################################################
 #  Description:                                                                          #
-#     1. Creates a self-signed Java Keystore for jetty wss://localhost or [hostname]     #
-#     2. Exports public certificate from Java Keystore
-#
-#     Note:  If [sslcert] and [sslkey] are specified, import to browser/OS is omitted.   #
+#    1. Creates a self-signed Java Keystore for jetty wss://localhost or [hostname]      #
+#    2. Exports public certificate from Java Keystore                                    #
+#                                                                                        #
+#       Note:  If [trustedcert] and [trustedkey] are specified, import to browser/OS is  #
+#              omitted.                                                                  #
 #                                                                                        #
 #  Depends:                                                                              #
 #    java                                                                                #
 #                                                                                        #
 #  Optional:                                                                             #
-#    openssl - Required if providing [sslcert], [sslkey] parameters                      #
+#    openssl - Required if providing [trustedcert], [trustedkey] parameters              #
 #                                                                                        #
 #  Usage:                                                                                #
-#    $ ./${linux.keygen.name} [hostname] [sslcert] [sslkey]                                   #
+#    $ ./${linux.keygen.name} [hostname] [trustedcert] [trustedkey]                           #
 #                                                                                        #
 ##########################################################################################
 
-# Random password hash
-password=$(cat /dev/urandom | env LC_CTYPE=C tr -dc 'a-z0-9' | fold -w ${jks.passlength} | head -n 1)
+# Handle CN=${ssl.cn} override
+cnoverride="$1"
 
 # Handle trusted ssl certificate
 if [[ -n $2 && -n $3 ]]; then
-    sslcertpath="$2"
-    sslkeypath="$3"
-    makekeystore="${ssl.convert}"
-else
-    makekeystore="${jks.command}"
+    trustedcertpath="$2"
+    trustedkeypath="$3"
 fi
 
-makedercert="${der.command}"
-installdir="${linux.installdir}"
-
-# Substitution variables (!storepass, !keypass, !install, etc)
-install="${jks.install}"
-storepass="${jks.storepass}"
-keypass="${jks.keypass}"
-keystore="${jks.keystore}"
-dercert="${der.cert}"
-props="${jks.properties}"
-
-# Keystore generation variable substitutions
-keystorepath="${keystore/$install/$installdir}"
-makekeystore="${makekeystore/$storepass/$password}"
-makekeystore="${makekeystore/$keypass/$password}"
-makekeystore="${makekeystore/$keystore/$keystorepath}"
+# Random password hash
+password=$(cat /dev/urandom | env LC_CTYPE=C tr -dc 'a-z0-9' | fold -w ${ssl.passlength} | head -n 1)
 
 # Check for IPv4 address
 function ip4 {
@@ -56,124 +40,130 @@ function ip4 {
     return 1
 }
 
-# Handle CN=${jks.cn} override
-if [ -n "$1" ]; then
-    cname="CN=${jks.cn},"
-    newcname="CN=$1,"
-    san="san=dns:${jks.cn},"
-    newsan="san=dns:$1,"
-    newipsan="san=ip:$1,"
-    cnalt=",dns:${jks.cnalt}"
-    newcnalt=""
-
-    makekeystore="${makekeystore/$cname/$newcname}"
-    if ip4 "$1"; then
-        makekeystore="${makekeystore/$san/$newipsan}"
-    else
-        makekeystore="${makekeystore/$san/$newsan}"
+# Replace all install-time variables
+function replace_vars {
+    # TODO: OpenSUSE as well as some others don't have keytool in $PATH
+    cmd=$(echo "$1" | sed -e "s|\"keytool\"|keytool|g")
+
+    # Handle CN=${ssl.cn} override
+    if [ -n "$cnoverride" ]; then
+        cmd=$(echo "$cmd" | sed -e "s|CN=${ssl.cn},|CN=$cnoverride,|g")
+        if ip4 "$cnoverride"; then
+            cmd=$(echo "$cmd" | sed -e "s|san=dns:${ssl.cn},|san=ip:$cnoverride,|g")
+        else
+            cmd=$(echo "$cmd" | sed -e "s|san=dns:${ssl.cn},|san=dns:$cnoverride,|g")
+        fi
+        # Remove dangling san
+        cmd=$(echo "$cmd" | sed -e "s|,dns:${ssl.cnalt}||g")
     fi
-    makekeystore="${makekeystore/$cnalt/$newcnalt}"
-fi
 
-# Cert export variable substitutions
-dercertpath="${dercert/$install/$installdir}"
-makedercert="${makedercert/$storepass/$password}"
-makedercert="${makedercert/$keypass/$password}"
-makedercert="${makedercert/$keystore/$keystorepath}"
-makedercert="${makedercert/$dercert/$dercertpath}"
-
-# // Handle "community" mode, custom signing auth cert
-if [ -n "${build.type}" ]; then
-    authcert="${authcert.install}"
-    authcertpath="${authcert/$install/$installdir}"
-fi
-
-# Property file containing jks signing info
-propspath="${props/$install/$installdir}"
-
-# Convert trusted SSL cert to jks
-function create_pkcs12 {
-    echo "Creating PKCS12 keypair..."
-    keypair="${ssl.keypair}"
-    sslcert="${ssl.cert}"
-    sslkey="${ssl.key}"
-    generated="${ssl.command}"
-
-    keypairpath="${keypair/$install/$installdir}"
-    generated="${generated/$keypair/$keypairpath}"
-    generated="${generated/$sslcert/$sslcertpath}"
-    generated="${generated/$sslkey/$sslkeypath}"
-    generated="${generated/$keypass/$password}"
-
-    makekeystore="${makekeystore/$keypair/$keypairpath}"
-    makekeystore="${makekeystore/$keypass/$password}" # second ${jks.keypass}
-
-    eval "$generated" > /dev/null 2>&1
-    check_exists "$keypairpath"
-
-    if [ $? -ne 0 ]; then
-        echo "Error creating PKCS12 keypair from $sslcertpath, $sslkeypath to $keypairpath"
-        echo -e "${bash.failure}\n"
-        exit 1
-    fi
-
-    # Remove lingering self-signed certs
-    rm "$dercertpath" > /dev/null 2>&1
+    cmd=$(echo "$cmd" | sed -e "s|\!install|${linux.installdir}|g")
+    cmd=$(echo "$cmd" | sed -e "s|\!storepass|$password|g")
+    cmd=$(echo "$cmd" | sed -e "s|\!keypass|$password|g")
+    cmd=$(echo "$cmd" | sed -e "s|\!sslcert|$trustedcertpath|g")
+    cmd=$(echo "$cmd" | sed -e "s|\!sslkey|$trustedkeypath|g")
 
+    echo "$cmd"
     return 0
 }
 
+# Handle "community" mode, custom signing auth cert
+if [ -n "${build.type}" ]; then
+    authcertpath=$(echo "${authcert.install}" | sed -e "s|\!install|${linux.installdir}|g")
+fi
+
 # Write out the secure websocket properties file
 function write_properties {
-    echo "Writing properties file..."
-    echo "wss.alias=${jks.alias}" > "$propspath"
+    propspath=$(echo "$1" | sed -e "s|\!install|${linux.installdir}|g")
+    keystorepath=$(echo "${ssl.jks}" | sed -e "s|\!install|${linux.installdir}|g")
+    echo "wss.alias=${ssl.alias}" > "$propspath"
     echo "wss.keystore=$keystorepath" >> "$propspath"
     echo "wss.keypass=$password" >> "$propspath"
     echo "wss.storepass=$password" >> "$propspath"
-    echo "wss.host=${jks.host}" >> "$propspath"
+    echo "wss.host=${ssl.host}" >> "$propspath"
     if [ -n "$authcertpath" ]; then
         echo "authcert.override=$authcertpath" >> "$propspath"
     fi
     echo "" >> "$propspath"
-    check_exists  "$propspath"
+    check_exists "$propspath"
     return $?
 }
 
-# Check to see if file exists
+# Delete a file if exists
+function delete_file {
+    testfile=$(echo "$1" | sed -e "s|\!install|${linux.installdir}|g")
+    rm -f "$testfile" > /dev/null 2>&1
+    return 0
+}
+
+# Check to see if file exists with optional message
 function check_exists {
-    if [ -e "$1" ]; then
-        echo -e "${bash.success}\n"
+    testfile=$(echo "$1" | sed -e "s|\!install|${linux.installdir}|g")
+    if [ -e "$testfile" ]; then
+        if [ -n "$2" ]; then
+            echo -e "${bash.success} $2 $testfile"
+        else
+            echo -e "${bash.success} $testfile"
+        fi
         return 0
     fi
-    echo -e "${bash.failure}\n"
+    echo -e "${bash.failure} $testfile"
     return 1
 }
 
+# Runs a steps, optionally checks for a file
+# e.g: run_step "Description" "ls -al *.txt > ./out" "./out"
+function run_step {
+    if eval "$(replace_vars "$2") > /dev/null 2>&1"; then
+        if [ -z "$3" ]; then
+            echo -e "${bash.success} $1"
+            return 0
+        elif check_exists "$3" "$1"; then
+            return 0
+        else
+            return 1
+        fi
+    fi
+    echo -e "${bash.failure}\n"
+    return 1
+}
 
-# Delete old keystore, if exists
-rm -f "$keystorepath" > /dev/null 2>&1
+# Delete old files if exist
+delete_file "${ssl.jks}"
+delete_file "${ssl.crt}"
 
 # Handle trusted ssl certificate, if specified
-if [ -n "$sslcertpath" ]; then
-    create_pkcs12
-    echo "Creating keystore for secure websockets..."
-    eval "$makekeystore" > /dev/null 2>&1
-    check_exists "$keystorepath"
-    write_properties
-    status=$?
-    echo "Finished"
-    exit $status
+if [ -n "$trustedcertpath" ]; then
+    echo -e "\nCreating keystore for secure websockets..."
+    run_step "\nConverting to PKCS12 keypair" "${trusted.command}" "${trusted.keypair}"
+    run_step "\nConverting to jks format" "${trusted.convert}" "${ssl.jks}"
+    write_properties "${ssl.properties}" || exit 1
+    echo -e "\n[Finished ${linux.keygen.name}]\n"
+    exit 0
 fi
 
-echo "Creating keystore for secure websockets..."
-eval "$makekeystore" > /dev/null 2>&1
-check_exists "$keystorepath"
-
-echo "Converting keystore to native certificate..."
-eval "$makedercert" > /dev/null 2>&1
-check_exists "$dercertpath"
-
-write_properties
-status=$?
-echo "Finished"
-exit $status
+# Handle self-signed certificate
+echo -e "\nCreating keystore for secure websockets..."
+# Delete old files if exist
+delete_file "${ca.jks}"
+delete_file "${ca.crt}"
+delete_file "${ssl.csr}"
+
+run_step "Creating a CA keypair" "${ca.jkscmd}" "${ca.jks}" || exit 1
+run_step "Exporting CA certificate" "${ca.crtcmd}" "${ca.crt}" || exit 1
+run_step "Creating an SSL keypair" "${ssl.jkscmd}" "${ssl.jks}" || exit 1
+run_step "Creating an SSL CSR" "${ssl.jkscsr}" "${ssl.csr}" || exit 1
+run_step "Issuing SSL certificate from CA" "${ssl.crtcmd}" "${ssl.crt}" || exit 1
+run_step "Importing CA certificate into SSL keypair" "${ssl.importca}" "" || exit 1
+run_step "Importing chained SSL certificate into SSL keypair" "${ssl.importssl}" "" || exit 1
+
+echo -e "\nWriting properties file..."
+write_properties "${ssl.properties}" || exit 1
+
+echo -e "\nCleaning up..."
+delete_file "${ca.jks}"
+delete_file "${ssl.csr}"
+delete_file "${ssl.crt}"
+
+echo -e "\n[Finished ${linux.keygen.name}]\n"
+exit 0

ant/self-sign.properties

@@ -0,0 +1,55 @@
+# Platform-independent info used at install time for wss:// signing
+# Values prefixed with an !exclamation-mark can't be determined until install time
+ssl.cn=localhost
+ssl.cnalt=localhost.qz.io
+ssl.city=Canastota
+ssl.state=NY
+ssl.country=US
+ssl.company=QZ Industries\\\\, LLC
+ssl.validity=7305
+
+ssl.dname=\\"CN=${ssl.cn}, EMAILADDRESS=${vendor.email}, OU=${ssl.company}, O=${ssl.company}, L=${ssl.city}, S=${ssl.state}, C=${ssl.country}\\"
+ssl.properties=!install/${project.filename}.properties
+ssl.host=0.0.0.0
+ssl.passlength=10
+
+ca.jks=!install/auth/root-ca.jks
+ca.crt=!install/auth/root-ca.crt
+ca.alias=root-ca
+ca.jkscmd=\\"keytool\\" -genkeypair -noprompt -alias ${ca.alias} -keyalg RSA -keysize 2048 -dname ${ssl.dname} -validity ${ssl.validity} -keystore \\"${ca.jks}\\" -keypass !keypass -storepass !storepass -ext ku:critical=cRLSign,keyCertSign -ext bc:critical=ca:true,pathlen:1
+ca.crtcmd=\\"keytool\\" -exportcert -alias root-ca -keystore \\"${ca.jks}\\" -keypass !keypass -storepass !storepass -file \\"${ca.crt}\\" -rfc -ext ku:critical=cRLSign,keyCertSign -ext bc:critical=ca:true,pathlen:1
+
+ssl.jks=!install/auth/${project.filename}.jks
+ssl.crt=!install/auth/${project.filename}.crt
+ssl.csr=!install/auth/${project.filename}.csr
+ssl.alias=${project.filename}
+ssl.jkscmd=\\"keytool\\" -genkeypair -noprompt -alias ${ssl.alias} -keyalg RSA -keysize 2048 -dname ${ssl.dname} -validity ${ssl.validity} -keystore \\"${ssl.jks}\\" -storepass !storepass -keypass !keypass -ext ku:critical=digitalSignature,keyEncipherment -ext eku=serverAuth,clientAuth -ext san=dns:${ssl.cn},dns:${ssl.cnalt} -ext bc:critical=ca:false
+ssl.jkscsr=\\"keytool\\" -certreq -keyalg RSA -alias ${ssl.alias} -file \\"${ssl.csr}\\" -keystore \\"${ssl.jks}\\" -keypass !keypass -storepass !storepass
+ssl.crtcmd=\\"keytool\\" -keypass !keypass -storepass !storepass -validity ${ssl.validity} -keystore \\"${ca.jks}\\" -gencert -alias ${ca.alias} -infile \\"${ssl.csr}\\" -ext ku:critical=digitalSignature,keyEncipherment -ext eku=serverAuth,clientAuth -ext san=dns:${ssl.cn},dns:${ssl.cnalt} -ext bc:critical=ca:false -rfc -outfile \\"${ssl.crt}\\"
+ssl.importca=\\"keytool\\" -noprompt -import -trustcacerts -alias ${ca.alias} -file \\"${ca.crt}\\" -keystore \\"${ssl.jks}\\" -keypass !keypass -storepass !storepass
+ssl.importssl=\\"keytool\\" -noprompt -import -trustcacerts -alias ${ssl.alias} -file \\"${ssl.crt}\\" -keystore \\"${ssl.jks}\\" -keypass !keypass -storepass !storepass
+
+firefoxconfig.name=firefox-config.cfg
+firefoxconfig.in=${basedir}/ant/firefox/${firefoxconfig.name}.in
+firefoxconfig.out=${dist.dir}/auth/firefox/${firefoxconfig.name}
+firefoxconfig.install=!install/auth/firefox/${firefoxconfig.name}
+
+firefoxprefs.name=firefox-prefs.js
+firefoxprefs.in=${basedir}/ant/firefox/${firefoxprefs.name}.in
+firefoxprefs.out=${dist.dir}/auth/firefox/${firefoxprefs.name}
+firefoxprefs.install=!install/auth/firefox/${firefoxprefs.name}
+
+firefoxcert.name=firefox-cert.sh
+firefoxcert.in=${basedir}/ant/firefox/${firefoxcert.name}.in
+firefoxcert.out=${dist.dir}/auth/firefox/${firefoxcert.name}
+
+locator.name=locator.sh
+locator.in=${basedir}/ant/firefox/${locator.name}.in
+locator.out=${dist.dir}/auth/firefox/${locator.name}
+
+# Trusted SSL installs only
+trusted.crt=!sslcert
+trusted.jks=!sslkey
+trusted.keypair=!install/auth/${project.filename}.p12
+trusted.command=openssl pkcs12 -export -in \\"${trusted.crt}\\" -inkey \\"${trusted.jks}\\" -out \\"${trusted.keypair}\\" -name ${ssl.alias} -passout pass:!keypass
+trusted.convert=\\"keytool\\" -importkeystore -deststorepass !storepass -destkeypass !keypass -destkeystore \\"${ssl.jks}\\" -srckeystore \\"${trusted.keypair}\\" -srcstoretype PKCS12 -srcstorepass !storepass -alias ${ssl.alias}

ant/ssl.properties

@@ -6,6 +6,8 @@ windows.keygen.name=windows-keygen.js
 windows.keygen.in=${basedir}/ant/windows/${windows.keygen.name}.in
 windows.keygen.out=${dist.dir}/auth/${windows.keygen.name}
 windows.keygen.tool=certutil.exe
+windows.keygen.install=${windows.keygen.tool} -addstore -f \\"${windows.keygen.store}\\" \\"${ca.crt}\\"
+windows.keygen.uninstall=${windows.keygen.tool} -delstore \\"${windows.keygen.store}\\" \\"!match\\"
 
 windows.nsis.addons=${basedir}/ant/windows/nsis
 windows.packager.in=${basedir}/ant/windows/windows-packager.nsi.in

ant/windows/windows-keygen.js.in

@@ -179,7 +179,7 @@
     -->
     <target name="prepackage">
         <echo>Processing self-signing variables</echo>
-        <property file="ant/self-sign.properties"/>
+        <property file="ant/ssl.properties"/>
 
         <echo>Creating Firefox certificate config files</echo>
         <copy file="${firefoxconfig.in}" tofile="${firefoxconfig.out}" >

ant/windows/windows.properties

@@ -27,10 +27,10 @@ public class LinuxCertificate {
     private static String nssdb = "sql:" + System.getenv("HOME") + "/.pki/nssdb";
 
     private static String getCertificatePath() {
-        // We assume that if the keystore is "qz-tray.jks", the cert must be "qz-tray.crt"
+        // We assume that if the keystore is "qz-tray.jks", the cert must be "root-ca.crt"
         Properties sslProperties = DeployUtilities.loadTrayProperties();
         if (sslProperties != null) {
-            return sslProperties.getProperty("wss.keystore").replaceAll("\\.jks$", ".crt");
+            return sslProperties.getProperty("wss.keystore").replace(Constants.PROPS_FILE + ".jks", "root-ca.crt");
         }
 
         return null;