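#!/bin/sh
#
# Helpers that install the Costa Rica "Firma Digital" CA certificates and the
# vendor PKCS#11 module (libASEP11.so) from an already-downloaded archive.
# This file only defines functions; the caller provides:
#   SUDO_PASSWORD  password piped to `sudo -S` for every privileged step
#   SAVE_FILE      path of the downloaded archive
#   ID             platform id: macos | debian | fedora | centos
#                  (presumably taken from os-release by the caller; verify)
#
# SECURITY NOTE(review): nothing in this file checks the integrity or origin
# of $SAVE_FILE. Its certificates become system trust anchors and its
# libASEP11.so is installed system-wide, so the caller should verify the
# archive against a checksum or signature from the issuer before calling
# install_certs.
#
# TODO:
#  - Check all variables to avoid root execution on unspecified places
#    (the archive lookups below are validated; other inputs are still trusted)

# Run "$@" as root. The password is written to sudo's stdin rather than placed
# on a command line; -k ignores cached credentials, -p '' silences the prompt.
_fd_sudo() {
    printf '%s' "$SUDO_PASSWORD" | sudo -Skp '' "$@"
}

# Succeed only when $SAVE_DIR names an existing directory.
_fd_have_save_dir() {
    [ -n "$SAVE_DIR" ] && [ -d "$SAVE_DIR" ]
}

# Print the only entry below $SAVE_DIR of find-type $1 whose name matches $2.
# Fails on zero or several matches so callers never build a path from an empty
# or multi-line result (an empty result used to turn "<dir>/*" into "/*").
_fd_find_one() {
    _fd_found="$(find "$SAVE_DIR" -type "$1" -name "$2" 2> /dev/null)"
    case "$_fd_found" in
        '' | *'
'*) return 1 ;;
    esac
    printf '%s\n' "$_fd_found"
}

# Install file $1 as root-owned $2 with mode $3, creating the parent directory.
# Content is generated unprivileged and only copied as root, which keeps
# root-executed shell text to a minimum and avoids nested quoting.
_fd_install_file() {
    _fd_sudo mkdir -p "${2%/*}" || return 1
    _fd_sudo install -o root -g root -m "$3" "$1" "$2"
}

# Write /etc/Athena/IDPClientDB.xml. $1 is the private staging directory.
_fd_configure_idpclientdb() {
    printf '\033[1mConfigurando IDPClientDB...\033[0m\n' # DEBUG
    # NOTE(review): only these four hex strings survive in this copy of the
    # script. The target is named .xml, so the markup that wrapped them appears
    # to have been stripped; restore it from the upstream guide before use.
    cat > "$1/IDPClientDB.xml" <<'EOF' || return 1
3BDC00FF8091FE1FC38073C821106600000000000000
FFFF00FFF0FFFFFFFFFFFFFFFFF0FF00000000000000
3BEA00008131FE450031C173C840000090007A
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
EOF
    _fd_install_file "$1/IDPClientDB.xml" /etc/Athena/IDPClientDB.xml 0644
}

# Write the p11-kit module definition. $1 is the staging directory and $2 the
# single "remote:" line, which runs the vendor library behind bwrap.
_fd_configure_p11_module() {
    printf '\033[1mConfigurando p11-kit/modules...\033[0m\n' # DEBUG
    printf '%s\n' "$2" > "$1/firma-digital.module" || return 1
    _fd_install_file "$1/firma-digital.module" \
        /usr/share/p11-kit/modules/firma-digital.module 0644
}

# Debian/Ubuntu installation steps. $1 is the private staging directory.
# Source: https://fran.cr/instalar-firma-digital-costa-rica-gnu-linux-ubuntu-debian/
_fd_debian_steps() {
    _fd_have_save_dir || return 1

    # Unpack the downloaded archive
    printf '\033[1mExtraer fichero...\033[0m\n' # DEBUG
    (cd "$SAVE_DIR" && unzip -u "$SAVE_FILE" > /dev/null)

    # Resolve both inputs before anything runs as root.
    _fd_cert_dir="$(_fd_find_one d "Certificados")" || return 1
    PACKAGE="$(_fd_find_one f "idprotectclient[-_]*.deb")" || return 1
    PACKAGE_DIR="${PACKAGE%/*}"
    PACKAGE="${PACKAGE##*/}"

    for cert in "$_fd_cert_dir"/*; do
        [ -f "$cert" ] || continue
        certname="${cert##*/}"
        _fd_sudo cp -- "$cert" \
            /usr/local/share/ca-certificates/"${certname%.cer}.crt" || return 1
    done

    # Extract the proprietary module
    printf '\033[1mExtraer módulo privativo...\033[0m\n' # DEBUG
    # dpkg-deb is always present on Debian; `ar` comes from binutils, which is
    # only installed further down, so a first run could not extract with it.
    (cd "$PACKAGE_DIR" \
        && dpkg-deb --fsys-tarfile "$PACKAGE" \
        | tar -xf - ./usr/lib/x64-athena/libASEP11.so)
    [ -f "$PACKAGE_DIR"/usr/lib/x64-athena/libASEP11.so ] || return 1
    # install(1) instead of `cp -p`: as root, -p kept the extracting user as
    # owner, leaving a system library writable by an unprivileged account.
    _fd_sudo install -p -o root -g root -m 0755 \
        "$PACKAGE_DIR"/usr/lib/x64-athena/libASEP11.so \
        /usr/lib/x86_64-linux-gnu/ || return 1

    # Install components
    printf '\033[1mPaquetería, certificados y módulos...\033[0m\n' # DEBUG
    _fd_sudo sh -c '
        # --- Prerequisites ---
        apt install -y p11-kit pcscd binutils bubblewrap icedtea-netx > /dev/null
        systemctl enable --now pcscd.socket > /dev/null

        # --- Certificates: convert DER to PEM, drop failed conversions ---
        for file in /usr/local/share/ca-certificates/*.crt ; do
            openssl x509 -inform DER -in "$file" -out "$file.tmp" 2> /dev/null
        done
        find /usr/local/share/ca-certificates/ -type f -empty -delete
        for i in /usr/local/share/ca-certificates/*.tmp ; do
            mv "$i" "${i%.tmp}"
        done
        update-ca-certificates --fresh > /dev/null

        # --- PKCS#11 module installation ---
        mkdir -p /usr/lib/x64-athena
        mkdir -p /Firma_Digital/LIBRERIAS
        ln -sf /usr/lib/x86_64-linux-gnu/libASEP11.so /usr/lib/x64-athena/
        ln -sf /usr/lib/x86_64-linux-gnu/libASEP11.so /usr/lib/
        ln -sf /usr/lib/x86_64-linux-gnu/libASEP11.so /usr/local/lib/
        ln -sf /usr/lib/x86_64-linux-gnu/libASEP11.so /Firma_Digital/LIBRERIAS/
        # -n: on a re-run, replace the link instead of nesting a new one
        # inside the directory it already points to.
        ln -sfn /usr/local/share/ca-certificates /Firma_Digital/CERTIFICADOS
    ' || return 1

    # Configuration files
    _fd_configure_idpclientdb "$1" || return 1
    _fd_configure_p11_module "$1" 'remote: |bwrap --unshare-all --dir /tmp --ro-bind /etc/Athena /etc/Athena --proc /proc --dev /dev --ro-bind /usr /usr --ro-bind /lib /lib --ro-bind /lib64 /lib64 --ro-bind /var/run/pcscd /var/run/pcscd --ro-bind /run/pcscd /run/pcscd p11-kit remote /usr/lib/x86_64-linux-gnu/libASEP11.so' || return 1

    printf '\033[1mConfigurando p11-kit update symlinks...\033[0m\n' # DEBUG
    # Quoted here-document: the script is written literally. It used to be
    # echoed through two layers of double quotes, where the inner \" ended the
    # string early and every $..._LIB was expanded (to nothing) at write time.
    # The generated script replaces each application's libnssckbi.so with a
    # link to p11-kit-proxy.so, keeping the original as .bak.
    cat > "$1/update-p11-kit-symlinks" <<'EOF' || return 1
#!/bin/sh

FIREFOX_LIB=/usr/lib/firefox/libnssckbi.so
FIREFOX_ESR_LIB=/usr/lib/firefox-esr/libnssckbi.so
THUNDERBIRD_LIB=/usr/lib/thunderbird/libnssckbi.so
NSS_LIB=/usr/lib/x86_64-linux-gnu/nss/libnssckbi.so

if [ -e "$FIREFOX_LIB" ]
then
    if ! [ -L "$FIREFOX_LIB" ]
    then
        echo "Firefox libnssckbi.so is not a symlink. Fixing..."
        mv -f "$FIREFOX_LIB" "$FIREFOX_LIB".bak
        ln -s /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so "$FIREFOX_LIB"
    fi
fi

if [ -e "$FIREFOX_ESR_LIB" ]
then
    if ! [ -L "$FIREFOX_ESR_LIB" ]
    then
        echo "Firefox ESR libnssckbi.so is not a symlink. Fixing..."
        mv -f "$FIREFOX_ESR_LIB" "$FIREFOX_ESR_LIB".bak
        ln -s /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so "$FIREFOX_ESR_LIB"
    fi
fi

if [ -e "$THUNDERBIRD_LIB" ]
then
    if ! [ -L "$THUNDERBIRD_LIB" ]
    then
        echo "Thunderbird libnssckbi.so is not a symlink. Fixing..."
        mv -f "$THUNDERBIRD_LIB" "$THUNDERBIRD_LIB".bak
        ln -s /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so "$THUNDERBIRD_LIB"
    fi
fi

if [ -e "$NSS_LIB" ]
then
    if ! [ -L "$NSS_LIB" ]
    then
        echo "NSS libnssckbi.so is not a symlink. Fixing..."
        mv -f "$NSS_LIB" "$NSS_LIB".bak
        ln -s /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so "$NSS_LIB"
    fi
fi
EOF
    _fd_install_file "$1/update-p11-kit-symlinks" \
        /usr/local/sbin/update-p11-kit-symlinks 0755 || return 1

    printf '\033[1mConfigurando módulo mantenimiento systemd...\033[0m\n' # DEBUG
    cat > "$1/p11-kit-proxy-updater.service" <<'EOF' || return 1
[Unit]
Description=mantenimiento de enlaces a p11-kit-proxy

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/update-p11-kit-symlinks

[Install]
WantedBy=multi-user.target
EOF
    _fd_install_file "$1/p11-kit-proxy-updater.service" \
        /etc/systemd/system/p11-kit-proxy-updater.service 0644 || return 1
    _fd_sudo systemctl enable --now p11-kit-proxy-updater.service > /dev/null \
        || return 1

    printf '\033[1mInstalando trust module pk11...\033[0m\n' # DEBUG
    # NOTE(review): "disable-in:" is written with no program name after it;
    # confirm against the upstream guide that an empty value is intended.
    printf '%s\n' 'disable-in:' > "$1/p11-kit-trust.module" || return 1
    _fd_install_file "$1/p11-kit-trust.module" \
        /etc/pkcs11/modules/p11-kit-trust.module 0644
}

# Install certificates and the PKCS#11 module on Debian/Ubuntu.
# Globals:  SUDO_PASSWORD, SAVE_DIR, SAVE_FILE (read); PACKAGE, PACKAGE_DIR (written)
# Returns:  0 on success; non-zero if the archive content is not found or a
#           privileged step fails. Nothing runs as root unless both the
#           "Certificados" directory and the .deb were located under $SAVE_DIR.
debian_install_certs() {
    _fd_stage="$(mktemp -d)" || return 1
    _fd_debian_steps "$_fd_stage"
    _fd_status=$?
    # No EXIT trap: this file is sourced and must not replace the caller's traps.
    rm -rf -- "$_fd_stage"
    return "$_fd_status"
}

# Fedora installation steps. $1 is the private staging directory.
# Source: https://fran.cr/instalar-firma-digital-costa-rica-gnu-linux-fedora/
_fd_fedora_steps() {
    _fd_have_save_dir || return 1

    # Unpack the downloaded archive
    printf '\033[1mExtraer fichero...\033[0m\n' # DEBUG
    (cd "$SAVE_DIR" && unzip -u "$SAVE_FILE" > /dev/null)

    # Resolve both inputs before anything runs as root.
    _fd_cert_dir="$(_fd_find_one d "Certificados")" || return 1
    PACKAGE="$(_fd_find_one f "idprotectclient[-_]*.rpm")" || return 1
    PACKAGE_DIR="${PACKAGE%/*}"
    PACKAGE="${PACKAGE##*/}"

    for cert in "$_fd_cert_dir"/*; do
        [ -f "$cert" ] || continue
        # Root-owned copies: `cp -p` as root kept the invoking user as owner
        # of files inside the system trust-anchor directory.
        _fd_sudo install -p -o root -g root -m 0644 "$cert" \
            /usr/share/pki/ca-trust-source/anchors/ || return 1
    done
    _fd_sudo update-ca-trust || return 1

    # Extract the proprietary module
    printf '\033[1mExtraer módulo privativo...\033[0m\n' # DEBUG
    (cd "$PACKAGE_DIR" \
        && rpm2cpio "$PACKAGE" | cpio -dim ./usr/lib/x64-athena/libASEP11.so)
    [ -f "$PACKAGE_DIR"/usr/lib/x64-athena/libASEP11.so ] || return 1
    _fd_sudo install -p -o root -g root -m 0755 \
        "$PACKAGE_DIR"/usr/lib/x64-athena/libASEP11.so /usr/lib64/ || return 1

    _fd_sudo sh -c '
        mkdir -p /usr/lib/x64-athena/
        mkdir -p /Firma_Digital/LIBRERIAS/
        # -f so a second run replaces the links instead of failing on them.
        ln -sf /usr/lib64/libASEP11.so /usr/lib/x64-athena/
        ln -sf /usr/lib64/libASEP11.so /usr/lib/
        ln -sf /usr/lib64/libASEP11.so /usr/local/lib/
        ln -sf /usr/lib64/libASEP11.so /Firma_Digital/LIBRERIAS/
        ln -sfn /usr/share/pki/ca-trust-source/anchors /Firma_Digital/CERTIFICADOS
    ' || return 1

    # Configuration files
    _fd_configure_idpclientdb "$1" || return 1
    _fd_configure_p11_module "$1" 'remote: |bwrap --unshare-all --dir /tmp --proc /proc --dev /dev --ro-bind /etc/Athena /etc/Athena --ro-bind /usr /usr --ro-bind /var/run/pcscd /var/run/pcscd --ro-bind /run/pcscd /run/pcscd --symlink /usr/lib64 /lib64 p11-kit remote /usr/lib64/libASEP11.so'
}

# Install certificates and the PKCS#11 module on Fedora.
# Globals:  SUDO_PASSWORD, SAVE_DIR, SAVE_FILE (read); PACKAGE, PACKAGE_DIR (written)
# Returns:  0 on success; non-zero if the archive content is not found or a
#           privileged step fails.
fedora_install_certs() {
    _fd_stage="$(mktemp -d)" || return 1
    _fd_fedora_steps "$_fd_stage"
    _fd_status=$?
    rm -rf -- "$_fd_stage"
    return "$_fd_status"
}

# Entry point: derive SAVE_DIR from SAVE_FILE and run the installer for $ID.
# Globals:  SUDO_PASSWORD, SAVE_FILE, ID (read); SAVE_DIR (written)
# Returns:  1 when SUDO_PASSWORD or SAVE_FILE is empty or the platform
#           installer fails. An unrecognised ID performs nothing and returns 0,
#           and the centos branch is a placeholder that prints an empty line.
install_certs() {
    [ -z "$SUDO_PASSWORD" ] && return 1
    [ -z "$SAVE_FILE" ] && return 1

    case "$SAVE_FILE" in
        */*) SAVE_DIR="${SAVE_FILE%/*}" ;;
        # A bare file name has no directory part; it lives in the current one.
        *) SAVE_DIR=. ;;
    esac

    case "$ID" in
        macos) open "$SAVE_FILE" || return 1 ;;
        debian) debian_install_certs || return 1 ;;
        fedora) fedora_install_certs || return 1 ;;
        centos) echo ;;
    esac
}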