mkcert/truststore_nss.go

// Copyright 2018 The mkcert Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package main

import (
	"log"
	"os"
	"os/exec"
	"path/filepath"
	"runtime"
	"strings"
)

var (
	hasNSS       bool
	hasCertutil  bool
	certutilPath string
	nssDBs       = []string{
		filepath.Join(os.Getenv("HOME"), ".pki/nssdb"),
		filepath.Join(os.Getenv("HOME"), "snap/chromium/current/.pki/nssdb"), // Snapcraft
		"/etc/pki/nssdb", // CentOS 7
	}
	firefoxPaths = []string{
		"/usr/bin/firefox", "/Applications/Firefox.app",
		"/Applications/Firefox Developer Edition.app",
		"/Applications/Firefox Nightly.app",
		"C:\\Program Files\\Mozilla Firefox",
	}
)

func init() {
	allPaths := append(append([]string{}, nssDBs...), firefoxPaths...)
	for _, path := range allPaths {
		if pathExists(path) {
			hasNSS = true
			break
		}
	}

	switch runtime.GOOS {
	case "darwin":
		switch {
		case binaryExists("certutil"):
			certutilPath, _ = exec.LookPath("certutil")
			hasCertutil = true
		case binaryExists("/usr/local/opt/nss/bin/certutil"):
			// Check the default Homebrew path, to save executing Ruby. #135
			certutilPath = "/usr/local/opt/nss/bin/certutil"
			hasCertutil = true
		default:
			out, err := exec.Command("brew", "--prefix", "nss").Output()
			if err == nil {
				certutilPath = filepath.Join(strings.TrimSpace(string(out)), "bin", "certutil")
				hasCertutil = pathExists(certutilPath)
			}
		}

	case "linux":
		if hasCertutil = binaryExists("certutil"); hasCertutil {
			certutilPath, _ = exec.LookPath("certutil")
		}
	}
}

func (m *mkcert) checkNSS() bool {
	if !hasCertutil {
		return false
	}
	success := true
	if m.forEachNSSProfile(func(profile string) {
		err := exec.Command(certutilPath, "-V", "-d", profile, "-u", "L", "-n", m.caUniqueName()).Run()
		if err != nil {
			success = false
		}
	}) == 0 {
		success = false
	}
	return success
}

func (m *mkcert) installNSS() bool {
	if m.forEachNSSProfile(func(profile string) {
		cmd := exec.Command(certutilPath, "-A", "-d", profile, "-t", "C,,", "-n", m.caUniqueName(), "-i", filepath.Join(m.CAROOT, rootName))
		out, err := cmd.CombinedOutput()
		fatalIfCmdErr(err, "certutil -A", out)
	}) == 0 {
		log.Printf("ERROR: no %s security databases found", NSSBrowsers)
		return false
	}
	if !m.checkNSS() {
		log.Printf("Installing in %s failed. Please report the issue with details about your environment at https://github.com/FiloSottile/mkcert/issues/new 👎", NSSBrowsers)
		log.Printf("Note that if you never started %s, you need to do that at least once.", NSSBrowsers)
		return false
	}
	return true
}

func (m *mkcert) uninstallNSS() {
	m.forEachNSSProfile(func(profile string) {
		err := exec.Command(certutilPath, "-V", "-d", profile, "-u", "L", "-n", m.caUniqueName()).Run()
		if err != nil {
			return
		}
		cmd := exec.Command(certutilPath, "-D", "-d", profile, "-n", m.caUniqueName())
		out, err := cmd.CombinedOutput()
		fatalIfCmdErr(err, "certutil -D", out)
	})
}

func (m *mkcert) forEachNSSProfile(f func(profile string)) (found int) {
	profiles, _ := filepath.Glob(FirefoxProfile)
	profiles = append(profiles, nssDBs...)
	for _, profile := range profiles {
		if stat, err := os.Stat(profile); err != nil || !stat.IsDir() {
			continue
		}
		if pathExists(filepath.Join(profile, "cert9.db")) {
			f("sql:" + profile)
			found++
		} else if pathExists(filepath.Join(profile, "cert8.db")) {
			f("dbm:" + profile)
			found++
		}
	}
	return
}
Fix and add missing license headers 2019-06-01 13:58:20 +00:00			`// Copyright 2018 The mkcert Authors. All rights reserved.`
			`// Use of this source code is governed by a BSD-style`
			`// license that can be found in the LICENSE file.`

Add Firefox support Fixes #6 2018-06-28 05:29:20 +00:00			`package main`

			`import (`
			`"log"`
			`"os"`
			`"os/exec"`
			`"path/filepath"`
Add debugging output for #12 2018-07-04 00:48:31 +00:00			`"runtime"`
Add Firefox support Fixes #6 2018-06-28 05:29:20 +00:00			`"strings"`
			`)`

			`var (`
Add support for Chrome/Chromium on Linux Fixes #11 Closes #15 2018-07-04 02:26:37 +00:00			`hasNSS bool`
Add Firefox support Fixes #6 2018-06-28 05:29:20 +00:00			`hasCertutil bool`
			`certutilPath string`
truststore_nss: support multiple NSS databases This adds support for Snap's Chromium, and and CentOS 7. Fixes #116 Fixes #120 Closes #121 2019-06-01 15:01:09 +00:00			`nssDBs = []string{`
			`filepath.Join(os.Getenv("HOME"), ".pki/nssdb"),`
			`filepath.Join(os.Getenv("HOME"), "snap/chromium/current/.pki/nssdb"), // Snapcraft`
			`"/etc/pki/nssdb", // CentOS 7`
			`}`
			`firefoxPaths = []string{`
			`"/usr/bin/firefox", "/Applications/Firefox.app",`
Add support for Firefox Developer Edition This also fixes a bug where we wouldn't install to Chrome on Linux if Firefox wasn't also present. Closes #48 Updates #51 2018-08-13 01:11:34 +00:00			`"/Applications/Firefox Developer Edition.app",`
Add "Firefox Nightly.app" support on macOS (#102) 2019-01-08 17:22:13 +00:00			`"/Applications/Firefox Nightly.app",`
Offer a less confusing warning about Firefox on Windows 2018-08-13 01:44:02 +00:00			`"C:\\Program Files\\Mozilla Firefox",`
truststore_nss: support multiple NSS databases This adds support for Snap's Chromium, and and CentOS 7. Fixes #116 Fixes #120 Closes #121 2019-06-01 15:01:09 +00:00			`}`
			`)`

			`func init() {`
			`allPaths := append(append([]string{}, nssDBs...), firefoxPaths...)`
			`for _, path := range allPaths {`
			`if pathExists(path) {`
			`hasNSS = true`
			`break`
			`}`
Add support for Firefox Developer Edition This also fixes a bug where we wouldn't install to Chrome on Linux if Firefox wasn't also present. Closes #48 Updates #51 2018-08-13 01:11:34 +00:00			`}`
Add Firefox support Fixes #6 2018-06-28 05:29:20 +00:00
Add support for Chrome/Chromium on Linux Fixes #11 Closes #15 2018-07-04 02:26:37 +00:00			`switch runtime.GOOS {`
			`case "darwin":`
truststore_darwin: check the default Homebrew path for certutil "mkcert localhost" went from 2.125s to 0.552s, a 4x speedup. Fixes #135 2019-08-16 22:13:31 +00:00			`switch {`
			`case binaryExists("certutil"):`
Cleanup path logics with pathExists and binaryExists 2019-06-01 13:55:58 +00:00			`certutilPath, _ = exec.LookPath("certutil")`
truststore_darwin: check the default Homebrew path for certutil "mkcert localhost" went from 2.125s to 0.552s, a 4x speedup. Fixes #135 2019-08-16 22:13:31 +00:00			`hasCertutil = true`
			`case binaryExists("/usr/local/opt/nss/bin/certutil"):`
			`// Check the default Homebrew path, to save executing Ruby. #135`
			`certutilPath = "/usr/local/opt/nss/bin/certutil"`
			`hasCertutil = true`
			`default:`
Cleanup path logics with pathExists and binaryExists 2019-06-01 13:55:58 +00:00			`out, err := exec.Command("brew", "--prefix", "nss").Output()`
			`if err == nil {`
			`certutilPath = filepath.Join(strings.TrimSpace(string(out)), "bin", "certutil")`
			`hasCertutil = pathExists(certutilPath)`
nss: use certutil from $PATH if found on macOS (#71) Fixes #70 Thanks to @hostep for testing and fixing the patch. 2018-08-25 21:52:43 +00:00			`}`
Add support for Chrome/Chromium on Linux Fixes #11 Closes #15 2018-07-04 02:26:37 +00:00			`}`

			`case "linux":`
Cleanup path logics with pathExists and binaryExists 2019-06-01 13:55:58 +00:00			`if hasCertutil = binaryExists("certutil"); hasCertutil {`
			`certutilPath, _ = exec.LookPath("certutil")`
			`}`
Add support for Chrome/Chromium on Linux Fixes #11 Closes #15 2018-07-04 02:26:37 +00:00			`}`
Add Firefox support Fixes #6 2018-06-28 05:29:20 +00:00			`}`

Add support for Chrome/Chromium on Linux Fixes #11 Closes #15 2018-07-04 02:26:37 +00:00			`func (m *mkcert) checkNSS() bool {`
Add Firefox support Fixes #6 2018-06-28 05:29:20 +00:00			`if !hasCertutil {`
			`return false`
			`}`
			`success := true`
Add support for Chrome/Chromium on Linux Fixes #11 Closes #15 2018-07-04 02:26:37 +00:00			`if m.forEachNSSProfile(func(profile string) {`
Add Firefox support Fixes #6 2018-06-28 05:29:20 +00:00			`err := exec.Command(certutilPath, "-V", "-d", profile, "-u", "L", "-n", m.caUniqueName()).Run()`
			`if err != nil {`
			`success = false`
			`}`
			`}) == 0 {`
			`success = false`
			`}`
			`return success`
			`}`

Avoid printing a success message on error Updates #51 2018-08-13 00:32:34 +00:00			`func (m *mkcert) installNSS() bool {`
Add support for Chrome/Chromium on Linux Fixes #11 Closes #15 2018-07-04 02:26:37 +00:00			`if m.forEachNSSProfile(func(profile string) {`
Add Firefox support Fixes #6 2018-06-28 05:29:20 +00:00			`cmd := exec.Command(certutilPath, "-A", "-d", profile, "-t", "C,,", "-n", m.caUniqueName(), "-i", filepath.Join(m.CAROOT, rootName))`
			`out, err := cmd.CombinedOutput()`
			`fatalIfCmdErr(err, "certutil -A", out)`
			`}) == 0 {`
Add support for Chrome/Chromium on Linux Fixes #11 Closes #15 2018-07-04 02:26:37 +00:00			`log.Printf("ERROR: no %s security databases found", NSSBrowsers)`
Avoid printing a success message on error Updates #51 2018-08-13 00:32:34 +00:00			`return false`
Add Firefox support Fixes #6 2018-06-28 05:29:20 +00:00			`}`
Add support for Chrome/Chromium on Linux Fixes #11 Closes #15 2018-07-04 02:26:37 +00:00			`if !m.checkNSS() {`
			`log.Printf("Installing in %s failed. Please report the issue with details about your environment at https://github.com/FiloSottile/mkcert/issues/new 👎", NSSBrowsers)`
			`log.Printf("Note that if you never started %s, you need to do that at least once.", NSSBrowsers)`
Avoid printing a success message on error Updates #51 2018-08-13 00:32:34 +00:00			`return false`
Add Firefox support Fixes #6 2018-06-28 05:29:20 +00:00			`}`
Avoid printing a success message on error Updates #51 2018-08-13 00:32:34 +00:00			`return true`
Add Firefox support Fixes #6 2018-06-28 05:29:20 +00:00			`}`

Add support for Chrome/Chromium on Linux Fixes #11 Closes #15 2018-07-04 02:26:37 +00:00			`func (m *mkcert) uninstallNSS() {`
			`m.forEachNSSProfile(func(profile string) {`
Add Firefox support Fixes #6 2018-06-28 05:29:20 +00:00			`err := exec.Command(certutilPath, "-V", "-d", profile, "-u", "L", "-n", m.caUniqueName()).Run()`
			`if err != nil {`
			`return`
			`}`
			`cmd := exec.Command(certutilPath, "-D", "-d", profile, "-n", m.caUniqueName())`
			`out, err := cmd.CombinedOutput()`
			`fatalIfCmdErr(err, "certutil -D", out)`
			`})`
			`}`

Add support for Chrome/Chromium on Linux Fixes #11 Closes #15 2018-07-04 02:26:37 +00:00			`func (m *mkcert) forEachNSSProfile(f func(profile string)) (found int) {`
Add Firefox support Fixes #6 2018-06-28 05:29:20 +00:00			`profiles, _ := filepath.Glob(FirefoxProfile)`
truststore_nss: support multiple NSS databases This adds support for Snap's Chromium, and and CentOS 7. Fixes #116 Fixes #120 Closes #121 2019-06-01 15:01:09 +00:00			`profiles = append(profiles, nssDBs...)`
Add Firefox support Fixes #6 2018-06-28 05:29:20 +00:00			`for _, profile := range profiles {`
truststore: check if profile is a directory before joining cert*.db (#33) 2018-07-04 16:59:33 +00:00			`if stat, err := os.Stat(profile); err != nil \|\| !stat.IsDir() {`
			`continue`
			`}`
Cleanup path logics with pathExists and binaryExists 2019-06-01 13:55:58 +00:00			`if pathExists(filepath.Join(profile, "cert9.db")) {`
Add Firefox support Fixes #6 2018-06-28 05:29:20 +00:00			`f("sql:" + profile)`
			`found++`
Cleanup path logics with pathExists and binaryExists 2019-06-01 13:55:58 +00:00			`} else if pathExists(filepath.Join(profile, "cert8.db")) {`
firefox: prefer cert9.db and skip cert8.db when found (#13) Fixes #12 (again) 2018-07-12 17:47:05 +00:00			`f("dbm:" + profile)`
			`found++`
Add Firefox support Fixes #6 2018-06-28 05:29:20 +00:00			`}`
			`}`
			`return`
			`}`