-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathob_gen
executable file
·347 lines (323 loc) · 10.4 KB
/
ob_gen
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
#!/usr/bin/env bash
# SPDX-FileCopyrightText: 2023 Robin Vobruba <[email protected]>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
# See the output of "$0 -h" for details.
# Exit immediately on each error and unset variable;
# see: https://vaneyckt.io/posts/safer_bash_scripts_with_set_euxo_pipefail/
set -Eeuo pipefail
#set -Eeu
APP_NAME="OSH-Tool - Open Badge (2.0) generator"
SCRIPT_PATH="$(readlink -f "${BASH_SOURCE[0]}")"
SCRIPT_DIR="$(dirname "$SCRIPT_PATH")"
SCRIPT_NAME="$(basename "$SCRIPT_PATH")"
OUT_DIR_DEFAULT="build"
REQUIRED_TOOLS=("jq" "bc" "sed" "awk" "repvar" "obadgen" "openssl")
IMGS_VECTOR_LOCAL_BASE="$SCRIPT_DIR/resources/media/img"
IMGS_BINARY_LOCAL_BASE="$SCRIPT_DIR/resources/assets/media/img"
# parameters
# repo="$(pwd)"
out_dir="$OUT_DIR_DEFAULT"
force=false
example=false
IMG_EXT="svg"
IMGS_LOCAL_BASE="$IMGS_VECTOR_LOCAL_BASE"
function print_help() {
echo -e "$APP_NAME - Generates an Open Badge for our compliance sample"
echo -e "for a project using our CI osh-tool report hosting template."
echo -e "By default, all output goes into a single folder: '$OUT_DIR_DEFAULT'"
echo
echo -e "Usage:"
echo -e " $SCRIPT_NAME [OPTION...]"
echo -e "Options:"
# echo -e " -C, --repo [PATH]"
# echo -e " Defines the path to the repo to check (default: '.')"
echo -e " -o, --output-dir [PATH]"
echo -e " Where to write the resulting Open Badge and JSON assertion to"
echo -e " (default: '$OUT_DIR_DEFAULT')"
echo -e " --project-report [JSON-FILE]"
echo -e " Where to find the locally stored osh-tool JSON report"
echo -e " --project-name [JSON-FILE]"
echo -e " Where to find the locally stored osh-tool JSON report"
echo -e " --project-report [JSON-FILE]"
echo -e " Where to find the locally stored osh-tool JSON report"
echo -e " --example"
echo -e " Use example data from an osh-tool of the OHLOOM project"
echo -e " --png"
echo -e " Use PNG instead of the default SVG for the bage format"
echo -e " -f, --force"
echo -e " Forces overwriting the signign certificate/key, if it already exists"
echo -e " -h, --help"
echo -e " Print this usage help and exit"
echo
}
# Process command line arguments
while [[ $# -gt 0 ]]
do
arg="$1"
shift # $2 -> $1, $3 -> $2, ...
case "$arg" in
# -C|--repo)
# repo="$1"
# shift
# ;;
-o|--output-dir)
out_dir="$1"
shift
;;
--project-report)
OSH_TOOL_REPORT_JSON="$1"
shift
;;
--project-name)
PROJECT_NAME="$1"
shift
;;
--project-url)
RECIPIENT_URL="$1"
shift
;;
--project-hosting-url)
PROJECT_HOSTING_BASE_URL="$1"
shift
;;
--example)
example=true
;;
--png)
IMG_EXT="png"
IMGS_LOCAL_BASE="$IMGS_BINARY_LOCAL_BASE"
;;
-f|--force)
force=true
;;
-h|--help)
print_help
exit 0
;;
*) # non-/unknown option
>&2 echo "Unknown flag: '$arg'"
exit 1
;;
esac
done
# Check if all required tools are available
MISSING_TOOLS=()
for tool in "${REQUIRED_TOOLS[@]}"
do
if ! which "$tool" > /dev/null
then
MISSING_TOOLS+=("$tool")
fi
done
if ! [ "${#MISSING_TOOLS[@]}" -eq 0 ]
then
>&2 echo "ERROR: These required tools are not available in PATH: ${MISSING_TOOLS[*]}"
exit 2
fi
if $example
then
if [ -n "${PROJECT_NAME+x}" ] || [ -n "${RECIPIENT_URL+x}" ] || [ -n "${PROJECT_HOSTING_BASE_URL+x}" ]
then
>&2 echo "ERROR: You may not use --example with any of --project-report, --project-name, --project-url, --project-hosting-url"
exit 3
fi
PROJECT_NAME="OHLOOM"
RECIPIENT_URL="https://gitlab.com/OSEGermany/ohloom"
PROJECT_HOSTING_BASE_URL="https://osegermany.gitlab.io/ohloom"
if [ -z ${OSH_TOOL_REPORT_JSON+x} ]
then
OSH_TOOL_REPORT_JSON_URL="$PROJECT_HOSTING_BASE_URL/osh-report.json"
OSH_TOOL_REPORT_JSON="$out_dir/$(basename "$OSH_TOOL_REPORT_JSON_URL")"
wget \
--quiet \
-O "$OSH_TOOL_REPORT_JSON" \
"$OSH_TOOL_REPORT_JSON_URL"
fi
fi
if [ -z "${OSH_TOOL_REPORT_JSON+x}" ] || [ -z "${PROJECT_NAME+x}" ] || [ -z "${RECIPIENT_URL+x}" ] || [ -z "${PROJECT_HOSTING_BASE_URL+x}" ]
then
>&2 echo "ERROR: Please use either --example or all of --project-report, --project-name, --project-url, --project-hosting-url."
exit 4
fi
mkdir -p "$out_dir"
# TODO Choose one of these two - really, we need URL though for the projects; right?
RECIPIENT_TYPE="url"
# RECIPIENT_TYPE="email"
if [ "$RECIPIENT_TYPE" = "url" ]
then
RECIPIENT_IDENTITY_CLEAR="$RECIPIENT_URL"
elif [ "$RECIPIENT_TYPE" = "email" ]
then
RECIPIENT_IDENTITY_CLEAR="[email protected]" # TODO FIXME Use a real value
else
>&2 echo "ERROR: Not yet supported recipient type: '$RECIPIENT_TYPE'!"
exit 5
fi
VARIABLES_FILE="$out_dir/assertion-gen.vars.txt"
OB_HOSTING_BASE="https://raw.githubusercontent.com/hoijui/osh-tool/master/resources/open-badge-examples/compliance-signed"
OB_LOCAL_BASE="$SCRIPT_DIR/resources/open-badge-examples/compliance-signed"
KEY_FILE_BASE="$OB_LOCAL_BASE/issuer-key"
PRIV_KEY_PEM="$KEY_FILE_BASE.x509.priv.pem"
PRIV_KEY_DER="$KEY_FILE_BASE.x509.priv.der"
CERT="$KEY_FILE_BASE.x509.cert.pem"
PUB_KEY="$KEY_FILE_BASE.x509.pub.pem"
KEY_JSON="$KEY_FILE_BASE.json"
KEY_ID="$OB_HOSTING_BASE/$(basename "$KEY_JSON")"
# TODO Choose one of these two
# TODO FIXME Currently, `ring` (the rust library we use for parsing keys) failes loading ECDSA keys generated with OpenSSL, while it works with those generated by the rust library `rcgen`. OpenSSL itsself seems to do fine with both ... :/
# ALG="es256"
ALG="rs256"
KEY_VALIDITY_DAYS="730"
RECIPIENT_SALT="dfvnk097t6iubasr$RANDOM"
OSH_TOOL_REPORT_JSON_URL="$PROJECT_HOSTING_BASE_URL/osh-report.json"
OSH_TOOL_REPORT_HTML_URL="$PROJECT_HOSTING_BASE_URL/osh-report.html"
OSH_TOOL_REPORT_MD_URL="$PROJECT_HOSTING_BASE_URL/osh-report.md"
COMPLIANCE_FACTOR_MIN="0.8"
COMPLIANCE_FACTOR="$(jq --raw-output '.stats.ratings.compliance.factor' < "$OSH_TOOL_REPORT_JSON")"
COMPLIANCE_BADGE_URL=$(jq --raw-output '.stats.ratings.compliance.badgeUrl' < "$OSH_TOOL_REPORT_JSON")
COMPLIANCE_BADGE="$out_dir/compliance-badge-raw.svg"
wget \
--quiet \
-O "$COMPLIANCE_BADGE" \
"$COMPLIANCE_BADGE_URL"
ASSERTION_TEMPLATE_PATH="$OB_LOCAL_BASE/assertion-TEMPLATE.json"
ASSERTION_FILE_PATH="$out_dir/assertion-gen.json"
ASSERTION_HOSTING_URL="$PROJECT_HOSTING_BASE_URL/$(basename "$ASSERTION_FILE_PATH")"
SAMPLE_BAGDE_IMAGE="$IMGS_LOCAL_BASE/osh-tool-sample-badge-signed.$IMG_EXT"
# TODO Choose one of these two
#SOURCE_IMAGE="$COMPLIANCE_BADGE"
SOURCE_IMAGE="$SAMPLE_BAGDE_IMAGE"
BAKED_IMAGE="$out_dir/assertion-gen-baked.$IMG_EXT"
BAKED_IMAGE_URL="$PROJECT_HOSTING_BASE_URL/$(basename "$BAKED_IMAGE")"
if (( $(echo "$COMPLIANCE_FACTOR < $COMPLIANCE_FACTOR_MIN" | bc -l) ))
then
>&2 echo -e "ERROR: Project reached an osh-tool compliance factor of $COMPLIANCE_FACTOR,\nbut at least $COMPLIANCE_FACTOR_MIN is required.\n-> Assertion not granted!"
return 1
fi
cat > "$VARIABLES_FILE" << EOF
ISSUER_ID="$OB_HOSTING_BASE/issuer.json"
KEY_ID="$KEY_ID"
BADGE_CLASS_ID="$OB_HOSTING_BASE/badge-class.json"
ASSERTION_ID="$ASSERTION_HOSTING_URL"
PROJECT_NAME="$PROJECT_NAME"
RECIPIENT_TYPE="$RECIPIENT_TYPE"
RECIPIENT_SALT="$RECIPIENT_SALT"
RECIPIENT_IDENTITY_HASH="sha256\\\$$(printf '%s%s' "$RECIPIENT_IDENTITY_CLEAR" "$RECIPIENT_SALT" | sha256sum - | sed -e 's/ .*//')"
BAKED_IMAGE_URL="$BAKED_IMAGE_URL"
EVIDENCE_1='"'"$OSH_TOOL_REPORT_JSON_URL"'"'
EVIDENCE_2='"'"$OSH_TOOL_REPORT_HTML_URL"'"'
EVIDENCE_3='"'"$OSH_TOOL_REPORT_MD_URL"'"'
DATE_ISSUED_ON="$(date --iso-8601=seconds)"
DATE_EXPIRES="$(date --iso-8601=seconds --date="2099-12-30")"
COMPLIANCE_PERCENT="$(jq --raw-output '.stats.ratings.compliance.percent' < "$OSH_TOOL_REPORT_JSON")"
EOF
#EVIDENCE_4="{ \"compliance-factor\": \"$COMPLIANCE_FACTOR\" }"
if $force || ! [ -e "$PRIV_KEY_DER" ]
then
if [ "$ALG" = "rs256" ]
then
pkeyopt="rsa_keygen_bits:4096"
ossl_sub_cmd="rsa"
elif [ "$ALG" = "es256" ]
then
pkeyopt="ec_paramgen_curve:prime256v1"
# pkeyopt="ec_param_enc:explicit"
ossl_sub_cmd="ec"
else
>&2 echo "ERROR: Not yet supported algorithm (pre): '$ALG'!"
exit 3
fi
create_together=false
if $create_together
then
# Generate the certificate and provate key used for signing
openssl req \
-new \
-x509 \
-subj "/C=DE/ST=Berlin/L=Berlin/O=OSEG/OU=SW-Dev/CN=ose-germany.de/[email protected]" \
-sha256 \
-nodes \
-pkeyopt "$pkeyopt" \
-newkey "$ossl_sub_cmd" \
-keyform PEM \
-keyout "$PRIV_KEY_PEM" \
-days "$KEY_VALIDITY_DAYS" \
-outform PEM \
-out "$CERT"
# Converts the private key from PEM to DER
# NOTE Doing it that way,
# because I was not able to get OpenSSL
# to directly create the private key in DER format
# in the previous step.
openssl "$ossl_sub_cmd" \
-inform PEM \
-in "$PRIV_KEY_PEM" \
-outform DER \
-out "$PRIV_KEY_DER"
else
if [ "$ALG" = "rs256" ]
then
openssl genpkey \
-algorithm RSA \
-outform DER \
-out "$PRIV_KEY_DER" \
-pkeyopt "$pkeyopt"
elif [ "$ALG" = "es256" ]
then
# openssl ecparam \
# -genkey \
# -outform DER \
# -out "$PRIV_KEY_DER" \
# -name prime256v1
# # pkeyopt="ec_param_enc:explicit"
openssl genpkey \
-algorithm EC \
-outform DER \
-out "$PRIV_KEY_DER" \
-pkeyopt ec_paramgen_curve:P-256 \
-pkeyopt ec_param_enc:explicit
else
>&2 echo "ERROR: Not yet supported algorithm (gen): '$ALG'!"
exit 4
fi
openssl req \
-new \
-keyform DER \
-key "$PRIV_KEY_DER" \
-sha256 \
-x509 \
-subj "/C=DE/ST=Berlin/L=Berlin/O=OSEG/OU=SW-Dev/CN=ose-germany.de/[email protected]" \
-nodes \
-days "$KEY_VALIDITY_DAYS" \
-out "$CERT"
fi
# Extract the public key from the above generated private-key
openssl "$ossl_sub_cmd" \
-inform DER \
-in "$PRIV_KEY_DER" \
-pubout \
-outform PEM \
-out "$PUB_KEY"
# Sets the publicKeyPem property
# in an Open Badge 2.0 CryptographicKey JSON-LD file
pkp_val=$(awk 1 ORS='\\\\n' "$PUB_KEY")
pkp_line=$(printf ' "publicKeyPem": "%s"\n' "$pkp_val")
sed -i -e 's|.*"publicKeyPem":.*|'"$pkp_line"'|' "$KEY_JSON"
fi
repvar \
--variables-file "$VARIABLES_FILE" \
< "$ASSERTION_TEMPLATE_PATH" \
> "$ASSERTION_FILE_PATH"
# Signs and bakes the assertion to $BAKED_IMAGE
# PRIV_KEY_DER="/home/hoijui/Projects/OSEG/repos/obadgen/res/ob-ents/issuer-key.priv.der"
echo
echo "PRIV_KEY_DER='$PRIV_KEY_DER'"
echo "ALG='$ALG'"
echo
obadgen \
--assertion "$ASSERTION_FILE_PATH" \
--signing-algorithm "$ALG" \
--key "$PRIV_KEY_DER" \
--source-image "$SOURCE_IMAGE" \
--baked "$BAKED_IMAGE"