package main
import (
	"bytes"
	"encoding/json"
	"errors"
	"io"
	"io/ioutil"
	"log"
	"os"
	"path/filepath"

	"github.com/namecoin/ncdns/tlsrestrict_chromium"
	"gopkg.in/hlandau/easyconfig.v1"
	"gopkg.in/hlandau/easyconfig.v1/cflag"
)
// flagGroup collects this program's command-line options under the
// "tlsrestrict" prefix, so they are spelled --tlsrestrict.<name>.
var flagGroup = cflag.NewGroup(nil, "tlsrestrict")

// transportSecurityPathFlag names the Chromium TransportSecurity file that
// will be rewritten. It has no default; main treats an empty value as fatal.
var transportSecurityPathFlag = cflag.String(flagGroup, "chromium-ts-path", "", "Path to the TransportSecurity file in Chromium's profile folder. Make sure that no running instance of Chromium is using this profile folder; profile corruption could result otherwise.")

// domainFlag is the fully-qualified domain (default "bit.") whose subdomains
// get an entry blocking all built-in CAs.
var domainFlag = cflag.String(flagGroup, "domain", "bit.", "Block built-in CA's from signing for any subdomains of this fully-qualified domain name.")
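// decodeJSONObject parses raw as a single JSON object.
//
// Numbers are kept as json.Number instead of float64 so that when the object
// is marshalled again their original textual form is preserved; the file is
// rewritten as a whole, so any numeric values in entries this tool does not
// touch would otherwise be reformatted (and large integers could lose
// precision) on the round trip. A JSON "null" yields an empty, non-nil map so
// the caller can insert into it without a nil-map panic. Trailing
// non-whitespace after the object is rejected, matching json.Unmarshal.
func decodeJSONObject(raw []byte) (map[string]interface{}, error) {
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.UseNumber()

	var data map[string]interface{}
	if err := dec.Decode(&data); err != nil {
		return nil, err
	}

	// Decode stops after one value; make sure nothing but whitespace follows.
	if _, err := dec.Token(); err != io.EOF {
		if err == nil {
			return nil, errors.New("unexpected data after JSON object")
		}
		return nil, err
	}

	if data == nil {
		data = make(map[string]interface{})
	}
	return data, nil
}

// writeFileAtomic writes data to path by first writing a temporary file in
// the same directory and then renaming it over path, so that a crash or kill
// mid-write leaves the previous file intact instead of truncated.
//
// The temporary file is created by ioutil.TempFile with mode 0600, which is
// the mode the rewritten file is meant to have. Because the file is replaced
// by rename, a path that is a symlink is replaced by a regular file rather
// than written through.
func writeFileAtomic(path string, data []byte) error {
	tmp, err := ioutil.TempFile(filepath.Dir(path), filepath.Base(path)+".*.tmp")
	if err != nil {
		return err
	}
	tmpName := tmp.Name()

	committed := false
	defer func() {
		// On any failure, do not leave a half-written temp file in the
		// profile directory. A second Close after a successful Close is
		// harmless and its error is deliberately ignored.
		if !committed {
			tmp.Close()
			os.Remove(tmpName)
		}
	}()

	if _, err := tmp.Write(data); err != nil {
		return err
	}
	// Flush to stable storage before the rename so the new name never refers
	// to a file whose contents are still only in the page cache.
	if err := tmp.Sync(); err != nil {
		return err
	}
	if err := tmp.Close(); err != nil {
		return err
	}
	if err := os.Rename(tmpName, path); err != nil {
		return err
	}
	committed = true
	return nil
}

// main rewrites Chromium's TransportSecurity file so that all built-in CAs
// are blocked for the configured domain (default "bit."). It reads the file
// named by --tlsrestrict.chromium-ts-path, decodes it as a generic JSON
// object, inserts a BlockAllCAs entry under the hashed domain key, and
// atomically writes the result back. Every failure is fatal: the program
// exits via log.Fatalf naming the step that failed.
func main() {
	config := easyconfig.Configurator{
		ProgramName: "tlsrestrict_chromium",
	}
	err := config.Parse(nil)
	if err != nil {
		log.Fatalf("Couldn't parse configuration: %s", err)
	}

	transportSecurityPath := transportSecurityPathFlag.Value()
	domain := domainFlag.Value()

	if transportSecurityPath == "" {
		log.Fatalf("Missing required --tlsrestrict.chromium-ts-path parameter")
	}

	rawIn, err := ioutil.ReadFile(transportSecurityPath)
	if err != nil {
		log.Fatalf("Couldn't read file %s: %s", transportSecurityPath, err)
	}

	// Decoded into a generic map so entries unrelated to our domain survive
	// the round trip unchanged (numbers included, see decodeJSONObject).
	data, err := decodeJSONObject(rawIn)
	if err != nil {
		log.Fatalf("Couldn't parse file %s: %s", transportSecurityPath, err)
	}

	// Chromium's TransportSecurity database uses keys of the form base64(sha256(dnsPack(fqdn)))
	domainDnsHashB64String, err := tlsrestrict_chromium.DnsHash(domain)
	if err != nil {
		log.Fatalf("Couldn't hash domain name %s: %s", domain, err)
	}

	data[domainDnsHashB64String], err = tlsrestrict_chromium.BlockAllCAs()
	if err != nil {
		log.Fatalf("Couldn't assign BlockAllCAs: %s", err)
	}

	rawOut, err := json.Marshal(data)
	if err != nil {
		log.Fatalf("Couldn't marshal data: %s", err)
	}

	// Written via temp file + rename so an interrupted run cannot leave a
	// truncated TransportSecurity file behind.
	// 0600 seems to be the default mode in Chromium on Fedora
	err = writeFileAtomic(transportSecurityPath, rawOut)
	if err != nil {
		log.Fatalf("Couldn't write file %s: %s", transportSecurityPath, err)
	}
}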