Merge pull request #23 from AdilElFarissi/master

Implementation of a basic PEM encoded to OpenSim compatible PKCS12 certificates converter.

.gitattributes

@@ -18,3 +18,4 @@
 *.ogg binary
 *.dll binary
 *.exe binary
+*.cs text eol=crlf

OpenSim/Data/MySQL/Resources/RegionStore.migrations

@@ -566,4 +566,4 @@ ALTER TABLE `regionsettings` ADD COLUMN `TerrainPBR1` varchar(36) NOT NULL DEFAU
 ALTER TABLE `regionsettings` ADD COLUMN `TerrainPBR2` varchar(36) NOT NULL DEFAULT '00000000-0000-0000-0000-000000000000';
 ALTER TABLE `regionsettings` ADD COLUMN `TerrainPBR3` varchar(36) NOT NULL DEFAULT '00000000-0000-0000-0000-000000000000';
 ALTER TABLE `regionsettings` ADD COLUMN `TerrainPBR4` varchar(36) NOT NULL DEFAULT '00000000-0000-0000-0000-000000000000';
-COMMIT;
+COMMIT;

OpenSim/Data/PGSQL/PGSQLMuteListData.cs

@@ -69,4 +69,4 @@ namespace OpenSim.Data.PGSQL
             }
         }
     }
-}
+}

OpenSim/Data/PGSQL/Resources/MuteListStore.migrations

@@ -14,4 +14,4 @@ CREATE TABLE IF NOT EXISTS MuteList (
     CONSTRAINT unique_agent_2 UNIQUE ("AgentID", "MuteId", "MuteName")
 );
 
-COMMIT;
+COMMIT;

OpenSim/Framework/Util.cs

@@ -1421,7 +1421,7 @@ namespace OpenSim.Framework
                 }
             }
 
-            return $"{Convert.ToHexString(iv)}:{Convert.ToHexString(encryptedText).ToLower()}";
+            return $"{Convert.ToHexString(iv)}:{Convert.ToHexString(encryptedText)}";
         }
 
         [MethodImpl(MethodImplOptions.AggressiveInlining)]
@@ -1550,6 +1550,53 @@ namespace OpenSim.Framework
             }
         }
 
+        [MethodImpl(MethodImplOptions.AggressiveInlining)]
+        public static void ConvertPemToPKCS12(string certFileName, string fullChainPath, string privateKeyPath)
+        {
+            ConvertPemToPKCS12Certificate(certFileName, fullChainPath, privateKeyPath, null);
+        }
+        
+        [MethodImpl(MethodImplOptions.AggressiveInlining)]
+        public static void ConvertPemToPKCS12(string certFileName, string fullChainPath, string privateKeyPath, string outputPassword)
+        {
+            ConvertPemToPKCS12Certificate(certFileName, fullChainPath, privateKeyPath, outputPassword);
+        }
+
+        /// <summary>
+        /// Convert or renew .pem certificate to PKCS12 .pfx and .p12 usable by OpenSim.
+        /// the parameters are set in the startup section of OpenSim.ini
+        /// </summary>
+        /// <param name="certFileName">The output certificate file name.</param>
+        /// <param name="certPath">The path of fullchain.pem. If your CA don't provide 
+        /// the fullchain file, you can set the cert.pem instead.</param>
+        /// <param name="keyPath">The path of the private key (privkey.pem).</param>
+        /// <param name="certPassword">The output certificates password.</param>
+        private static void ConvertPemToPKCS12Certificate(string certFileName, string certPath, string keyPath, string outputPassword)
+        {
+            if(string.IsNullOrEmpty(certPath) || string.IsNullOrEmpty(keyPath)){
+                m_log.ErrorFormat("[UTIL]: Missing or invalid fullchain.pem / privkey.pem path!.");
+                return;
+            }
+            // Create the SSL folder and sub folders if not exists.
+            if (!Directory.Exists("SSL\\ssl\\"))
+                Directory.CreateDirectory("SSL\\ssl\\");
+
+            // Convert .pem (like Let's Encrypt files) to X509Certificate2 certificate.
+            X509Certificate2 certificate = X509Certificate2.CreateFromPemFile(certPath, keyPath);
+
+            // Export and store the .pfx and .p12 certificates in SSL\ssl\.
+            byte[] pfxCertBytes = string.IsNullOrEmpty(outputPassword)
+                                ? certificate.Export(X509ContentType.Pfx)
+                                : certificate.Export(X509ContentType.Pfx, outputPassword);
+            File.WriteAllBytes($"SSL\\ssl\\{certFileName}.pfx", pfxCertBytes);
+
+                byte[] p12CertBytes = string.IsNullOrEmpty(outputPassword) 
+                                    ? certificate.Export(X509ContentType.Pkcs12) 
+                                    : certificate.Export(X509ContentType.Pkcs12, outputPassword);
+                File.WriteAllBytes($"SSL\\ssl\\{certFileName}.p12", p12CertBytes);
+            
+        }
+
         public static int fast_distance2d(int x, int y)
         {
             x = Math.Abs(x);

OpenSim/Region/Application/OpenSimBase.cs

@@ -367,6 +367,16 @@ namespace OpenSim
                     );
                 }
             }
+
+            if(startupConfig.GetBoolean("EnableCertConverter", false))
+            {
+                 Util.ConvertPemToPKCS12(
+                    string.IsNullOrEmpty(startupConfig.GetString("outputCertName")) ? "letsencrypt" : startupConfig.GetString("outputCertName"),
+                    string.IsNullOrEmpty(startupConfig.GetString("PemCertPublicKey")) ? string.Empty : startupConfig.GetString("PemCertPublicKey"),
+                    string.IsNullOrEmpty(startupConfig.GetString("PemCertPrivateKey")) ? string.Empty : startupConfig.GetString("PemCertPrivateKey"),
+                    string.IsNullOrEmpty(startupConfig.GetString("outputCertPassword")) ? string.Empty : startupConfig.GetString("outputCertPassword")
+                );
+            }
             
             if(m_networkServersInfo.HttpUsesSSL)
             {

OpenSim/Region/ScriptEngine/Shared/Api/Implementation/OSSL_Api.cs

@@ -6549,7 +6549,7 @@ namespace OpenSim.Region.ScriptEngine.Shared.Api
                 OSSLShoutError("osAESEncrypt: Failed to encrypt!");
                 return LSL_String.Empty;
             }
-            return ret.ToString();
+            return ret.ToString().ToLower();
         }
 
         public LSL_String osAESDecrypt(string secret, string encryptedText)
@@ -6577,7 +6577,7 @@ namespace OpenSim.Region.ScriptEngine.Shared.Api
                 OSSLShoutError("osAESEncryptTo: Failed to encrypt!");
                 return LSL_String.Empty;
             }
-            return ret.ToString();
+            return ret.ToString().ToLower();
         }
 
         public LSL_String osAESDecryptFrom(string secret, string encryptedText, string ivString)

bin/OpenSim.ini.example

@@ -309,12 +309,37 @@
     ;; default is false
     ; TelehubAllowLandmark = false
 
+    
+    ;; Let's Encrypt and others ".pem" certificates converter settings.
+    ;; Enabling this feature will automatically convert the CA .pem certificates to
+    ;; OpenSim compatible PKCS12 .p12 and .pfx certificates on every server startup.
+    ;; The resulting certificates are stored in the bin\SSL\ssl folder.
+    ;# {EnableCertConverter} {} {Enable pem to pkcs12 certificates converter} {true false} false
+    EnableCertConverter = false
+
+    ;; Set the absolute path of the "fullchain.pem". If your CA don't provide this file,
+    ;; you can use the "cert.pem" instead.
+    ;# {PemCertPublicKey} {} {Set the path of the public key .pem} {} ""
+    PemCertPublicKey = ""
+
+    ;; Set the absolute path of the pem private key "privkey.pem".
+    ;# {PemCertPrivateKey} {} {Set the path of the private key .pem} {} ""
+    PemCertPrivateKey = ""
+
+    ;; Set the name of the resulting .p12 and .pfx.
+    ;# {outputCertName} {} {Set the name of the resulting .p12 and .pfx} {} "letsencrypt"
+    outputCertName = "letsencrypt"
+
+    ;; Set the .p12 and .pfx password.
+    ;# {outputCertPassword} {} {Set the .p12 and .pfx password} {} ""
+    outputCertPassword = ""
+
 
     ;; SSL selfsigned certificate settings.
     ;; Enable selfsigned certificate creation for local and external use. When set to true, will create a folder SSL\ and 2 sub folders SSL\ssl\ and SSL\src\.
     ;; Next creates and store an RSA private key in SSL\src\ and the derived selfsigned certificate in SSL\ssl\ folder.
     ;;Is also possible to renew the certificate on every server restart if CertRenewOnStartup is set to true.
-    ;# {EnbleSelfsignedCertSupport} {} {Enable selfsigned certificate creation and renew} {true false} false
+    ;# {EnableSelfsignedCertSupport} {} {Enable selfsigned certificate creation and renew} {true false} false
     EnableSelfsignedCertSupport = false
 
     ;; Renew the selfsigned certificate on every server startup ?

bin/OpenSimDefaults.ini

@@ -399,6 +399,33 @@
     ; routing and land at the landmark coordinates when set to true
     ; default is false
     ; TelehubAllowLandmark = false
+
+    ; #
+    ; # Let's Encrypt and others ".pem" certificates converter settings.
+    ; #  
+
+    ;; Enabling this feature will automatically convert the CA .pem certificates to
+    ;; OpenSim compatible PKCS12 .p12 and .pfx certificates on every server startup.
+    ;; The resulting certificates are stored in the bin\SSL\ssl folder.
+    ;# {EnableCertConverter} {} {Enable pem to pkcs12 certificates converter} {true false} false
+    EnableCertConverter = false
+
+    ;; Set the absolute path of the "fullchain.pem". If your CA don't provide this file,
+    ;; you can use the "cert.pem" instead.
+    ;# {PemCertPublicKey} {} {Set the path of the public key .pem} {} ""
+    PemCertPublicKey = ""
+
+    ;; Set the absolute path of the pem private key "privkey.pem".
+    ;# {PemCertPrivateKey} {} {Set the path of the private key .pem} {} ""
+    PemCertPrivateKey = ""
+
+    ;; Set the name of the resulting .p12 and .pfx.
+    ;# {outputCertName} {} {Set the name of the resulting .p12 and .pfx} {} "letsencrypt"
+    outputCertName = "letsencrypt"
+
+    ;; Set the .p12 and .pfx password.
+    ;# {outputCertPassword} {} {Set the .p12 and .pfx password} {} ""
+    outputCertPassword = ""
     
     ; #
     ; # SSL selfsigned certificate settings.