remove scripts for SSL certificates, update README

.circleci/config.yml

@@ -17,61 +17,6 @@ aliases:
       - equal: [ main, << pipeline.git.branch >> ]
       - equal: [ master, << pipeline.git.branch >> ]
 commands:
-  prepare_certificates:
-    description: "This command prepares SSL certificates in the Certificates directory."
-    steps:
-      - unless:
-          condition:
-            *should_sign
-          steps:
-            - run:
-                # This generates files similar to the ones we get from our certificate provider.
-                # That way we effectively test the `convert-certificates.sh` script even on non-signed builds.
-                name: Generate mock SSL certificates
-                working_directory: ./Certificates
-                shell: bash
-                command: ./mock-certificates.sh
-      - when:
-          condition:
-            *should_sign
-          steps:
-            - run:
-                name: Import from CI context
-                working_directory: ./Certificates
-                shell: bash
-                command: |
-                  set -e
-                  function decodeToFile () {
-                    if [ -z "$1" ]; then
-                      echo "Missing or invalid filename"
-                      return 1
-                    fi
-                    if [ -z "$2" ]; then
-                      echo "Missing environment variable contents for file: $1"
-                      return 2
-                    fi
-                    echo "$2" | base64 --decode > "$1"
-                  }
-                  echo "Importing SSL certificate"
-                  mkdir -p in
-                  decodeToFile in/device-manager_scratch_mit_edu.crt "${SDM_CERT}"
-                  decodeToFile in/device-manager_scratch_mit_edu.ca-bundle "${SDM_CERT_CA_BUNDLE}"
-                  decodeToFile in/device-manager.scratch.mit.edu.key "${SDM_CERT_KEY}"
-                  echo "Importing OS-specific information (OSTYPE=${OSTYPE})"
-                  if [[ "$OSTYPE" == "darwin"* ]]; then
-                    decodeToFile macos-certs-scratch-foundation.p12 "${CSC_MACOS}"
-                  fi
-      - run:
-          # The certificate files we get from our provider aren't quite in the format that Scratch Link wants, which
-          # is actually different on macOS vs. Windows, so this script converts the files as needed. We could convert
-          # the files before putting them into the CI context, but that means documenting the conversion steps
-          # somewhere outside this repository. Converting them as part of the build prep process means we can not only
-          # document but also regularly test the steps as part of this repository, with the added bonus that this
-          # build process can be independent of other builds which use the same context.
-          name: Convert SSL certificates
-          working_directory: ./Certificates
-          shell: bash
-          command: ./convert-certificates.sh
   build_windows_sln:
     parameters:
       SignedBuild:

.gitignore

@@ -1,12 +1,3 @@
-*.ca-bundle
-*.cer
-*.crt
-*.der
-*.enc
-*.key
-*.p7b
-*.pem
-*.pfx
 .idea/
 .vscode/
 [._]DS_Store

Certificates/.gitignore

@@ -1,4 +0,0 @@
-in/
-mock/
-out/
-temp/

Certificates/README.md

@@ -1,6 +0,0 @@
-# Scratch Link digital certificates
-
-The certificates to be used for WSS communication should be placed here. These certificates are not to be committed
-into the repository.
-
-See `convert-certificates.sh` for details on preparing certificates for both Mac and Windows.

Certificates/convert-certificates.sh

@@ -1,62 +0,0 @@
-#!/bin/bash
-set -e
-
-######
-
-# Inputs: certificate files in the "in" or "mock" directory.
-# - If you're a member of the Scratch team and need the real certificates, ask cwillisf or colbygk.
-# - Otherwise run "mock-certificates.sh" which will generate files in the "mock" directory.
-
-# Output: various files in the "out" directory
-
-# A few intermediate files are created in the "temp" directory as well
-# TODO: learn better openssl-fu and avoid the intermediate files (maybe)
-
-######
-
-# https://xkcd.com/221/
-# see also roll.sh
-IV="B5E41DCC5B4D6FCD1C1E028430B921E6"
-KEY="D897EB08E0E9DE8F0B77AD423502AFA51372F8DAB0CBBE650C1A1CBD5B1090D9"
-
-# $1: input file
-# $2: output file
-function encryptFile () {
-	# the '-p' causes OpenSSL to output the key & iv
-	# the 'sed' command reformats them for easier use in scratch-link code
-	openssl enc -nosalt -p -aes-256-cbc -K "$KEY" -iv "$IV" -in "$1" -out "$2" | \
-		sed "s/\([0-9A-Fa-f][0-9A-Fa-f]\)/0x\1,/g"
-}
-
-mkdir -p temp out
-
-if [ -r "in/device-manager.scratch.mit.edu.key" ]; then
-	SDM_CERT_DIR="in"
-	echo "Converting from real certificates"
-else
-	SDM_CERT_DIR="mock"
-	echo "Converting from mock certificates"
-fi
-
-# Windows wants a single PFX containing the certificate along with its private key
-openssl pkcs12 \
-	-inkey "${SDM_CERT_DIR}/device-manager.scratch.mit.edu.key" \
-	-in "${SDM_CERT_DIR}/device-manager_scratch_mit_edu.crt" \
-	-name "Scratch Link & Scratch Device Manager" \
-	-passout pass:Scratch \
-	-export -out temp/scratch-device-manager.pfx
-
-encryptFile temp/scratch-device-manager.pfx out/scratch-device-manager.pfx.enc
-
-# Perfect on Mac wants a single PEM containing the certificate and key along with the whole CA chain
-# Using grep this way enforces newlines between files
-grep -h ^ \
-	"${SDM_CERT_DIR}/device-manager_scratch_mit_edu.crt" \
-	"${SDM_CERT_DIR}/device-manager_scratch_mit_edu.ca-bundle" \
-	"${SDM_CERT_DIR}/device-manager.scratch.mit.edu.key" \
-	| tr -d '\r' \
-	> temp/scratch-device-manager.pem
-
-encryptFile temp/scratch-device-manager.pem out/scratch-device-manager.pem.enc
-
-ls -l out/

Certificates/mock-certificates.sh

@@ -1,96 +0,0 @@
-#!/bin/bash
-set -e
-
-function display_info () {
-	echo "*****"
-	echo "This script generates self-signed certificates for the purposes of testing Scratch Link."
-	echo "These certificates may not work with a normal browser configuration and should not be used for release builds."
-	echo "Please do not commit these self-signed files!"
-	echo "*****"
-}
-
-# Disable path mangling in MSYS on Windows
-export MSYS_NO_PATHCONV=1
-export MSYS2_ARG_CONV_EXCL="*"
-
-# Usage: prep_openssl path/to/destination/directory
-function prep_openssl () {
-	mkdir -p "$1"/{certs,crl,newcerts,private}
-	echo 1000 > "$1"/serial
-	touch "$1"/{index.txt,index.txt.attr}
-	cat > "$1"/openssl.conf <<-EOF
-		[ ca ]
-		default_ca = CA_default
-
-		[ CA_default ]
-		dir = '$1'
-		certs = $1/certs
-		crl_dir = $1/crl
-		database = $1/index.txt
-		new_certs_dir = $1/newcerts
-		certificate = $1/certificate-authority.pem
-		serial = $1/serial
-		crl = $1/crl.pem
-		private_key = $1/private/ca.key.pem
-		RANDFILE = $1/.rnd
-		nameopt = default_ca
-		certopt = default_ca
-		policy = policy_match
-		default_days = 3650
-
-		[ policy_match ]
-		countryName = optional
-		stateOrProvinceName = optional
-		organizationName = optional
-		organizationalUnitName = optional
-		commonName = supplied
-		emailAddress = optional
-
-		[ req ]
-		distinguished_name = req_distinguished_name
-
-		[ req_distinguished_name ]
-
-		[ req_ca ]
-		subjectKeyIdentifier = hash
-		keyUsage = critical, keyCertSign, cRLSign
-		basicConstraints = critical, CA:TRUE
-
-		[ req_int ]
-		authorityKeyIdentifier = keyid
-		subjectKeyIdentifier = hash
-		keyUsage = critical, digitalSignature, keyCertSign, cRLSign
-		basicConstraints = critical, CA:TRUE, pathlen:0
-		extendedKeyUsage = serverAuth, clientAuth
-		certificatePolicies = 2.5.29.32.0, 2.23.140.1.2.1
-
-		[ req_cert ]
-		authorityKeyIdentifier = keyid
-		subjectKeyIdentifier = hash
-		keyUsage = critical, digitalSignature, keyEncipherment
-		basicConstraints = critical, CA:FALSE
-		extendedKeyUsage = serverAuth, clientAuth
-		certificatePolicies = 1.3.6.1.4.1.6449.1.2.2.7, 2.23.140.1.2.1
-		subjectAltName = DNS:device-manager.scratch.mit.edu, DNS:www.device-manager.scratch.mit.edu
-		EOF
-}
-
-function generate_all () {
-	prep_openssl mock/ca
-	openssl genrsa -out mock/ca/private/ca.key 4096
-	openssl req -config mock/ca/openssl.conf -new -x509 -sha384 -extensions req_ca -subj "/CN=mock-ca" -key mock/ca/private/ca.key -out mock/ca/certificate-authority.cer
-
-	prep_openssl mock/intermediate
-	openssl genrsa -out mock/intermediate/private/intermediate.key 2048
-	openssl req -config mock/intermediate/openssl.conf -new -sha384 -key mock/intermediate/private/intermediate.key -out mock/intermediate/certs/intermediate.csr -subj "/CN=mock-intermediate"
-	openssl ca -batch -config mock/ca/openssl.conf -md sha384 -extensions req_int -notext -keyfile mock/ca/private/ca.key -cert mock/ca/certificate-authority.cer -in mock/intermediate/certs/intermediate.csr -out mock/intermediate/intermediate.cer
-
-	cat mock/intermediate/intermediate.cer mock/ca/certificate-authority.cer > mock/device-manager_scratch_mit_edu.ca-bundle
-
-	mkdir -p mock/scratch-device-manager
-	openssl req -config mock/intermediate/openssl.conf -new -keyout mock/device-manager.scratch.mit.edu.key -newkey rsa:2048 -subj "/OU=Domain Control Validated/OU=PositiveSSL/CN=device-manager.scratch.mit.edu" -nodes -out mock/scratch-device-manager/scratch-device-manager.request
-	openssl ca -batch -config mock/intermediate/openssl.conf -md sha256 -extensions req_cert -keyfile mock/intermediate/private/intermediate.key -cert mock/intermediate/intermediate.cer -out mock/device-manager_scratch_mit_edu.crt -infiles mock/scratch-device-manager/scratch-device-manager.request
-}
-
-generate_all
-display_info

Certificates/roll.sh

@@ -1,3 +0,0 @@
-#!/bin/bash
-echo "IV=\"`hexdump -n 16 -e '4/4 "%08X"' /dev/random`\""
-echo "KEY=\"`hexdump -n 32 -e '8/4 "%08X"' /dev/random`\""

README.md

@@ -33,23 +33,14 @@ thorough documentation.
 Please use [markdownlint](https://www.npmjs.com/package/markdownlint) to check documentation changes before submitting
 a pull request.
 
-### Certificates
+### Secure WebSockets
 
-**These steps are necessary regardless of platform.**
+Previous versions of Scratch Link used Secure WebSockets (`wss://`) to communicate with Scratch. This is no longer the
+case: new versions of Scratch Link use regular WebSockets (`ws://`). It is no longer necessary to prepare an SSL
+certificate for Scratch Link.
 
-Scratch Link provides Secure WebSocket (WSS) communication and uses digital certificates to do so. These certificates
-are **not** provided in this repository.
-
-To prepare certificates for Scratch Link development, run the following commands. These commands should be run from a
-`bash` prompt (or `zsh`, etc.), which on Windows means using something like [Cygwin](https://www.cygwin.com/) or
-[WSL](https://docs.microsoft.com/en-us/windows/wsl/install-win10).
-
-1. `cd Certificates`
-2. Run `./mock-certificates.sh` to generate self-signed certificates.
-3. Run `./convert-certificates.sh` to prepare the certificates for use by Scratch Link.
-
-If you are a member of the Scratch team and need the real certificates,
-see `Certificates/convert-certificates.sh` for details.
+This change causes an incompatibility with some browsers, including Safari. An upcoming version of Scratch Link will
+resolve this incompatibility.
 
 ### macOS
 
@@ -70,7 +61,7 @@ The build is primarily controlled through `make`:
   1. Compile Scratch Link code using `swift build`
   2. Create an app bundle at `dist/Scratch Link.app`
   3. Copy all necessary frameworks and dylibs into the app bundle
-  4. Generate and/or copy other resources into the app bundle (certificates, icons, etc.)
+  4. Generate and/or copy other resources, such as icons, into the app bundle
 * Build PKG installers with `make dist`, which runs both of these:
   * Build a PKG for the Mac App Store with `make dist-mas`
   * Build a PKG for non-Store distribution ("Developer ID") with `make dist-devid`