freedombone/src/freedombone-pin-cert

#!/bin/bash
#  _____               _           _
# |   __|___ ___ ___ _| |___ _____| |_ ___ ___ ___
# |   __|  _| -_| -_| . | . |     | . | . |   | -_|
# |__|  |_| |___|___|___|___|_|_|_|___|___|_|_|___|
#
#                              Freedom in the Cloud
#
# Performs certificate pinning (HPKP) on a given domain name

# License
# =======
#
# Copyright (C) 2015-2018 Bob Mottram <bob@freedombone.net>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

PROJECT_NAME='freedombone'

export TEXTDOMAIN=${PROJECT_NAME}-pin-cert
export TEXTDOMAINDIR="/usr/share/locale"

WEBSITES_DIRECTORY=/etc/nginx/sites-available

# 90 days
PIN_MAX_AGE=7776000

function pin_all_certs {
    if [ ! -d $WEBSITES_DIRECTORY ]; then
        return
    fi

    cd $WEBSITES_DIRECTORY || exit 2468724684
    for file in $(dir -d "*") ; do
        if grep -q "Public-Key-Pins" "$file"; then
            DOMAIN_NAME=$file
            KEY_FILENAME=/etc/ssl/private/${DOMAIN_NAME}.key
            if [ -f "$KEY_FILENAME" ]; then
                BACKUP_KEY_FILENAME=/etc/ssl/certs/${DOMAIN_NAME}.pem
                if [ -f "$BACKUP_KEY_FILENAME" ]; then
                    KEY_HASH=$(openssl rsa -in "$KEY_FILENAME" -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)
                    BACKUP_KEY_HASH=$(openssl rsa -in "$BACKUP_KEY_FILENAME" -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)
                    if [ ${#BACKUP_KEY_HASH} -gt 5 ]; then

                        PIN_HEADER="Public-Key-Pins 'pin-sha256=\"${KEY_HASH}\"; pin-sha256=\"${BACKUP_KEY_HASH}\"; max-age=${PIN_MAX_AGE}; includeSubDomains';"
                        sed -i "s|Public-Key-Pins.*|${PIN_HEADER}|g" "$file"
                        echo $"Pinned $DOMAIN_NAME with keys $KEY_HASH $BACKUP_KEY_HASH"
                    fi
                fi
            fi
        fi
    done
}

if [[ "$1" == "all" ]]; then
    pin_all_certs
    systemctl restart nginx
    exit 0
fi

DOMAIN_NAME=$1
REMOVE=$2
KEY_FILENAME=/etc/ssl/private/${DOMAIN_NAME}.key
BACKUP_KEY_FILENAME=/etc/ssl/certs/${DOMAIN_NAME}.pem
SITE_FILENAME=$WEBSITES_DIRECTORY/${DOMAIN_NAME}

if [ ! "${DOMAIN_NAME}" ]; then
    exit 0
fi

if [ ! -f "$SITE_FILENAME" ]; then
    exit 0
fi

if [[ $REMOVE == "remove" ]]; then
    if grep -q "Public-Key-Pins" "$SITE_FILENAME"; then
        sed -i "/Public-Key-Pins/d" "$SITE_FILENAME"
        echo $"Removed pinning for ${DOMAIN_NAME}"
        systemctl restart nginx
    fi
    exit 0
fi

if [ ! -f "$KEY_FILENAME" ]; then
    echo $"No private key certificate found for $DOMAIN_NAME"
    exit 1
fi

if [ ! -f "$BACKUP_KEY_FILENAME" ]; then
    echo $"No fullchain certificate found for $DOMAIN_NAME"
    exit 2
fi

KEY_HASH=$(openssl rsa -in "$KEY_FILENAME" -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)
BACKUP_KEY_HASH=$(openssl rsa -in "$BACKUP_KEY_FILENAME" -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)

if [ ${#KEY_HASH} -lt 5 ]; then
    echo 'Pin hash unexpectedly short'
    exit 3
fi

if [ ${#BACKUP_KEY_HASH} -lt 5 ]; then
    echo 'Backup pin hash unexpectedly short'
    exit 4
fi

PIN_HEADER="Public-Key-Pins 'pin-sha256=\"${KEY_HASH}\"; pin-sha256=\"${BACKUP_KEY_HASH}\"; max-age=5184000; includeSubDomains';"
if ! grep -q "Public-Key-Pins" "$SITE_FILENAME"; then
    sed -i "/ssl_ciphers.*/a     add_header ${PIN_HEADER}" "$SITE_FILENAME"
else
    sed -i "s|Public-Key-Pins.*|${PIN_HEADER}|g" "$SITE_FILENAME"
fi

systemctl restart nginx

if ! grep -q "add_header Public-Key-Pins" "$SITE_FILENAME"; then
    echo $'Pinning failed'
fi

echo "Pinned $DOMAIN_NAME with keys $KEY_HASH $BACKUP_KEY_HASH"

exit 0
Cerificate pinning 2015-12-10 16:31:56 +01:00			`#!/bin/bash`
Update header logos 2018-04-08 14:30:21 +02:00			`# _____ _ _`
			`# \| __\|___ ___ ___ _\| \|___ _____\| \|_ ___ ___ ___`
			`# \| __\| _\| -_\| -_\| . \| . \| \| . \| . \| \| -_\|`
			`# \|__\| \|_\| \|___\|___\|___\|___\|_\|_\|_\|___\|___\|_\|_\|___\|`
Cerificate pinning 2015-12-10 16:31:56 +01:00			`#`
Update header logos 2018-04-08 14:30:21 +02:00			`# Freedom in the Cloud`
Cerificate pinning 2015-12-10 16:31:56 +01:00			`#`
			`# Performs certificate pinning (HPKP) on a given domain name`

			`# License`
			`# =======`
			`#`
Dates 2018-02-21 20:32:13 +01:00			`# Copyright (C) 2015-2018 Bob Mottram <bob@freedombone.net>`
Cerificate pinning 2015-12-10 16:31:56 +01:00			`#`
			`# This program is free software: you can redistribute it and/or modify`
Move to AGPLv3 license #63 2016-02-13 23:09:27 +01:00			`# it under the terms of the GNU Affero General Public License as published by`
Cerificate pinning 2015-12-10 16:31:56 +01:00			`# the Free Software Foundation, either version 3 of the License, or`
			`# (at your option) any later version.`
			`#`
			`# This program is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
Move to AGPLv3 license #63 2016-02-13 23:09:27 +01:00			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU Affero General Public License for more details.`
Cerificate pinning 2015-12-10 16:31:56 +01:00			`#`
Move to AGPLv3 license #63 2016-02-13 23:09:27 +01:00			`# You should have received a copy of the GNU Affero General Public License`
			`# along with this program. If not, see <http://www.gnu.org/licenses/>.`
Cerificate pinning 2015-12-10 16:31:56 +01:00
			`PROJECT_NAME='freedombone'`

			`export TEXTDOMAIN=${PROJECT_NAME}-pin-cert`
			`export TEXTDOMAINDIR="/usr/share/locale"`

Option to pin all tls certificates 2016-08-09 10:34:31 +02:00			`WEBSITES_DIRECTORY=/etc/nginx/sites-available`

Set maximum pinning age 2016-08-10 11:02:04 +02:00			`# 90 days`
			`PIN_MAX_AGE=7776000`

Option to pin all tls certificates 2016-08-09 10:34:31 +02:00			`function pin_all_certs {`
			`if [ ! -d $WEBSITES_DIRECTORY ]; then`
			`return`
			`fi`

Tidying 2018-03-02 20:17:02 +01:00			`cd $WEBSITES_DIRECTORY \|\| exit 2468724684`
			`for file in $(dir -d "*") ; do`
			`if grep -q "Public-Key-Pins" "$file"; then`
Option to pin all tls certificates 2016-08-09 10:34:31 +02:00			`DOMAIN_NAME=$file`
			`KEY_FILENAME=/etc/ssl/private/${DOMAIN_NAME}.key`
Tidying 2018-03-02 20:17:02 +01:00			`if [ -f "$KEY_FILENAME" ]; then`
Option to pin all tls certificates 2016-08-09 10:34:31 +02:00			`BACKUP_KEY_FILENAME=/etc/ssl/certs/${DOMAIN_NAME}.pem`
Tidying 2018-03-02 20:17:02 +01:00			`if [ -f "$BACKUP_KEY_FILENAME" ]; then`
			`KEY_HASH=$(openssl rsa -in "$KEY_FILENAME" -outform der -pubout \| openssl dgst -sha256 -binary \| openssl enc -base64)`
			`BACKUP_KEY_HASH=$(openssl rsa -in "$BACKUP_KEY_FILENAME" -outform der -pubout \| openssl dgst -sha256 -binary \| openssl enc -base64)`
Option to pin all tls certificates 2016-08-09 10:34:31 +02:00			`if [ ${#BACKUP_KEY_HASH} -gt 5 ]; then`

Set maximum pinning age 2016-08-10 11:02:04 +02:00			`PIN_HEADER="Public-Key-Pins 'pin-sha256=\"${KEY_HASH}\"; pin-sha256=\"${BACKUP_KEY_HASH}\"; max-age=${PIN_MAX_AGE}; includeSubDomains';"`
Tidying 2018-03-02 20:17:02 +01:00			`sed -i "s\|Public-Key-Pins.*\|${PIN_HEADER}\|g" "$file"`
Option to remove pinning for a domain 2016-08-09 13:02:51 +02:00			`echo $"Pinned $DOMAIN_NAME with keys $KEY_HASH $BACKUP_KEY_HASH"`
Option to pin all tls certificates 2016-08-09 10:34:31 +02:00			`fi`
			`fi`
			`fi`
			`fi`
			`done`
			`}`

Tidying 2018-03-02 20:17:02 +01:00			`if [[ "$1" == "all" ]]; then`
Option to pin all tls certificates 2016-08-09 10:34:31 +02:00			`pin_all_certs`
			`systemctl restart nginx`
			`exit 0`
			`fi`

Cerificate pinning 2015-12-10 16:31:56 +01:00			`DOMAIN_NAME=$1`
Option to remove pinning for a domain 2016-08-09 13:02:51 +02:00			`REMOVE=$2`
Cerificate pinning 2015-12-10 16:31:56 +01:00			`KEY_FILENAME=/etc/ssl/private/${DOMAIN_NAME}.key`
Include backup pin for certificates 2016-08-08 21:23:27 +02:00			`BACKUP_KEY_FILENAME=/etc/ssl/certs/${DOMAIN_NAME}.pem`
Option to pin all tls certificates 2016-08-09 10:34:31 +02:00			`SITE_FILENAME=$WEBSITES_DIRECTORY/${DOMAIN_NAME}`

Tidying 2018-03-02 20:17:02 +01:00			`if [ ! "${DOMAIN_NAME}" ]; then`
Option to remove pinning for a domain 2016-08-09 13:02:51 +02:00			`exit 0`
			`fi`

Option to pin all tls certificates 2016-08-09 10:34:31 +02:00			`if [ ! -f "$SITE_FILENAME" ]; then`
			`exit 0`
			`fi`
Cerificate pinning 2015-12-10 16:31:56 +01:00
Option to remove pinning for a domain 2016-08-09 13:02:51 +02:00			`if [[ $REMOVE == "remove" ]]; then`
Tidying 2018-03-02 20:17:02 +01:00			`if grep -q "Public-Key-Pins" "$SITE_FILENAME"; then`
			`sed -i "/Public-Key-Pins/d" "$SITE_FILENAME"`
Option to remove pinning for a domain 2016-08-09 13:02:51 +02:00			`echo $"Removed pinning for ${DOMAIN_NAME}"`
			`systemctl restart nginx`
			`fi`
			`exit 0`
			`fi`

Cerificate pinning 2015-12-10 16:31:56 +01:00			`if [ ! -f "$KEY_FILENAME" ]; then`
Include backup pin for certificates 2016-08-08 21:23:27 +02:00			`echo $"No private key certificate found for $DOMAIN_NAME"`
			`exit 1`
			`fi`

			`if [ ! -f "$BACKUP_KEY_FILENAME" ]; then`
			`echo $"No fullchain certificate found for $DOMAIN_NAME"`
Option to pin all tls certificates 2016-08-09 10:34:31 +02:00			`exit 2`
Cerificate pinning 2015-12-10 16:31:56 +01:00			`fi`

Tidying 2018-03-02 20:17:02 +01:00			`KEY_HASH=$(openssl rsa -in "$KEY_FILENAME" -outform der -pubout \| openssl dgst -sha256 -binary \| openssl enc -base64)`
			`BACKUP_KEY_HASH=$(openssl rsa -in "$BACKUP_KEY_FILENAME" -outform der -pubout \| openssl dgst -sha256 -binary \| openssl enc -base64)`
Cerificate pinning 2015-12-10 16:31:56 +01:00
Option to pin all tls certificates 2016-08-09 10:34:31 +02:00			`if [ ${#KEY_HASH} -lt 5 ]; then`
			`echo 'Pin hash unexpectedly short'`
			`exit 3`
			`fi`

			`if [ ${#BACKUP_KEY_HASH} -lt 5 ]; then`
			`echo 'Backup pin hash unexpectedly short'`
			`exit 4`
			`fi`

Fix pinning 2016-08-08 21:52:38 +02:00			`PIN_HEADER="Public-Key-Pins 'pin-sha256=\"${KEY_HASH}\"; pin-sha256=\"${BACKUP_KEY_HASH}\"; max-age=5184000; includeSubDomains';"`
Tidying 2018-03-02 20:17:02 +01:00			`if ! grep -q "Public-Key-Pins" "$SITE_FILENAME"; then`
			`sed -i "/ssl_ciphers.*/a add_header ${PIN_HEADER}" "$SITE_FILENAME"`
Cerificate pinning 2015-12-10 16:31:56 +01:00			`else`
Tidying 2018-03-02 20:17:02 +01:00			`sed -i "s\|Public-Key-Pins.*\|${PIN_HEADER}\|g" "$SITE_FILENAME"`
Cerificate pinning 2015-12-10 16:31:56 +01:00			`fi`

			`systemctl restart nginx`

Tidying 2018-03-02 20:17:02 +01:00			`if ! grep -q "add_header Public-Key-Pins" "$SITE_FILENAME"; then`
Insert in different location 2015-12-10 16:37:02 +01:00			`echo $'Pinning failed'`
			`fi`

echo pin hashes 2016-08-09 10:36:14 +02:00			`echo "Pinned $DOMAIN_NAME with keys $KEY_HASH $BACKUP_KEY_HASH"`
Insert in different location 2015-12-10 16:37:02 +01:00
Cerificate pinning 2015-12-10 16:31:56 +01:00			`exit 0`