freedombone/src/freedombone-pin-cert

134 lines
4.2 KiB
Plaintext
Raw Permalink Normal View History

2015-12-10 16:31:56 +01:00
#!/bin/bash
2018-04-08 14:30:21 +02:00
# _____ _ _
# | __|___ ___ ___ _| |___ _____| |_ ___ ___ ___
# | __| _| -_| -_| . | . | | . | . | | -_|
# |__| |_| |___|___|___|___|_|_|_|___|___|_|_|___|
2015-12-10 16:31:56 +01:00
#
2018-04-08 14:30:21 +02:00
# Freedom in the Cloud
2015-12-10 16:31:56 +01:00
#
# Performs certificate pinning (HPKP) on a given domain name
# License
# =======
#
2018-02-21 20:32:13 +01:00
# Copyright (C) 2015-2018 Bob Mottram <bob@freedombone.net>
2015-12-10 16:31:56 +01:00
#
# This program is free software: you can redistribute it and/or modify
2016-02-13 23:09:27 +01:00
# it under the terms of the GNU Affero General Public License as published by
2015-12-10 16:31:56 +01:00
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
2016-02-13 23:09:27 +01:00
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
2015-12-10 16:31:56 +01:00
#
2016-02-13 23:09:27 +01:00
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
2015-12-10 16:31:56 +01:00
PROJECT_NAME='freedombone'
export TEXTDOMAIN=${PROJECT_NAME}-pin-cert
export TEXTDOMAINDIR="/usr/share/locale"
2016-08-09 10:34:31 +02:00
WEBSITES_DIRECTORY=/etc/nginx/sites-available
2016-08-10 11:02:04 +02:00
# 90 days
PIN_MAX_AGE=7776000
2016-08-09 10:34:31 +02:00
function pin_all_certs {
if [ ! -d $WEBSITES_DIRECTORY ]; then
return
fi
2018-03-02 20:17:02 +01:00
cd $WEBSITES_DIRECTORY || exit 2468724684
for file in $(dir -d "*") ; do
if grep -q "Public-Key-Pins" "$file"; then
2016-08-09 10:34:31 +02:00
DOMAIN_NAME=$file
KEY_FILENAME=/etc/ssl/private/${DOMAIN_NAME}.key
2018-03-02 20:17:02 +01:00
if [ -f "$KEY_FILENAME" ]; then
2016-08-09 10:34:31 +02:00
BACKUP_KEY_FILENAME=/etc/ssl/certs/${DOMAIN_NAME}.pem
2018-03-02 20:17:02 +01:00
if [ -f "$BACKUP_KEY_FILENAME" ]; then
KEY_HASH=$(openssl rsa -in "$KEY_FILENAME" -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)
BACKUP_KEY_HASH=$(openssl rsa -in "$BACKUP_KEY_FILENAME" -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)
2016-08-09 10:34:31 +02:00
if [ ${#BACKUP_KEY_HASH} -gt 5 ]; then
2016-08-10 11:02:04 +02:00
PIN_HEADER="Public-Key-Pins 'pin-sha256=\"${KEY_HASH}\"; pin-sha256=\"${BACKUP_KEY_HASH}\"; max-age=${PIN_MAX_AGE}; includeSubDomains';"
2018-03-02 20:17:02 +01:00
sed -i "s|Public-Key-Pins.*|${PIN_HEADER}|g" "$file"
2016-08-09 13:02:51 +02:00
echo $"Pinned $DOMAIN_NAME with keys $KEY_HASH $BACKUP_KEY_HASH"
2016-08-09 10:34:31 +02:00
fi
fi
fi
fi
done
}
2018-03-02 20:17:02 +01:00
if [[ "$1" == "all" ]]; then
2016-08-09 10:34:31 +02:00
pin_all_certs
systemctl restart nginx
exit 0
fi
2015-12-10 16:31:56 +01:00
DOMAIN_NAME=$1
2016-08-09 13:02:51 +02:00
REMOVE=$2
2015-12-10 16:31:56 +01:00
KEY_FILENAME=/etc/ssl/private/${DOMAIN_NAME}.key
2016-08-08 21:23:27 +02:00
BACKUP_KEY_FILENAME=/etc/ssl/certs/${DOMAIN_NAME}.pem
2016-08-09 10:34:31 +02:00
SITE_FILENAME=$WEBSITES_DIRECTORY/${DOMAIN_NAME}
2018-03-02 20:17:02 +01:00
if [ ! "${DOMAIN_NAME}" ]; then
2016-08-09 13:02:51 +02:00
exit 0
fi
2016-08-09 10:34:31 +02:00
if [ ! -f "$SITE_FILENAME" ]; then
exit 0
fi
2015-12-10 16:31:56 +01:00
2016-08-09 13:02:51 +02:00
if [[ $REMOVE == "remove" ]]; then
2018-03-02 20:17:02 +01:00
if grep -q "Public-Key-Pins" "$SITE_FILENAME"; then
sed -i "/Public-Key-Pins/d" "$SITE_FILENAME"
2016-08-09 13:02:51 +02:00
echo $"Removed pinning for ${DOMAIN_NAME}"
systemctl restart nginx
fi
exit 0
fi
2015-12-10 16:31:56 +01:00
if [ ! -f "$KEY_FILENAME" ]; then
2016-08-08 21:23:27 +02:00
echo $"No private key certificate found for $DOMAIN_NAME"
exit 1
fi
if [ ! -f "$BACKUP_KEY_FILENAME" ]; then
echo $"No fullchain certificate found for $DOMAIN_NAME"
2016-08-09 10:34:31 +02:00
exit 2
2015-12-10 16:31:56 +01:00
fi
2018-03-02 20:17:02 +01:00
KEY_HASH=$(openssl rsa -in "$KEY_FILENAME" -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)
BACKUP_KEY_HASH=$(openssl rsa -in "$BACKUP_KEY_FILENAME" -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)
2015-12-10 16:31:56 +01:00
2016-08-09 10:34:31 +02:00
if [ ${#KEY_HASH} -lt 5 ]; then
echo 'Pin hash unexpectedly short'
exit 3
fi
if [ ${#BACKUP_KEY_HASH} -lt 5 ]; then
echo 'Backup pin hash unexpectedly short'
exit 4
fi
2016-08-08 21:52:38 +02:00
PIN_HEADER="Public-Key-Pins 'pin-sha256=\"${KEY_HASH}\"; pin-sha256=\"${BACKUP_KEY_HASH}\"; max-age=5184000; includeSubDomains';"
2018-03-02 20:17:02 +01:00
if ! grep -q "Public-Key-Pins" "$SITE_FILENAME"; then
sed -i "/ssl_ciphers.*/a add_header ${PIN_HEADER}" "$SITE_FILENAME"
2015-12-10 16:31:56 +01:00
else
2018-03-02 20:17:02 +01:00
sed -i "s|Public-Key-Pins.*|${PIN_HEADER}|g" "$SITE_FILENAME"
2015-12-10 16:31:56 +01:00
fi
systemctl restart nginx
2018-03-02 20:17:02 +01:00
if ! grep -q "add_header Public-Key-Pins" "$SITE_FILENAME"; then
2015-12-10 16:37:02 +01:00
echo $'Pinning failed'
fi
2016-08-09 10:36:14 +02:00
echo "Pinned $DOMAIN_NAME with keys $KEY_HASH $BACKUP_KEY_HASH"
2015-12-10 16:37:02 +01:00
2015-12-10 16:31:56 +01:00
exit 0