free
/
freedombonee
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Cerificate pinning

This commit is contained in:
Bob Mottram 2015-12-10 15:31:56 +00:00
parent 016b7ecd9e
commit 2a04c73d82
5 changed files with 96 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
man/freedombone-pin-cert.1.gz Normal file
View File

Binary file not shown.

37
src/freedombone
View File

@ -4325,7 +4325,7 @@ function configure_imap_client_certs {
if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
${PROJECT_NAME}-addcert -h $DEFAULT_DOMAIN_NAME --ca "" --dhkey $DH_KEYLENGTH ${PROJECT_NAME}-addcert -h $DEFAULT_DOMAIN_NAME --ca "" --dhkey $DH_KEYLENGTH
else else
${PROJECT_NAME}-addcert -e $DEFAULT_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH ${PROJECT_NAME}-addcert -e $DEFAULT_DOMAIN_NAME -s $LETSENCRYPT_SERVER --ca "" --dhkey $DH_KEYLENGTH
fi fi
fi fi
# CA configuration # CA configuration
@ -6767,14 +6767,6 @@ function install_wiki {
if [ -d /var/www/$WIKI_DOMAIN_NAME/htdocs ]; then if [ -d /var/www/$WIKI_DOMAIN_NAME/htdocs ]; then
rm -rf /var/www/$WIKI_DOMAIN_NAME/htdocs rm -rf /var/www/$WIKI_DOMAIN_NAME/htdocs
fi fi
if [ ! -f /etc/ssl/certs/$WIKI_DOMAIN_NAME.dhparam ]; then
if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
${PROJECT_NAME}-addcert -h $WIKI_DOMAIN_NAME --dhkey $DH_KEYLENGTH
else
${PROJECT_NAME}-addcert -e $WIKI_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
fi
check_certificates $WIKI_DOMAIN_NAME
fi
ln -s /usr/share/dokuwiki /var/www/$WIKI_DOMAIN_NAME/htdocs ln -s /usr/share/dokuwiki /var/www/$WIKI_DOMAIN_NAME/htdocs
@ -7002,6 +6994,15 @@ function install_wiki {
echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
echo '}' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo '}' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
if [ ! -f /etc/ssl/certs/$WIKI_DOMAIN_NAME.dhparam ]; then
if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
${PROJECT_NAME}-addcert -h $WIKI_DOMAIN_NAME --dhkey $DH_KEYLENGTH
else
${PROJECT_NAME}-addcert -e $WIKI_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
fi
check_certificates $WIKI_DOMAIN_NAME
fi
configure_php configure_php
nginx_ensite $WIKI_DOMAIN_NAME nginx_ensite $WIKI_DOMAIN_NAME
@ -7090,15 +7091,6 @@ function install_blog {
chown -R www-data:www-data /var/www/$FULLBLOG_DOMAIN_NAME/htdocs chown -R www-data:www-data /var/www/$FULLBLOG_DOMAIN_NAME/htdocs
if [ ! -f /etc/ssl/certs/$FULLBLOG_DOMAIN_NAME.dhparam ]; then
if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
${PROJECT_NAME}-addcert -h $FULLBLOG_DOMAIN_NAME --dhkey $DH_KEYLENGTH
else
${PROJECT_NAME}-addcert -e $FULLBLOG_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
fi
check_certificates $FULLBLOG_DOMAIN_NAME
fi
echo 'server {' > /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME echo 'server {' > /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo ' listen 80;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME echo ' listen 80;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo " root /var/www/$FULLBLOG_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME echo " root /var/www/$FULLBLOG_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
@ -7272,6 +7264,15 @@ function install_blog {
echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
echo '}' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME echo '}' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
if [ ! -f /etc/ssl/certs/$FULLBLOG_DOMAIN_NAME.dhparam ]; then
if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
${PROJECT_NAME}-addcert -h $FULLBLOG_DOMAIN_NAME --dhkey $DH_KEYLENGTH
else
${PROJECT_NAME}-addcert -e $FULLBLOG_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
fi
check_certificates $FULLBLOG_DOMAIN_NAME
fi
configure_php configure_php
# blog settings # blog settings

13
src/freedombone-addcert
View File

@ -205,7 +205,14 @@ if [ $LETSENCRYPT_HOSTNAME ]; then
ln -s /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/fullchain.pem /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem ln -s /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/fullchain.pem /etc/ssl/certs/${LETSENCRYPT_HOSTNAME}.pem
cp /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/fullchain.pem /etc/ssl/mycerts/${LETSENCRYPT_HOSTNAME}.pem cp /etc/letsencrypt/live/${LETSENCRYPT_HOSTNAME}/fullchain.pem /etc/ssl/mycerts/${LETSENCRYPT_HOSTNAME}.pem
systemctl start nginx systemctl start nginx
${PROJECT_NAME}-pin-cert $LETSENCRYPT_HOSTNAME
if [ ! "$?" = "0" ]; then
echo $"Certificate for $LETSENCRYPT_HOSTNAME could not be pinned"
exit 62878
fi
else else
CERTFILE=$HOSTNAME CERTFILE=$HOSTNAME
if [[ $ORGANISATION == "Freedombone-CA" ]]; then if [[ $ORGANISATION == "Freedombone-CA" ]]; then
@ -219,6 +226,12 @@ else
chmod 400 /etc/ssl/private/${CERTFILE}.key chmod 400 /etc/ssl/private/${CERTFILE}.key
chmod 640 /etc/ssl/certs/${CERTFILE}.crt chmod 640 /etc/ssl/certs/${CERTFILE}.crt
cp /etc/ssl/certs/${CERTFILE}.crt /etc/ssl/mycerts cp /etc/ssl/certs/${CERTFILE}.crt /etc/ssl/mycerts
${PROJECT_NAME}-pin-cert $CERTFILE
if [ ! "$?" = "0" ]; then
echo $"Certificate for $CERTFILE could not be pinned"
exit 62879
fi
fi fi
# generate DH params # generate DH params

60
src/freedombone-pin-cert Executable file
View File

@ -0,0 +1,60 @@
#!/bin/bash
#
# .---. . .
# | | |
# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
# | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
# ' ' --' --' -' - -' ' ' -' -' -' ' - --'
#
# Freedom in the Cloud
#
# Performs certificate pinning (HPKP) on a given domain name
# License
# =======
#
# Copyright (C) 2015 Bob Mottram <bob@robotics.uk.to>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
PROJECT_NAME='freedombone'
export TEXTDOMAIN=${PROJECT_NAME}-pin-cert
export TEXTDOMAINDIR="/usr/share/locale"
DOMAIN_NAME=$1
KEY_FILENAME=/etc/ssl/private/${DOMAIN_NAME}.key
SITE_FILENAME=/etc/nginx/sites-available/${DOMAIN_NAME}
if [ ! -f "$KEY_FILENAME" ]; then
echo $"No certificate found for $DOMAIN_NAME"
exit 1
fi
if [ ! -f "$SITE_FILENAME" ]; then
exit 0
fi
KEY_HASH=$(openssl rsa -in $KEY_FILENAME -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)
PIN_HEADER="add_header Public-Key-Pins 'pin-sha256=\"${KEY_HASH}\"; max-age=5184000; includeSubDomains';"
if ! grep -q "add_header Public-Key-Pins" $SITE_FILENAME; then
sed -i "/add_header Access-Control-Allow-Origin.*/a $PIN_HEADER" $SITE_FILENAME
else
sed -i "s/add_header Public-Key-Pins.*/$PIN_HEADER/g" $SITE_FILENAME
fi
systemctl restart nginx
exit 0

4
src/freedombone-renew-cert
View File

@ -73,6 +73,8 @@ function renew_letsencrypt {
# Ensure that links are in place # Ensure that links are in place
ln -s /etc/letsencrypt/live/${HOSTNAME}/privkey.pem /etc/ssl/private/${HOSTNAME}.key ln -s /etc/letsencrypt/live/${HOSTNAME}/privkey.pem /etc/ssl/private/${HOSTNAME}.key
ln -s /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem /etc/ssl/certs/${HOSTNAME}.pem ln -s /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem /etc/ssl/certs/${HOSTNAME}.pem
${PROJECT_NAME}-pin-cert $HOSTNAME
} }
function renew_startssl { function renew_startssl {
@ -171,6 +173,8 @@ function renew_startssl {
echo $'Once you have retrieved the new public certificate paste it to:' echo $'Once you have retrieved the new public certificate paste it to:'
echo $"/etc/ssl/certs/$HOSTNAME.new.crt then run this command again." echo $"/etc/ssl/certs/$HOSTNAME.new.crt then run this command again."
echo '' echo ''
${PROJECT_NAME}-pin-cert $HOSTNAME
} }
while [[ $# > 1 ]] while [[ $# > 1 ]]