#!/bin/bash
#
# Install a signed certificate, placing a complimentary copy in the
# member's home directory. The certificate is validated before it is
# allowed to be installed. The member is also granted domtool
# permissions for the certificate.
#
# If the certificate comes from the member's home directory, then
# don't place an extra copy there.
#
# Run this on deleuze as an admin.
#
# Usage: ca-install member domain cert-file.pem [key-file.pem]
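#######################################
# Print the command-line synopsis and abort.
# The text goes to stderr so it never mixes with the script's normal
# progress output on stdout.
# Arguments: none
# Outputs:   usage line on stderr
# Returns:   does not return; exits 1
#######################################
usage() {
  printf 'Usage: %s\n' "ca-install member domain cert-file.pem [key-file.pem]" >&2
  exit 1
}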
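# Check arguments: a member, a domain and a certificate are required, a
# separate key file is optional. Diagnostics go to stderr; usage() (which
# exits) must already be defined when this runs.
if [[ -n "$5" ]]; then
  echo "Error: Too many arguments." >&2
  usage
elif [[ -z "$3" ]]; then
  echo "Error: Not enough arguments." >&2
  usage
else
  MEMBER=$1   # login name of the member who owns the certificate
  DOMAIN=$2   # domain the certificate is for; also names the Apache file
  CERT=$3     # PEM certificate, possibly with the private key appended
  KEY=$4      # optional PEM private key; empty when not supplied
fi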
# Host that serves the member's domain; the assembled PEM is written there
# over ssh.
WEBSERVER='mire.hcoop.net'
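#######################################
# Check that a PEM certificate and a PEM RSA private key belong together.
# Only the RSA modulus of each side is compared: this proves the key
# matches the certificate but says nothing about the certificate's
# signature chain, validity period or subject.
# Arguments: $1 - certificate file (x509, PEM)
#            $2 - private key file (may be the same file as $1)
# Outputs:   error text on stderr
# Returns:   0 when the moduli match; exits 1 on any failure
#######################################
verify_cert() {
  if [[ -z "$2" || -n "$3" ]]; then
    echo "Bad programming." >&2
    exit 1
  fi
  local cert=$1
  local key=$2
  local mod_cert mod_key
  # openssl's own diagnostics are discarded so that they can never be
  # mistaken for a modulus; a failure leaves the variable empty, which the
  # length test below rejects.
  mod_cert=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null)
  # A 2048-bit key gives "Modulus=" plus 512 hex digits; the threshold also
  # rejects empty output and RSA keys shorter than roughly 2000 bits.
  if (( ${#mod_cert} < 499 )); then
    echo "Error: Bad x509 part in certificate." >&2
    exit 1
  fi
  mod_key=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
  if (( ${#mod_key} < 499 )); then
    echo "Error: Bad RSA part in certificate or key." >&2
    exit 1
  fi
  if [[ "$mod_cert" != "$mod_key" ]]; then
    echo "Error: x509 and RSA parts in certificate do not match." >&2
    exit 1
  fi
}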
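# Make sure we run this from deleuze
if [[ "$(hostname -s)" != "deleuze" ]]; then
  echo "Error: This script must be run from deleuze." >&2
  exit 1
fi

# Sanity-check some paths
if [[ ! -f "$CERT" ]]; then
  echo "Error: Nonexistent or unreadable cert $CERT." >&2
  exit 1
fi
if [[ -n "$KEY" && ! -f "$KEY" ]]; then
  echo "Error: Nonexistent or unreadable key $KEY." >&2
  exit 1
fi

# Check for valid username
if ! getent passwd "$MEMBER" > /dev/null; then
  echo "Error: Invalid user \"$MEMBER\"." >&2
  exit 1
fi

# Check that the domain is a plain host name. It becomes part of a path
# that is sent through ssh to the webserver's shell, so anything other
# than letters, digits, '.', '_', '-' and '*' (wildcard certificates) is
# refused outright instead of being quoted around.
if ! [[ "$DOMAIN" =~ ^[A-Za-z0-9*][A-Za-z0-9._*-]*$ ]]; then
  echo "Error: Invalid domain \"$DOMAIN\"." >&2
  exit 1
fi

# Figure out destination for complimentary copy
APACHE_DEST=/etc/apache2/ssl/user/$DOMAIN.pem
MEMBERHOME=$(getent passwd "$MEMBER" | cut -d':' -f 6)
if [[ -n "$KEY" ]]; then
  DEST="$(dirname -- "$KEY")/$DOMAIN.pem"
else
  DEST=
fi

# Perform complimentary copy. The cert path is canonicalised first so that
# a relative path or a symlink pointing into the home directory is also
# recognised as "already in the member's home".
CERT_ABS=$(readlink -f -- "$CERT" 2>/dev/null) || CERT_ABS=$CERT
if [[ -z "$DEST" ]]; then
  echo "No key specified, so skipping complimentary copy."
elif [[ -n "$MEMBERHOME" && "$CERT_ABS" == "$MEMBERHOME"/* ]]; then
  echo "Member already has a cert, skipping the complimentary copy."
elif [[ -f "$DEST" ]]; then
  echo "Not overwriting existing file $DEST."
else
  echo "Copying signed certificate to member's home directory ..."
  if ! cp -- "$CERT" "$DEST"; then
    echo "Error: Could not copy certificate to $DEST." >&2
    exit 1
  fi
  chown "$MEMBER":nogroup "$DEST"
fi
echo

# Determine whether we need to concatenate a private key. A key already
# embedded in the cert file (PKCS#1 "RSA PRIVATE KEY" or PKCS#8 "PRIVATE
# KEY", both of which openssl rsa reads) takes precedence over a
# separately supplied one.
if grep -q -E '^-----BEGIN (RSA )?PRIVATE KEY-----' -- "$CERT"; then
  KEY=
elif [[ -z "$KEY" ]]; then
  echo "Error: No RSA private key is included with this certificate." >&2
  exit 1
fi

# Verify certificate and key (the key is inside the cert file when KEY is
# empty, so the same file is checked against itself).
echo "Validating certificate ..."
verify_cert "$CERT" "${KEY:-$CERT}"
echo "Certificate passed validation."
echo

# Copy complete certificate to webserver. The destination path is
# shell-quoted because ssh hands the command line to the remote shell for
# re-parsing.
# NOTE(review): tee creates the file with root's umask on the webserver;
# protection of the private key inside relies on the permissions of the
# ssl/user directory itself — confirm it is not world-readable.
REMOTE_DEST=$(printf '%q' "$APACHE_DEST")
rv=0
if [[ -z "$KEY" ]]; then
  echo "Installing certificate to Apache SSL directory ..."
  ssh "$WEBSERVER" sudo tee "$REMOTE_DEST" < "$CERT" > /dev/null || rv=$?
else
  echo "Installing certificate and key to Apache SSL directory ..."
  cat -- "$CERT" "$KEY" | ssh "$WEBSERVER" sudo tee "$REMOTE_DEST" > /dev/null || rv=$?
fi
if (( rv != 0 )); then
  echo "Error: Installing $APACHE_DEST on $WEBSERVER failed." >&2
  exit 1
fi
echo

# Grant Domtool permissions
echo "Granting member Domtool permissions for the certificate ..."
if ! domtool-admin grant "$MEMBER" cert "$APACHE_DEST"; then
  echo "Error: domtool-admin grant failed; $APACHE_DEST is installed but not granted." >&2
  exit 1
fi
echo

# Tell admin what to do
echo "Done. Tell $MEMBER that the certificate is available for use at"
echo " $APACHE_DEST"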