[clinton/scripts.git] / ca-install

#!/bin/bash
#
# Install a signed certificate, placing a complimentary copy in the
# member's homedir.  Also grant member domtool permissions for the
# certificate.
#
# If the certificate comes from the member's home directory, then
# don't place an extra copy there.
#
# Run this on deleuze as an admin.
#
# Usage: ca-install member domain cert-file.pem [key-file.pem]

function usage () {
    echo "Usage: ca-install member domain cert-file.pem [key-file.pem]"
    exit 1
}

# Check arguments
if test -n "$5"; then
    echo "Error: Too many arguments."
    usage
elif test -z "$3"; then
    echo "Error: Not enough arguments."
    usage
else
    MEMBER=$1
    DOMAIN=$2
    CERT=$3
    KEY=$4
fi

WEBSERVER=mire.hcoop.net

function verify_cert () {
    if test -z "$2" || test -n "$3"; then
        echo "Bad programming."
        exit 1
    fi
    local CERT=$1
    local KEY=$2
    local MOD1=$(openssl x509 -noout -modulus -in "$CERT" 2>&1)
    if test $(echo "$MOD1" | wc -c) -lt 500; then
        echo "Error: Bad x509 part in certificate."
        exit 1
    fi
    local MOD2=$(openssl rsa -noout -modulus -in "$KEY" 2>&1)
    if test $(echo "$MOD2" | wc -c) -lt 500; then
        echo "Error: Bad RSA part in certificate or key."
        exit 1
    fi
    if test "$MOD1" != "$MOD2"; then
        echo "Error: x509 and RSA parts in certificate do not match."
        exit 1
    fi
}

# Make sure we run this from deleuze
if test "$(hostname -s)" != "deleuze"; then
    echo "Error: This script must be run from deleuze."
    exit 1
fi

# Sanity-check some paths
if test ! -f "$CERT"; then
    echo "Error: Nonexistent or unreadable cert $CERT."
    exit 1
fi
if test -n "$KEY" && test ! -f "$KEY"; then
    echo "Error: Nonexistent or unreadable key $KEY."
    exit 1
fi    

# Check for valid username
if ! getent passwd "$MEMBER" > /dev/null; then
    echo "Error: Invalid user \"$MEMBER\"."
    exit 1
fi

# Figure out destination for complimentary copy
APACHE_DEST=/etc/apache2/ssl/user/$DOMAIN.pem
MEMBERHOME=$(getent passwd $MEMBER | cut -d':' -f 6)
if test -n "$KEY"; then
    DEST="$(dirname $KEY)/$DOMAIN.pem"
else
    DEST=
fi

# Perform complimentary copy
if test -z "$DEST"; then
    echo "No key specified, so skipping complimentary copy."
elif echo "$CERT" | grep "^$MEMBERHOME" > /dev/null; then
    echo "Member already has a cert, skipping the complimentary copy."
elif test -f "$DEST"; then
    echo "Not overwriting existing file $DEST."
else
    echo "Copying signed certificate to member's home directory ..."
    cp "$CERT" "$DEST"
    chown $MEMBER:nogroup "$DEST"
fi
echo

# Determine whether we need to concatenate a private key
if grep "^-----BEGIN RSA PRIVATE KEY-----" "$CERT" > /dev/null; then
    KEY=
else
    if test -z "$KEY"; then
        echo "Error: No RSA private key is included with this certificate."
        exit 1
    fi
fi

# Verify certificate and key
echo "Validating certificate ..."
if test -z "$KEY"; then
    verify_cert "$CERT" "$CERT"
else
    verify_cert "$CERT" "$KEY"
fi
echo "Certificate passed validatation."
echo

# Copy complete certificate to webserver
if test -z "$KEY"; then
    echo "Installing certificate to Apache SSL directory ..."
    < "$CERT" ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
else
    echo "Installing certificate and key to Apache SSL directory ..."
    cat "$CERT" "$KEY" | ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
fi
echo

# Grant Domtool permissions
echo "Granting member Domtool permissions for the certificate ..."
domtool-admin grant $MEMBER cert "$APACHE_DEST"
echo

# Tell admin what to do
echo "Done.  Tell $MEMBER that the certificate is available for use at"
echo "  $APACHE_DEST"
Commit	Line	Data
b7068ae3	1	#!/bin/bash
4c237a24	2	#
4c237a24	3	# Install a signed certificate, placing a complimentary copy in the
b7068ae3	4	# member's homedir. Also grant member domtool permissions for the
b7068ae3	5	# certificate.
4c237a24	6	#
b7068ae3	7	# If the certificate comes from the member's home directory, then
b7068ae3	8	# don't place an extra copy there.
4c237a24	9	#
	10	# Run this on deleuze as an admin.
	11	#
b7068ae3	12	# Usage: ca-install member domain cert-file.pem [key-file.pem]
	13
	14	function usage () {
	15	echo "Usage: ca-install member domain cert-file.pem [key-file.pem]"
	16	exit 1
	17	}
4c237a24	18
	19	# Check arguments
	20	if test -n "$5"; then
b7068ae3	21	echo "Error: Too many arguments."
b7068ae3	22	usage
4c237a24	23	elif test -z "$3"; then
b7068ae3	24	echo "Error: Not enough arguments."
b7068ae3	25	usage
4c237a24	26	else
b7068ae3	27	MEMBER=$1
4c237a24	28	DOMAIN=$2
	29	CERT=$3
	30	KEY=$4
	31	fi
	32
b7068ae3	33	WEBSERVER=mire.hcoop.net
	34
	35	function verify_cert () {
	36	if test -z "$2" \|\| test -n "$3"; then
	37	echo "Bad programming."
	38	exit 1
	39	fi
	40	local CERT=$1
	41	local KEY=$2
	42	local MOD1=$(openssl x509 -noout -modulus -in "$CERT" 2>&1)
	43	if test $(echo "$MOD1" \| wc -c) -lt 500; then
	44	echo "Error: Bad x509 part in certificate."
	45	exit 1
	46	fi
	47	local MOD2=$(openssl rsa -noout -modulus -in "$KEY" 2>&1)
	48	if test $(echo "$MOD2" \| wc -c) -lt 500; then
	49	echo "Error: Bad RSA part in certificate or key."
	50	exit 1
	51	fi
	52	if test "$MOD1" != "$MOD2"; then
	53	echo "Error: x509 and RSA parts in certificate do not match."
	54	exit 1
	55	fi
	56	}
	57
	58	# Make sure we run this from deleuze
	59	if test "$(hostname -s)" != "deleuze"; then
	60	echo "Error: This script must be run from deleuze."
	61	exit 1
	62	fi
	63
4c237a24	64	# Sanity-check some paths
b7068ae3	65	if test ! -f "$CERT"; then
b7068ae3	66	echo "Error: Nonexistent or unreadable cert $CERT."
4c237a24	67	exit 1
4c237a24	68	fi
b7068ae3	69	if test -n "$KEY" && test ! -f "$KEY"; then
b7068ae3	70	echo "Error: Nonexistent or unreadable key $KEY."
4c237a24	71	exit 1
	72	fi
	73
b7068ae3	74	# Check for valid username
	75	if ! getent passwd "$MEMBER" > /dev/null; then
	76	echo "Error: Invalid user \"$MEMBER\"."
	77	exit 1
	78	fi
	79
4c237a24	80	# Figure out destination for complimentary copy
4c237a24	81	APACHE_DEST=/etc/apache2/ssl/user/$DOMAIN.pem
b7068ae3	82	MEMBERHOME=$(getent passwd $MEMBER \| cut -d':' -f 6)
4c237a24	83	if test -n "$KEY"; then
b7068ae3	84	DEST="$(dirname $KEY)/$DOMAIN.pem"
4c237a24	85	else
	86	DEST=
	87	fi
	88
	89	# Perform complimentary copy
	90	if test -z "$DEST"; then
b7068ae3	91	echo "No key specified, so skipping complimentary copy."
	92	elif echo "$CERT" \| grep "^$MEMBERHOME" > /dev/null; then
	93	echo "Member already has a cert, skipping the complimentary copy."
	94	elif test -f "$DEST"; then
	95	echo "Not overwriting existing file $DEST."
4c237a24	96	else
b7068ae3	97	echo "Copying signed certificate to member's home directory ..."
	98	cp "$CERT" "$DEST"
	99	chown $MEMBER:nogroup "$DEST"
4c237a24	100	fi
	101	echo
	102
	103	# Determine whether we need to concatenate a private key
b7068ae3	104	if grep "^-----BEGIN RSA PRIVATE KEY-----" "$CERT" > /dev/null; then
4c237a24	105	KEY=
	106	else
	107	if test -z "$KEY"; then
b7068ae3	108	echo "Error: No RSA private key is included with this certificate."
4c237a24	109	exit 1
	110	fi
	111	fi
	112
b7068ae3	113	# Verify certificate and key
b7068ae3	114	echo "Validating certificate ..."
4c237a24	115	if test -z "$KEY"; then
b7068ae3	116	verify_cert "$CERT" "$CERT"
4c237a24	117	else
b7068ae3	118	verify_cert "$CERT" "$KEY"
	119	fi
	120	echo "Certificate passed validatation."
	121	echo
	122
	123	# Copy complete certificate to webserver
	124	if test -z "$KEY"; then
	125	echo "Installing certificate to Apache SSL directory ..."
	126	< "$CERT" ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
	127	else
	128	echo "Installing certificate and key to Apache SSL directory ..."
	129	cat "$CERT" "$KEY" \| ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
4c237a24	130	fi
	131	echo
	132
	133	# Grant Domtool permissions
b7068ae3	134	echo "Granting member Domtool permissions for the certificate ..."
	135	domtool-admin grant $MEMBER cert "$APACHE_DEST"
	136	echo
	137
	138	# Tell admin what to do
	139	echo "Done. Tell $MEMBER that the certificate is available for use at"
	140	echo " $APACHE_DEST"