| 1 | #!/bin/bash |
| 2 | # |
| 3 | # Install a signed certificate, placing a complimentary copy in the |
| 4 | # member's homedir. Also grant member domtool permissions for the |
| 5 | # certificate. |
| 6 | # |
| 7 | # If the certificate comes from the member's home directory, then |
| 8 | # don't place an extra copy there. |
| 9 | # |
| 10 | # Run this on deleuze as an admin. |
| 11 | # |
| 12 | # Usage: ca-install member domain cert-file.pem [key-file.pem] |
| 13 | |
| 14 | function usage () { |
| 15 | echo "Usage: ca-install member domain cert-file.pem [key-file.pem]" |
| 16 | exit 1 |
| 17 | } |
| 18 | |
| 19 | # Check arguments |
| 20 | if test -n "$5"; then |
| 21 | echo "Error: Too many arguments." |
| 22 | usage |
| 23 | elif test -z "$3"; then |
| 24 | echo "Error: Not enough arguments." |
| 25 | usage |
| 26 | else |
| 27 | MEMBER=$1 |
| 28 | DOMAIN=$2 |
| 29 | CERT=$3 |
| 30 | KEY=$4 |
| 31 | fi |
| 32 | |
| 33 | WEBSERVER=mire.hcoop.net |
| 34 | |
| 35 | function verify_cert () { |
| 36 | if test -z "$2" || test -n "$3"; then |
| 37 | echo "Bad programming." |
| 38 | exit 1 |
| 39 | fi |
| 40 | local CERT=$1 |
| 41 | local KEY=$2 |
| 42 | local MOD1=$(openssl x509 -noout -modulus -in "$CERT" 2>&1) |
| 43 | if test $(echo "$MOD1" | wc -c) -lt 500; then |
| 44 | echo "Error: Bad x509 part in certificate." |
| 45 | exit 1 |
| 46 | fi |
| 47 | local MOD2=$(openssl rsa -noout -modulus -in "$KEY" 2>&1) |
| 48 | if test $(echo "$MOD2" | wc -c) -lt 500; then |
| 49 | echo "Error: Bad RSA part in certificate or key." |
| 50 | exit 1 |
| 51 | fi |
| 52 | if test "$MOD1" != "$MOD2"; then |
| 53 | echo "Error: x509 and RSA parts in certificate do not match." |
| 54 | exit 1 |
| 55 | fi |
| 56 | } |
| 57 | |
| 58 | # Make sure we run this from deleuze |
| 59 | if test "$(hostname -s)" != "deleuze"; then |
| 60 | echo "Error: This script must be run from deleuze." |
| 61 | exit 1 |
| 62 | fi |
| 63 | |
| 64 | # Sanity-check some paths |
| 65 | if test ! -f "$CERT"; then |
| 66 | echo "Error: Nonexistent or unreadable cert $CERT." |
| 67 | exit 1 |
| 68 | fi |
| 69 | if test -n "$KEY" && test ! -f "$KEY"; then |
| 70 | echo "Error: Nonexistent or unreadable key $KEY." |
| 71 | exit 1 |
| 72 | fi |
| 73 | |
| 74 | # Check for valid username |
| 75 | if ! getent passwd "$MEMBER" > /dev/null; then |
| 76 | echo "Error: Invalid user \"$MEMBER\"." |
| 77 | exit 1 |
| 78 | fi |
| 79 | |
| 80 | # Figure out destination for complimentary copy |
| 81 | APACHE_DEST=/etc/apache2/ssl/user/$DOMAIN.pem |
| 82 | MEMBERHOME=$(getent passwd $MEMBER | cut -d':' -f 6) |
| 83 | if test -n "$KEY"; then |
| 84 | DEST="$(dirname $KEY)/$DOMAIN.pem" |
| 85 | else |
| 86 | DEST= |
| 87 | fi |
| 88 | |
| 89 | # Perform complimentary copy |
| 90 | if test -z "$DEST"; then |
| 91 | echo "No key specified, so skipping complimentary copy." |
| 92 | elif echo "$CERT" | grep "^$MEMBERHOME" > /dev/null; then |
| 93 | echo "Member already has a cert, skipping the complimentary copy." |
| 94 | elif test -f "$DEST"; then |
| 95 | echo "Not overwriting existing file $DEST." |
| 96 | else |
| 97 | echo "Copying signed certificate to member's home directory ..." |
| 98 | cp "$CERT" "$DEST" |
| 99 | chown $MEMBER:nogroup "$DEST" |
| 100 | fi |
| 101 | echo |
| 102 | |
| 103 | # Determine whether we need to concatenate a private key |
| 104 | if grep "^-----BEGIN RSA PRIVATE KEY-----" "$CERT" > /dev/null; then |
| 105 | KEY= |
| 106 | else |
| 107 | if test -z "$KEY"; then |
| 108 | echo "Error: No RSA private key is included with this certificate." |
| 109 | exit 1 |
| 110 | fi |
| 111 | fi |
| 112 | |
| 113 | # Verify certificate and key |
| 114 | echo "Validating certificate ..." |
| 115 | if test -z "$KEY"; then |
| 116 | verify_cert "$CERT" "$CERT" |
| 117 | else |
| 118 | verify_cert "$CERT" "$KEY" |
| 119 | fi |
| 120 | echo "Certificate passed validatation." |
| 121 | echo |
| 122 | |
| 123 | # Copy complete certificate to webserver |
| 124 | if test -z "$KEY"; then |
| 125 | echo "Installing certificate to Apache SSL directory ..." |
| 126 | < "$CERT" ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null |
| 127 | else |
| 128 | echo "Installing certificate and key to Apache SSL directory ..." |
| 129 | cat "$CERT" "$KEY" | ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null |
| 130 | fi |
| 131 | echo |
| 132 | |
| 133 | # Grant Domtool permissions |
| 134 | echo "Granting member Domtool permissions for the certificate ..." |
| 135 | domtool-admin grant $MEMBER cert "$APACHE_DEST" |
| 136 | echo |
| 137 | |
| 138 | # Tell admin what to do |
| 139 | echo "Done. Tell $MEMBER that the certificate is available for use at" |
| 140 | echo " $APACHE_DEST" |