-#!/bin/sh
-#
-# Install a signed certificate, placing a complimentary copy in the
-# user's homedir. Also grant user domtool permissions.
-#
-# If the certificate comes from the USER's home directory, then don't
-# place an extra copy there.
-#
-# Run this on deleuze as an admin.
-#
-# Usage: ca-install user domain cert-file.pem [key-file.pem]
-
-# Check arguments
-if test -n "$5"; then
- echo "Error: Too many arguments"
- exit 1
-elif test -z "$3"; then
- echo "Error: Not enough arguments"
- exit 1
-else
- USER=$1
- DOMAIN=$2
- CERT=$3
- KEY=$4
-fi
-
-# Sanity-check some paths
-if test ! -f $CERT; then
- echo "Error: Nonexistent or unreadable cert $CERT"
- exit 1
-fi
-if test -n "$KEY" && test ! -f $KEY; then
- echo "Error: Nonexistent or unreadable key $KEY"
- exit 1
-fi
-
-# Figure out destination for complimentary copy
-APACHE_DEST=/etc/apache2/ssl/user/$DOMAIN.pem
-USERHOME=$(getent passwd $USER | cut -d':' -f 6)
-if test -n "$KEY"; then
- DEST=$(dirname $KEY)/$DOMAIN.pem
-else
- DEST=
-fi
-
-# Perform complimentary copy
-if test -z "$DEST"; then
- echo "No key specified, so skipping complimentary copy"
-elif echo "$CERT" | grep "^$USERHOME" > /dev/null; then
- echo "User already has a cert, skipping the complimentary copy"
-elif test -f $DEST; then
- echo "Not overwriting existing file $DEST"
-else
- echo "Copying signed certificate to user's home directory ..."
- cp $CERT $DEST
- chown $USER:nogroup $DEST
-fi
-echo
-
-# Determine whether we need to concatenate a private key
-if grep "^-----BEGIN RSA PRIVATE KEY-----" $CERT > /dev/null; then
- KEY=
-else
- if test -z "$KEY"; then
- echo "Error: No private key is included with this certificate"
- exit 1
- fi
-fi
-
-# Copy complete certificate to mire
-if test -z "$KEY"; then
- echo "Installing cert to Apache SSL directory ..."
- cat $CERT | ssh mire.hcoop.net sudo tee $APACHE_DEST > /dev/null
-else
- echo "Installing cert to Apache SSL directory, adding key ..."
- cat $CERT $KEY | ssh mire.hcoop.net sudo tee $APACHE_DEST > /dev/null
-fi
-echo
-
-# Grant Domtool permissions
-echo "Granting user Domtool permissions for the cert ..."
-domtool-admin grant $USER cert $APACHE_DEST
+#!/bin/bash
+#
+# Install a signed certificate, placing a complimentary copy in the
+# member's homedir. Validation is done on the certificate before
+# allowing it to be installed. Also grant member domtool permissions
+# for the certificate.
+#
+# If the certificate comes from the member's home directory, then
+# don't place an extra copy there.
+#
+# Run this on deleuze as an admin.
+#
+# Usage: ca-install member domain cert-file.pem [key-file.pem]
+
+function usage () {
+ echo "Usage: ca-install member domain cert-file.pem [key-file.pem]"
+ exit 1
+}
+
+# Check arguments
+if test -n "$5"; then
+ echo "Error: Too many arguments."
+ usage
+elif test -z "$3"; then
+ echo "Error: Not enough arguments."
+ usage
+else
+ MEMBER=$1
+ DOMAIN=$2
+ CERT=$3
+ KEY=$4
+fi
+
+WEBSERVER=mire.hcoop.net
+
+function verify_cert () {
+ if test -z "$2" || test -n "$3"; then
+ echo "Bad programming."
+ exit 1
+ fi
+ local CERT=$1
+ local KEY=$2
+ local MOD1=$(openssl x509 -noout -modulus -in "$CERT" 2>&1)
+ if test $(echo "$MOD1" | wc -c) -lt 500; then
+ echo "Error: Bad x509 part in certificate."
+ exit 1
+ fi
+ local MOD2=$(openssl rsa -noout -modulus -in "$KEY" 2>&1)
+ if test $(echo "$MOD2" | wc -c) -lt 500; then
+ echo "Error: Bad RSA part in certificate or key."
+ exit 1
+ fi
+ if test "$MOD1" != "$MOD2"; then
+ echo "Error: x509 and RSA parts in certificate do not match."
+ exit 1
+ fi
+}
+
+# Make sure we run this from deleuze
+if test "$(hostname -s)" != "deleuze"; then
+ echo "Error: This script must be run from deleuze."
+ exit 1
+fi
+
+# Sanity-check some paths
+if test ! -f "$CERT"; then
+ echo "Error: Nonexistent or unreadable cert $CERT."
+ exit 1
+fi
+if test -n "$KEY" && test ! -f "$KEY"; then
+ echo "Error: Nonexistent or unreadable key $KEY."
+ exit 1
+fi
+
+# Check for valid username
+if ! getent passwd "$MEMBER" > /dev/null; then
+ echo "Error: Invalid user \"$MEMBER\"."
+ exit 1
+fi
+
+# Figure out destination for complimentary copy
+APACHE_DEST=/etc/apache2/ssl/user/$DOMAIN.pem
+MEMBERHOME=$(getent passwd $MEMBER | cut -d':' -f 6)
+if test -n "$KEY"; then
+ DEST="$(dirname $KEY)/$DOMAIN.pem"
+else
+ DEST=
+fi
+
+# Perform complimentary copy
+if test -z "$DEST"; then
+ echo "No key specified, so skipping complimentary copy."
+elif echo "$CERT" | grep "^$MEMBERHOME" > /dev/null; then
+ echo "Member already has a cert, skipping the complimentary copy."
+elif test -f "$DEST"; then
+ echo "Not overwriting existing file $DEST."
+else
+ echo "Copying signed certificate to member's home directory ..."
+ cp "$CERT" "$DEST"
+ chown $MEMBER:nogroup "$DEST"
+fi
+echo
+
+# Determine whether we need to concatenate a private key
+if grep "^-----BEGIN RSA PRIVATE KEY-----" "$CERT" > /dev/null; then
+ KEY=
+else
+ if test -z "$KEY"; then
+ echo "Error: No RSA private key is included with this certificate."
+ exit 1
+ fi
+fi
+
+# Verify certificate and key
+echo "Validating certificate ..."
+if test -z "$KEY"; then
+ verify_cert "$CERT" "$CERT"
+else
+ verify_cert "$CERT" "$KEY"
+fi
+echo "Certificate passed validatation."
+echo
+
+# Copy complete certificate to webserver
+if test -z "$KEY"; then
+ echo "Installing certificate to Apache SSL directory ..."
+ < "$CERT" ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
+else
+ echo "Installing certificate and key to Apache SSL directory ..."
+ cat "$CERT" "$KEY" | ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
+fi
+echo
+
+# Grant Domtool permissions
+echo "Granting member Domtool permissions for the certificate ..."
+domtool-admin grant $MEMBER cert "$APACHE_DEST"
+echo
+
+# Tell admin what to do
+echo "Done. Tell $MEMBER that the certificate is available for use at"
+echo " $APACHE_DEST"