[hcoop/scripts.git] / ca-install

#!/bin/bash
#
# Install a signed certificate, placing a complimentary copy in the
# member's homedir.  Validation is done on the certificate before
# allowing it to be installed.  Also grant member domtool permissions
# for the certificate.
#
# If the certificate comes from the member's home directory, then
# don't place an extra copy there.
#
# Run this on an administrative node while holding admin tokens.
#
# Usage: ca-install member domain cert-file.pem [key-file.pem]

function usage () {
    echo "Usage: ca-install member domain cert-file.pem [key-file.pem] [intermediate-chain.pem]"
    exit 1
}

# Check arguments
if test -n "$6"; then
    echo "Error: Too many arguments."
    usage
elif test -z "$3"; then
    echo "Error: Not enough arguments."
    usage
else
    MEMBER=$1
    DOMAIN=$2
    CERT=$3
    KEY=$4
    CHAIN=$5
fi

WEBSERVERS="shelob.hcoop.net minsky.hcoop.net"

function verify_cert () {
    if test -z "$2" || test -n "$3"; then
        echo "Bad programming."
        exit 1
    fi
    local CERT=$1
    local KEY=$2
    local MOD1=$(openssl x509 -noout -modulus -in "$CERT" 2>&1)
    if test $(echo "$MOD1" | wc -c) -lt 500; then
        echo "Error: Bad x509 part in certificate."
        exit 1
    fi
    local MOD2=$(openssl rsa -noout -modulus -in "$KEY" 2>&1)
    if test $(echo "$MOD2" | wc -c) -lt 500; then
        echo "Error: Bad RSA part in certificate or key."
        exit 1
    fi
    if test "$MOD1" != "$MOD2"; then
        echo "Error: x509 and RSA parts in certificate do not match."
        exit 1
    fi
}

function verify_chain () {
    if test -z "$1" || test -n "$2"; then
	echo "Bad programming."
	exit 1
    fi
    # just make sure the intermediate chain contains a cert, might be
    # nice if this checked if it was used to sign the user's cert
    local CERT=$1
    local MOD1=$(openssl x509 -noout -modulus -in "$CERT" 2>&1)
    if test $(echo "$MOD1" | wc -c) -lt 500; then
        echo "Error: Bad x509 part in intermediate chain."
        exit 1
    fi
}

# Make sure we run this from an admin host...
if test "$(hostname -s)" != "gibran"; then
    echo "Error: This script must be run from gibran."
    exit 1
fi

# Sanity-check some paths
if test ! -f "$CERT"; then
    echo "Error: Nonexistent or unreadable cert $CERT."
    exit 1
fi
if test -n "$KEY" && test ! -f "$KEY"; then
    echo "Error: Nonexistent or unreadable key $KEY."
    exit 1
fi
if test -n "$CHAIN" && test ! -f "$CHAIN"; then
    echo "Error: Nonexistent or unreadable intermediate chain $CHAIN."
    exit 1
fi    

# Check for valid username
if ! getent passwd "$MEMBER" > /dev/null; then
    echo "Error: Invalid user \"$MEMBER\"."
    exit 1
fi

# Figure out destination for complimentary copy
APACHE_DEST=/etc/apache2/ssl/user/$DOMAIN.pem
MEMBERHOME=$(getent passwd $MEMBER | cut -d':' -f 6)
if test -n "$KEY"; then
    DEST="$(dirname $KEY)/$DOMAIN.pem"
else
    DEST=
fi

# Perform complimentary copy
if test -z "$DEST"; then
    echo "No key specified, so skipping complimentary copy."
elif echo "$CERT" | grep "^$MEMBERHOME" > /dev/null; then
    echo "Member already has a cert, skipping the complimentary copy."
elif test -f "$DEST"; then
    echo "Not overwriting existing file $DEST."
else
    echo "Copying signed certificate to member's home directory ..."
    cp "$CERT" "$DEST"
    chown $MEMBER:nogroup "$DEST"
fi
echo

# Determine whether we need to concatenate a private key
if openssl rsa -noout -check -in "$CERT" > /dev/null; then
    KEY=
else
    if test -z "$KEY"; then
        echo "Error: No RSA private key is included with this certificate."
        exit 1
    fi
fi

# Verify certificate and key
echo "Validating certificate ..."
if test -z "$KEY"; then
    verify_cert "$CERT" "$CERT"
else
    verify_cert "$CERT" "$KEY"
fi
if test -n "$CHAIN"; then
    verify_chain "$CHAIN"
fi
echo "Certificate passed validatation."
echo

# Copy complete certificate to webserver
if test -z "$KEY"; then
    echo "Installing certificate to Apache SSL directory ..."
    for WEBSERVER in $WEBSERVERS; do
	< "$CERT" ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
    done
else
    echo "Installing certificate and key to Apache SSL directory ..."
    for WEBSERVER in $WEBSERVERS; do
	cat "$CERT" "$KEY" "$CHAIN" | ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
    done
fi
for WEBSERVER in $WEBSERVERS; do
    ssh $WEBSERVER sudo chmod 400 "$APACHE_DEST" > /dev/null
done
echo

# Grant Domtool permissions
echo "Granting member Domtool permissions for the certificate ..."
domtool-admin grant $MEMBER cert "$APACHE_DEST"
echo

echo "Restarting apache ..."
for WEBSERVER in $WEBSERVERS; do
    ssh $WEBSERVER sudo apache2ctl graceful
done
echo

# Tell admin what to do
echo "Done.  Tell $MEMBER that the certificate is available for use at"
echo "  $APACHE_DEST"
Commit	Line	Data
b7068ae3	1	#!/bin/bash
4c237a24	2	#
4c237a24	3	# Install a signed certificate, placing a complimentary copy in the
139a90c8	4	# member's homedir. Validation is done on the certificate before
	5	# allowing it to be installed. Also grant member domtool permissions
	6	# for the certificate.
4c237a24	7	#
b7068ae3	8	# If the certificate comes from the member's home directory, then
b7068ae3	9	# don't place an extra copy there.
4c237a24	10	#
652feaf6	11	# Run this on an administrative node while holding admin tokens.
4c237a24	12	#
b7068ae3	13	# Usage: ca-install member domain cert-file.pem [key-file.pem]
	14
	15	function usage () {
28174df8	16	echo "Usage: ca-install member domain cert-file.pem [key-file.pem] [intermediate-chain.pem]"
b7068ae3	17	exit 1
b7068ae3	18	}
4c237a24	19
4c237a24	20	# Check arguments
28174df8	21	if test -n "$6"; then
b7068ae3	22	echo "Error: Too many arguments."
b7068ae3	23	usage
4c237a24	24	elif test -z "$3"; then
b7068ae3	25	echo "Error: Not enough arguments."
b7068ae3	26	usage
4c237a24	27	else
b7068ae3	28	MEMBER=$1
4c237a24	29	DOMAIN=$2
	30	CERT=$3
	31	KEY=$4
28174df8	32	CHAIN=$5
4c237a24	33	fi
4c237a24	34
e7dafc9b	35	WEBSERVERS="shelob.hcoop.net minsky.hcoop.net"
b7068ae3	36
	37	function verify_cert () {
	38	if test -z "$2" \|\| test -n "$3"; then
	39	echo "Bad programming."
	40	exit 1
	41	fi
	42	local CERT=$1
	43	local KEY=$2
	44	local MOD1=$(openssl x509 -noout -modulus -in "$CERT" 2>&1)
	45	if test $(echo "$MOD1" \| wc -c) -lt 500; then
	46	echo "Error: Bad x509 part in certificate."
	47	exit 1
	48	fi
	49	local MOD2=$(openssl rsa -noout -modulus -in "$KEY" 2>&1)
	50	if test $(echo "$MOD2" \| wc -c) -lt 500; then
	51	echo "Error: Bad RSA part in certificate or key."
	52	exit 1
	53	fi
	54	if test "$MOD1" != "$MOD2"; then
	55	echo "Error: x509 and RSA parts in certificate do not match."
	56	exit 1
	57	fi
	58	}
	59
28174df8 CE	60	function verify_chain () {
	61	if test -z "$1" \|\| test -n "$2"; then
	62	echo "Bad programming."
	63	exit 1
	64	fi
	65	# just make sure the intermediate chain contains a cert, might be
	66	# nice if this checked if it was used to sign the user's cert
	67	local CERT=$1
	68	local MOD1=$(openssl x509 -noout -modulus -in "$CERT" 2>&1)
	69	if test $(echo "$MOD1" \| wc -c) -lt 500; then
	70	echo "Error: Bad x509 part in intermediate chain."
	71	exit 1
	72	fi
	73	}
	74
652feaf6	75	# Make sure we run this from an admin host...
00034618	76	if test "$(hostname -s)" != "gibran"; then
6d76f213	77	echo "Error: This script must be run from gibran."
b7068ae3	78	exit 1
	79	fi
	80
4c237a24	81	# Sanity-check some paths
b7068ae3	82	if test ! -f "$CERT"; then
b7068ae3	83	echo "Error: Nonexistent or unreadable cert $CERT."
4c237a24	84	exit 1
4c237a24	85	fi
b7068ae3	86	if test -n "$KEY" && test ! -f "$KEY"; then
b7068ae3	87	echo "Error: Nonexistent or unreadable key $KEY."
4c237a24	88	exit 1
28174df8 CE	89	fi
	90	if test -n "$CHAIN" && test ! -f "$CHAIN"; then
	91	echo "Error: Nonexistent or unreadable intermediate chain $CHAIN."
	92	exit 1
4c237a24	93	fi
4c237a24	94
b7068ae3	95	# Check for valid username
	96	if ! getent passwd "$MEMBER" > /dev/null; then
	97	echo "Error: Invalid user \"$MEMBER\"."
	98	exit 1
	99	fi
	100
4c237a24	101	# Figure out destination for complimentary copy
4c237a24	102	APACHE_DEST=/etc/apache2/ssl/user/$DOMAIN.pem
b7068ae3	103	MEMBERHOME=$(getent passwd $MEMBER \| cut -d':' -f 6)
4c237a24	104	if test -n "$KEY"; then
b7068ae3	105	DEST="$(dirname $KEY)/$DOMAIN.pem"
4c237a24	106	else
	107	DEST=
	108	fi
	109
	110	# Perform complimentary copy
	111	if test -z "$DEST"; then
b7068ae3	112	echo "No key specified, so skipping complimentary copy."
	113	elif echo "$CERT" \| grep "^$MEMBERHOME" > /dev/null; then
	114	echo "Member already has a cert, skipping the complimentary copy."
	115	elif test -f "$DEST"; then
	116	echo "Not overwriting existing file $DEST."
4c237a24	117	else
b7068ae3	118	echo "Copying signed certificate to member's home directory ..."
	119	cp "$CERT" "$DEST"
	120	chown $MEMBER:nogroup "$DEST"
4c237a24	121	fi
	122	echo
	123
	124	# Determine whether we need to concatenate a private key
53aedbca	125	if openssl rsa -noout -check -in "$CERT" > /dev/null; then
4c237a24	126	KEY=
	127	else
	128	if test -z "$KEY"; then
b7068ae3	129	echo "Error: No RSA private key is included with this certificate."
4c237a24	130	exit 1
	131	fi
	132	fi
	133
b7068ae3	134	# Verify certificate and key
b7068ae3	135	echo "Validating certificate ..."
4c237a24	136	if test -z "$KEY"; then
b7068ae3	137	verify_cert "$CERT" "$CERT"
4c237a24	138	else
b7068ae3	139	verify_cert "$CERT" "$KEY"
b7068ae3	140	fi
28174df8 CE	141	if test -n "$CHAIN"; then
	142	verify_chain "$CHAIN"
	143	fi
b7068ae3	144	echo "Certificate passed validatation."
	145	echo
	146
	147	# Copy complete certificate to webserver
	148	if test -z "$KEY"; then
	149	echo "Installing certificate to Apache SSL directory ..."
00034618 CE	150	for WEBSERVER in $WEBSERVERS; do
	151	< "$CERT" ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
	152	done
b7068ae3	153	else
b7068ae3	154	echo "Installing certificate and key to Apache SSL directory ..."
00034618	155	for WEBSERVER in $WEBSERVERS; do
28174df8	156	cat "$CERT" "$KEY" "$CHAIN" \| ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
00034618	157	done
4c237a24	158	fi
00034618 CE	159	for WEBSERVER in $WEBSERVERS; do
	160	ssh $WEBSERVER sudo chmod 400 "$APACHE_DEST" > /dev/null
	161	done
4c237a24	162	echo
	163
	164	# Grant Domtool permissions
b7068ae3	165	echo "Granting member Domtool permissions for the certificate ..."
	166	domtool-admin grant $MEMBER cert "$APACHE_DEST"
	167	echo
	168
13910790	169	echo "Restarting apache ..."
00034618 CE	170	for WEBSERVER in $WEBSERVERS; do
	171	ssh $WEBSERVER sudo apache2ctl graceful
	172	done
13910790	173	echo
13910790	174
b7068ae3	175	# Tell admin what to do
	176	echo "Done. Tell $MEMBER that the certificate is available for use at"
	177	echo " $APACHE_DEST"