[hcoop/scripts.git] / ca-install

#!/bin/bash
#
# Install a signed certificate, placing a complimentary copy in the
# member's homedir.  Validation is done on the certificate before
# allowing it to be installed.  Also grant member domtool permissions
# for the certificate.
#
# If the certificate comes from the member's home directory, then
# don't place an extra copy there.
#
# Run this on an administrative node while holding admin tokens.
#
# Usage: ca-install member domain cert-file.pem [key-file.pem]

function usage () {
    echo "Usage: ca-install member domain cert-file.pem [key-file.pem]"
    exit 1
}

# Check arguments
if test -n "$5"; then
    echo "Error: Too many arguments."
    usage
elif test -z "$3"; then
    echo "Error: Not enough arguments."
    usage
else
    MEMBER=$1
    DOMAIN=$2
    CERT=$3
    KEY=$4
fi

WEBSERVER=navajos.hcoop.net

function verify_cert () {
    if test -z "$2" || test -n "$3"; then
        echo "Bad programming."
        exit 1
    fi
    local CERT=$1
    local KEY=$2
    local MOD1=$(openssl x509 -noout -modulus -in "$CERT" 2>&1)
    if test $(echo "$MOD1" | wc -c) -lt 500; then
        echo "Error: Bad x509 part in certificate."
        exit 1
    fi
    local MOD2=$(openssl rsa -noout -modulus -in "$KEY" 2>&1)
    if test $(echo "$MOD2" | wc -c) -lt 500; then
        echo "Error: Bad RSA part in certificate or key."
        exit 1
    fi
    if test "$MOD1" != "$MOD2"; then
        echo "Error: x509 and RSA parts in certificate do not match."
        exit 1
    fi
}

# Make sure we run this from an admin host...
if test "$(hostname -s)" != "fritz"; then
    echo "Error: This script must be run from fritz."
    exit 1
fi

# Sanity-check some paths
if test ! -f "$CERT"; then
    echo "Error: Nonexistent or unreadable cert $CERT."
    exit 1
fi
if test -n "$KEY" && test ! -f "$KEY"; then
    echo "Error: Nonexistent or unreadable key $KEY."
    exit 1
fi    

# Check for valid username
if ! getent passwd "$MEMBER" > /dev/null; then
    echo "Error: Invalid user \"$MEMBER\"."
    exit 1
fi

# Figure out destination for complimentary copy
APACHE_DEST=/etc/apache2/ssl/user/$DOMAIN.pem
MEMBERHOME=$(getent passwd $MEMBER | cut -d':' -f 6)
if test -n "$KEY"; then
    DEST="$(dirname $KEY)/$DOMAIN.pem"
else
    DEST=
fi

# Perform complimentary copy
if test -z "$DEST"; then
    echo "No key specified, so skipping complimentary copy."
elif echo "$CERT" | grep "^$MEMBERHOME" > /dev/null; then
    echo "Member already has a cert, skipping the complimentary copy."
elif test -f "$DEST"; then
    echo "Not overwriting existing file $DEST."
else
    echo "Copying signed certificate to member's home directory ..."
    cp "$CERT" "$DEST"
    chown $MEMBER:nogroup "$DEST"
fi
echo

# Determine whether we need to concatenate a private key
if grep "^-----BEGIN RSA PRIVATE KEY-----" "$CERT" > /dev/null; then
    KEY=
else
    if test -z "$KEY"; then
        echo "Error: No RSA private key is included with this certificate."
        exit 1
    fi
fi

# Verify certificate and key
echo "Validating certificate ..."
if test -z "$KEY"; then
    verify_cert "$CERT" "$CERT"
else
    verify_cert "$CERT" "$KEY"
fi
echo "Certificate passed validatation."
echo

# Copy complete certificate to webserver
if test -z "$KEY"; then
    echo "Installing certificate to Apache SSL directory ..."
    < "$CERT" ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
else
    echo "Installing certificate and key to Apache SSL directory ..."
    cat "$CERT" "$KEY" | ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
fi
echo

# Grant Domtool permissions
echo "Granting member Domtool permissions for the certificate ..."
domtool-admin grant $MEMBER cert "$APACHE_DEST"
echo

# Tell admin what to do
echo "Done.  Tell $MEMBER that the certificate is available for use at"
echo "  $APACHE_DEST"
Commit	Line	Data
b7068ae3	1	#!/bin/bash
4c237a24	2	#
4c237a24	3	# Install a signed certificate, placing a complimentary copy in the
139a90c8	4	# member's homedir. Validation is done on the certificate before
	5	# allowing it to be installed. Also grant member domtool permissions
	6	# for the certificate.
4c237a24	7	#
b7068ae3	8	# If the certificate comes from the member's home directory, then
b7068ae3	9	# don't place an extra copy there.
4c237a24	10	#
652feaf6	11	# Run this on an administrative node while holding admin tokens.
4c237a24	12	#
b7068ae3	13	# Usage: ca-install member domain cert-file.pem [key-file.pem]
	14
	15	function usage () {
	16	echo "Usage: ca-install member domain cert-file.pem [key-file.pem]"
	17	exit 1
	18	}
4c237a24	19
	20	# Check arguments
	21	if test -n "$5"; then
b7068ae3	22	echo "Error: Too many arguments."
b7068ae3	23	usage
4c237a24	24	elif test -z "$3"; then
b7068ae3	25	echo "Error: Not enough arguments."
b7068ae3	26	usage
4c237a24	27	else
b7068ae3	28	MEMBER=$1
4c237a24	29	DOMAIN=$2
	30	CERT=$3
	31	KEY=$4
	32	fi
	33
652feaf6	34	WEBSERVER=navajos.hcoop.net
b7068ae3	35
	36	function verify_cert () {
	37	if test -z "$2" \|\| test -n "$3"; then
	38	echo "Bad programming."
	39	exit 1
	40	fi
	41	local CERT=$1
	42	local KEY=$2
	43	local MOD1=$(openssl x509 -noout -modulus -in "$CERT" 2>&1)
	44	if test $(echo "$MOD1" \| wc -c) -lt 500; then
	45	echo "Error: Bad x509 part in certificate."
	46	exit 1
	47	fi
	48	local MOD2=$(openssl rsa -noout -modulus -in "$KEY" 2>&1)
	49	if test $(echo "$MOD2" \| wc -c) -lt 500; then
	50	echo "Error: Bad RSA part in certificate or key."
	51	exit 1
	52	fi
	53	if test "$MOD1" != "$MOD2"; then
	54	echo "Error: x509 and RSA parts in certificate do not match."
	55	exit 1
	56	fi
	57	}
	58
652feaf6 CE	59	# Make sure we run this from an admin host...
	60	if test "$(hostname -s)" != "fritz"; then
	61	echo "Error: This script must be run from fritz."
b7068ae3	62	exit 1
	63	fi
	64
4c237a24	65	# Sanity-check some paths
b7068ae3	66	if test ! -f "$CERT"; then
b7068ae3	67	echo "Error: Nonexistent or unreadable cert $CERT."
4c237a24	68	exit 1
4c237a24	69	fi
b7068ae3	70	if test -n "$KEY" && test ! -f "$KEY"; then
b7068ae3	71	echo "Error: Nonexistent or unreadable key $KEY."
4c237a24	72	exit 1
	73	fi
	74
b7068ae3	75	# Check for valid username
	76	if ! getent passwd "$MEMBER" > /dev/null; then
	77	echo "Error: Invalid user \"$MEMBER\"."
	78	exit 1
	79	fi
	80
4c237a24	81	# Figure out destination for complimentary copy
4c237a24	82	APACHE_DEST=/etc/apache2/ssl/user/$DOMAIN.pem
b7068ae3	83	MEMBERHOME=$(getent passwd $MEMBER \| cut -d':' -f 6)
4c237a24	84	if test -n "$KEY"; then
b7068ae3	85	DEST="$(dirname $KEY)/$DOMAIN.pem"
4c237a24	86	else
	87	DEST=
	88	fi
	89
	90	# Perform complimentary copy
	91	if test -z "$DEST"; then
b7068ae3	92	echo "No key specified, so skipping complimentary copy."
	93	elif echo "$CERT" \| grep "^$MEMBERHOME" > /dev/null; then
	94	echo "Member already has a cert, skipping the complimentary copy."
	95	elif test -f "$DEST"; then
	96	echo "Not overwriting existing file $DEST."
4c237a24	97	else
b7068ae3	98	echo "Copying signed certificate to member's home directory ..."
	99	cp "$CERT" "$DEST"
	100	chown $MEMBER:nogroup "$DEST"
4c237a24	101	fi
	102	echo
	103
	104	# Determine whether we need to concatenate a private key
b7068ae3	105	if grep "^-----BEGIN RSA PRIVATE KEY-----" "$CERT" > /dev/null; then
4c237a24	106	KEY=
	107	else
	108	if test -z "$KEY"; then
b7068ae3	109	echo "Error: No RSA private key is included with this certificate."
4c237a24	110	exit 1
	111	fi
	112	fi
	113
b7068ae3	114	# Verify certificate and key
b7068ae3	115	echo "Validating certificate ..."
4c237a24	116	if test -z "$KEY"; then
b7068ae3	117	verify_cert "$CERT" "$CERT"
4c237a24	118	else
b7068ae3	119	verify_cert "$CERT" "$KEY"
	120	fi
	121	echo "Certificate passed validatation."
	122	echo
	123
	124	# Copy complete certificate to webserver
	125	if test -z "$KEY"; then
	126	echo "Installing certificate to Apache SSL directory ..."
	127	< "$CERT" ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
	128	else
	129	echo "Installing certificate and key to Apache SSL directory ..."
	130	cat "$CERT" "$KEY" \| ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
4c237a24	131	fi
	132	echo
	133
	134	# Grant Domtool permissions
b7068ae3	135	echo "Granting member Domtool permissions for the certificate ..."
	136	domtool-admin grant $MEMBER cert "$APACHE_DEST"
	137	echo
	138
	139	# Tell admin what to do
	140	echo "Done. Tell $MEMBER that the certificate is available for use at"
	141	echo " $APACHE_DEST"