| 1 | #!/bin/bash |
| 2 | # |
| 3 | # Install a signed certificate, placing a complimentary copy in the |
| 4 | # member's homedir. Validation is done on the certificate before |
| 5 | # allowing it to be installed. Also grant member domtool permissions |
| 6 | # for the certificate. |
| 7 | # |
| 8 | # If the certificate comes from the member's home directory, then |
| 9 | # don't place an extra copy there. |
| 10 | # |
| 11 | # Run this on an administrative node while holding admin tokens. |
| 12 | # |
| 13 | # Usage: ca-install member domain cert-file.pem [key-file.pem] |
| 14 | |
| 15 | function usage () { |
| 16 | echo "Usage: ca-install member domain cert-file.pem [key-file.pem] [intermediate-chain.pem]" |
| 17 | exit 1 |
| 18 | } |
| 19 | |
| 20 | # Check arguments |
| 21 | if test -n "$6"; then |
| 22 | echo "Error: Too many arguments." |
| 23 | usage |
| 24 | elif test -z "$3"; then |
| 25 | echo "Error: Not enough arguments." |
| 26 | usage |
| 27 | else |
| 28 | MEMBER=$1 |
| 29 | DOMAIN=$2 |
| 30 | CERT=$3 |
| 31 | KEY=$4 |
| 32 | CHAIN=$5 |
| 33 | fi |
| 34 | |
| 35 | WEBSERVERS="shelob.hcoop.net minsky.hcoop.net" |
| 36 | |
| 37 | function verify_cert () { |
| 38 | if test -z "$2" || test -n "$3"; then |
| 39 | echo "Bad programming." |
| 40 | exit 1 |
| 41 | fi |
| 42 | local CERT=$1 |
| 43 | local KEY=$2 |
| 44 | local MOD1=$(openssl x509 -noout -modulus -in "$CERT" 2>&1) |
| 45 | if test $(echo "$MOD1" | wc -c) -lt 500; then |
| 46 | echo "Error: Bad x509 part in certificate." |
| 47 | exit 1 |
| 48 | fi |
| 49 | local MOD2=$(openssl rsa -noout -modulus -in "$KEY" 2>&1) |
| 50 | if test $(echo "$MOD2" | wc -c) -lt 500; then |
| 51 | echo "Error: Bad RSA part in certificate or key." |
| 52 | exit 1 |
| 53 | fi |
| 54 | if test "$MOD1" != "$MOD2"; then |
| 55 | echo "Error: x509 and RSA parts in certificate do not match." |
| 56 | exit 1 |
| 57 | fi |
| 58 | } |
| 59 | |
| 60 | function verify_chain () { |
| 61 | if test -z "$1" || test -n "$2"; then |
| 62 | echo "Bad programming." |
| 63 | exit 1 |
| 64 | fi |
| 65 | # just make sure the intermediate chain contains a cert, might be |
| 66 | # nice if this checked if it was used to sign the user's cert |
| 67 | local CERT=$1 |
| 68 | local MOD1=$(openssl x509 -noout -modulus -in "$CERT" 2>&1) |
| 69 | if test $(echo "$MOD1" | wc -c) -lt 500; then |
| 70 | echo "Error: Bad x509 part in intermediate chain." |
| 71 | exit 1 |
| 72 | fi |
| 73 | } |
| 74 | |
| 75 | # Make sure we run this from an admin host... |
| 76 | if test "$(hostname -s)" != "gibran"; then |
| 77 | echo "Error: This script must be run from gibran." |
| 78 | exit 1 |
| 79 | fi |
| 80 | |
| 81 | # Sanity-check some paths |
| 82 | if test ! -f "$CERT"; then |
| 83 | echo "Error: Nonexistent or unreadable cert $CERT." |
| 84 | exit 1 |
| 85 | fi |
| 86 | if test -n "$KEY" && test ! -f "$KEY"; then |
| 87 | echo "Error: Nonexistent or unreadable key $KEY." |
| 88 | exit 1 |
| 89 | fi |
| 90 | if test -n "$CHAIN" && test ! -f "$CHAIN"; then |
| 91 | echo "Error: Nonexistent or unreadable intermediate chain $CHAIN." |
| 92 | exit 1 |
| 93 | fi |
| 94 | |
| 95 | # Check for valid username |
| 96 | if ! getent passwd "$MEMBER" > /dev/null; then |
| 97 | echo "Error: Invalid user \"$MEMBER\"." |
| 98 | exit 1 |
| 99 | fi |
| 100 | |
| 101 | # Figure out destination for complimentary copy |
| 102 | APACHE_DEST=/etc/apache2/ssl/user/$DOMAIN.pem |
| 103 | MEMBERHOME=$(getent passwd $MEMBER | cut -d':' -f 6) |
| 104 | if test -n "$KEY"; then |
| 105 | DEST="$(dirname $KEY)/$DOMAIN.pem" |
| 106 | else |
| 107 | DEST= |
| 108 | fi |
| 109 | |
| 110 | # Perform complimentary copy |
| 111 | if test -z "$DEST"; then |
| 112 | echo "No key specified, so skipping complimentary copy." |
| 113 | elif echo "$CERT" | grep "^$MEMBERHOME" > /dev/null; then |
| 114 | echo "Member already has a cert, skipping the complimentary copy." |
| 115 | elif test -f "$DEST"; then |
| 116 | echo "Not overwriting existing file $DEST." |
| 117 | else |
| 118 | echo "Copying signed certificate to member's home directory ..." |
| 119 | cp "$CERT" "$DEST" |
| 120 | chown $MEMBER:nogroup "$DEST" |
| 121 | fi |
| 122 | echo |
| 123 | |
| 124 | # Determine whether we need to concatenate a private key |
| 125 | if openssl rsa -noout -check -in "$CERT" > /dev/null; then |
| 126 | KEY= |
| 127 | else |
| 128 | if test -z "$KEY"; then |
| 129 | echo "Error: No RSA private key is included with this certificate." |
| 130 | exit 1 |
| 131 | fi |
| 132 | fi |
| 133 | |
| 134 | # Verify certificate and key |
| 135 | echo "Validating certificate ..." |
| 136 | if test -z "$KEY"; then |
| 137 | verify_cert "$CERT" "$CERT" |
| 138 | else |
| 139 | verify_cert "$CERT" "$KEY" |
| 140 | fi |
| 141 | if test -n "$CHAIN"; then |
| 142 | verify_chain "$CHAIN" |
| 143 | fi |
| 144 | echo "Certificate passed validatation." |
| 145 | echo |
| 146 | |
| 147 | # Copy complete certificate to webserver |
| 148 | if test -z "$KEY"; then |
| 149 | echo "Installing certificate to Apache SSL directory ..." |
| 150 | for WEBSERVER in $WEBSERVERS; do |
| 151 | < "$CERT" ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null |
| 152 | done |
| 153 | else |
| 154 | echo "Installing certificate and key to Apache SSL directory ..." |
| 155 | for WEBSERVER in $WEBSERVERS; do |
| 156 | cat "$CERT" "$KEY" "$CHAIN" | ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null |
| 157 | done |
| 158 | fi |
| 159 | for WEBSERVER in $WEBSERVERS; do |
| 160 | ssh $WEBSERVER sudo chmod 400 "$APACHE_DEST" > /dev/null |
| 161 | done |
| 162 | echo |
| 163 | |
| 164 | # Grant Domtool permissions |
| 165 | echo "Granting member Domtool permissions for the certificate ..." |
| 166 | domtool-admin grant $MEMBER cert "$APACHE_DEST" |
| 167 | echo |
| 168 | |
| 169 | echo "Restarting apache ..." |
| 170 | for WEBSERVER in $WEBSERVERS; do |
| 171 | ssh $WEBSERVER sudo apache2ctl graceful |
| 172 | done |
| 173 | echo |
| 174 | |
| 175 | # Tell admin what to do |
| 176 | echo "Done. Tell $MEMBER that the certificate is available for use at" |
| 177 | echo " $APACHE_DEST" |