| 1 | #!/bin/bash |
| 2 | # |
| 3 | # Install a signed certificate, placing a complimentary copy in the |
| 4 | # member's homedir. Validation is done on the certificate before |
| 5 | # allowing it to be installed. Also grant member domtool permissions |
| 6 | # for the certificate. |
| 7 | # |
| 8 | # If the certificate comes from the member's home directory, then |
| 9 | # don't place an extra copy there. |
| 10 | # |
| 11 | # Run this on deleuze as an admin. |
| 12 | # |
| 13 | # Usage: ca-install member domain cert-file.pem [key-file.pem] |
| 14 | |
| 15 | function usage () { |
| 16 | echo "Usage: ca-install member domain cert-file.pem [key-file.pem]" |
| 17 | exit 1 |
| 18 | } |
| 19 | |
| 20 | # Check arguments |
| 21 | if test -n "$5"; then |
| 22 | echo "Error: Too many arguments." |
| 23 | usage |
| 24 | elif test -z "$3"; then |
| 25 | echo "Error: Not enough arguments." |
| 26 | usage |
| 27 | else |
| 28 | MEMBER=$1 |
| 29 | DOMAIN=$2 |
| 30 | CERT=$3 |
| 31 | KEY=$4 |
| 32 | fi |
| 33 | |
| 34 | WEBSERVER=mire.hcoop.net |
| 35 | |
| 36 | function verify_cert () { |
| 37 | if test -z "$2" || test -n "$3"; then |
| 38 | echo "Bad programming." |
| 39 | exit 1 |
| 40 | fi |
| 41 | local CERT=$1 |
| 42 | local KEY=$2 |
| 43 | local MOD1=$(openssl x509 -noout -modulus -in "$CERT" 2>&1) |
| 44 | if test $(echo "$MOD1" | wc -c) -lt 500; then |
| 45 | echo "Error: Bad x509 part in certificate." |
| 46 | exit 1 |
| 47 | fi |
| 48 | local MOD2=$(openssl rsa -noout -modulus -in "$KEY" 2>&1) |
| 49 | if test $(echo "$MOD2" | wc -c) -lt 500; then |
| 50 | echo "Error: Bad RSA part in certificate or key." |
| 51 | exit 1 |
| 52 | fi |
| 53 | if test "$MOD1" != "$MOD2"; then |
| 54 | echo "Error: x509 and RSA parts in certificate do not match." |
| 55 | exit 1 |
| 56 | fi |
| 57 | } |
| 58 | |
| 59 | # Make sure we run this from deleuze |
| 60 | if test "$(hostname -s)" != "deleuze"; then |
| 61 | echo "Error: This script must be run from deleuze." |
| 62 | exit 1 |
| 63 | fi |
| 64 | |
| 65 | # Sanity-check some paths |
| 66 | if test ! -f "$CERT"; then |
| 67 | echo "Error: Nonexistent or unreadable cert $CERT." |
| 68 | exit 1 |
| 69 | fi |
| 70 | if test -n "$KEY" && test ! -f "$KEY"; then |
| 71 | echo "Error: Nonexistent or unreadable key $KEY." |
| 72 | exit 1 |
| 73 | fi |
| 74 | |
| 75 | # Check for valid username |
| 76 | if ! getent passwd "$MEMBER" > /dev/null; then |
| 77 | echo "Error: Invalid user \"$MEMBER\"." |
| 78 | exit 1 |
| 79 | fi |
| 80 | |
| 81 | # Figure out destination for complimentary copy |
| 82 | APACHE_DEST=/etc/apache2/ssl/user/$DOMAIN.pem |
| 83 | MEMBERHOME=$(getent passwd $MEMBER | cut -d':' -f 6) |
| 84 | if test -n "$KEY"; then |
| 85 | DEST="$(dirname $KEY)/$DOMAIN.pem" |
| 86 | else |
| 87 | DEST= |
| 88 | fi |
| 89 | |
| 90 | # Perform complimentary copy |
| 91 | if test -z "$DEST"; then |
| 92 | echo "No key specified, so skipping complimentary copy." |
| 93 | elif echo "$CERT" | grep "^$MEMBERHOME" > /dev/null; then |
| 94 | echo "Member already has a cert, skipping the complimentary copy." |
| 95 | elif test -f "$DEST"; then |
| 96 | echo "Not overwriting existing file $DEST." |
| 97 | else |
| 98 | echo "Copying signed certificate to member's home directory ..." |
| 99 | cp "$CERT" "$DEST" |
| 100 | chown $MEMBER:nogroup "$DEST" |
| 101 | fi |
| 102 | echo |
| 103 | |
| 104 | # Determine whether we need to concatenate a private key |
| 105 | if grep "^-----BEGIN RSA PRIVATE KEY-----" "$CERT" > /dev/null; then |
| 106 | KEY= |
| 107 | else |
| 108 | if test -z "$KEY"; then |
| 109 | echo "Error: No RSA private key is included with this certificate." |
| 110 | exit 1 |
| 111 | fi |
| 112 | fi |
| 113 | |
| 114 | # Verify certificate and key |
| 115 | echo "Validating certificate ..." |
| 116 | if test -z "$KEY"; then |
| 117 | verify_cert "$CERT" "$CERT" |
| 118 | else |
| 119 | verify_cert "$CERT" "$KEY" |
| 120 | fi |
| 121 | echo "Certificate passed validatation." |
| 122 | echo |
| 123 | |
| 124 | # Copy complete certificate to webserver |
| 125 | if test -z "$KEY"; then |
| 126 | echo "Installing certificate to Apache SSL directory ..." |
| 127 | < "$CERT" ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null |
| 128 | else |
| 129 | echo "Installing certificate and key to Apache SSL directory ..." |
| 130 | cat "$CERT" "$KEY" | ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null |
| 131 | fi |
| 132 | echo |
| 133 | |
| 134 | # Grant Domtool permissions |
| 135 | echo "Granting member Domtool permissions for the certificate ..." |
| 136 | domtool-admin grant $MEMBER cert "$APACHE_DEST" |
| 137 | echo |
| 138 | |
| 139 | # Tell admin what to do |
| 140 | echo "Done. Tell $MEMBER that the certificate is available for use at" |
| 141 | echo " $APACHE_DEST" |