From: mwolson_admin
Date: Tue, 1 Apr 2008 05:08:42 +0000 (-0400)
Subject: ca-install: Add verification of cert and overhaul
X-Git-Url: https://git.hcoop.net/hcoop/scripts.git/commitdiff_plain/b7068ae3ae7bbb47c778e5f1e11ac9c1caad45ea
ca-install: Add verification of cert and overhaul
---
diff --git a/ca-install b/ca-install
dissimilarity index 67%
index c053e6b..9fa74bc 100755
--- a/ca-install
+++ b/ca-install
@@ -1,82 +1,140 @@
-#!/bin/sh
-#
-# Install a signed certificate, placing a complimentary copy in the
-# user's homedir. Also grant user domtool permissions.
-#
-# If the certificate comes from the USER's home directory, then don't
-# place an extra copy there.
-#
-# Run this on deleuze as an admin.
-#
-# Usage: ca-install user domain cert-file.pem [key-file.pem]
-
-# Check arguments
-if test -n "$5"; then
- echo "Error: Too many arguments"
- exit 1
-elif test -z "$3"; then
- echo "Error: Not enough arguments"
- exit 1
-else
- USER=$1
- DOMAIN=$2
- CERT=$3
- KEY=$4
-fi
-
-# Sanity-check some paths
-if test ! -f $CERT; then
- echo "Error: Nonexistent or unreadable cert $CERT"
- exit 1
-fi
-if test -n "$KEY" && test ! -f $KEY; then
- echo "Error: Nonexistent or unreadable key $KEY"
- exit 1
-fi
-
-# Figure out destination for complimentary copy
-APACHE_DEST=/etc/apache2/ssl/user/$DOMAIN.pem
-USERHOME=$(getent passwd $USER | cut -d':' -f 6)
-if test -n "$KEY"; then
- DEST=$(dirname $KEY)/$DOMAIN.pem
-else
- DEST=
-fi
-
-# Perform complimentary copy
-if test -z "$DEST"; then
- echo "No key specified, so skipping complimentary copy"
-elif echo "$CERT" | grep "^$USERHOME" > /dev/null; then
- echo "User already has a cert, skipping the complimentary copy"
-elif test -f $DEST; then
- echo "Not overwriting existing file $DEST"
-else
- echo "Copying signed certificate to user's home directory ..."
- cp $CERT $DEST
- chown $USER:nogroup $DEST
-fi
-echo
-
-# Determine whether we need to concatenate a private key
-if grep "^-----BEGIN RSA PRIVATE KEY-----" $CERT > /dev/null; then
- KEY=
-else
- if test -z "$KEY"; then
- echo "Error: No private key is included with this certificate"
- exit 1
- fi
-fi
-
-# Copy complete certificate to mire
-if test -z "$KEY"; then
- echo "Installing cert to Apache SSL directory ..."
- cat $CERT | ssh mire.hcoop.net sudo tee $APACHE_DEST > /dev/null
-else
- echo "Installing cert to Apache SSL directory, adding key ..."
- cat $CERT $KEY | ssh mire.hcoop.net sudo tee $APACHE_DEST > /dev/null
-fi
-echo
-
-# Grant Domtool permissions
-echo "Granting user Domtool permissions for the cert ..."
-domtool-admin grant $USER cert $APACHE_DEST
+#!/bin/bash
+#
+# Install a signed certificate, placing a complimentary copy in the
+# member's homedir. Also grant member domtool permissions for the
+# certificate.
+#
+# If the certificate comes from the member's home directory, then
+# don't place an extra copy there.
+#
+# Run this on deleuze as an admin.
+#
+# Usage: ca-install member domain cert-file.pem [key-file.pem]
+
+function usage () {
+ echo "Usage: ca-install member domain cert-file.pem [key-file.pem]"
+ exit 1
+}
+
+# Check arguments
+if test -n "$5"; then
+ echo "Error: Too many arguments."
+ usage
+elif test -z "$3"; then
+ echo "Error: Not enough arguments."
+ usage
+else
+ MEMBER=$1
+ DOMAIN=$2
+ CERT=$3
+ KEY=$4
+fi
+
+WEBSERVER=mire.hcoop.net
+
+function verify_cert () {
+ if test -z "$2" || test -n "$3"; then
+ echo "Bad programming."
+ exit 1
+ fi
+ local CERT=$1
+ local KEY=$2
+ local MOD1=$(openssl x509 -noout -modulus -in "$CERT" 2>&1)
+ if test $(echo "$MOD1" | wc -c) -lt 500; then
+ echo "Error: Bad x509 part in certificate."
+ exit 1
+ fi
+ local MOD2=$(openssl rsa -noout -modulus -in "$KEY" 2>&1)
+ if test $(echo "$MOD2" | wc -c) -lt 500; then
+ echo "Error: Bad RSA part in certificate or key."
+ exit 1
+ fi
+ if test "$MOD1" != "$MOD2"; then
+ echo "Error: x509 and RSA parts in certificate do not match."
+ exit 1
+ fi
+}
+
+# Make sure we run this from deleuze
+if test "$(hostname -s)" != "deleuze"; then
+ echo "Error: This script must be run from deleuze."
+ exit 1
+fi
+
+# Sanity-check some paths
+if test ! -f "$CERT"; then
+ echo "Error: Nonexistent or unreadable cert $CERT."
+ exit 1
+fi
+if test -n "$KEY" && test ! -f "$KEY"; then
+ echo "Error: Nonexistent or unreadable key $KEY."
+ exit 1
+fi
+
+# Check for valid username
+if ! getent passwd "$MEMBER" > /dev/null; then
+ echo "Error: Invalid user \"$MEMBER\"."
+ exit 1
+fi
+
+# Figure out destination for complimentary copy
+APACHE_DEST=/etc/apache2/ssl/user/$DOMAIN.pem
+MEMBERHOME=$(getent passwd $MEMBER | cut -d':' -f 6)
+if test -n "$KEY"; then
+ DEST="$(dirname $KEY)/$DOMAIN.pem"
+else
+ DEST=
+fi
+
+# Perform complimentary copy
+if test -z "$DEST"; then
+ echo "No key specified, so skipping complimentary copy."
+elif echo "$CERT" | grep "^$MEMBERHOME" > /dev/null; then
+ echo "Member already has a cert, skipping the complimentary copy."
+elif test -f "$DEST"; then
+ echo "Not overwriting existing file $DEST."
+else
+ echo "Copying signed certificate to member's home directory ..."
+ cp "$CERT" "$DEST"
+ chown $MEMBER:nogroup "$DEST"
+fi
+echo
+
+# Determine whether we need to concatenate a private key
+if grep "^-----BEGIN RSA PRIVATE KEY-----" "$CERT" > /dev/null; then
+ KEY=
+else
+ if test -z "$KEY"; then
+ echo "Error: No RSA private key is included with this certificate."
+ exit 1
+ fi
+fi
+
+# Verify certificate and key
+echo "Validating certificate ..."
+if test -z "$KEY"; then
+ verify_cert "$CERT" "$CERT"
+else
+ verify_cert "$CERT" "$KEY"
+fi
+echo "Certificate passed validatation."
+echo
+
+# Copy complete certificate to webserver
+if test -z "$KEY"; then
+ echo "Installing certificate to Apache SSL directory ..."
+ < "$CERT" ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
+else
+ echo "Installing certificate and key to Apache SSL directory ..."
+ cat "$CERT" "$KEY" | ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
+fi
+echo
+
+# Grant Domtool permissions
+echo "Granting member Domtool permissions for the certificate ..."
+domtool-admin grant $MEMBER cert "$APACHE_DEST"
+echo
+
+# Tell admin what to do
+echo "Done. Tell $MEMBER that the certificate is available for use at"
+echo " $APACHE_DEST"
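Review bot: The install step near the end of the hunk (`cat "$CERT" "$KEY" | ssh $WEBSERVER sudo tee "$APACHE_DEST"`, and the `< "$CERT"` branch when the key is already inside the cert file) writes the private key into a file whose mode is left to root's umask on the webserver, so a newly created `$APACHE_DEST` is likely world-readable despite now holding key material. Run tee under a restrictive umask and fix up files that already exist, e.g. `cat "$CERT" "$KEY" | ssh $WEBSERVER "umask 077 && sudo tee '$APACHE_DEST'" > /dev/null` followed by `ssh $WEBSERVER sudo chmod 600 "$APACHE_DEST"`; this is safe provided Apache reads the PEM as root at startup, which is not visible here and should be confirmed. In `verify_cert`, `local MOD1=$(openssl ...)` discards openssl's exit status and the `wc -c ... -lt 500` byte count stands in for it, which rejects any valid modulus below roughly 1960 bits (1024-bit keys fail with "Bad x509 part") while a long openssl error captured via `2>&1` passes the check and only fails later at the comparison with a misleading message; `MOD1=$(openssl x509 -noout -modulus -in "$CERT" 2>/dev/null) || exit 1` is the direct test. `$DOMAIN` also flows unchecked into the root-written path `/etc/apache2/ssl/user/$DOMAIN.pem`, so a value containing `/` would redirect the remote write; a `case "$DOMAIN" in */*) usage ;; esac` guard after argument parsing closes that. The user-facing string `"Certificate passed validatation."` has a typo.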