From 28174df8b6b8d3cf68f996035951d2da62857bc5 Mon Sep 17 00:00:00 2001 From: Clinton Ebadi Date: Sun, 31 Mar 2019 15:45:40 -0400 Subject: [PATCH] ca-install: allow installing optional intermediate chain All software nowadays supports storing cert + key + intermediate in one file, adapt ca-install for this format. --- ca-install | 29 ++++++++++++++++++++++++++--- 1 file changed, 26 insertions(+), 3 deletions(-) diff --git a/ca-install b/ca-install index c76206b..5b17734 100755 --- a/ca-install +++ b/ca-install @@ -13,12 +13,12 @@ # Usage: ca-install member domain cert-file.pem [key-file.pem] function usage () { - echo "Usage: ca-install member domain cert-file.pem [key-file.pem]" + echo "Usage: ca-install member domain cert-file.pem [key-file.pem] [intermediate-chain.pem]" exit 1 } # Check arguments -if test -n "$5"; then +if test -n "$6"; then echo "Error: Too many arguments." usage elif test -z "$3"; then @@ -29,6 +29,7 @@ else DOMAIN=$2 CERT=$3 KEY=$4 + CHAIN=$5 fi WEBSERVERS="shelob.hcoop.net minsky.hcoop.net" @@ -56,6 +57,21 @@ function verify_cert () { fi } +function verify_chain () { + if test -z "$1" || test -n "$2"; then + echo "Bad programming." + exit 1 + fi + # just make sure the intermediate chain contains a cert, might be + # nice if this checked if it was used to sign the user's cert + local CERT=$1 + local MOD1=$(openssl x509 -noout -modulus -in "$CERT" 2>&1) + if test $(echo "$MOD1" | wc -c) -lt 500; then + echo "Error: Bad x509 part in intermediate chain." + exit 1 + fi +} + # Make sure we run this from an admin host... if test "$(hostname -s)" != "gibran"; then echo "Error: This script must be run from gibran." @@ -70,6 +86,10 @@ fi if test -n "$KEY" && test ! -f "$KEY"; then echo "Error: Nonexistent or unreadable key $KEY." exit 1 +fi +if test -n "$CHAIN" && test ! -f "$CHAIN"; then + echo "Error: Nonexistent or unreadable intermediate chain $CHAIN." + exit 1 fi # Check for valid username 
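Review bot: In verify_chain the validity decision rests on the byte length of `openssl x509 -modulus` output captured with `2>&1` rather than on openssl's exit status, and `local MOD1=$(...)` discards that status anyway (ShellCheck SC2155), so a parse failure is only caught if its error text happens to be shorter than 500 bytes. `-modulus` is also RSA-specific; an intermediate with an EC key would presumably get only a short "wrong algorithm" style message and be rejected even though it is a valid certificate — worth confirming against the openssl version on gibran. Replacing the `local MOD1=$(openssl x509 -noout -modulus -in "$CERT" 2>&1)` line and the `if test $(echo "$MOD1" | wc -c) -lt 500; then` line with `if ! openssl x509 -noout -in "$CERT" >/dev/null 2>&1; then` checks that the first PEM block parses regardless of key type and reports failure through the exit code. As the comment already notes, this only inspects the first certificate in the file and does not establish that the chain issues the user's certificate.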
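Review bot: The new chain check reports "Nonexistent or unreadable intermediate chain" but `test ! -f "$CHAIN"` only tests that a regular file exists, so a chain file the script cannot read passes here and fails later inside verify_chain with a less specific message. `if test -n "$CHAIN" && { test ! -f "$CHAIN" || test ! -r "$CHAIN"; }; then` would make the check match its message. The adjacent cert and key checks have the same gap, but they are outside this change.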
@@ -118,6 +138,9 @@ if test -z "$KEY"; then else verify_cert "$CERT" "$KEY" fi +if test -n "$CHAIN"; then + verify_chain "$CHAIN" +fi echo "Certificate passed validatation." echo @@ -130,7 +153,7 @@ if test -z "$KEY"; then else echo "Installing certificate and key to Apache SSL directory ..." for WEBSERVER in $WEBSERVERS; do - cat "$CERT" "$KEY" | ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null + cat "$CERT" "$KEY" "$CHAIN" | ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null done fi for WEBSERVER in $WEBSERVERS; do -- 2.20.1
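Review bot: After `verify_chain "$CHAIN"` runs there is still no check that `$CHAIN` actually issues `$CERT`, so a mismatched intermediate is accepted and every web server then serves an incomplete chain; the comment in verify_chain acknowledges this gap. Since both files are in hand at this point, `openssl verify -untrusted "$CHAIN" "$CERT" >/dev/null 2>&1 || { echo "Error: Intermediate chain does not validate $CERT."; exit 1; }` inside the new `if` would catch it, assuming members' certificates chain to a CA in the system trust store; if private CAs are expected, the root would have to be supplied with `-CAfile`.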
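Review bot: `cat "$CERT" "$KEY" "$CHAIN"` passes an empty string as a third filename whenever no chain was given, so for the existing cert+key case cat prints `cat: '': No such file or directory` on every server and exits non-zero; the pipeline status is tee's, so the failure is masked rather than fatal, but the noise will mislead whoever runs the script. `cat "$CERT" "$KEY" ${CHAIN:+"$CHAIN"} | ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null` appends the chain only when it is set. The cert-only branch of the enclosing `if test -z "$KEY"` is outside this hunk and appears not to install the chain at all, which may or may not be intended.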