Option to pin all TLS certificates

src/freedombone-pin-cert

@@ -33,26 +33,78 @@ PROJECT_NAME='freedombone'
 export TEXTDOMAIN=${PROJECT_NAME}-pin-cert
 export TEXTDOMAINDIR="/usr/share/locale"
 
+WEBSITES_DIRECTORY=/etc/nginx/sites-available
+
+function pin_all_certs {
+    if [ ! -d $WEBSITES_DIRECTORY ]; then
+        return
+    fi
+
+    cd $WEBSITES_DIRECTORY
+    for file in `dir -d *` ; do
+        if grep -q "Public-Key-Pins" $file; then
+            DOMAIN_NAME=$file
+            KEY_FILENAME=/etc/ssl/private/${DOMAIN_NAME}.key
+            if [ -f $KEY_FILENAME ]; then
+                BACKUP_KEY_FILENAME=/etc/ssl/certs/${DOMAIN_NAME}.pem
+                if [ -f $BACKUP_KEY_FILENAME ]; then
+                    KEY_HASH=$(openssl rsa -in $KEY_FILENAME -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)
+                    BACKUP_KEY_HASH=$(openssl rsa -in $BACKUP_KEY_FILENAME -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)
+                    if [ ${#BACKUP_KEY_HASH} -gt 5 ]; then
+
+                        PIN_HEADER="Public-Key-Pins 'pin-sha256=\"${KEY_HASH}\"; pin-sha256=\"${BACKUP_KEY_HASH}\"; max-age=5184000; includeSubDomains';"
+                        sed -i "s|Public-Key-Pins.*|${PIN_HEADER}|g" $file
+                        echo "Pinned $DOMAIN_NAME with keys $KEY_HASH $BACKUP_KEY_HASH"
+                    fi
+                fi
+            fi
+        fi
+    done
+}
+
+if [[ $1 == "all" ]]; then
+    pin_all_certs
+    systemctl restart nginx
+    exit 0
+fi
+
 DOMAIN_NAME=$1
 KEY_FILENAME=/etc/ssl/private/${DOMAIN_NAME}.key
-SITE_FILENAME=/etc/nginx/sites-available/${DOMAIN_NAME}
+BACKUP_KEY_FILENAME=/etc/ssl/certs/${DOMAIN_NAME}.pem
+SITE_FILENAME=$WEBSITES_DIRECTORY/${DOMAIN_NAME}
+
+if [ ! -f "$SITE_FILENAME" ]; then
+    exit 0
+fi
 
 if [ ! -f "$KEY_FILENAME" ]; then
-    echo $"No certificate found for $DOMAIN_NAME"
+    echo $"No private key certificate found for $DOMAIN_NAME"
     exit 1
 fi
 
-if [ ! -f "$SITE_FILENAME" ]; then
-    exit 0
+if [ ! -f "$BACKUP_KEY_FILENAME" ]; then
+    echo $"No fullchain certificate found for $DOMAIN_NAME"
+    exit 2
 fi
 
 KEY_HASH=$(openssl rsa -in $KEY_FILENAME -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)
+BACKUP_KEY_HASH=$(openssl rsa -in $BACKUP_KEY_FILENAME -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)
 
-PIN_HEADER="add_header Public-Key-Pins 'pin-sha256=\"${KEY_HASH}\"; max-age=5184000; includeSubDomains';"
-if ! grep -q "add_header Public-Key-Pins" $SITE_FILENAME; then
-    sed -i "/ssl_ciphers.*/a     $PIN_HEADER" $SITE_FILENAME
+if [ ${#KEY_HASH} -lt 5 ]; then
+    echo 'Pin hash unexpectedly short'
+    exit 3
+fi
+
+if [ ${#BACKUP_KEY_HASH} -lt 5 ]; then
+    echo 'Backup pin hash unexpectedly short'
+    exit 4
+fi
+
+PIN_HEADER="Public-Key-Pins 'pin-sha256=\"${KEY_HASH}\"; pin-sha256=\"${BACKUP_KEY_HASH}\"; max-age=5184000; includeSubDomains';"
+if ! grep -q "Public-Key-Pins" $SITE_FILENAME; then
+    sed -i "/ssl_ciphers.*/a     add_header ${PIN_HEADER}" $SITE_FILENAME
 else
-    sed -i "s/add_header Public-Key-Pins.*/$PIN_HEADER/g" $SITE_FILENAME
+    sed -i "s|Public-Key-Pins.*|${PIN_HEADER}|g" $SITE_FILENAME
 fi
 
 systemctl restart nginx
@@ -61,6 +113,6 @@ if ! grep -q "add_header Public-Key-Pins" $SITE_FILENAME; then
     echo $'Pinning failed'
 fi
 
-echo "Pinned $DOMAIN_NAME with hash $KEY_HASH"
+echo "Pinned $DOMAIN_NAME with keys $KEY_HASH $BACKUP_KEY_HASH"
 
 exit 0