
Option to pin all tls certificates

Bob Mottram 8 years ago
parent
commit
94e5a1ab57
2 changed files with 931 additions and 886 deletions
  1. 51
    6
      src/freedombone-pin-cert
  2. 880
    880
      src/freedombone-sec

+ 51
- 6
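--- a/src/freedombone-pin-cert
+++ b/src/freedombone-pin-cert
@@ -33,10 +33,49 @@
 export TEXTDOMAIN=${PROJECT_NAME}-pin-cert
 export TEXTDOMAINDIR="/usr/share/locale"
 
+WEBSITES_DIRECTORY=/etc/nginx/sites-available
+
+function pin_all_certs {
+    if [ ! -d $WEBSITES_DIRECTORY ]; then
+        return
+    fi
+
+    cd $WEBSITES_DIRECTORY
+    for file in `dir -d *` ; do
+        if grep -q "Public-Key-Pins" $file; then
+            DOMAIN_NAME=$file
+            KEY_FILENAME=/etc/ssl/private/${DOMAIN_NAME}.key
+            if [ -f $KEY_FILENAME ]; then
+                BACKUP_KEY_FILENAME=/etc/ssl/certs/${DOMAIN_NAME}.pem
+                if [ -f $BACKUP_KEY_FILENAME ]; then
+                    KEY_HASH=$(openssl rsa -in $KEY_FILENAME -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)
+                    BACKUP_KEY_HASH=$(openssl rsa -in $BACKUP_KEY_FILENAME -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)
+                    if [ ${#BACKUP_KEY_HASH} -gt 5 ]; then
+
+                        PIN_HEADER="Public-Key-Pins 'pin-sha256=\"${KEY_HASH}\"; pin-sha256=\"${BACKUP_KEY_HASH}\"; max-age=5184000; includeSubDomains';"
+                        sed -i "s|Public-Key-Pins.*|${PIN_HEADER}|g" $file
+                        echo "Pinned $DOMAIN_NAME"
+                    fi
+                fi
+            fi
+        fi
+    done
+}
+
+if [[ $1 == "all" ]]; then
+    pin_all_certs
+    systemctl restart nginx
+    exit 0
+fi
+
 DOMAIN_NAME=$1
 KEY_FILENAME=/etc/ssl/private/${DOMAIN_NAME}.key
 BACKUP_KEY_FILENAME=/etc/ssl/certs/${DOMAIN_NAME}.pem
-SITE_FILENAME=/etc/nginx/sites-available/${DOMAIN_NAME}
+SITE_FILENAME=$WEBSITES_DIRECTORY/${DOMAIN_NAME}
+
+if [ ! -f "$SITE_FILENAME" ]; then
+    exit 0
+fi
 
 if [ ! -f "$KEY_FILENAME" ]; then
     echo $"No private key certificate found for $DOMAIN_NAME"
@@ -45,16 +84,22 @@
 
 if [ ! -f "$BACKUP_KEY_FILENAME" ]; then
     echo $"No fullchain certificate found for $DOMAIN_NAME"
-    exit 1
-fi
-
-if [ ! -f "$SITE_FILENAME" ]; then
-    exit 0
+    exit 2
 fi
 
 KEY_HASH=$(openssl rsa -in $KEY_FILENAME -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)
 BACKUP_KEY_HASH=$(openssl rsa -in $BACKUP_KEY_FILENAME -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)
 
+if [ ${#KEY_HASH} -lt 5 ]; then
+    echo 'Pin hash unexpectedly short'
+    exit 3
+fi
+
+if [ ${#BACKUP_KEY_HASH} -lt 5 ]; then
+    echo 'Backup pin hash unexpectedly short'
+    exit 4
+fi
+
 PIN_HEADER="Public-Key-Pins 'pin-sha256=\"${KEY_HASH}\"; pin-sha256=\"${BACKUP_KEY_HASH}\"; max-age=5184000; includeSubDomains';"
 if ! grep -q "Public-Key-Pins" $SITE_FILENAME; then
     sed -i "/ssl_ciphers.*/a     add_header ${PIN_HEADER}" $SITE_FILENAME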
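Review bot: In the new `pin_all_certs` the rewrite of the header is guarded only by `${#BACKUP_KEY_HASH} -gt 5`, whereas the single-domain path in the second hunk now rejects a short `KEY_HASH` with `exit 3`; if `openssl rsa` fails on the private key inside the loop, the `sed -i` on the next lines writes a header containing `pin-sha256=""` into every matching site file and nginx is then restarted with it. The guard should cover both values: `if [ ${#KEY_HASH} -gt 5 ] && [ ${#BACKUP_KEY_HASH} -gt 5 ]; then`. The `cd $WEBSITES_DIRECTORY` is unchecked and the loop parses listing output with `` `dir -d *` ``; `cd "$WEBSITES_DIRECTORY" || return` and `for file in *; do` iterate the same names without word-splitting on the directory listing, and `$file`, `$KEY_FILENAME` and `$BACKUP_KEY_FILENAME` should be double-quoted like the `"$SITE_FILENAME"` test added in the same hunk. The `if ! grep -q` block at the end of the second hunk closes outside the hunk.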

+ 880
- 880
src/freedombone-sec
File diff suppressed because it is too large