free
/
freedombone
關注 1
收藏 0
複製 0
程式碼 問題 0 合併請求 0 版本發佈 0 Wiki 活動
9068 提交
5 分支
目錄樹: 2b8eddba2f
分支列表 標籤
${ item.name }
建立分支 ${ searchTerm }
from '2b8eddba2f'
${ noResults }
freedombone/src/freedombone-pin-cert

freedombone-pin-cert 4.2KB
歷史記錄 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133 
  1. #!/bin/bash

  2. #  _____               _           _

  3. # |   __|___ ___ ___ _| |___ _____| |_ ___ ___ ___

  4. # |   __|  _| -_| -_| . | . |     | . | . |   | -_|

  5. # |__|  |_| |___|___|___|___|_|_|_|___|___|_|_|___|

  6. #

  7. #                              Freedom in the Cloud

  8. #

  9. # Performs certificate pinning (HPKP) on a given domain name

  10. 

  11. # License

  12. # =======

  13. #

  14. # Copyright (C) 2015-2018 Bob Mottram <bob@freedombone.net>

  15. #

  16. # This program is free software: you can redistribute it and/or modify

  17. # it under the terms of the GNU Affero General Public License as published by

  18. # the Free Software Foundation, either version 3 of the License, or

  19. # (at your option) any later version.

  20. #

  21. # This program is distributed in the hope that it will be useful,

  22. # but WITHOUT ANY WARRANTY; without even the implied warranty of

  23. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  24. # GNU Affero General Public License for more details.

  25. #

  26. # You should have received a copy of the GNU Affero General Public License

  27. # along with this program.  If not, see <http://www.gnu.org/licenses/>.

  28. 

  29. PROJECT_NAME='freedombone'

  30. 

  31. export TEXTDOMAIN=${PROJECT_NAME}-pin-cert

  32. export TEXTDOMAINDIR="/usr/share/locale"

  33. 

  34. WEBSITES_DIRECTORY=/etc/nginx/sites-available

  35. 

  36. # 90 days

  37. PIN_MAX_AGE=7776000

  38. 

  39. function pin_all_certs {

  40.     if [ ! -d $WEBSITES_DIRECTORY ]; then

  41.         return

  42.     fi

  43. 

  44.     cd $WEBSITES_DIRECTORY || exit 2468724684

  45.     for file in $(dir -d "*") ; do

  46.         if grep -q "Public-Key-Pins" "$file"; then

  47.             DOMAIN_NAME=$file

  48.             KEY_FILENAME=/etc/ssl/private/${DOMAIN_NAME}.key

  49.             if [ -f "$KEY_FILENAME" ]; then

  50.                 BACKUP_KEY_FILENAME=/etc/ssl/certs/${DOMAIN_NAME}.pem

  51.                 if [ -f "$BACKUP_KEY_FILENAME" ]; then

  52.                     KEY_HASH=$(openssl rsa -in "$KEY_FILENAME" -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)

  53.                     BACKUP_KEY_HASH=$(openssl rsa -in "$BACKUP_KEY_FILENAME" -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)

  54.                     if [ ${#BACKUP_KEY_HASH} -gt 5 ]; then

  55. 

  56.                         PIN_HEADER="Public-Key-Pins 'pin-sha256=\"${KEY_HASH}\"; pin-sha256=\"${BACKUP_KEY_HASH}\"; max-age=${PIN_MAX_AGE}; includeSubDomains';"

  57.                         sed -i "s|Public-Key-Pins.*|${PIN_HEADER}|g" "$file"

  58.                         echo $"Pinned $DOMAIN_NAME with keys $KEY_HASH $BACKUP_KEY_HASH"

  59.                     fi

  60.                 fi

  61.             fi

  62.         fi

  63.     done

  64. }

  65. 

  66. if [[ "$1" == "all" ]]; then

  67.     pin_all_certs

  68.     systemctl restart nginx

  69.     exit 0

  70. fi

  71. 

  72. DOMAIN_NAME=$1

  73. REMOVE=$2

  74. KEY_FILENAME=/etc/ssl/private/${DOMAIN_NAME}.key

  75. BACKUP_KEY_FILENAME=/etc/ssl/certs/${DOMAIN_NAME}.pem

  76. SITE_FILENAME=$WEBSITES_DIRECTORY/${DOMAIN_NAME}

  77. 

  78. if [ ! "${DOMAIN_NAME}" ]; then

  79.     exit 0

  80. fi

  81. 

  82. if [ ! -f "$SITE_FILENAME" ]; then

  83.     exit 0

  84. fi

  85. 

  86. if [[ $REMOVE == "remove" ]]; then

  87.     if grep -q "Public-Key-Pins" "$SITE_FILENAME"; then

  88.         sed -i "/Public-Key-Pins/d" "$SITE_FILENAME"

  89.         echo $"Removed pinning for ${DOMAIN_NAME}"

  90.         systemctl restart nginx

  91.     fi

  92.     exit 0

  93. fi

  94. 

  95. if [ ! -f "$KEY_FILENAME" ]; then

  96.     echo $"No private key certificate found for $DOMAIN_NAME"

  97.     exit 1

  98. fi

  99. 

  100. if [ ! -f "$BACKUP_KEY_FILENAME" ]; then

  101.     echo $"No fullchain certificate found for $DOMAIN_NAME"

  102.     exit 2

  103. fi

  104. 

  105. KEY_HASH=$(openssl rsa -in "$KEY_FILENAME" -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)

  106. BACKUP_KEY_HASH=$(openssl rsa -in "$BACKUP_KEY_FILENAME" -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)

  107. 

  108. if [ ${#KEY_HASH} -lt 5 ]; then

  109.     echo 'Pin hash unexpectedly short'

  110.     exit 3

  111. fi

  112. 

  113. if [ ${#BACKUP_KEY_HASH} -lt 5 ]; then

  114.     echo 'Backup pin hash unexpectedly short'

  115.     exit 4

  116. fi

  117. 

  118. PIN_HEADER="Public-Key-Pins 'pin-sha256=\"${KEY_HASH}\"; pin-sha256=\"${BACKUP_KEY_HASH}\"; max-age=5184000; includeSubDomains';"

  119. if ! grep -q "Public-Key-Pins" "$SITE_FILENAME"; then

  120.     sed -i "/ssl_ciphers.*/a     add_header ${PIN_HEADER}" "$SITE_FILENAME"

  121. else

  122.     sed -i "s|Public-Key-Pins.*|${PIN_HEADER}|g" "$SITE_FILENAME"

  123. fi

  124. 

  125. systemctl restart nginx

  126. 

  127. if ! grep -q "add_header Public-Key-Pins" "$SITE_FILENAME"; then

  128.     echo $'Pinning failed'

  129. fi

  130. 

  131. echo "Pinned $DOMAIN_NAME with keys $KEY_HASH $BACKUP_KEY_HASH"

  132. 

  133. exit 0