free
/
freedombone
关注 1
点赞 0
派生 0
代码 工单 0 合并请求 0 版本发布 0 百科 动态
8717 提交
5 分支
目录树: 89fb7a5886
分支列表 标签列表
${ item.name }
创建分支 ${ searchTerm }
从 '89fb7a5886'
${ noResults }
freedombone/src/freedombone-pin-cert

freedombone-pin-cert 4.3KB
文件历史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135 
  1. #!/bin/bash

  2. #

  3. # .---.                  .              .

  4. # |                      |              |

  5. # |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.

  6. # |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'

  7. # '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'

  8. #

  9. #                    Freedom in the Cloud

  10. #

  11. # Performs certificate pinning (HPKP) on a given domain name

  12. 

  13. # License

  14. # =======

  15. #

  16. # Copyright (C) 2015-2018 Bob Mottram <bob@freedombone.net>

  17. #

  18. # This program is free software: you can redistribute it and/or modify

  19. # it under the terms of the GNU Affero General Public License as published by

  20. # the Free Software Foundation, either version 3 of the License, or

  21. # (at your option) any later version.

  22. #

  23. # This program is distributed in the hope that it will be useful,

  24. # but WITHOUT ANY WARRANTY; without even the implied warranty of

  25. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  26. # GNU Affero General Public License for more details.

  27. #

  28. # You should have received a copy of the GNU Affero General Public License

  29. # along with this program.  If not, see <http://www.gnu.org/licenses/>.

  30. 

  31. PROJECT_NAME='freedombone'

  32. 

  33. export TEXTDOMAIN=${PROJECT_NAME}-pin-cert

  34. export TEXTDOMAINDIR="/usr/share/locale"

  35. 

  36. WEBSITES_DIRECTORY=/etc/nginx/sites-available

  37. 

  38. # 90 days

  39. PIN_MAX_AGE=7776000

  40. 

  41. function pin_all_certs {

  42.     if [ ! -d $WEBSITES_DIRECTORY ]; then

  43.         return

  44.     fi

  45. 

  46.     cd $WEBSITES_DIRECTORY || exit 2468724684

  47.     for file in $(dir -d "*") ; do

  48.         if grep -q "Public-Key-Pins" "$file"; then

  49.             DOMAIN_NAME=$file

  50.             KEY_FILENAME=/etc/ssl/private/${DOMAIN_NAME}.key

  51.             if [ -f "$KEY_FILENAME" ]; then

  52.                 BACKUP_KEY_FILENAME=/etc/ssl/certs/${DOMAIN_NAME}.pem

  53.                 if [ -f "$BACKUP_KEY_FILENAME" ]; then

  54.                     KEY_HASH=$(openssl rsa -in "$KEY_FILENAME" -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)

  55.                     BACKUP_KEY_HASH=$(openssl rsa -in "$BACKUP_KEY_FILENAME" -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)

  56.                     if [ ${#BACKUP_KEY_HASH} -gt 5 ]; then

  57. 

  58.                         PIN_HEADER="Public-Key-Pins 'pin-sha256=\"${KEY_HASH}\"; pin-sha256=\"${BACKUP_KEY_HASH}\"; max-age=${PIN_MAX_AGE}; includeSubDomains';"

  59.                         sed -i "s|Public-Key-Pins.*|${PIN_HEADER}|g" "$file"

  60.                         echo $"Pinned $DOMAIN_NAME with keys $KEY_HASH $BACKUP_KEY_HASH"

  61.                     fi

  62.                 fi

  63.             fi

  64.         fi

  65.     done

  66. }

  67. 

  68. if [[ "$1" == "all" ]]; then

  69.     pin_all_certs

  70.     systemctl restart nginx

  71.     exit 0

  72. fi

  73. 

  74. DOMAIN_NAME=$1

  75. REMOVE=$2

  76. KEY_FILENAME=/etc/ssl/private/${DOMAIN_NAME}.key

  77. BACKUP_KEY_FILENAME=/etc/ssl/certs/${DOMAIN_NAME}.pem

  78. SITE_FILENAME=$WEBSITES_DIRECTORY/${DOMAIN_NAME}

  79. 

  80. if [ ! "${DOMAIN_NAME}" ]; then

  81.     exit 0

  82. fi

  83. 

  84. if [ ! -f "$SITE_FILENAME" ]; then

  85.     exit 0

  86. fi

  87. 

  88. if [[ $REMOVE == "remove" ]]; then

  89.     if grep -q "Public-Key-Pins" "$SITE_FILENAME"; then

  90.         sed -i "/Public-Key-Pins/d" "$SITE_FILENAME"

  91.         echo $"Removed pinning for ${DOMAIN_NAME}"

  92.         systemctl restart nginx

  93.     fi

  94.     exit 0

  95. fi

  96. 

  97. if [ ! -f "$KEY_FILENAME" ]; then

  98.     echo $"No private key certificate found for $DOMAIN_NAME"

  99.     exit 1

  100. fi

  101. 

  102. if [ ! -f "$BACKUP_KEY_FILENAME" ]; then

  103.     echo $"No fullchain certificate found for $DOMAIN_NAME"

  104.     exit 2

  105. fi

  106. 

  107. KEY_HASH=$(openssl rsa -in "$KEY_FILENAME" -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)

  108. BACKUP_KEY_HASH=$(openssl rsa -in "$BACKUP_KEY_FILENAME" -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)

  109. 

  110. if [ ${#KEY_HASH} -lt 5 ]; then

  111.     echo 'Pin hash unexpectedly short'

  112.     exit 3

  113. fi

  114. 

  115. if [ ${#BACKUP_KEY_HASH} -lt 5 ]; then

  116.     echo 'Backup pin hash unexpectedly short'

  117.     exit 4

  118. fi

  119. 

  120. PIN_HEADER="Public-Key-Pins 'pin-sha256=\"${KEY_HASH}\"; pin-sha256=\"${BACKUP_KEY_HASH}\"; max-age=5184000; includeSubDomains';"

  121. if ! grep -q "Public-Key-Pins" "$SITE_FILENAME"; then

  122.     sed -i "/ssl_ciphers.*/a     add_header ${PIN_HEADER}" "$SITE_FILENAME"

  123. else

  124.     sed -i "s|Public-Key-Pins.*|${PIN_HEADER}|g" "$SITE_FILENAME"

  125. fi

  126. 

  127. systemctl restart nginx

  128. 

  129. if ! grep -q "add_header Public-Key-Pins" "$SITE_FILENAME"; then

  130.     echo $'Pinning failed'

  131. fi

  132. 

  133. echo "Pinned $DOMAIN_NAME with keys $KEY_HASH $BACKUP_KEY_HASH"

  134. 

  135. exit 0