free
/
freedombone
关注 1
点赞 0
派生 0
代码 工单 0 合并请求 0 版本发布 0 百科 动态
2731 提交
5 分支
目录树: bbbfd9dea0
分支列表 标签列表
${ item.name }
创建分支 ${ searchTerm }
从 'bbbfd9dea0'
${ noResults }
freedombone/src/freedombone-pin-cert

freedombone-pin-cert 2.0KB
文件历史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566 
  1. #!/bin/bash

  2. #

  3. # .---.                  .              .

  4. # |                      |              |

  5. # |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.

  6. # |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'

  7. # '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'

  8. #

  9. #                    Freedom in the Cloud

  10. #

  11. # Performs certificate pinning (HPKP) on a given domain name

  12. 

  13. # License

  14. # =======

  15. #

  16. # Copyright (C) 2015-2016 Bob Mottram <bob@robotics.uk.to>

  17. #

  18. # This program is free software: you can redistribute it and/or modify

  19. # it under the terms of the GNU General Public License as published by

  20. # the Free Software Foundation, either version 3 of the License, or

  21. # (at your option) any later version.

  22. #

  23. # This program is distributed in the hope that it will be useful,

  24. # but WITHOUT ANY WARRANTY; without even the implied warranty of

  25. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

  26. # GNU General Public License for more details.

  27. #

  28. # You should have received a copy of the GNU General Public License

  29. # along with this program. If not, see <http://www.gnu.org/licenses/>.

  30. 

  31. PROJECT_NAME='freedombone'

  32. 

  33. export TEXTDOMAIN=${PROJECT_NAME}-pin-cert

  34. export TEXTDOMAINDIR="/usr/share/locale"

  35. 

  36. DOMAIN_NAME=$1

  37. KEY_FILENAME=/etc/ssl/private/${DOMAIN_NAME}.key

  38. SITE_FILENAME=/etc/nginx/sites-available/${DOMAIN_NAME}

  39. 

  40. if [ ! -f "$KEY_FILENAME" ]; then

  41.     echo $"No certificate found for $DOMAIN_NAME"

  42.     exit 1

  43. fi

  44. 

  45. if [ ! -f "$SITE_FILENAME" ]; then

  46.     exit 0

  47. fi

  48. 

  49. KEY_HASH=$(openssl rsa -in $KEY_FILENAME -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64)

  50. 

  51. PIN_HEADER="add_header Public-Key-Pins 'pin-sha256=\"${KEY_HASH}\"; max-age=5184000; includeSubDomains';"

  52. if ! grep -q "add_header Public-Key-Pins" $SITE_FILENAME; then

  53.     sed -i "/ssl_ciphers.*/a     $PIN_HEADER" $SITE_FILENAME

  54. else

  55.     sed -i "s/add_header Public-Key-Pins.*/$PIN_HEADER/g" $SITE_FILENAME

  56. fi

  57. 

  58. systemctl restart nginx

  59. 

  60. if ! grep -q "add_header Public-Key-Pins" $SITE_FILENAME; then

  61.     echo $'Pinning failed'

  62. fi

  63. 

  64. echo "Pinned $DOMAIN_NAME with hash $KEY_HASH"

  65. 

  66. exit 0