#!/bin/bash

# Files managed by this script; all live next to the lighttpd configuration.
readonly CERT_KEY_FILE="/etc/lighttpd/server.pem"    # private key + certificate bundle
readonly PUB_CERT_FILE="/etc/lighttpd/pub-cert.pem"  # certificate only, extracted from the bundle
readonly CHAIN_FILE="/etc/lighttpd/chain.pem"        # optional intermediate chain
readonly REDIR_FLAG="/etc/lighttpd/redirect.flag"    # present when --redirect was given

op_disable ()
{
	# Remove the installed key/cert bundle and the chain file.
	# Globals: CERT_KEY_FILE, CHAIN_FILE (read). PUB_CERT_FILE is left as is.
	# Exits 0 right away when no bundle is installed (nothing to restart),
	# exits 1 if the bundle cannot be removed; otherwise returns to the
	# caller so lighttpd gets restarted.
	if ! [ -e "$CERT_KEY_FILE" ]; then
		exit 0
	fi
	if ! rm -f -- "$CERT_KEY_FILE"; then
		exit 1
	fi
	rm -f -- "$CHAIN_FILE"
}

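op_test ()
{
	# Check that private key file $1 and certificate file $2 belong together
	# by encrypting a small payload to the certificate and decrypting it with
	# the key. Always exits: 0 on a successful round trip, otherwise a code
	# naming the failed step (1 usage, 2/3 unreadable input, 4-6 mktemp,
	# 7 encrypt, 8 decrypt, 9 decrypted data differs).
	[ $# -eq 2 ] || exit 1
	local K=$1
	local C=$2
	[ -r "$K" ] || exit 2
	[ -r "$C" ] || exit 3
	local TEST_IN TEST_OUT TEST_DIFF
	TEST_IN=$(mktemp --tmpdir bwlp-XXXXXXXX)
	TEST_OUT=$(mktemp --tmpdir bwlp-XXXXXXXX)
	TEST_DIFF=$(mktemp --tmpdir bwlp-XXXXXXXX)
	# Remove the scratch files on every exit path so nothing is left behind
	# in $TMPDIR. The paths are quoted into the handler now, so it does not
	# depend on these locals still being in scope when the trap runs.
	trap "rm -f -- $(printf '%q ' "$TEST_IN" "$TEST_OUT" "$TEST_DIFF")" EXIT
	[ -z "$TEST_IN" ] && exit 4
	[ -z "$TEST_OUT" ] && exit 5
	[ -z "$TEST_DIFF" ] && exit 6
	# Encrypt something, then decrypt again and compare
	date > "$TEST_IN"
	openssl smime -encrypt -binary -aes-256-cbc -in "$TEST_IN" -out "$TEST_OUT" -outform DER "$C" || exit 7
	openssl smime -decrypt -binary -in "$TEST_OUT" -inform DER -out "$TEST_DIFF" -inkey "$K" || exit 8
	diff -q "$TEST_IN" "$TEST_DIFF" || exit 9
	exit 0 # No restart either way
}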

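op_import ()
{
	# Install an uploaded private key ($1) and certificate ($2), plus an
	# optional chain file ($3), as the lighttpd bundle. The input key and
	# cert files are deleted afterwards. Exits 1 on usage error, 2/3 when
	# key/cert are unreadable, 5 when the bundle cannot be written and 4 when
	# its permissions cannot be set; returns 0 otherwise.
	[ $# -lt 2 ] && exit 1
	local K=$1
	local C=$2
	local CHAIN=$3
	[ -r "$K" ] || exit 2
	[ -r "$C" ] || exit 3
	rm -f -- "$CHAIN_FILE"
	# Create server.pem (certificate first, then the key). The bundle holds
	# the private key, so it is created under a restrictive umask instead of
	# relying on the chmod below: with the default umask the new file would
	# be world-readable until chmod ran. Removing any old file first makes
	# sure the new one really is created with the restricted mode.
	rm -f -- "$CERT_KEY_FILE"
	(
		umask 077
		{
			cat -- "$C"
			echo
			cat -- "$K"
		} > "$CERT_KEY_FILE"
	) || exit 5
	chmod 0600 "$CERT_KEY_FILE" || exit 4
	rm -f -- "$C" "$K"
	# If we have a chainfile, try to use it as well. Only a syntactically
	# valid certificate (as far as openssl x509 parses it) is installed.
	if [ -s "$CHAIN" ]; then
		openssl x509 -noout -hash -in "$CHAIN" >/dev/null 2>&1 && cp -- "$CHAIN" "$CHAIN_FILE"
	fi
	post_setup_hook
	return 0
}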

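op_random ()
{
	# Generate a self-signed RSA-4096 certificate with CN=$1 and install it
	# together with its key as the lighttpd bundle. Exits 1 when no name is
	# given, 2 when openssl fails, 3 when permissions cannot be set;
	# returns 0 otherwise.
	[ -z "$1" ] && exit 1
	# In -subj, '/' separates RDNs and '\' is the escape character; escape
	# both so the supplied name ends up in the CN verbatim and cannot add
	# further subject components.
	local CN=${1//\\/\\\\}
	CN=${CN//\//\\/}
	rm -f -- "$CHAIN_FILE"
	# Key and certificate go into the same file (relies on openssl req
	# appending to -out when it is the same path as -keyout). Generate under
	# a restrictive umask so the private key is never world-readable, even
	# before the chmod below; remove any old file so the mode applies to a
	# freshly created one.
	rm -f -- "$CERT_KEY_FILE"
	(
		umask 077
		openssl req -x509 -new -newkey rsa:4096 -keyout "$CERT_KEY_FILE" -out "$CERT_KEY_FILE" -days 5000 -nodes -subj "/C=DE/ST=Nowhere/L=Springfield/O=bwLehrpool/CN=$CN"
	) || exit 2
	chmod 0600 "$CERT_KEY_FILE" || exit 3
	post_setup_hook
	return 0
}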

post_setup_hook ()
{
	# Run after a new bundle was installed: refresh the public certificate
	# file from the bundle and create DH parameters if they do not exist yet.
	# Globals: CERT_KEY_FILE, PUB_CERT_FILE (read).
	rm -f -- "$PUB_CERT_FILE"
	openssl x509 -outform pem -in "$CERT_KEY_FILE" -out "$PUB_CERT_FILE"
	local DHPARAM="/etc/lighttpd/dhparam.pem"
	# Existing, non-empty parameters are kept; generation is slow.
	[ -s "$DHPARAM" ] && return 0
	echo "Generating DH parameters (this takes a while)..."
	if openssl dhparam -out "$DHPARAM" 2048 >/dev/null 2>&1; then
		echo "done"
		return 0
	fi
	echo "failed"
	# Do not leave a partial/empty file behind, or the next run would skip generation.
	rm -f -- "$DHPARAM"
}

setup_redirect ()
{
	# Record whether --redirect was given by creating or removing the flag
	# file. Globals: REDIR, REDIR_FLAG (read). What consumes the flag is
	# outside this script.
	case "$REDIR" in
	"")
		rm -f -- "$REDIR_FLAG"
		;;
	*)
		touch "$REDIR_FLAG"
		;;
	esac
}

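# Leading flags. Both variables are only ever tested for being non-empty.
RE_ONLY=
REDIR=
while true; do
	case "$1" in
	--redirect-only)
		RE_ONLY=1
		;;
	--redirect)
		REDIR=1
		;;
	*)
		break
		;;
	esac
	shift
done

setup_redirect

if [ -z "$RE_ONLY" ]; then

	OP=$1
	shift

	# The op_* functions exit on error; op_test always exits and op_disable
	# exits when nothing is installed, so only the cases that changed the
	# installed bundle fall through to the restart below.
	case "$OP" in
		--random) op_random "$@" ;;
		--test) op_test "$@" ;;
		--import) op_import "$@" ;;
		--disable) op_disable ;;
		*)
			# Report the operation itself: after the shift above, $1 is
			# already the next argument, not the operation.
			echo "Invalid operation: $OP" >&2
			exit 1
			;;
	esac

fi

# NOTE(review): the restart's status is not propagated -- the script exits 0
# here even if lighttpd failed to restart.
sleep .5
systemctl restart lighttpd

exit 0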