#!/bin/bash
# Files managed by this script, all inside the lighttpd configuration directory.
readonly CERT_KEY_FILE="/etc/lighttpd/server.pem"   # certificate followed by private key, kept at mode 0600
readonly PUB_CERT_FILE="/etc/lighttpd/pub-cert.pem" # certificate only, extracted from server.pem
readonly CHAIN_FILE="/etc/lighttpd/chain.pem"       # optional chain file supplied to --import
readonly REDIR_FLAG="/etc/lighttpd/redirect.flag"   # created by --redirect, removed otherwise
op_disable ()
{
  # Remove the installed key/certificate file and the chain file.
  # Exits 0 immediately (no restart) when no key/certificate file exists;
  # exits 1 when the key/certificate file could not be removed.
  if ! [ -e "$CERT_KEY_FILE" ]; then
    exit 0
  fi
  if ! rm -f -- "$CERT_KEY_FILE"; then
    exit 1
  fi
  rm -f -- "$CHAIN_FILE"
}
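op_test ()
{
  # Check that private key $1 and certificate $2 belong together by encrypting
  # a scratch file to the certificate and decrypting it again with the key.
  # Exit codes: 1 usage, 2 key unreadable, 3 cert unreadable, 4-6 mktemp failed,
  # 7 encrypt failed, 8 decrypt failed, 9 round trip mismatch, 0 pair matches.
  # This function always exits, so the caller never restarts lighttpd for a test.
  [ $# -eq 2 ] || exit 1
  local K=$1
  local C=$2
  [ -r "$K" ] || exit 2
  [ -r "$C" ] || exit 3
  # Declare and assign separately so mktemp's status is not masked by 'local'
  local TEST_IN TEST_OUT TEST_DIFF RET
  TEST_IN=$(mktemp --tmpdir bwlp-XXXXXXXX)
  [ -z "$TEST_IN" ] && exit 4
  TEST_OUT=$(mktemp --tmpdir bwlp-XXXXXXXX)
  if [ -z "$TEST_OUT" ]; then
    rm -f -- "$TEST_IN"
    exit 5
  fi
  TEST_DIFF=$(mktemp --tmpdir bwlp-XXXXXXXX)
  if [ -z "$TEST_DIFF" ]; then
    rm -f -- "$TEST_IN" "$TEST_OUT"
    exit 6
  fi
  # Encrypt something, then decrypt again and compare
  RET=0
  date > "$TEST_IN"
  if ! openssl smime -encrypt -binary -aes-256-cbc -in "$TEST_IN" -out "$TEST_OUT" -outform DER "$C"; then
    RET=7
  elif ! openssl smime -decrypt -binary -in "$TEST_OUT" -inform DER -out "$TEST_DIFF" -inkey "$K"; then
    RET=8
  elif ! diff -q "$TEST_IN" "$TEST_DIFF"; then
    RET=9
  fi
  # Scratch files are removed on every path before exiting
  rm -f -- "$TEST_IN" "$TEST_OUT" "$TEST_DIFF"
  exit "$RET" # No restart either way
}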
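op_import ()
{
  # Install an uploaded private key and certificate (plus optional chain).
  # Arguments: $1 - private key file (deleted after import)
  #            $2 - certificate file (deleted after import)
  #            $3 - optional chain file, copied only if openssl can parse it
  # Exit codes: 1 usage, 2 key unreadable, 3 cert unreadable,
  #             4 server.pem could not be written or chmod'ed.
  [ $# -lt 2 ] && exit 1
  local K=$1
  local C=$2
  local CHAIN=$3
  [ -r "$K" ] || exit 2
  [ -r "$C" ] || exit 3
  rm -f -- "$CHAIN_FILE"
  # Create server.pem: certificate first, blank line, then the private key.
  # Remove any previous file and create the new one under umask 077 so the
  # key is never readable by others, not even between creation and the chmod.
  rm -f -- "$CERT_KEY_FILE"
  ( umask 077 && { cat -- "$C"; echo; cat -- "$K"; } > "$CERT_KEY_FILE" ) || exit 4
  chmod 0600 "$CERT_KEY_FILE" || exit 4
  rm -f -- "$C" "$K"
  # If we have a chain file, try to use it as well (only if it parses as a certificate)
  if [ -s "$CHAIN" ]; then
    openssl x509 -noout -hash -in "$CHAIN" >/dev/null 2>&1 && cp -- "$CHAIN" "$CHAIN_FILE"
  fi
  post_setup_hook
  return 0
}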
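op_random ()
{
  # Generate a self-signed RSA-4096 certificate with CN=$1, valid 5000 days,
  # with key and certificate written to the same file.
  # Exit codes: 1 missing or unusable name, 2 openssl failed, 3 chmod failed.
  [ -z "$1" ] && exit 1
  # The name is spliced into the -subj string, where '/' separates DN fields;
  # refuse such a name rather than let extra DN components be injected.
  case "$1" in
    */*) exit 1 ;;
  esac
  rm -f -- "$CHAIN_FILE"
  # Remove any previous file and generate under umask 077 so the private key
  # is not readable by others at any point before the chmod below.
  rm -f -- "$CERT_KEY_FILE"
  ( umask 077 && openssl req -x509 -new -newkey rsa:4096 -keyout "$CERT_KEY_FILE" -out "$CERT_KEY_FILE" -days 5000 -nodes -subj "/C=DE/ST=Nowhere/L=Springfield/O=bwLehrpool/CN=$1" ) || exit 2
  chmod 0600 "$CERT_KEY_FILE" || exit 3
  post_setup_hook
  return 0
}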
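post_setup_hook ()
{
  # Follow-up after a new server.pem is in place: re-extract the public
  # certificate into PUB_CERT_FILE and make sure DH parameters exist.
  # Outputs progress on stdout; a failed certificate extraction is reported
  # on stderr instead of passing silently.
  rm -f -- "$PUB_CERT_FILE"
  if ! openssl x509 -outform pem -in "$CERT_KEY_FILE" -out "$PUB_CERT_FILE"; then
    echo "Warning: could not extract the public certificate to $PUB_CERT_FILE" >&2
  fi
  local -r DHPARAM="/etc/lighttpd/dhparam.pem"
  # Generated only once; a missing or empty file triggers generation
  if ! [ -s "$DHPARAM" ]; then
    echo "Generating DH parameters (this takes a while)..."
    if openssl dhparam -out "$DHPARAM" 2048 >/dev/null 2>&1; then
      echo "done"
    else
      echo "failed"
      # Do not leave a partial file behind: it would be non-empty and skip regeneration next time
      rm -f -- "$DHPARAM"
    fi
  fi
}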
setup_redirect ()
{
  # Create the redirect flag file when REDIR is non-empty, remove it otherwise.
  case "$REDIR" in
    '') rm -f -- "$REDIR_FLAG" ;;
    *) touch -- "$REDIR_FLAG" ;;
  esac
}
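# Argument handling.
# Leading flags: --redirect-only (only update the redirect flag, no operation)
# and --redirect (create the redirect flag). They are followed by one operation:
#   --random <name> | --test <key> <cert> | --import <key> <cert> [chain] | --disable
# Both flag variables are only ever tested for emptiness.
RE_ONLY=
REDIR=
while true; do
  case "$1" in
    --redirect-only)
      RE_ONLY=true
      ;;
    --redirect)
      REDIR=true
      ;;
    *)
      break
      ;;
  esac
  shift
done
setup_redirect
if [ -z "$RE_ONLY" ]; then
  OP=$1
  shift
  case "$OP" in
    --random) op_random "$@" ;;
    --test) op_test "$@" ;;
    --import) op_import "$@" ;;
    --disable) op_disable ;;
    *)
      # The operation was already shifted out of $1; report what was actually given
      echo "Invalid operation: $OP" >&2
      exit 1
      ;;
  esac
fi
sleep .5
# A failed restart must not be reported as success to the caller
systemctl restart lighttpd || exit 10
exit 0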