#!/bin/bash
# Files managed by this script (all under the lighttpd config directory).
#   CERT_KEY_FILE - server.pem: private key and certificate (plus optional chain) in one file
#   PUB_CERT_FILE - the certificate alone, extracted from CERT_KEY_FILE
#   CHAIN_FILE    - legacy chain file; only ever removed by this script
#   REDIR_FLAG    - marker file toggled by the --redirect option
readonly CERT_KEY_FILE="/etc/lighttpd/server.pem"
readonly PUB_CERT_FILE="/etc/lighttpd/pub-cert.pem"
readonly CHAIN_FILE="/etc/lighttpd/chain.pem"
readonly REDIR_FLAG="/etc/lighttpd/redirect.flag"
op_disable ()
{
  # Remove the installed server key/certificate (and chain file).
  # Globals: CERT_KEY_FILE, CHAIN_FILE (removed)
  # Exits 0 if nothing is installed (the caller's lighttpd restart is then
  # skipped), exits 1 if the key file could not be removed; otherwise
  # returns normally so the caller restarts lighttpd.
  if ! [ -e "$CERT_KEY_FILE" ]; then
    exit 0
  fi
  if ! rm -f -- "$CERT_KEY_FILE"; then
    exit 1
  fi
  rm -f -- "$CHAIN_FILE"
}
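op_test ()
{
  # Verify that a private key and a certificate belong together: encrypt a
  # small sample for the certificate, decrypt it with the key, and require
  # the round trip to be lossless.
  # Arguments: $1 - private key file, $2 - certificate file
  # This function never returns; it exits with 0 on success, or with a code
  # 1-9 identifying the failed step. Because every path exits, the caller's
  # lighttpd restart is skipped either way.
  [ $# -eq 2 ] || exit 1
  local K=$1
  local C=$2
  [ -r "$K" ] || exit 2
  [ -r "$C" ] || exit 3
  local TEST_IN TEST_OUT TEST_DIFF
  TEST_IN=$(mktemp --tmpdir bwlp-XXXXXXXX)
  TEST_OUT=$(mktemp --tmpdir bwlp-XXXXXXXX)
  TEST_DIFF=$(mktemp --tmpdir bwlp-XXXXXXXX)
  # Remove the scratch files on every exit path; previously they were left
  # behind in the temp directory after each run. The names are expanded and
  # shell-quoted (%q) now, because these locals are not reliably in scope
  # when the EXIT trap eventually runs.
  trap "rm -f -- $(printf '%q ' "$TEST_IN" "$TEST_OUT" "$TEST_DIFF")" EXIT
  [ -z "$TEST_IN" ] && exit 4
  [ -z "$TEST_OUT" ] && exit 5
  [ -z "$TEST_DIFF" ] && exit 6
  date > "$TEST_IN"
  openssl smime -encrypt -binary -aes-256-cbc -in "$TEST_IN" -out "$TEST_OUT" -outform DER "$C" || exit 7
  openssl smime -decrypt -binary -in "$TEST_OUT" -inform DER -out "$TEST_DIFF" -inkey "$K" || exit 8
  diff -q "$TEST_IN" "$TEST_DIFF" || exit 9
  exit 0 # No restart either way
}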
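op_import ()
{
  # Install an externally supplied key and certificate (plus optional chain)
  # as server.pem, then run the post-setup hook.
  # Arguments: $1 - private key file, $2 - certificate file,
  #            $3 - optional chain file; ignored unless it is non-empty,
  #                 parses as a certificate and has balanced PEM markers
  # Side effects: deletes $1 and $2 after a successful import, removes
  # CHAIN_FILE, rewrites CERT_KEY_FILE.
  # Exits 1-4 on failure; returns 0 on success.
  [ $# -lt 2 ] && exit 1
  local K=$1
  local C=$2
  local CHAIN=$3
  [ -r "$K" ] || exit 2
  [ -r "$C" ] || exit 3
  rm -f -- "$CHAIN_FILE"
  # Create server.pem. It contains the private key, so it must not be
  # readable by others even between creation and the chmod below: write it
  # from a subshell with a restrictive umask so a newly created file is
  # 0600 from the start.
  (
    umask 077
    {
      cat -- "$C"
      # If we have a chainfile, try to use it as well
      if [ -s "$CHAIN" ] && openssl x509 -noout -hash -in "$CHAIN" &> /dev/null \
          && [ "$( grep -c '^-----END' "$CHAIN" )" = "$( grep -c '^-----BEGIN' "$CHAIN" )" ]; then
        echo
        cat -- "$CHAIN"
      fi
      echo
      cat -- "$K"
    } > "$CERT_KEY_FILE"
  ) || exit 4
  # Still needed when server.pem already existed with looser permissions.
  chmod 0600 "$CERT_KEY_FILE" || exit 4
  rm -f -- "$C" "$K"
  post_setup_hook
  return 0
}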
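op_random ()
{
  # Generate a self-signed certificate with a fresh 4096-bit RSA key,
  # writing key and certificate into CERT_KEY_FILE, then run the
  # post-setup hook.
  # Arguments: $1 - CommonName for the certificate subject (required)
  # Side effects: removes CHAIN_FILE, overwrites CERT_KEY_FILE.
  # Exits 1-3 on failure; returns 0 on success.
  [ -z "$1" ] && exit 1
  local CN=$1
  rm -f -- "$CHAIN_FILE"
  # $CN is spliced into the -subj string: a value containing '/' would be
  # parsed by openssl as further DN components rather than as part of the CN.
  # The restrictive umask keeps the private key from being world-readable
  # even transiently, independent of how openssl creates its output file.
  (
    umask 077
    openssl req -x509 -new -newkey rsa:4096 -keyout "$CERT_KEY_FILE" -out "$CERT_KEY_FILE" -days 5000 -nodes \
      -subj "/C=DE/ST=Nowhere/L=Springfield/O=bwLehrpool/CN=$CN"
  ) || exit 2
  chmod 0600 "$CERT_KEY_FILE" || exit 3
  post_setup_hook
  return 0
}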
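post_setup_hook ()
{
  # Derive the public certificate from CERT_KEY_FILE and make sure DH
  # parameters exist. Called after a new server.pem has been installed.
  # Globals: CERT_KEY_FILE (read), PUB_CERT_FILE (rewritten)
  # Returns 0; problems are reported but do not abort, so the caller's
  # lighttpd restart still happens.
  rm -f -- "$PUB_CERT_FILE"
  # Previously a failure here went unnoticed and left no pub-cert.pem behind.
  if ! openssl x509 -outform pem -in "$CERT_KEY_FILE" -out "$PUB_CERT_FILE"; then
    echo "Warning: could not extract public certificate from $CERT_KEY_FILE" >&2
  fi
  local DHPARAM="/etc/lighttpd/dhparam.pem"
  if ! [ -s "$DHPARAM" ]; then
    echo "Generating DH parameters (this takes a while)..."
    if openssl dhparam -out "$DHPARAM" 2048 >/dev/null 2>&1; then
      echo "done"
    else
      echo "failed"
      # Do not leave a partial file behind; -s would accept it next time.
      rm -f -- "$DHPARAM"
    fi
  fi
  return 0
}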
setup_redirect ()
{
  # Keep the redirect flag file in sync with REDIR: present while REDIR is
  # non-empty, absent otherwise.
  # Globals: REDIR (read), REDIR_FLAG (created or removed)
  case "$REDIR" in
    '') rm -f -- "$REDIR_FLAG" ;;
    *) touch -- "$REDIR_FLAG" ;;
  esac
}
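# Command line: [--redirect-only] [--redirect] <--random CN | --test KEY CERT |
#               --import KEY CERT [CHAIN] | --disable>
# Leading flags are consumed first; only non-emptiness of RE_ONLY / REDIR is
# ever tested, the assigned value itself is irrelevant.
RE_ONLY=
REDIR=
while true; do
  case "$1" in
    --redirect-only)
      RE_ONLY=tru
      ;;
    --redirect)
      REDIR=truh
      ;;
    *)
      break
      ;;
  esac
  shift
done
setup_redirect
if [ -z "$RE_ONLY" ]; then
  OP=$1
  shift
  # Each op_* either returns (lighttpd is restarted below) or exits with its
  # own status, in which case no restart happens.
  case "$OP" in
    --random) op_random "$@" ;;
    --test) op_test "$@" ;;
    --import) op_import "$@" ;;
    --disable) op_disable ;;
    *)
      # Report $OP, not $1: the operation has already been shifted off the
      # argument list, so $1 would name the operation's first argument.
      printf 'Invalid operation: %s\n' "$OP" >&2
      exit 1
      ;;
  esac
fi
sleep .5
# NOTE(review): a failed restart is not reported; the script exits 0 here
# regardless of systemctl's status.
systemctl restart lighttpd
exit 0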