#!/bin/bash

# Combined server certificate + private key, read by lighttpd
CERTFILE=/etc/lighttpd/server.pem
# Optional CA chain installed next to it (only when --import was given a usable one)
CHAINFILE=/etc/lighttpd/chain.pem

op_disable ()
{
	# Remove the installed certificate (and chain). If no certificate exists
	# there is nothing to do: leave the script right away with status 0, so
	# lighttpd is not restarted. Exit 1 if server.pem cannot be removed.
	if [ ! -e "$CERTFILE" ]; then
		exit 0
	fi
	rm -f -- "$CERTFILE" || exit 1
	# The chain is optional; failing to remove it is not fatal
	rm -f -- "$CHAINFILE"
}

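op_test ()
{
	# Check that private key $1 and certificate $2 belong together: encrypt a
	# small message to the certificate with openssl smime, decrypt it with the
	# key and compare. Always leaves via exit, so the caller never restarts
	# lighttpd for this operation.
	# Exit codes: 0 key and cert match; 1 wrong argument count; 2 key not
	# readable; 3 cert not readable; 4/5/6 mktemp failed; 7 encrypt failed;
	# 8 decrypt failed; 9 round trip produced different data.
	[ $# -eq 2 ] || exit 1
	local K=$1
	local C=$2
	[ -r "$K" ] || exit 2
	[ -r "$C" ] || exit 3
	# Three scratch files: plaintext, ciphertext, decrypted copy. Declaration
	# is separated from assignment so mktemp's exit status is not masked by
	# 'local'. Every file created so far is removed on each failure path.
	local TEST_IN TEST_OUT TEST_DIFF
	TEST_IN=$(mktemp --tmpdir bwlp-XXXXXXXX) || exit 4
	TEST_OUT=$(mktemp --tmpdir bwlp-XXXXXXXX) || { rm -f -- "$TEST_IN"; exit 5; }
	TEST_DIFF=$(mktemp --tmpdir bwlp-XXXXXXXX) || { rm -f -- "$TEST_IN" "$TEST_OUT"; exit 6; }
	date > "$TEST_IN"
	# Collect the result instead of exiting inside the chain, so the scratch
	# files are always deleted before leaving (previously they were left in
	# the temp dir on every run).
	local rv=0
	if ! openssl smime -encrypt -binary -aes-256-cbc -in "$TEST_IN" -out "$TEST_OUT" -outform DER "$C"; then
		rv=7
	elif ! openssl smime -decrypt -binary -in "$TEST_OUT" -inform DER -out "$TEST_DIFF" -inkey "$K"; then
		rv=8
	elif ! diff -q "$TEST_IN" "$TEST_DIFF"; then
		rv=9
	fi
	rm -f -- "$TEST_IN" "$TEST_OUT" "$TEST_DIFF"
	exit "$rv" # No restart either way
}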

op_import ()
{
	[ $# -lt 2 ] && exit 1
	local K=$1
	local C=$2
	local CHAIN=$3
	[ -r "$K" ] || exit 2
	[ -r "$C" ] || exit 3
	rm -f -- "$CHAINFILE"
	# Create server.pem
	cat "$C" "$K" > "$CERTFILE"
	chmod 0600 "$CERTFILE" || exit 4
	rm -f -- "$C" "$K"
	# If we have a chainfile, try to use it aswell
	if [ -s "$CHAIN" ]; then
		openssl x509 -noout -hash -in "$CHAIN" >/dev/null 2>&1 && cp "$CHAIN" "$CHAINFILE"
	fi
}

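op_random ()
{
	# Generate a self-signed RSA-4096 certificate with CN=$1 and write key and
	# cert together into server.pem, dropping any previously installed chain.
	# Returns normally so the caller restarts lighttpd.
	# Exit codes: 1 no CN given; 2 openssl failed; 3 chmod failed.
	[ -z "$1" ] && exit 1
	local CN=$1
	# '/' and '\' are separators/escapes in openssl's -subj syntax; escape
	# them so the CN value cannot add or alter other RDNs of the subject.
	CN=${CN//\\/\\\\}
	CN=${CN//\//\\/}
	rm -f -- "$CHAINFILE"
	# Remove the old file and run openssl under umask 077 so the private key
	# is never created world-readable, whatever mode openssl itself would use
	# for -keyout (this differs between versions).
	rm -f -- "$CERTFILE"
	( umask 077 && openssl req -x509 -new -newkey rsa:4096 -keyout "$CERTFILE" -out "$CERTFILE" -days 5000 -nodes -subj "/C=DE/ST=Nowhere/L=Springfield/O=bwLehrpool/CN=$CN" ) || exit 2
	chmod 0600 "$CERTFILE" || exit 3
}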

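# Usage: install-https --random <cn> | --test <key> <cert>
#                      | --import <key> <cert> [chain] | --disable
# Every operation except --test (which always exits on its own) is followed
# by a lighttpd restart so the new certificate state takes effect.
OP=$1
# Guard the shift: with no arguments at all there is nothing to shift
[ $# -gt 0 ] && shift

case "$OP" in
	--random) op_random "$@" ;;
	--test) op_test "$@" ;;
	--import) op_import "$@" ;;
	--disable) op_disable ;;
	*)
		# $1 has already been shifted away; report the operation actually given
		echo "Invalid operation: $OP" >&2
		exit 1
		;;
esac

# A failed restart means the new certificate is not in use; report it
systemctl restart lighttpd || exit 10

exit 0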