#!/bin/sh
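# Abort on the first failing command.  POSIX sh has no pipefail, so the
# openssl pipelines below still have to be validated by their output.
set -e
NGINX_ROOT='/etc/nginx'
HPKPINX_ROOT='/opt/hpkpinx'
# Site settings.  The variables this script reads later (DEPLOY_HPKP,
# STATIC_PIN, HPKP_AGE) are presumably defined here — confirm in config.sh.
# The file is executed as shell code with this script's privileges, so it
# should be owned by root and not group/world-writable.
# 'set -e' would already stop on a missing file, but the shell's own message
# is terse, so name the path explicitly before sourcing it.
[ -r "${HPKPINX_ROOT}/config.sh" ] || {
  printf 'hpkpinx: cannot read %s\n' "${HPKPINX_ROOT}/config.sh" >&2
  exit 1
}
. "${HPKPINX_ROOT}/config.sh"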
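#######################################
# Print one HPKP pin directive for the private key at $1.
# The pin is base64(SHA-256(SubjectPublicKeyInfo DER)) of the key's public
# half, which is what a pin-sha256 value is computed over.  Output carries no
# trailing newline so several pins can be concatenated on one header line.
# Arguments: $1 - path to a PEM private key (RSA or EC, traditional or PKCS#8)
# Outputs:   pin-sha256="<pin>";  or  pin-sha256="MISSING KEY!";  on stdout
# Returns:   0 always; an unreadable key or a failed openssl pipeline yields
#            the MISSING KEY! marker instead of a pin
#######################################
generate_pin ()
{
  # base64(SHA-256("")): what the pipeline emits when openssl produced no
  # output at all (unreadable file, unsupported key type, openssl error).
  empty_digest='47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='
  pin=''
  if [ -r "$1" ]; then
    # 'openssl pkey' accepts RSA and EC keys in both traditional and PKCS#8
    # PEM form, so no "BEGIN EC PRIVATE KEY" sniffing is needed (a PKCS#8
    # "BEGIN PRIVATE KEY" EC key would otherwise be fed to 'openssl rsa' and
    # fail).  -outform der yields the SPKI bytes directly.
    pin=$(openssl pkey -in "$1" -pubout -outform der 2>/dev/null \
      | openssl dgst -sha256 -binary | base64)
  fi
  printf '%s' 'pin-sha256="'
  # Without pipefail a failed stage shows up only as an empty or empty-input
  # digest; treat both as a missing key rather than emitting a bogus pin.
  if [ -z "$pin" ] || [ "$pin" = "$empty_digest" ]; then
    printf '%s' 'MISSING KEY!'
  else
    printf '%s' "$pin"
  fi
  printf '%s' '"; '
}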
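# Both subcommands take exactly one operand; anything else prints usage to
# stderr and exits 1.  printf instead of 'echo -e': under /bin/sh (dash)
# echo has no -e option and would print "-e" literally.
if [ "$#" -ne 2 ]; then
  printf 'Usage:\n\thpkpinx.sh generate_pin <key.pem>\n\thpkpinx.sh deploy_cert <domain.name>\n' >&2
  exit 1
fi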
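#######################################
# Rewrite ${NGINX_ROOT}/hpkp.conf with a Public-Key-Pins header built from
# STATIC_PIN plus the current and rollover private keys of one domain.
# Globals:   NGINX_ROOT, HPKPINX_ROOT (read); DEPLOY_HPKP, STATIC_PIN,
#            HPKP_AGE (read; presumably set by config.sh — verify there)
# Arguments: $1 - domain name; keys are read from
#            ${NGINX_ROOT}/certs/$1/privkey.pem and privkey.roll.pem
# Outputs:   progress messages on stdout; the header file on disk
# Returns:   exits 1 with hpkp.conf untouched when a key pin could not be
#            generated, so a header containing a bogus pin never goes live
#######################################
deploy_cert ()
{
  conf="${NGINX_ROOT}/hpkp.conf"
  # STATIC_PIN and HPKP_AGE are substituted verbatim into the header; an
  # unset value would silently produce an invalid directive.
  : "${STATIC_PIN:?STATIC_PIN must be set in config.sh}"
  : "${HPKP_AGE:?HPKP_AGE must be set in config.sh}"
  if [ -e "$conf" ]; then
    echo 'Backing up current hpkp.conf'
    cp -f -- "$conf" "${HPKPINX_ROOT}/hpkp.conf.bak"
  fi
  echo 'Regenerating public key pins using new private keys'
  # Build into a sibling temp file and move it into place only when complete,
  # so nginx never reads a partially written hpkp.conf.  Every line is
  # appended (the original truncated the file again in the Report-Only branch
  # and lost the "GENERATED" header).
  tmp="${conf}.tmp"
  {
    echo '# THIS FILE IS GENERATED, ANY MODIFICATION WILL BE DISCARDED'
    if [ "${DEPLOY_HPKP:-0}" -eq 1 ]; then
      printf '%s' "add_header Public-Key-Pins '"
    else
      # Report-Only never blocks clients; it is the safe default when
      # DEPLOY_HPKP is unset or not 1.
      printf '%s' "add_header Public-Key-Pins-Report-Only '"
    fi
    printf '%s' "pin-sha256=\"${STATIC_PIN}\"; "
    generate_pin "${NGINX_ROOT}/certs/$1/privkey.pem"
    generate_pin "${NGINX_ROOT}/certs/$1/privkey.roll.pem"
    echo "max-age=${HPKP_AGE}';"
  } > "$tmp"
  # generate_pin signals an unreadable key with this marker instead of a pin.
  if grep -q 'MISSING KEY!' "$tmp"; then
    rm -f -- "$tmp"
    echo "Key for $1 not found or unreadable; hpkp.conf left unchanged" >&2
    exit 1
  fi
  mv -f -- "$tmp" "$conf"
}

# Subcommand dispatch; an unknown subcommand is ignored, as before.
case "$1" in
  generate_pin)
    generate_pin "$2"
    echo ""
    ;;
  deploy_cert)
    deploy_cert "$2"
    ;;
esac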