Allow multible certificates to be handeld

The first new option MULTIBLE_HPKP_CONF tells the script to generate the nginx config file name from the common name of the certificate currently handled. This allow the script to handle more than one Domain with different private keys. The second new config variable STATIC_PIN_FILE allows it to define a file from which the STATIC_PIN for each common name is read. This basically allows it to have an different backup key per CN. The file is organized line wise separated by a space the CN and the HPKP static pin.
bviktor · Jan 31, 2017 · 20e82f2 · 20e82f2
1 parent cf71d7f
commit 20e82f2
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 9 deletions.
diff --git a/hpkpinx.sh b/hpkpinx.sh
@@ -4,6 +4,9 @@ set -e
 
 NGINX_ROOT='/etc/nginx'
 HPKPINX_ROOT='/opt/hpkpinx'
+MULTIBLE_CERTS=0
+MULTIBLE_HPKP_CONF=0
+STATIC_PIN_FILE=""
 
 . ${HPKPINX_ROOT}/config.sh
 
@@ -44,21 +47,33 @@ then
     echo ""
 elif [ ${1} = "deploy_cert" ]
 then
-    if [ -e ${NGINX_ROOT}/hpkp.conf ]
+    CERT_NAME=${2} # The second argument is the name of the cert
+    if [ ${MULTIBLE_HPKP_CONF} -eq 1 ] # if we want multiple conf files we have to prefix the config file with the name
+    then
+        HPKP_CONF=${NGINX_ROOT}/${CERT_NAME}-hpkp.conf
+    else
+        HPKP_CONF=${NGINX_ROOT}/hpkp.conf
+    fi
+    if [ ${STATIC_PIN_FILE} -ne "" ] # if an path to an STATIC_PIN_FILE is set use it
+    then
+        # get the pin
+        STATIC_PIN=$(cat "${STATIC_PIN_FILE}" | grep "${CERT_NAME}" | cut -d ' ' -f 2)
+    fi
+    if [ -e ${HPKP_CONF} ]
     then
         echo 'Backing up current hpkp.conf'
-        \cp -f ${NGINX_ROOT}/hpkp.conf ${HPKPINX_ROOT}/hpkp.conf.bak
+        \cp -f ${HPKP_CONF} ${HPKP_CONF}.bak
     fi
     echo 'Regenerating public key pins using new private keys'
-    echo '# THIS FILE IS GENERATED, ANY MODIFICATION WILL BE DISCARDED' > ${NGINX_ROOT}/hpkp.conf
+    echo '# THIS FILE IS GENERATED, ANY MODIFICATION WILL BE DISCARDED' > ${HPKP_CONF}
     if [ ${DEPLOY_HPKP} -eq 1 ]
     then
-        echo -n "add_header Public-Key-Pins '" >> ${NGINX_ROOT}/hpkp.conf
+        echo -n "add_header Public-Key-Pins '" >> ${HPKP_CONF}
     else
-        echo -n "add_header Public-Key-Pins-Report-Only '" > ${NGINX_ROOT}/hpkp.conf
+        echo -n "add_header Public-Key-Pins-Report-Only '" > ${HPKP_CONF}
     fi
-    echo -n "pin-sha256=\"${STATIC_PIN}\"; " >> ${NGINX_ROOT}/hpkp.conf
-    generate_pin "${NGINX_ROOT}/certs/${2}/privkey.pem" >> ${NGINX_ROOT}/hpkp.conf
-    generate_pin "${NGINX_ROOT}/certs/${2}/privkey.roll.pem" >> ${NGINX_ROOT}/hpkp.conf
-    echo "max-age=${HPKP_AGE}';" >> ${NGINX_ROOT}/hpkp.conf
+    echo -n "pin-sha256=\"${STATIC_PIN}\"; " >> ${HPKP_CONF}
+    generate_pin "${NGINX_ROOT}/certs/${CERT_NAME}/privkey.pem" >> ${HPKP_CONF}
+    generate_pin "${NGINX_ROOT}/certs/${CERT_NAME}/privkey.roll.pem" >> ${HPKP_CONF}
+    echo "max-age=${HPKP_AGE}';" >> ${HPKP_CONF}
 fi
diff --git a/readme.md b/readme.md
@@ -68,6 +68,23 @@ In this case, you can generate a pin for your private key with:
 hpkpinx.sh generate_pin <your_key.pem>
 ~~~
 
+### MULTIBLE_HPKP_CONF
+
+If this config value is set to `1` it will generate an nginx hkpk config file for for each Certificate. 
+This is normally needed if more than one Key is in use.
+
+### STATIC_PIN_FILE
+
+An File to get the STATIC_PIN value for different Certificate CNs. This is used to have an seperat backup Key for each Certificate
+The format should be the CN of the certificat, an space and then the PIN:
+
+~~~
+example.com 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=
+test.example.net 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=
+~~~
+
+If this Option is used, `MULTIBLE_HPKP_CONF` should be enabled too in most cases.
+
 ### DEPLOY_HPKP
 
 * If set to `0` (the default), Nginx will only send the `Public-Key-Pins-Report-Only` header and HPKP is not applied.