From 20e82f26cf3ce393c7ac40d0960dab523e8f1e48 Mon Sep 17 00:00:00 2001 From: Nils Rokita <0rokita@informatik.uni-hamburg.de> Date: Tue, 31 Jan 2017 17:37:43 +0100 Subject: [PATCH] Allow multible certificates to be handeld The first new option MULTIBLE_HPKP_CONF tells the script to generate the nginx config file name from the common name of the certificate currently handled. This allow the script to handle more than one Domain with different private keys. The second new config variable STATIC_PIN_FILE allows it to define a file from which the STATIC_PIN for each common name is read. This basically allows it to have an different backup key per CN. The file is organized line wise separated by a space the CN and the HPKP static pin. --- hpkpinx.sh | 33 ++++++++++++++++++++++++--------- readme.md | 17 +++++++++++++++++ 2 files changed, 41 insertions(+), 9 deletions(-) diff --git a/hpkpinx.sh b/hpkpinx.sh index 101b2b2..a3d1064 100755 --- a/hpkpinx.sh +++ b/hpkpinx.sh @@ -4,6 +4,9 @@ set -e NGINX_ROOT='/etc/nginx' HPKPINX_ROOT='/opt/hpkpinx' +MULTIBLE_CERTS=0 +MULTIBLE_HPKP_CONF=0 +STATIC_PIN_FILE="" . ${HPKPINX_ROOT}/config.sh @@ -44,21 +47,33 @@ then echo "" elif [ ${1} = "deploy_cert" ] then - if [ -e ${NGINX_ROOT}/hpkp.conf ] + CERT_NAME=${2} # The second argument is the name of the cert + if [ ${MULTIBLE_HPKP_CONF} -eq 1 ] # if we want multiple conf files we have to prefix the config file with the name + then + HPKP_CONF=${NGINX_ROOT}/${CERT_NAME}-hpkp.conf + else + HPKP_CONF=${NGINX_ROOT}/hpkp.conf + fi + if [ ${STATIC_PIN_FILE} -ne "" ] # if an path to an STATIC_PIN_FILE is set use it + then + # get the pin + STATIC_PIN=$(cat "${STATIC_PIN_FILE}" | grep "${CERT_NAME}" | cut -d ' ' -f 2) + fi + if [ -e ${HPKP_CONF} ] then echo 'Backing up current hpkp.conf' - \cp -f ${NGINX_ROOT}/hpkp.conf ${HPKPINX_ROOT}/hpkp.conf.bak + \cp -f ${HPKP_CONF} ${HPKP_CONF}.bak fi echo 'Regenerating public key pins using new private keys' - echo '# THIS FILE IS GENERATED, ANY MODIFICATION WILL BE DISCARDED' > ${NGINX_ROOT}/hpkp.conf + echo '# THIS FILE IS GENERATED, ANY MODIFICATION WILL BE DISCARDED' > ${HPKP_CONF} if [ ${DEPLOY_HPKP} -eq 1 ] then - echo -n "add_header Public-Key-Pins '" >> ${NGINX_ROOT}/hpkp.conf + echo -n "add_header Public-Key-Pins '" >> ${HPKP_CONF} else - echo -n "add_header Public-Key-Pins-Report-Only '" > ${NGINX_ROOT}/hpkp.conf + echo -n "add_header Public-Key-Pins-Report-Only '" > ${HPKP_CONF} fi - echo -n "pin-sha256=\"${STATIC_PIN}\"; " >> ${NGINX_ROOT}/hpkp.conf - generate_pin "${NGINX_ROOT}/certs/${2}/privkey.pem" >> ${NGINX_ROOT}/hpkp.conf - generate_pin "${NGINX_ROOT}/certs/${2}/privkey.roll.pem" >> ${NGINX_ROOT}/hpkp.conf - echo "max-age=${HPKP_AGE}';" >> ${NGINX_ROOT}/hpkp.conf + echo -n "pin-sha256=\"${STATIC_PIN}\"; " >> ${HPKP_CONF} + generate_pin "${NGINX_ROOT}/certs/${CERT_NAME}/privkey.pem" >> ${HPKP_CONF} + generate_pin "${NGINX_ROOT}/certs/${CERT_NAME}/privkey.roll.pem" >> ${HPKP_CONF} + echo "max-age=${HPKP_AGE}';" >> ${HPKP_CONF} fi diff --git a/readme.md b/readme.md index 252bab0..f379d30 100644 --- a/readme.md +++ b/readme.md @@ -68,6 +68,23 @@ In this case, you can generate a pin for your private key with: hpkpinx.sh generate_pin ~~~ +### MULTIBLE_HPKP_CONF + +If this config value is set to `1` it will generate an nginx hkpk config file for for each Certificate. +This is normally needed if more than one Key is in use. + +### STATIC_PIN_FILE + +An File to get the STATIC_PIN value for different Certificate CNs. This is used to have an seperat backup Key for each Certificate +The format should be the CN of the certificat, an space and then the PIN: + +~~~ +example.com 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU= +test.example.net 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU= +~~~ + +If this Option is used, `MULTIBLE_HPKP_CONF` should be enabled too in most cases. + ### DEPLOY_HPKP * If set to `0` (the default), Nginx will only send the `Public-Key-Pins-Report-Only` header and HPKP is not applied.