diff --git a/hpkpinx.sh b/hpkpinx.sh index 101b2b2..39f781d 100755 --- a/hpkpinx.sh +++ b/hpkpinx.sh @@ -4,6 +4,8 @@ set -e NGINX_ROOT='/etc/nginx' HPKPINX_ROOT='/opt/hpkpinx' +MULTIPLE_HPKP_CONF=0 +STATIC_PIN_FILE="" . ${HPKPINX_ROOT}/config.sh @@ -44,21 +46,33 @@ then echo "" elif [ ${1} = "deploy_cert" ] then - if [ -e ${NGINX_ROOT}/hpkp.conf ] + CERT_NAME=${2} # The second argument is the name of the cert + if [ ${MULTIPLE_HPKP_CONF} -eq 1 ] # if we want multiple conf files we have to prefix the config file with the name + then + HPKP_CONF=${NGINX_ROOT}/${CERT_NAME}-hpkp.conf + else + HPKP_CONF=${NGINX_ROOT}/hpkp.conf + fi + if [ ${STATIC_PIN_FILE} != "" ] # if an path to an STATIC_PIN_FILE is set use it + then + # get the pin + STATIC_PIN=$(cat "${STATIC_PIN_FILE}" | grep "${CERT_NAME}" | cut -d ' ' -f 2) + fi + if [ -e ${HPKP_CONF} ] then echo 'Backing up current hpkp.conf' - \cp -f ${NGINX_ROOT}/hpkp.conf ${HPKPINX_ROOT}/hpkp.conf.bak + \cp -f ${HPKP_CONF} ${HPKP_CONF}.bak fi echo 'Regenerating public key pins using new private keys' - echo '# THIS FILE IS GENERATED, ANY MODIFICATION WILL BE DISCARDED' > ${NGINX_ROOT}/hpkp.conf + echo '# THIS FILE IS GENERATED, ANY MODIFICATION WILL BE DISCARDED' > ${HPKP_CONF} if [ ${DEPLOY_HPKP} -eq 1 ] then - echo -n "add_header Public-Key-Pins '" >> ${NGINX_ROOT}/hpkp.conf + echo -n "add_header Public-Key-Pins '" >> ${HPKP_CONF} else - echo -n "add_header Public-Key-Pins-Report-Only '" > ${NGINX_ROOT}/hpkp.conf + echo -n "add_header Public-Key-Pins-Report-Only '" > ${HPKP_CONF} fi - echo -n "pin-sha256=\"${STATIC_PIN}\"; " >> ${NGINX_ROOT}/hpkp.conf - generate_pin "${NGINX_ROOT}/certs/${2}/privkey.pem" >> ${NGINX_ROOT}/hpkp.conf - generate_pin "${NGINX_ROOT}/certs/${2}/privkey.roll.pem" >> ${NGINX_ROOT}/hpkp.conf - echo "max-age=${HPKP_AGE}';" >> ${NGINX_ROOT}/hpkp.conf + echo -n "pin-sha256=\"${STATIC_PIN}\"; " >> ${HPKP_CONF} + generate_pin "${NGINX_ROOT}/certs/${CERT_NAME}/privkey.pem" >> ${HPKP_CONF} + generate_pin "${NGINX_ROOT}/certs/${CERT_NAME}/privkey.roll.pem" >> ${HPKP_CONF} + echo "max-age=${HPKP_AGE}';" >> ${HPKP_CONF} fi diff --git a/readme.md b/readme.md index 252bab0..f379d30 100644 --- a/readme.md +++ b/readme.md @@ -68,6 +68,23 @@ In this case, you can generate a pin for your private key with: hpkpinx.sh generate_pin ~~~ +### MULTIBLE_HPKP_CONF + +If this config value is set to `1` it will generate an nginx hkpk config file for for each Certificate. +This is normally needed if more than one Key is in use. + +### STATIC_PIN_FILE + +An File to get the STATIC_PIN value for different Certificate CNs. This is used to have an seperat backup Key for each Certificate +The format should be the CN of the certificat, an space and then the PIN: + +~~~ +example.com 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU= +test.example.net 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU= +~~~ + +If this Option is used, `MULTIBLE_HPKP_CONF` should be enabled too in most cases. + ### DEPLOY_HPKP * If set to `0` (the default), Nginx will only send the `Public-Key-Pins-Report-Only` header and HPKP is not applied.