From 99b4e0c72f86f3191062e22513bcfbda228f9820 Mon Sep 17 00:00:00 2001 From: Nils Rokita <0rokita@informatik.uni-hamburg.de> Date: Tue, 31 Jan 2017 17:37:43 +0100 Subject: [PATCH] Allow multible certificates to be handeld The first new option MULTIBLE_HPKP_CONF tells the script to generate the nginx config file name from the common name of the certificate currently handled. This allow the script to handle more than one Domain with different private keys. The second new config variable STATIC_PIN_FILE allows it to define a file from which the STATIC_PIN for each common name is read. This basically allows it to have an different backup key per CN. The file is organized line wise separated by a space the CN and the HPKP static pin. --- hpkpinx.sh | 32 +++++++++++++++++++++++--------- readme.md | 17 +++++++++++++++++ 2 files changed, 40 insertions(+), 9 deletions(-) diff --git a/hpkpinx.sh b/hpkpinx.sh index 101b2b2..39f781d 100755 --- a/hpkpinx.sh +++ b/hpkpinx.sh @@ -4,6 +4,8 @@ set -e NGINX_ROOT='/etc/nginx' HPKPINX_ROOT='/opt/hpkpinx' +MULTIPLE_HPKP_CONF=0 +STATIC_PIN_FILE="" . ${HPKPINX_ROOT}/config.sh @@ -44,21 +46,33 @@ then echo "" elif [ ${1} = "deploy_cert" ] then - if [ -e ${NGINX_ROOT}/hpkp.conf ] + CERT_NAME=${2} # The second argument is the name of the cert + if [ ${MULTIPLE_HPKP_CONF} -eq 1 ] # if we want multiple conf files we have to prefix the config file with the name + then + HPKP_CONF=${NGINX_ROOT}/${CERT_NAME}-hpkp.conf + else + HPKP_CONF=${NGINX_ROOT}/hpkp.conf + fi + if [ ${STATIC_PIN_FILE} != "" ] # if an path to an STATIC_PIN_FILE is set use it + then + # get the pin + STATIC_PIN=$(cat "${STATIC_PIN_FILE}" | grep "${CERT_NAME}" | cut -d ' ' -f 2) + fi + if [ -e ${HPKP_CONF} ] then echo 'Backing up current hpkp.conf' - \cp -f ${NGINX_ROOT}/hpkp.conf ${HPKPINX_ROOT}/hpkp.conf.bak + \cp -f ${HPKP_CONF} ${HPKP_CONF}.bak fi echo 'Regenerating public key pins using new private keys' - echo '# THIS FILE IS GENERATED, ANY MODIFICATION WILL BE DISCARDED' > ${NGINX_ROOT}/hpkp.conf + echo '# THIS FILE IS GENERATED, ANY MODIFICATION WILL BE DISCARDED' > ${HPKP_CONF} if [ ${DEPLOY_HPKP} -eq 1 ] then - echo -n "add_header Public-Key-Pins '" >> ${NGINX_ROOT}/hpkp.conf + echo -n "add_header Public-Key-Pins '" >> ${HPKP_CONF} else - echo -n "add_header Public-Key-Pins-Report-Only '" > ${NGINX_ROOT}/hpkp.conf + echo -n "add_header Public-Key-Pins-Report-Only '" > ${HPKP_CONF} fi - echo -n "pin-sha256=\"${STATIC_PIN}\"; " >> ${NGINX_ROOT}/hpkp.conf - generate_pin "${NGINX_ROOT}/certs/${2}/privkey.pem" >> ${NGINX_ROOT}/hpkp.conf - generate_pin "${NGINX_ROOT}/certs/${2}/privkey.roll.pem" >> ${NGINX_ROOT}/hpkp.conf - echo "max-age=${HPKP_AGE}';" >> ${NGINX_ROOT}/hpkp.conf + echo -n "pin-sha256=\"${STATIC_PIN}\"; " >> ${HPKP_CONF} + generate_pin "${NGINX_ROOT}/certs/${CERT_NAME}/privkey.pem" >> ${HPKP_CONF} + generate_pin "${NGINX_ROOT}/certs/${CERT_NAME}/privkey.roll.pem" >> ${HPKP_CONF} + echo "max-age=${HPKP_AGE}';" >> ${HPKP_CONF} fi diff --git a/readme.md b/readme.md index 252bab0..f379d30 100644 --- a/readme.md +++ b/readme.md @@ -68,6 +68,23 @@ In this case, you can generate a pin for your private key with: hpkpinx.sh generate_pin ~~~ +### MULTIBLE_HPKP_CONF + +If this config value is set to `1` it will generate an nginx hkpk config file for for each Certificate. +This is normally needed if more than one Key is in use. + +### STATIC_PIN_FILE + +An File to get the STATIC_PIN value for different Certificate CNs. This is used to have an seperat backup Key for each Certificate +The format should be the CN of the certificat, an space and then the PIN: + +~~~ +example.com 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU= +test.example.net 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU= +~~~ + +If this Option is used, `MULTIBLE_HPKP_CONF` should be enabled too in most cases. + ### DEPLOY_HPKP * If set to `0` (the default), Nginx will only send the `Public-Key-Pins-Report-Only` header and HPKP is not applied.