Diffstat (limited to 'roles')
-rw-r--r-- | roles/common-LDAP/tasks/main.yml | 2 | ||||
-rwxr-xr-x | roles/common/files/usr/local/bin/gendhparam.sh | 4 | ||||
-rwxr-xr-x | roles/common/files/usr/local/bin/genkeypair.sh | 22 |
3 files changed, 13 insertions, 15 deletions
diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml index aff0e58..5b7143f 100644 --- a/roles/common-LDAP/tasks/main.yml +++ b/roles/common-LDAP/tasks/main.yml @@ -25,41 +25,41 @@ file: path=/etc/ldap/ssl state=directory owner=root group=root mode=0755 tags: - genkey # XXX: It's ugly to list all roles here, and to prunes them with a # conditional... - name: Generate a private key and a X.509 certificate for slapd # XXX: GnuTLS (libgnutls26 2.12.20-8+deb7u2, found in Wheezy) doesn't # support ECDSA; and slapd doesn't seem to support DHE (!?) so # we're stuck with "plain RSA" Key-Exchange. Also, there is a bug with # SHA-512. command: genkeypair.sh x509 --pubkey=/etc/ldap/ssl/{{ item.name }}.pem --privkey=/etc/ldap/ssl/{{ item.name }}.key --ou=LDAP {{ item.ou }} --cn={{ item.name }} --usage=digitalSignature,keyEncipherment,keyCertSign -t rsa -b 4096 -h sha256 - --chown="root:openldap" --chmod=0640 + --owner=root --group=openldap --mode=0640 register: r2 changed_when: r2.rc == 0 failed_when: r2.rc > 1 with_items: - { group: 'LDAP-provider', name: ldap.fripost.org, ou: } - { group: 'MX', name: mx, ou: --ou=SyncRepl } - { group: 'lists', name: lists, ou: --ou=SyncRepl } when: "item.group in group_names" tags: - genkey - name: Fetch slapd's X.509 certificate # Ensure we don't fetch private data sudo: False fetch: src=/etc/ldap/ssl/{{ item.name }}.pem dest=certs/ldap/ fail_on_missing=yes flat=yes with_items: - { group: 'LDAP-provider', name: ldap.fripost.org } diff --git a/roles/common/files/usr/local/bin/gendhparam.sh b/roles/common/files/usr/local/bin/gendhparam.sh index 074986b..84b7d56 100755 --- a/roles/common/files/usr/local/bin/gendhparam.sh +++ b/roles/common/files/usr/local/bin/gendhparam.sh 
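Review bot: Moving ownership and mode into the genkeypair.sh arguments (`--owner=root --group=openldap --mode=0640`) means they are only applied the first time the key is generated; on later runs the script exits 1 because the private key exists (see the genkeypair.sh hunk below), and with `failed_when: r2.rc > 1` the task accepts that without touching the existing file, so a later change to owner, group or mode never reaches hosts that already hold a key. A follow-up task with the same `with_items`/`when`, e.g. `file: path=/etc/ldap/ssl/{{ item.name }}.key owner=root group=openldap mode=0640`, would correct permission drift on the private key instead of leaving it as-is. It would also be worth a short comment on the task saying that the key-generation parameters are frozen at first run for the same reason.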
@@ -1,13 +1,11 @@ #!/bin/sh set -ue PATH=/usr/bin:/bin privkey="$1" bits="${2:-2048}" rand= -mv -f "$(mktemp)" "$privkey" -chmod og-rwx "$privkey" - +install --mode=0600 /dev/null "$privkey" openssl dhparam -rand "${rand:-/dev/urandom}" "$bits" >"$privkey" diff --git a/roles/common/files/usr/local/bin/genkeypair.sh b/roles/common/files/usr/local/bin/genkeypair.sh index 5bf67f2..fac8ff2 100755 --- a/roles/common/files/usr/local/bin/genkeypair.sh +++ b/roles/common/files/usr/local/bin/genkeypair.sh 
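Review bot: `privkey="$1"` under `set -u` aborts with the shell's bare "parameter not set" message when the script is run without an argument; `privkey="${1:?output file required}"` behaves identically for valid calls and names the problem. The new `install --mode=0600 /dev/null "$privkey"` keeps the useful property that the file carries its final mode before `openssl dhparam ... >"$privkey"` writes into it, but nothing in the file says so any more; a one-line comment such as `# pre-create "$privkey" with its final mode before openssl writes to it` would keep the next editor from folding the two lines into a plain redirect. `install --mode` is a GNU coreutils long option, which is fine for the Debian targets this role addresses but is worth noting alongside the `#!/bin/sh` shebang.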
@@ -18,69 +18,71 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. set -ue PATH=/usr/bin:/bin # Default values type=rsa bits= hash= force=0 config= pubkey=pubkey.pem privkey=privkey.pem dns= ou= cn= usage= -chmod= -chown= +mode= +owner= +group= rand= usage() { cat >&2 <<- EOF Usage: $0 command [OPTIONS] Command: x509: generate a self-signed X.509 server certificate csr: generate a Certificate Signing Request dkim: generate a private key (to use for DKIM signing) Options: -t type: key type (default: rsa) -b bits: key length or EC curve (default: 2048 for RSA, 1024 for DSA, secp224r1 for ECDSA) -h digest: digest algorithm --ou: organizational Unit Name; can be repeated --cn: common Name (default: \$(hostname --fqdn) --dns: hostname for AltName; can be repeated -f: force; can be repeated (0: don't overwrite, default; 1: reuse private key if it exists; 2: overwrite both keys if they exist) --config: configuration file --pubkey: public key file (default: pubkey.pem) - --privkey: private key file (default: privkey.pem; created with og-rwx) + --privkey: private key file (default: privkey.pem) --usage: key usage (default: digitalSignature,keyEncipherment,keyCertSign) - --chmod: chmod the private key - --chown: chown the private key + --mode: set privkey's permission mode (default: 0600) + --owner: set privkey's owner (default: the process' current owner) + --group: set privkey's group (default: the process' current group) Return values: 0 The key pair was successfully generated 1 The public or private key file exists, and -f is not set 2 The key generation failed EOF } dkiminfo() { echo "Add the following TXT record to your DNS zone:" echo "${cn:-$(date +%Y%m%d)}._domainkey\tIN\tTXT ( " # See https://tools.ietf.org/html/rfc4871#section-3.6.1 # t=s: the "i=" domain in signature headers MUST NOT be a subdomain of "d=" # s=email: limit DKIM signing to email openssl pkey -pubout 
<"$privkey" | sed '/^--.*--$/d' \ | { echo -n "v=DKIM1; k=$type; t=s; s=email; p="; tr -d '\n'; } \ | fold -w 250 \ | { sed 's/.*/\t"&"/'; echo ' )'; } } @@ -98,42 +100,43 @@ while [ $# -gt 0 ]; do -t*) type="${1#-t}";; -b) shift; bits="$1";; -b*) bits="${1#-b}";; -h) shift; hash="$1";; -h*) hash="${1#-h}";; --dns=?*) dns="${dns:+$dns, }DNS:${1#--dns=}";; --cn=?*) cn="${1#--cn=}";; --ou=?*) ou="${ou:+$ou\n}$nou.organizationalUnitName = ${1#--ou=}" nou=$(( 1 + $nou ));; -f) force=$(( 1 + $force ));; --pubkey=?*) pubkey="${1#--pubkey=}";; --privkey=?*) privkey="${1#--privkey=}";; --usage=?*) usage="${usage:+$usage,}${1#--usage=}";; --config=?*) dns="${1#--config=}";; - --chmod=?*) chmod="${1#--chmod=}";; - --chown=?*) chown="${1#--chown=}";; + --mode=?*) mode="${1#--mode=}";; + --owner=?*) owner="${1#--owner=}";; + --group=?*) group="${1#--group=}";; --help) usage; exit;; *) echo "Unrecognized argument: $1" >&2; exit 2 esac shift; done case "$type" in # XXX: genrsa and dsaparam have been deprecated in favor of genpkey. # genpkey can also create explicit EC parameters, but not named. rsa) genkey=genrsa; genkeyargs="-f4 ${bits:-2048}";; dsa) genkey=dsaparam; genkeyargs="-noout -genkey ${bits:-1024}";; # See 'openssl ecparam -list_curves' for the list of supported # curves. StrongSwan doesn't support explicit curve parameters # (however explicit parameters might be required to make exotic # curves work with some clients.) ecdsa) genkey=ecparam genkeyargs="-noout -name ${bits:-secp224r1} -param_enc named_curve -genkey";; *) echo "Unrecognized key type: $type" >&2; exit 2 esac 
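Review bot: The new usage lines for `--owner` and `--group` should state that they need root, since `install`'s `--owner`/`--group` are documented as super-user only and the script exits 2 when they fail; suggest `--owner: set privkey's owner (default: the process' current owner; requires root)` and the same wording for `--group`. The `--mode` line could also mention that the value is handed straight to `install --mode`, so symbolic modes are accepted as well as octal ones. Unrelated to the change but in the same hunk, `dkiminfo` prints `"\tIN\tTXT ( "` with `echo`, which only yields tabs when `/bin/sh` is an implementation that expands escapes (dash does, bash does not); `printf '%s\tIN\tTXT ( \n' "${cn:-$(date +%Y%m%d)}._domainkey"` makes the tab explicit and keeps `$cn` out of the format string.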
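Review bot: `--config=?*) dns="${1#--config=}";;` stores the configuration path into `dns` instead of `config`, so `--config` is silently ignored (`$config` stays empty and the script generates its own config further down) while the path gets appended to subjectAltName through `${dns:+, $dns}`; the arm should read `--config=?*) config="${1#--config=}";;`. This line predates the commit, but it sits directly above the new `--mode`/`--owner`/`--group` arms and is worth fixing in the same pass. The `while` loop this `case` belongs to starts before the hunk; only its tail and the following `case "$type"` are visible here.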
@@ -164,42 +167,39 @@ if [ -z "$config" -a \( "$cmd" = x509 -o "$cmd" = csr \) ]; then [ req_distinguished_name ] organizationName = Fripost organizationalUnitName = SSLcerts $(echo "$ou") commonName = $cn [ v3_req ] subjectAltName = email:admin@fripost.org${dns:+, $dns} basicConstraints = critical, CA:FALSE # https://security.stackexchange.com/questions/24106/which-key-usages-are-required-by-each-key-exchange-method keyUsage = critical, ${usage:-digitalSignature, keyEncipherment, keyCertSign} subjectKeyIdentifier = hash EOF fi if [ -s "$privkey" -a $force -eq 0 ]; then echo "Error: private key exists: $privkey" >&2 [ "$cmd" = dkim ] && dkiminfo exit 1 elif [ ! -s "$privkey" -o $force -ge 2 ]; then - # Ensure "$privkey" is created with umask 0077 - mv -f "$(mktemp)" "$privkey" || exit 2 - chmod "${chmod:-og-rwx}" "$privkey" || exit 2 - [ -z "$chown" ] || chown "$chown" "$privkey" || exit 2 + install --mode="${mode:-0600}" ${owner:+--owner="$owner"} ${group:+--group="$group"} /dev/null "$privkey" || exit 2 openssl $genkey -rand "${rand:-/dev/urandom}" $genkeyargs >"$privkey" || exit 2 [ "$cmd" = dkim ] && { dkiminfo; exit; } fi if [ "$cmd" = x509 -a "$pubkey" = "$privkey" ]; then pubkey=$(mktemp) openssl req -config "$config" -new -x509 ${hash:+-$hash} -days 3650 -key "$privkey" >"$pubkey" || exit 2 cat "$pubkey" >>"$privkey" || exit 2 rm -f "$pubkey" elif [ "$cmd" = x509 -o "$cmd" = csr ]; then if [ -s "$pubkey" -a $force -eq 0 ]; then echo "Error: public key exists: $pubkey" >&2 exit 1 else [ "$cmd" = x509 ] && x509=-x509 || x509= openssl req -config "$config" -new $x509 ${hash:+-$hash} -days 3650 -key "$privkey" >"$pubkey" || exit 2 fi fi |
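Review bot: The new `install --mode="${mode:-0600}" ... /dev/null "$privkey"` line drops the rationale that the removed `# Ensure "$privkey" is created with umask 0077` comment carried, and the ordering it protects — the file receives its final mode and ownership before `openssl $genkey ... >"$privkey"` writes key material — is the security-relevant part; suggest `# Pre-create "$privkey" empty with its final mode/owner so key material is never written to a file with looser permissions`. `${owner:+--owner="$owner"}` and `${group:+--group="$group"}` are left unquoted on purpose so an empty value contributes no argument, with the inner `"$owner"` meant to keep the value intact; a short comment saying so (and a ShellCheck disable if it warns) would stop a well-meaning cleanup from quoting the whole expansion and passing an empty `""` to `install`. `$mode` is passed through unchecked; a hard refusal would break the LDAP role's intentional 0640, but a warning for octal modes that grant any other-bits, e.g. `case "${mode:-0600}" in *[1-7]) echo "Warning: $privkey will be world-accessible (mode $mode)" >&2;; esac`, would catch an accidental 0644 on a private key.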