From 8eb679e08e08b4bb992c8d43f57c3458aab4cf1a Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Wed, 9 Dec 2015 00:17:20 +0100
Subject: Ship LE's intermediate CA files and add cert validation.

---
 letsencrypt | 31 +++++++++++++++++++++++++------
 1 file changed, 25 insertions(+), 6 deletions(-)

(limited to 'letsencrypt')

diff --git a/letsencrypt b/letsencrypt
index 4c932e4..7465378 100755
--- a/letsencrypt
+++ b/letsencrypt
@@ -11,13 +11,14 @@ WWW_USER=www-data
 WWW_GROUP=www-data
 ACME_WEBSERVER=acme-webserver
 ACME_CLIENT=acme-slave
+CAfile=/usr/share/lets-encrypt/letsencryptauthorityx1.pem
 
 declare COMMAND ACCOUNTKEY
 declare -l GENKEY
 declare RUNAS QUIET= DEBUG=
 
 declare SRVCRT= CHAIN= CSR SRVKEY
-delcale -i MIN_AGE=0
+declare -i MIN_AGE=0
 declare -l HASH=
 declare SUBJECT=/
 declare SAN=
@@ -168,7 +169,7 @@ elif [ "$COMMAND" = 'new-cert' ]; then
         echo "Error: Missing --output" >&2
         exit 1
     fi
-    if [ -s "$SRVCRT" ] && \
+    if [ -s "$SRVCRT" ] && [ $MIN_AGE -gt 0 ] && \
          exp=$(openssl x509 -noout -enddate <"$SRVCRT" 2>/dev/null) && \
          [ $(( $(date -d "${exp#*=}" +%s) - $(date +%s))) -gt $MIN_AGE ]; then
         [ ! "$DEBUG" ] || echo "Expiration date ($(date -d"${exp#*=}")) is too far away, come back later." >&2
@@ -277,17 +278,35 @@ while read data; do
 done >"$pipe"
 
 if [ "$COMMAND" = 'new-cert' ]; then
-    # TODO
-    # Verify: dump and compare public keys
-    # Valid cert, signed by the right CA
-    # https://crt.sh/?q=cse-fresti.cse.chalmers.se&iCAID=7395
+    # https://crt.sh/?q=mail.fripost.org&iCAID=7395
+    # https://crt.sh/?spkisha1=$sha1
+
+    # Ensure the cert's pubkey matches that of the CSR, and that it's signed by the intended CA
+    if [ ! -s "$x509" ] ||
+         ! diff <(openssl req  -in "$CSR"  -pubkey -noout) \
+                <(openssl x509 -in "$x509" -pubkey -noout) >/dev/null ||
+         ! openssl verify -CAfile "$CAfile" -purpose sslserver -x509_strict <"$x509" >/dev/null; then
+        echo "Error: Got an invalid X.509 certificate from the ACME server!" >&2
+        exit 1
+    fi
 
     # if it doesn't exist, create the file with mode 0644 minus the process's umask(2)
     [ -e "$SRVCRT" ] || touch "$SRVCRT"
     cat "$x509" >"$SRVCRT"
     [ ! "$DEBUG" ] || openssl x509 -noout -text <"$SRVCRT"
 
+    if [ ! "$QUIET" ]; then
+        echo "X.509 certificate $SRVCRT has been updated or renewed"
+        echo
+        openssl x509 -noout \
+            -text -certopt no_header,no_version,no_pubkey,no_sigdump \
+            -fingerprint -sha256 <"$SRVCRT"
+    fi
+
     for (( i=0; i<${#NOTIFY[@]}; i++ )); do
         ${NOTIFY[$i]}
     done
+
+else
+    [ "$QUIET" ] || echo OK
 fi
-- 
cgit v1.2.3