yosoyhendrix
/
vesta


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182
							#!/bin/bash
# info: register letsencrypt user account
# options: USER [TYPE]
#
# The function creates and register LetsEncript account key


#----------------------------------------------------------#
#                    Variable&Function                     #
#----------------------------------------------------------#

# Argument definition
user=$1
type=${2-1}
key_size=4096

# Includes
source $VESTA/func/main.sh
source $VESTA/conf/vesta.conf

# encode base64
encode_base64() {
    cat |base64 |tr '+/' '-_' |tr -d '\r\n='
}


#----------------------------------------------------------#
#                    Verifications                         #
#----------------------------------------------------------#

check_args '1' "$#" 'USER [TYPE]'
is_format_valid 'user'
is_object_valid 'user' 'USER' "$user"
if [ -e "$USER_DATA/ssl/le.conf" ]; then
    source "$USER_DATA/ssl/le.conf"
    if [ "$type" -eq 1 ] && [ ! -z "$EMAIL" ]; then
        exit
    fi
    if [ "$type" -eq 2 ] && [ ! -z "$KID" ]; then
        exit
    fi
fi


#----------------------------------------------------------#
#                       Action                             #
#----------------------------------------------------------#

# Defining LE API endpoint
if [ "$type" -eq 1 ]; then
    api='https://acme-v01.api.letsencrypt.org'
else
    api='https://acme-v02.api.letsencrypt.org'
fi

# Defining user email
if [ $type -eq 1 ]; then
    email=$(get_user_value '$CONTACT')
fi

# Defining user agreement
if [ "$type" -eq 1 ]; then
    agreement=$(curl -s -I "$api/terms" |grep Location |\
        cut -f 2 -d \ |tr -d '\r\n')
else
    #agreement=$(curl -s "$api/directory" |grep termsOfService |\
    #    cut -f 4 -d '"')
    agreement=''
fi

# Generating user key
key="$USER_DATA/ssl/user.key"
if [ ! -e "$key" ]; then
    openssl genrsa -out $key $key_size >/dev/null 2>&1
    chmod 600 $key
fi

# Defining key exponent
if [ -z "$EXPONENT" ]; then
    exponent=$(openssl pkey -inform pem -in "$key" -noout -text_pub |\
        grep Exponent: |cut -f 2 -d '(' |cut -f 1 -d ')' |sed -e 's/x//' |\
        xxd -r -p |encode_base64)
else
    exponent="$EXPONENT"
fi

# Defining key modulus
if [ -z "$MODULUS" ]; then
    modulus=$(openssl rsa -in "$key" -modulus -noout |\
        sed -e 's/^Modulus=//' |xxd -r -p |encode_base64)
else
    modulus="$MODULUS"
fi

# Defining JWK token
jwk='{"e":"'$exponent'","kty":"RSA","n":"'"$modulus"'"}'

# Defining key thumbnail
if [ -z "$THUMB" ]; then
    thumb="$(echo -n "$jwk" |openssl dgst -sha256 -binary |encode_base64)"
else
    thumb="$THUMB"
fi

# Requesting ACME nonce
nonce=$(curl -s -I "$api/directory" |grep Nonce |cut -f 2 -d \ |tr -d '\r\n')

# Defining payload and protected data for v1 and v2
if [ "$type" -eq 1 ]; then
    header='{"alg":"RS256","jwk":'"$jwk"'}'
    protected='{"nonce":"'"$nonce"'"}'
    payload='{"resource":"new-reg","contact":["mailto:'"$email"'"],'
    payload=$payload'"agreement":"'$agreement'"}'

else
    protected='{"nonce": "'$nonce'",'
    protected=''$protected' "url": "'$api/acme/new-acct'",'
    protected=''$protected' "alg": "RS256", "jwk": '$jwk'}'
    payload='{"termsOfServiceAgreed": true}'
fi

# Encoding data
protected=$(echo -n "$protected" |encode_base64)
payload=$(echo -n "$payload" |encode_base64)

# Signing request
signature=$(printf "%s" "$protected.$payload" |\
    openssl dgst -sha256 -binary -sign "$key" |\
    encode_base64)

if [ "$type" -eq 1 ]; then
    data='{"header":'"$header"',"protected":"'"$protected"'",'
    data=$data'"payload":"'"$payload"'","signature":"'"$signature"'"}'

    answer=$(curl -s -i -d "$data" "$api/acme/new-reg")
    status=$(echo "$answer" |grep HTTP/1.1 |tail -n1 |cut -f2 -d ' ')
else
    data='{"protected":"'"$protected"'",'
    data=$data'"payload":"'"$payload"'",'
    data=$data'"signature":"'"$signature"'"}'

    answer=$(curl -s -i -d "$data" "$api/acme/new-acct" \
        -H "Content-Type: application/jose+json")
    status=$(echo "$answer" |grep HTTP/1.1 |tail -n1 |cut -f2 -d ' ')
    kid=$(echo "$answer" |grep Location: |cut -f2 -d ' '|tr -d '\r')
fi

# Checking http answer status
if [[ "${status:0:2}" -ne "20" ]] && [[ "$status" -ne "409" ]]; then
    check_result $E_CONNECT "LetsEncrypt account registration $status"
fi


#----------------------------------------------------------#
#                       Vesta                              #
#----------------------------------------------------------#

# Adding le.conf
if [ ! -e "$USER_DATA/ssl/le.conf" ]; then
    echo "EXPONENT='$exponent'" > $USER_DATA/ssl/le.conf
    echo "MODULUS='$modulus'" >> $USER_DATA/ssl/le.conf
    echo "THUMB='$thumb'" >> $USER_DATA/ssl/le.conf
    if [ "$type" -eq 1]; then
        echo "EMAIL='$email'" >> $USER_DATA/ssl/le.conf
    else
        echo "KID='$kid'" >> $USER_DATA/ssl/le.conf
    fi
    chmod 660  $USER_DATA/ssl/le.conf
else
    if [ "$type" -eq 1 ]; then
        sed -i '/^EMAIL=/d' $USER_DATA/ssl/le.conf
        echo "EMAIL='$email'" >> $USER_DATA/ssl/le.conf
    else
        sed -i '/^KID=/d' $USER_DATA/ssl/le.conf
        echo "KID='$kid'" >> $USER_DATA/ssl/le.conf
    fi
fi

# Logging
log_event "$OK" "$ARGUMENTS"

exit