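#!/bin/bash
# get_public_cert.sh
#
# Extracts the public certificate from a PKCS#12 file, checks it against the
# configured root/chain file, and writes LDIF entries (one per e-mail address
# found in the certificate). With ENABLE_CIPHERMAIL_SUPPORT=true the key is
# also imported into CipherMail and the addresses are registered there.
#
# Usage: echo PASSWORD | ./get_public_cert.sh <filename> <uid>
#   stdin : password of the .p12 file (read from stdin so it stays out of argv)
#   $1    : the .p12 file (with or without the .p12 extension)
#   $2    : uid that prefixes the LDAP dn / uid attribute
#
# pipefail: a failing stage inside `var=$(a | b)` is otherwise invisible to the
# status checks further down.
set -o pipefail
# IFS= keeps leading/trailing blanks of the password; -r keeps backslashes literal.
IFS= read -r password
#############
# Parameter #
#############
dn_base=",ou=people,dc=smime,dc=uni-bremen,dc=de"
org1="Universitaet Bremen"
org2="Universität Bremen"
root_certicate="HARICA-GEANT.pem"
########################
# CipherMail Parameter #
########################
ENABLE_CIPHERMAIL_SUPPORT=false
base_url="https://ciphermail.neuro.uni-bremen.de"
ciphermail_username="sa"
# NOTE(review): a service credential is kept in the script itself; reading it
# from a mode-0600 file or the environment would keep it out of the source.
ciphermail_password="REDACTED"
##########################################
filename_with_extention="${1:-}"
# Strip exactly a trailing ".p12" (the old "%.*" also cut "john.doe" to "john").
filename="${filename_with_extention%.p12}"
# Read uid as external parameter.
# NOTE(review): uid is inserted verbatim into the dn; RFC 4514 special
# characters (, + " \ < > ; =) are not escaped anywhere in this script.
uid="${2:-}"
# Temporary files are created further down (cookies, pem_file, tmp_der,
# filename_ldif); remove whatever exists on any exit path, including the
# early "exit 1"s, which previously left them behind.
cleanup() {
  local f
  for f in "${cookies:-}" "${pem_file:-}" "${tmp_der:-}" "${filename_ldif:-}"; do
    if [ -n "$f" ]; then
      rm -f -- "$f"
    fi
  done
}
trap cleanup EXIT
# Check if $1 (filename), $2 (UID) and the password are provided.
if [[ -z "$filename" || -z "$uid" || -z "$password" ]]; then
  # Diagnostics go to stderr; stdout later carries the LDIF debug dump.
  echo "Usage: echo PASSWORD | ./get_public_cert.sh <filename> <uid>" >&2
  echo "Error: Missing required arguments." >&2
  exit 1
fi
##########################################
# Add p12 file to keystore of Ciphermail #
##########################################
if [ "$ENABLE_CIPHERMAIL_SUPPORT" = true ]; then
  # NOTE(review): CertStore receives the password as an argument, so it is
  # visible in the process list while the import runs.
  java -cp '/usr/share/djigzo/lib/*' mitm.application.djigzo.tools.CertStore \
    --import-keys --check-validity --file "${filename}.p12" \
    --keystore-password "$password"
fi
#####################
# CipherMail cookie #
#####################
if [ "$ENABLE_CIPHERMAIL_SUPPORT" = true ]; then
  login_url="${base_url}/check"
  prefix="${base_url}/user/signing/"
  postfix="/true"
  # mktemp creates the cookie jar itself (mode 0600); the old "$(mktemp).txt"
  # left the mktemp file behind and used a predictable sibling name.
  cookies=$(mktemp)
  curl -s -c "$cookies" -o /dev/null "$base_url"
  # Same form body as the two -d options produced (curl joins them with '&'),
  # but fed from stdin so the password is not part of curl's argv.
  printf 'username=%s&password=%s' "$ciphermail_username" "$ciphermail_password" \
    | curl -s -c "$cookies" -o /dev/null -b "$cookies" -L -d @- "$login_url"
fi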
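# Print the first line of a file without its trailing newline.
# Arguments: $1 - path of the file to read
# Outputs:   the first line on stdout (nothing if the file is empty)
# Returns:   the pipeline's exit status
# (Defined but not called by the rest of this script as listed.)
read_first_line() {
  local filename="$1"
  head -n 1 -- "$filename" | tr -d '\n'
}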
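##############################
# Extract public certificate #
##############################
# mktemp creates the file (mode 0600); the old "$(mktemp).pem" left the mktemp
# file behind and wrote to a predictable sibling name.
pem_file=$(mktemp --suffix=.pem)
# The PKCS#12 password goes to openssl on stdin (-passin stdin) instead of
# "pass:..." in argv, where any local user can read it via ps.
if ! printf '%s\n' "$password" | openssl pkcs12 -in "${filename}.p12" -clcerts -nokeys -out "$pem_file" -passin stdin; then
  echo "Error: Unable to extract the certificate from ${filename}.p12" >&2
  exit 1
fi
#######################
# Certificate valid ? #
#######################
# openssl verify prints "<file>: OK" only when the chain to root_certicate
# validates; compare that line instead of counting it through wc/grep twice.
# NOTE(review): -CAfile must hold every CA needed to reach the leaf (the PEM
# above contains the leaf only); revocation (CRL/OCSP) is not checked here,
# nor is the S/MIME purpose (-purpose smimesign would add that).
verify_out=$(openssl verify -CAfile "$root_certicate" "$pem_file" 2>/dev/null)
if [[ "$verify_out" != "${pem_file}: OK" ]]; then
  echo "File ${filename} is not a vaild certificate. Stopping script." >&2
  exit 1
fi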
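#########################
# Convert to DER format #
#########################
tmp_der=$(mktemp)
# Write the DER straight to the temp file so openssl's own exit status is what
# gets checked; the old `$(openssl ... | base64); $?` only saw base64's status
# and then tried to rm "$tmp_der" before it was assigned.
if ! openssl x509 -in "$pem_file" -outform der -out "$tmp_der"; then
  echo "Error: Unable to convert PEM data to DER." >&2
  rm -f -- "$tmp_der"
  exit 1
fi
# base64 without line breaks, as the LDIF ";binary::" value needs it.
der_encoded=$(base64 < "$tmp_der" | tr -d '[:space:]')
#############################
# Make a clean PEM from DER #
#############################
if ! pem_data=$(openssl x509 -inform der -in "$tmp_der" -outform pem); then
  echo "Error: Unable to convert DER data back to PEM." >&2
  rm -f -- "$tmp_der"
  exit 1
fi
# The PEM text plus one trailing newline (what the previous echo produced),
# base64-encoded onto a single line.
pem_data=$(printf '%s\n' "$pem_data" | base64 | tr -d '[:space:]')
# Clean up temporary files
rm -f -- "$tmp_der"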
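###################
# email addresses #
###################
# The SAN line of -text output reads "email:a@x, email:b@y": split on the
# comma, drop the "email:" tag and surrounding blanks -> one address per line.
emails=$(openssl x509 -in "$pem_file" -noout -text | grep "email:" | tr ',' '\n' | sed 's/email://g; s/^ *//; s/ *$//')
# Check if emails were found
if [ -z "$emails" ]; then
  echo "No emails found in certificate. Stopping script." >&2
  exit 1
fi
# Check if emails contain @ (the addresses are taken from the certificate and
# are used unescaped in the dn below).
if [[ "$emails" != *@* ]]; then
  echo "No valid email addresses found (missing @). Stopping script." >&2
  exit 1
fi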
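##############################
# Is this a UB certificate ? #
##############################
# Read the Subject line once; every RDN value below is parsed from it instead
# of running openssl four times on the same file.
subject_line=$(openssl x509 -in "$pem_file" -noout -text 2>/dev/null | grep Subject:)
# rdn_value NAME SUBJECT_LINE - print the value(s) of RDN NAME, one per line.
# Accepts both "NAME = v" (OpenSSL >= 1.1 -text output) and "NAME=v"; -f2-
# keeps a value that itself contains '=' (the old -f2 truncated it).
rdn_value() {
  local name=$1 line=$2
  grep -oE "(${name} = [^,]*|${name}=[^,]*)" <<<"$line" | cut -d'=' -f2- | sed 's/^ *//'
}
# Exactly one O value must name the university (org1/org2 are fixed strings,
# but they are still used as an extended regex, as before).
ub=$(rdn_value O "$subject_line" | grep -ciE "(${org1}|${org2})")
if (( ub != 1 )); then
  echo "File ${filename} is not a certificate of the University of Bremen. Stopping script." >&2
  exit 1
fi
######
# CN #
######
cn=$(rdn_value CN "$subject_line")
if [ -z "$cn" ]; then
  echo "Error: Failed to extract complete name from certificate" >&2
  exit 1
fi
######
# SN #
######
sn=$(rdn_value SN "$subject_line")
if [ -z "$sn" ]; then
  echo "Error: Failed to extract surename from certificate" >&2
  exit 1
fi
######
# GN #
######
gn=$(rdn_value GN "$subject_line")
if [ -z "$gn" ]; then
  echo "Error: Failed to extract given name from certificate" >&2
  exit 1
fi
###############
# Expire date #
###############
cert_expire=$(openssl x509 -in "$pem_file" -noout -enddate -inform PEM 2>/dev/null | cut -d= -f2)
if [ -z "$cert_expire" ]; then
  echo "Error: Failed to extract expiration date from certificate" >&2
  exit 1
fi
# GNU date reformats the notAfter string; if that fails keep the raw string,
# as before. (The `$?` test that used to follow `... || echo` could never fire.)
if ! cert_expire_clean=$(date -d "$cert_expire" "+%B %d, %Y" 2>/dev/null); then
  cert_expire_clean=$cert_expire
fi
if [ -z "$cert_expire_clean" ]; then
  echo "Error: Failed to format expiration date" >&2
  exit 1
fi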
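################################
# Prepare the ldif information #
################################
# mktemp creates the file (mode 0600); the old "$(mktemp).ldif" left the
# mktemp file behind and wrote to a predictable sibling name.
filename_ldif=$(mktemp --suffix=.ldif)
# ldif_attr NAME VALUE - print one LDIF attribute line. RFC 2849 allows a
# value verbatim only if it is printable ASCII and does not start with a
# blank, ':' or '<'; anything else (an umlaut in cn/sn/gn, a CR/LF) is
# written base64-encoded after the "::" separator.
ldif_attr() {
  local attr=$1 value=$2
  case "$value" in
    ' '*|':'*|'<'*|*[![:ascii:]]*|*[[:cntrl:]]*)
      printf '%s:: %s\n' "$attr" "$(printf '%s' "$value" | base64 | tr -d '[:space:]')"
      ;;
    *)
      printf '%s: %s\n' "$attr" "$value"
      ;;
  esac
}
# CipherMail's URL spelling of '@' (single-quoted so $0 is not expanded).
at_escape='$0040'
# Loop through each email in the emails var (here-string instead of
# `echo | while`, so the loop does not run in a subshell).
while IFS= read -r mail; do
  # Skip blank lines
  [ -z "$mail" ] && continue
  ###########################
  # Add email to ciphermail #
  ###########################
  if [ "$ENABLE_CIPHERMAIL_SUPPORT" = true ]; then
    java -cp '/usr/share/djigzo/lib/*' mitm.application.djigzo.tools.CLITool --add-user "$mail" --email "$mail"
  fi
  ##########################################################
  # Activate the user under ciphermail                     #
  # i.e. force it to connect the user with the certificate #
  ##########################################################
  if [ "$ENABLE_CIPHERMAIL_SUPPORT" = true ]; then
    email_converted=${mail//@/$at_escape}
    url="${prefix}${email_converted}${postfix}"
    curl -s -b "$cookies" -o /dev/null "$url"
  fi
  ############################################################
  # Convert the collected information into ldap ldif entries #
  ############################################################
  {
    ldif_attr dn "uid=${uid}#${mail}${dn_base}"
    ldif_attr objectClass top
    ldif_attr objectClass person
    ldif_attr objectClass organizationalPerson
    ldif_attr objectClass inetOrgPerson
    ldif_attr uid "${uid}#${mail}"
    ldif_attr cn "$cn"
    ldif_attr givenName "$gn"
    ldif_attr sn "$sn"
    ldif_attr mail "$mail"
    # Both values are already base64 text; written exactly as before.
    printf 'userSMIMECertificate: %s\n' "$pem_data"
    printf 'userSMIMECertificate;binary:: %s\n' "$der_encoded"
    ldif_attr description "Certificate expires: ${cert_expire_clean}"
    printf '\n\n'
  } >> "$filename_ldif"
done <<<"$emails"
rm -f -- "$pem_file"
if [ "$ENABLE_CIPHERMAIL_SUPPORT" = true ]; then
  rm -f -- "$cookies"
fi
#########
# Debug #
#########
printf '%s\n' "$filename_ldif"
cat -- "$filename_ldif"
######################
# Add to ldap server #
######################
# ldapadd -x -H ldap://localhost:1389 -D "cn=admin,dc=smime,dc=uni-bremen,dc=de" -W -f ${filename_ldif}
rm -f -- "$filename_ldif"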