2022-06-30 01:46:41 +02:00
|
|
|
|
namespace Bit.Setup;
|
2022-08-29 22:06:55 +02:00
|
|
|
|
|
2017-10-24 14:45:48 +02:00
|
|
|
|
public class CertBuilder
|
|
|
|
|
|
{
|
2018-08-30 17:35:44 +02:00
|
|
|
|
private readonly Context _context;
|
2022-08-29 22:06:55 +02:00
|
|
|
|
|
2017-10-24 14:45:48 +02:00
|
|
|
|
public CertBuilder(Context context)
|
|
|
|
|
|
{
|
2018-08-30 17:35:44 +02:00
|
|
|
|
_context = context;
|
2022-08-29 22:06:55 +02:00
|
|
|
|
}
|
2018-08-30 17:35:44 +02:00
|
|
|
|
|
|
|
|
|
|
public void BuildForInstall()
|
2022-08-29 22:06:55 +02:00
|
|
|
|
{
|
2018-08-30 17:35:44 +02:00
|
|
|
|
if (_context.Stub)
|
2017-10-24 14:45:48 +02:00
|
|
|
|
{
|
2018-08-30 17:35:44 +02:00
|
|
|
|
_context.Config.Ssl = true;
|
2019-03-15 14:28:39 +01:00
|
|
|
|
_context.Install.Trusted = true;
|
2018-08-30 17:35:44 +02:00
|
|
|
|
_context.Install.SelfSignedCert = false;
|
2019-03-15 14:28:39 +01:00
|
|
|
|
_context.Install.DiffieHellman = false;
|
2018-08-30 17:35:44 +02:00
|
|
|
|
_context.Install.IdentityCertPassword = "IDENTITY_CERT_PASSWORD";
|
2022-08-29 22:06:55 +02:00
|
|
|
|
return;
|
2017-10-24 14:45:48 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
2018-08-30 17:35:44 +02:00
|
|
|
|
_context.Config.Ssl = _context.Config.SslManagedLetsEncrypt;
|
2022-08-29 21:53:48 +02:00
|
|
|
|
|
2018-08-30 17:35:44 +02:00
|
|
|
|
if (!_context.Config.Ssl)
|
2022-08-29 22:06:55 +02:00
|
|
|
|
{
|
2018-08-30 17:35:44 +02:00
|
|
|
|
var skipSSL = _context.Parameters.ContainsKey("skip-ssl") && (_context.Parameters["skip-ssl"] == "true" || _context.Parameters["skip-ssl"] == "1");
|
|
|
|
|
|
|
2020-03-27 19:36:37 +01:00
|
|
|
|
if (!skipSSL)
|
2017-10-24 14:45:48 +02:00
|
|
|
|
{
|
2021-04-06 20:39:27 +02:00
|
|
|
|
_context.Config.Ssl = Helpers.ReadQuestion("Do you have a SSL certificate to use?");
|
|
|
|
|
|
if (_context.Config.Ssl)
|
2022-08-29 22:06:55 +02:00
|
|
|
|
{
|
2021-04-06 20:39:27 +02:00
|
|
|
|
Directory.CreateDirectory($"/bitwarden/ssl/{_context.Install.Domain}/");
|
|
|
|
|
|
var message = "Make sure 'certificate.crt' and 'private.key' are provided in the \n" +
|
|
|
|
|
|
"appropriate directory before running 'start' (see docs for info).";
|
|
|
|
|
|
Helpers.ShowBanner(_context, "NOTE", message);
|
2022-08-29 22:06:55 +02:00
|
|
|
|
}
|
2021-04-06 20:39:27 +02:00
|
|
|
|
else if (Helpers.ReadQuestion("Do you want to generate a self-signed SSL certificate?"))
|
2018-08-30 17:35:44 +02:00
|
|
|
|
{
|
2021-04-06 20:39:27 +02:00
|
|
|
|
Directory.CreateDirectory($"/bitwarden/ssl/self/{_context.Install.Domain}/");
|
|
|
|
|
|
Helpers.WriteLine(_context, "Generating self signed SSL certificate.");
|
|
|
|
|
|
_context.Config.Ssl = true;
|
|
|
|
|
|
_context.Install.Trusted = false;
|
|
|
|
|
|
_context.Install.SelfSignedCert = true;
|
|
|
|
|
|
Helpers.Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -days 36500 " +
|
|
|
|
|
|
$"-keyout /bitwarden/ssl/self/{_context.Install.Domain}/private.key " +
|
|
|
|
|
|
$"-out /bitwarden/ssl/self/{_context.Install.Domain}/certificate.crt " +
|
|
|
|
|
|
$"-reqexts SAN -extensions SAN " +
|
|
|
|
|
|
$"-config <(cat /usr/lib/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:{_context.Install.Domain}\nbasicConstraints=CA:true')) " +
|
|
|
|
|
|
$"-subj \"/C=US/ST=California/L=Santa Barbara/O=Bitwarden Inc./OU=Bitwarden/CN={_context.Install.Domain}\"");
|
2018-03-08 23:31:51 +01:00
|
|
|
|
}
|
2017-10-24 14:45:48 +02:00
|
|
|
|
}
|
2022-08-29 22:06:55 +02:00
|
|
|
|
}
|
2017-10-24 14:45:48 +02:00
|
|
|
|
|
2020-03-27 19:36:37 +01:00
|
|
|
|
if (_context.Config.SslManagedLetsEncrypt)
|
2018-08-30 17:35:44 +02:00
|
|
|
|
{
|
|
|
|
|
|
_context.Install.Trusted = true;
|
|
|
|
|
|
_context.Install.DiffieHellman = true;
|
|
|
|
|
|
Directory.CreateDirectory($"/bitwarden/letsencrypt/live/{_context.Install.Domain}/");
|
2019-03-15 16:19:52 +01:00
|
|
|
|
Helpers.Exec($"openssl dhparam -out " +
|
|
|
|
|
|
$"/bitwarden/letsencrypt/live/{_context.Install.Domain}/dhparam.pem 2048");
|
2018-08-30 17:35:44 +02:00
|
|
|
|
}
|
2020-03-27 19:36:37 +01:00
|
|
|
|
else if (_context.Config.Ssl && !_context.Install.SelfSignedCert)
|
2017-10-24 14:45:48 +02:00
|
|
|
|
{
|
2018-08-30 17:35:44 +02:00
|
|
|
|
_context.Install.Trusted = Helpers.ReadQuestion("Is this a trusted SSL certificate " +
|
|
|
|
|
|
"(requires ca.crt, see docs)?");
|
2017-10-24 14:45:48 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
2019-03-12 15:26:14 +01:00
|
|
|
|
Helpers.WriteLine(_context, "Generating key for IdentityServer.");
|
2018-08-30 17:35:44 +02:00
|
|
|
|
_context.Install.IdentityCertPassword = Helpers.SecureRandomString(32, alpha: true, numeric: true);
|
2017-10-24 14:45:48 +02:00
|
|
|
|
Directory.CreateDirectory("/bitwarden/identity/");
|
2017-12-21 04:31:30 +01:00
|
|
|
|
Helpers.Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout identity.key " +
|
2019-10-02 16:26:07 +02:00
|
|
|
|
"-out identity.crt -subj \"/CN=Bitwarden IdentityServer\" -days 36500");
|
2017-12-21 04:31:30 +01:00
|
|
|
|
Helpers.Exec("openssl pkcs12 -export -out /bitwarden/identity/identity.pfx -inkey identity.key " +
|
2021-07-09 23:52:48 +02:00
|
|
|
|
$"-in identity.crt -passout pass:{_context.Install.IdentityCertPassword}");
|
2017-10-24 14:45:48 +02:00
|
|
|
|
|
2019-03-12 15:26:14 +01:00
|
|
|
|
Helpers.WriteLine(_context);
|
2018-08-30 17:35:44 +02:00
|
|
|
|
|
2020-03-27 19:36:37 +01:00
|
|
|
|
if (!_context.Config.Ssl)
|
2018-08-30 17:35:44 +02:00
|
|
|
|
{
|
|
|
|
|
|
var message = "You are not using a SSL certificate. Bitwarden requires HTTPS to operate. \n" +
|
|
|
|
|
|
"You must front your installation with a HTTPS proxy or the web vault (and \n" +
|
|
|
|
|
|
"other Bitwarden apps) will not work properly.";
|
2019-03-12 15:26:14 +01:00
|
|
|
|
Helpers.ShowBanner(_context, "WARNING", message, ConsoleColor.Yellow);
|
2018-08-30 17:35:44 +02:00
|
|
|
|
}
|
2020-03-27 19:36:37 +01:00
|
|
|
|
else if (_context.Config.Ssl && !_context.Install.Trusted)
|
2018-08-30 17:35:44 +02:00
|
|
|
|
{
|
|
|
|
|
|
var message = "You are using an untrusted SSL certificate. This certificate will not be \n" +
|
|
|
|
|
|
"trusted by Bitwarden client applications. You must add this certificate to \n" +
|
|
|
|
|
|
"the trusted store on each device or else you will receive errors when trying \n" +
|
|
|
|
|
|
"to connect to your installation.";
|
2019-03-12 15:26:14 +01:00
|
|
|
|
Helpers.ShowBanner(_context, "WARNING", message, ConsoleColor.Yellow);
|
2017-10-24 14:45:48 +02:00
|
|
|
|
}
|
2022-08-29 22:06:55 +02:00
|
|
|
|
}
|
2021-11-16 18:52:02 +01:00
|
|
|
|
|
|
|
|
|
|
public void BuildForUpdater()
|
2022-08-29 22:06:55 +02:00
|
|
|
|
{
|
2021-11-16 18:52:02 +01:00
|
|
|
|
if (_context.Config.EnableKeyConnector && !File.Exists("/bitwarden/key-connector/bwkc.pfx"))
|
|
|
|
|
|
{
|
|
|
|
|
|
Directory.CreateDirectory("/bitwarden/key-connector/");
|
|
|
|
|
|
var keyConnectorCertPassword = Helpers.GetValueFromEnvFile("key-connector",
|
|
|
|
|
|
"keyConnectorSettings__certificate__filesystemPassword");
|
|
|
|
|
|
Helpers.Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout bwkc.key " +
|
|
|
|
|
|
"-out bwkc.crt -subj \"/CN=Bitwarden Key Connector\" -days 36500");
|
|
|
|
|
|
Helpers.Exec("openssl pkcs12 -export -out /bitwarden/key-connector/bwkc.pfx -inkey bwkc.key " +
|
|
|
|
|
|
$"-in bwkc.crt -passout pass:{keyConnectorCertPassword}");
|
|
|
|
|
|
}
|
2017-10-24 14:45:48 +02:00
|
|
|
|
}
|
|
|
|
|
|
}
|
