1
0
mirror of https://github.com/bitwarden/server.git synced 2024-12-23 17:07:42 +01:00

cert builder

This commit is contained in:
Kyle Spearrin 2017-10-24 08:45:48 -04:00
parent ba94fe97c0
commit 36e1ba66c7
3 changed files with 122 additions and 105 deletions

84
util/Setup/CertBuilder.cs Normal file
View File

@ -0,0 +1,84 @@
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
namespace Bit.Setup
{
public class CertBuilder
{
public CertBuilder(string domain, string identityCertPassword, bool letsEncrypt, bool ssl)
{
Domain = domain;
IdentityCertPassword = identityCertPassword;
LetsEncrypt = letsEncrypt;
Ssl = ssl;
}
public string Domain { get; private set; }
public bool LetsEncrypt { get; private set; }
public bool Ssl { get; private set; }
public string IdentityCertPassword { get; private set; }
public bool BuildForInstall()
{
var selfSignedSsl = false;
if(!Ssl)
{
Directory.CreateDirectory($"/bitwarden/ssl/self/{Domain}/");
Console.WriteLine("Generating self signed SSL certificate.");
Ssl = selfSignedSsl = true;
Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -days 365 " +
$"-keyout /bitwarden/ssl/self/{Domain}/private.key " +
$"-out /bitwarden/ssl/self/{Domain}/certificate.crt " +
$"-subj \"/C=US/ST=New York/L=New York/O=8bit Solutions LLC/OU=bitwarden/CN={Domain}\"");
}
if(LetsEncrypt)
{
Directory.CreateDirectory($"/bitwarden/letsencrypt/live/{Domain}/");
Exec($"openssl dhparam -out /bitwarden/letsencrypt/live/{Domain}/dhparam.pem 2048");
}
Console.WriteLine("Generating key for IdentityServer.");
Directory.CreateDirectory("/bitwarden/identity/");
Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout identity.key " +
"-out identity.crt -subj \"/CN=bitwarden IdentityServer\" -days 10950");
Exec("openssl pkcs12 -export -out /bitwarden/identity/identity.pfx -inkey identity.key " +
$"-in identity.crt -certfile identity.crt -passout pass:{IdentityCertPassword}");
return selfSignedSsl;
}
private string Exec(string cmd)
{
var process = new Process
{
StartInfo = new ProcessStartInfo
{
RedirectStandardOutput = true,
UseShellExecute = false,
CreateNoWindow = true,
WindowStyle = ProcessWindowStyle.Hidden
}
};
if(!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
var escapedArgs = cmd.Replace("\"", "\\\"");
process.StartInfo.FileName = "/bin/bash";
process.StartInfo.Arguments = $"-c \"{escapedArgs}\"";
}
else
{
process.StartInfo.FileName = "powershell";
process.StartInfo.Arguments = cmd;
}
process.Start();
var result = process.StandardOutput.ReadToEnd();
process.WaitForExit();
return result;
}
}
}

View File

@ -34,12 +34,32 @@ namespace Bit.Setup
public void BuildForInstaller()
{
Build(true);
if(Ssl && !SelfSignedSsl && !LetsEncrypt)
{
Console.Write("(!) Use Diffie Hellman ephemeral parameters for SSL (requires dhparam.pem)? (y/n): ");
DiffieHellman = Console.ReadLine().ToLowerInvariant() == "y";
}
else
{
DiffieHellman = LetsEncrypt;
}
if(Ssl && !SelfSignedSsl && !LetsEncrypt)
{
Console.Write("(!) Is this a trusted SSL certificate (requires ca.crt)? (y/n): ");
Trusted = Console.ReadLine().ToLowerInvariant() == "y";
}
else
{
Trusted = LetsEncrypt;
}
Build();
}
public void BuildForUpdater()
{
Build(false);
Build();
}
public bool UpdateContext()
@ -58,31 +78,8 @@ namespace Bit.Setup
return true;
}
private void Build(bool installer)
private void Build()
{
if(installer)
{
if(Ssl && !SelfSignedSsl && !LetsEncrypt)
{
Console.Write("(!) Use Diffie Hellman ephemeral parameters for SSL (requires dhparam.pem)? (y/n): ");
DiffieHellman = Console.ReadLine().ToLowerInvariant() == "y";
}
else
{
DiffieHellman = LetsEncrypt;
}
if(Ssl && !SelfSignedSsl && !LetsEncrypt)
{
Console.Write("(!) Is this a trusted SSL certificate (requires ca.crt)? (y/n): ");
Trusted = Console.ReadLine().ToLowerInvariant() == "y";
}
else
{
Trusted = LetsEncrypt;
}
}
Directory.CreateDirectory("/bitwarden/nginx/");
var sslPath = LetsEncrypt ? $"/etc/letsencrypt/live/{Domain}" :

View File

@ -3,11 +3,8 @@ using Newtonsoft.Json;
using System;
using System.Collections.Generic;
using System.Data.SqlClient;
using System.Diagnostics;
using System.IO;
using System.Net.Http;
using System.Reflection;
using System.Runtime.InteropServices;
namespace Bit.Setup
{
@ -15,11 +12,6 @@ namespace Bit.Setup
{
private static string[] _args = null;
private static IDictionary<string, string> _parameters = null;
private static string _domain = null;
private static string _identityCertPassword = null;
private static bool _ssl = false;
private static bool _selfSignedSsl = false;
private static bool _letsEncrypt = false;
private static Guid? _installationId = null;
private static string _installationKey = null;
@ -49,9 +41,9 @@ namespace Bit.Setup
{
var outputDir = _parameters.ContainsKey("out") ?
_parameters["out"].ToLowerInvariant() : "/etc/bitwarden";
_domain = _parameters.ContainsKey("domain") ?
var domain = _parameters.ContainsKey("domain") ?
_parameters["domain"].ToLowerInvariant() : "localhost";
_letsEncrypt = _parameters.ContainsKey("letsencrypt") ?
var letsEncrypt = _parameters.ContainsKey("letsencrypt") ?
_parameters["letsencrypt"].ToLowerInvariant() == "y" : false;
if(!ValidateInstallation())
@ -59,24 +51,26 @@ namespace Bit.Setup
return;
}
_ssl = _letsEncrypt;
if(!_letsEncrypt)
var ssl = letsEncrypt;
if(!letsEncrypt)
{
Console.Write("(!) Do you have a SSL certificate to use? (y/n): ");
_ssl = Console.ReadLine().ToLowerInvariant() == "y";
ssl = Console.ReadLine().ToLowerInvariant() == "y";
if(_ssl)
if(ssl)
{
Console.WriteLine("Make sure 'certificate.crt' and 'private.key' are provided in the " +
"appropriate directory (see setup instructions).");
}
}
_identityCertPassword = Helpers.SecureRandomString(32, alpha: true, numeric: true);
MakeCerts();
var identityCertPassword = Helpers.SecureRandomString(32, alpha: true, numeric: true);
var certBuilder = new CertBuilder(domain, identityCertPassword, letsEncrypt, ssl);
var selfSignedSsl = certBuilder.BuildForInstall();
ssl = certBuilder.Ssl; // Ssl prop can get flipped during the build
var url = _ssl ? $"https://{_domain}" : $"http://{_domain}";
var nginxBuilder = new NginxConfigBuilder(_domain, _ssl, _selfSignedSsl, _letsEncrypt);
var url = ssl ? $"https://{domain}" : $"http://{domain}";
var nginxBuilder = new NginxConfigBuilder(domain, ssl, selfSignedSsl, letsEncrypt);
nginxBuilder.BuildForInstaller();
Console.Write("(!) Do you want to use push notifications? (y/n): ");
@ -85,8 +79,8 @@ namespace Bit.Setup
var environmentFileBuilder = new EnvironmentFileBuilder
{
DatabasePassword = Helpers.SecureRandomString(32),
Domain = _domain,
IdentityCertPassword = _identityCertPassword,
Domain = domain,
IdentityCertPassword = identityCertPassword,
InstallationId = _installationId,
InstallationKey = _installationKey,
OutputDirectory = outputDir,
@ -95,7 +89,7 @@ namespace Bit.Setup
};
environmentFileBuilder.Build();
var appSettingsBuilder = new AppSettingsBuilder(url, _domain);
var appSettingsBuilder = new AppSettingsBuilder(url, domain);
appSettingsBuilder.Build();
var appIdBuilder = new AppIdBuilder(url);
@ -221,33 +215,6 @@ namespace Bit.Setup
}
}
private static void MakeCerts()
{
if(!_ssl)
{
Directory.CreateDirectory($"/bitwarden/ssl/self/{_domain}/");
Console.WriteLine("Generating self signed SSL certificate.");
_ssl = _selfSignedSsl = true;
Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -days 365 " +
$"-keyout /bitwarden/ssl/self/{_domain}/private.key " +
$"-out /bitwarden/ssl/self/{_domain}/certificate.crt " +
$"-subj \"/C=US/ST=New York/L=New York/O=8bit Solutions LLC/OU=bitwarden/CN={_domain}\"");
}
if(_letsEncrypt)
{
Directory.CreateDirectory($"/bitwarden/letsencrypt/live/{_domain}/");
Exec($"openssl dhparam -out /bitwarden/letsencrypt/live/{_domain}/dhparam.pem 2048");
}
Console.WriteLine("Generating key for IdentityServer.");
Directory.CreateDirectory("/bitwarden/identity/");
Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout identity.key " +
"-out identity.crt -subj \"/CN=bitwarden IdentityServer\" -days 10950");
Exec("openssl pkcs12 -export -out /bitwarden/identity/identity.pfx -inkey identity.key " +
$"-in identity.crt -certfile identity.crt -passout pass:{_identityCertPassword}");
}
private static void RebuildConfigs()
{
var url = Helpers.GetValueFronEnvFile("global", "globalSettings__baseServiceUri__vault");
@ -284,36 +251,5 @@ namespace Bit.Setup
return dict;
}
private static string Exec(string cmd)
{
var process = new Process
{
StartInfo = new ProcessStartInfo
{
RedirectStandardOutput = true,
UseShellExecute = false,
CreateNoWindow = true,
WindowStyle = ProcessWindowStyle.Hidden
}
};
if(!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
var escapedArgs = cmd.Replace("\"", "\\\"");
process.StartInfo.FileName = "/bin/bash";
process.StartInfo.Arguments = $"-c \"{escapedArgs}\"";
}
else
{
process.StartInfo.FileName = "powershell";
process.StartInfo.Arguments = cmd;
}
process.Start();
var result = process.StandardOutput.ReadToEnd();
process.WaitForExit();
return result;
}
}
}