server/certspotter: check tbs instead of pubkey
parent
dcdb5f3734
commit
7535990be0
|
@ -1,6 +1,6 @@
|
||||||
# copy a path to store (needed because I don't copy the secrets to store by default)
|
# copy a path to store (needed because I don't copy the secrets to store by default)
|
||||||
# arg must be a string because of how nix handles relative paths as absolute
|
# arg must be a string because of how nix handles relative paths as absolute
|
||||||
{ copyToStore ? (pkgs: name: x: ./. + x)
|
{ copyToStore ? (pkgs: name: x: ./${x})
|
||||||
, ... }: {
|
, ... }: {
|
||||||
nixmsi = {
|
nixmsi = {
|
||||||
system = { pkgs, ... }: {
|
system = { pkgs, ... }: {
|
||||||
|
|
|
@ -314,9 +314,6 @@ in {
|
||||||
signing_salt._secret = "/secrets/akkoma/signing_salt";
|
signing_salt._secret = "/secrets/akkoma/signing_salt";
|
||||||
live_view.signing_salt._secret = "/secrets/akkoma/live_view_signing_salt";
|
live_view.signing_salt._secret = "/secrets/akkoma/live_view_signing_salt";
|
||||||
};
|
};
|
||||||
extraStatic."static/terms-of-service.html" = pkgs.writeText "terms-of-service.html" ''
|
|
||||||
no bigotry kthx
|
|
||||||
'';
|
|
||||||
initDb = {
|
initDb = {
|
||||||
enable = false;
|
enable = false;
|
||||||
username = "akkoma";
|
username = "akkoma";
|
||||||
|
@ -329,6 +326,8 @@ in {
|
||||||
notify_email = "noreply@${cfg.domainName}";
|
notify_email = "noreply@${cfg.domainName}";
|
||||||
limit = 5000;
|
limit = 5000;
|
||||||
registrations_open = true;
|
registrations_open = true;
|
||||||
|
account_activation_required = true;
|
||||||
|
account_approval_required = true;
|
||||||
};
|
};
|
||||||
config.":pleroma"."Pleroma.Repo" = {
|
config.":pleroma"."Pleroma.Repo" = {
|
||||||
adapter = (pkgs.formats.elixirConf { }).lib.mkRaw "Ecto.Adapters.Postgres";
|
adapter = (pkgs.formats.elixirConf { }).lib.mkRaw "Ecto.Adapters.Postgres";
|
||||||
|
@ -358,23 +357,38 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# TODO: create a separate group for nginx and certspotter
|
|
||||||
# TODO: calc tbs instead of pubkey hash?
|
# TODO: calc tbs instead of pubkey hash?
|
||||||
users.users.certspotter.extraGroups = [ "nginx" ];
|
security.acme.certs = lib.flip builtins.mapAttrs (lib.filterAttrs (k: v: v.enableACME) config.services.nginx.virtualHosts) (k: v: {
|
||||||
|
postRun = let
|
||||||
|
python = pkgs.python3.withPackages (p: with p; [ cryptography pyasn1 pyasn1-modules ]);
|
||||||
|
tbs-hash = pkgs.writeScript "tbs-hash.py" ''
|
||||||
|
#!${python}/bin/python3
|
||||||
|
import hashlib
|
||||||
|
from pyasn1.codec.der.decoder import decode
|
||||||
|
from pyasn1.codec.der.encoder import encode
|
||||||
|
from pyasn1_modules import rfc5280
|
||||||
|
from cryptography import x509
|
||||||
|
|
||||||
|
with open('full.pem', 'rb') as f:
|
||||||
|
cert = x509.load_pem_x509_certificate(f.read())
|
||||||
|
tbs, _leftover = decode(cert.tbs_certificate_bytes, asn1Spec=rfc5280.TBSCertificate())
|
||||||
|
precert_exts = [v.dotted_string for k, v in x509.ExtensionOID.__dict__.items() if k.startswith('PRECERT_')]
|
||||||
|
exts = [ext for ext in tbs["extensions"] if str(ext["extnID"]) not in precert_exts]
|
||||||
|
tbs["extensions"].clear()
|
||||||
|
tbs["extensions"].extend(exts)
|
||||||
|
print(hashlib.sha256(encode(tbs)).hexdigest())
|
||||||
|
'';
|
||||||
|
in ''
|
||||||
|
${tbs-hash} > "/var/lib/certspotter/tbs-hashes/${k}"
|
||||||
|
'';
|
||||||
|
});
|
||||||
services.certspotter = {
|
services.certspotter = {
|
||||||
enable = true;
|
enable = true;
|
||||||
extraFlags = [ ];
|
extraFlags = [ ];
|
||||||
watchlist = [ ".pavluk.org" ];
|
watchlist = [ ".pavluk.org" ];
|
||||||
hooks = let
|
hooks = lib.toList (pkgs.writeShellScript "certspotter-hook" ''
|
||||||
openssl = "${pkgs.openssl.bin}/bin/openssl";
|
|
||||||
in lib.toList (pkgs.writeShellScript "certspotter-hook" ''
|
|
||||||
if [[ "$EVENT" == discovered_cert ]]; then
|
if [[ "$EVENT" == discovered_cert ]]; then
|
||||||
mkdir -p /var/lib/certspotter/allowed_keys
|
${pkgs.gnugrep}/bin/grep -r "$TBS_SHA256" /var/lib/certspotter/tbs-hashes/ && exit
|
||||||
for cert in $(find /var/lib/acme -regex ".*/fullchain.pem"); do
|
|
||||||
hash="$(${openssl} x509 -in "$cert" -pubkey -noout | ${openssl} pkey -pubin -outform DER | ${openssl} sha256 | cut -d" " -f2)"
|
|
||||||
touch "/var/lib/certspotter/allowed_keys/$hash"
|
|
||||||
done
|
|
||||||
[[ -f "/var/lib/certspotter/allowed_keys/$PUBKEY_SHA256" ]] && exit 0
|
|
||||||
fi
|
fi
|
||||||
(echo "Subject: $SUMMARY" && echo && cat "$TEXT_FILENAME") | /run/wrappers/bin/sendmail -i webmaster-certspotter@${cfg.domainName}
|
(echo "Subject: $SUMMARY" && echo && cat "$TEXT_FILENAME") | /run/wrappers/bin/sendmail -i webmaster-certspotter@${cfg.domainName}
|
||||||
'');
|
'');
|
||||||
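Review bot: The new allowlist check in the hook, `grep -r "$TBS_SHA256" /var/lib/certspotter/tbs-hashes/ && exit`, fails open whenever `TBS_SHA256` is unset or empty (an older certspotter, or an event that does not carry it): `grep -r ""` matches every line of every file under that directory, so the hook exits before the sendmail line for every discovered certificate. Guard the variable and match whole lines literally instead: `if [[ -n "$TBS_SHA256" ]] && ${pkgs.gnugrep}/bin/grep -rFxq -- "$TBS_SHA256" /var/lib/certspotter/tbs-hashes/; then exit 0; fi` (the script prints a lowercase `hexdigest()`, so this assumes certspotter exports the digest in the same form). The postRun redirect `${tbs-hash} > "/var/lib/certspotter/tbs-hashes/${k}"` has no `mkdir -p /var/lib/certspotter/tbs-hashes` before it, unlike the `allowed_keys` line it replaces, so the first issuance fails unless that directory is created elsewhere, and the files are written by the acme unit (root) but read by the certspotter user, which needs a comment stating the expected permissions; note also that a CT log entry observed before postRun has written the hash will still be reported, which is presumably acceptable but worth saying. The `# TODO: calc tbs instead of pubkey hash?` comment is implemented by this commit and should be dropped or replaced with a line explaining that the `PRECERT_*` extensions are stripped before hashing, presumably so one hash covers both the precertificate and the final certificate.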
|
|
|
@ -23,7 +23,7 @@ in {
|
||||||
# Allow murmur to read the certificate
|
# Allow murmur to read the certificate
|
||||||
security.acme.certs."mumble.${cfg.domainName}" = {
|
security.acme.certs."mumble.${cfg.domainName}" = {
|
||||||
group = "nginxandmurmur";
|
group = "nginxandmurmur";
|
||||||
postRun = "systemctl try-reload-or-restart murmur";
|
reloadServices = [ "murmur" ];
|
||||||
};
|
};
|
||||||
users.groups.nginxandmurmur.members = [ "murmur" "nginx" ];
|
users.groups.nginxandmurmur.members = [ "murmur" "nginx" ];
|
||||||
|
|
||||||
|
|