Build a Java Keystore from certificate and private key
#!/bin/ash
#
# Set up HTTPS in OpenCast
# ~~~~~~~~~~~~~~~~~~~~~~~~
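set -e
# Remember the caller's working directory. This file is evidently meant to be
# sourced by the entrypoint rather than executed (it uses `return` below and
# restores the cwd at the end), which also means `set -e` applies to the caller.
dir_before="$PWD"

# Apply default values to environment variables.
# NOTE(review): the fallback for both passwords is the literal string
# "password"; that is only acceptable for local testing and must be
# overridden in any real deployment.
: "${OPENCAST_HTTPS_ENABLED:=false}"
: "${OPENCAST_KEYSTORE_PASSWORD:=password}"
: "${OPENCAST_KEY_PASSWORD:=password}"

# Ensure the helper functions used below are present
: "${OPENCAST_SCRIPTS:?OPENCAST_SCRIPTS must point at the directory holding helper.sh}"
. "${OPENCAST_SCRIPTS}/helper.sh"

# Replace env variables in HTTP(S) Webserver config
opencast_helper_replaceinfile "etc/org.ops4j.pax.web.cfg" \
  "OPENCAST_HTTPS_ENABLED" \
  "OPENCAST_KEYSTORE_PASSWORD" \
  "OPENCAST_KEY_PASSWORD"

# Nothing more to do when HTTPS is disabled (return, not exit: we are sourced)
case "$OPENCAST_HTTPS_ENABLED" in
  (false) return 0 ;;
esac

# Change into the directory containing the certificates and keys.
# Fail loudly if the config root is unset instead of silently trying "/cert".
: "${OPENCAST_CONFIG:?OPENCAST_CONFIG must point at the Opencast configuration directory}"
cd "${OPENCAST_CONFIG}/cert"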
# Java servers require / work best with a Java keystore,
# so check whether one exists and, if not, attempt to create one (for debugging)
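make_new_keystore() {
  # Generate a fresh self-signed RSA keypair in keystore.jks under the alias
  # "serverkey" (intended for debugging, see the note above), then list the
  # entry back to confirm the store is readable with the given password.
  #
  # Globals: OPENCAST_CERT_SUBJECT, OPENCAST_KEY_PASSWORD,
  #          OPENCAST_KEYSTORE_PASSWORD (all read)
  # Returns: keytool's exit status; non-zero aborts the caller under set -e
  #
  # keytool prompts interactively when -dname is empty, which hangs a
  # non-interactive container start, so require the subject up front.
  : "${OPENCAST_CERT_SUBJECT:?OPENCAST_CERT_SUBJECT (e.g. CN=hostname) is required to generate a keystore}"
  # Explicit key size: older keytool releases default to a weaker RSA key.
  keytool -keystore keystore.jks \
    -genkeypair \
    -alias serverkey \
    -keyalg RSA \
    -keysize 2048 \
    -keypass "$OPENCAST_KEY_PASSWORD" \
    -storepass "$OPENCAST_KEYSTORE_PASSWORD" \
    -dname "$OPENCAST_CERT_SUBJECT" && \
  keytool -keystore keystore.jks \
    -list \
    -alias serverkey \
    -storepass "$OPENCAST_KEYSTORE_PASSWORD"
}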
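import_keys() {
  # Build keystore.jks from a PEM certificate ($1) and its private key ($2):
  #   1. resolve and strictly verify the certificate chain,
  #   2. bundle key + chain into a PKCS#12 file,
  #   3. import that file into a JKS under the alias "serverkey".
  # Runs inside the cert directory and relies on `set -e` to abort on failure.
  #
  # Arguments: $1 - path to the PEM certificate
  #            $2 - path to the PEM private key (may be encrypted)
  # Globals:   OPENCAST_KEY_PASSWORD, OPENCAST_KEYSTORE_PASSWORD (read)
  # Outputs:   progress text and a directory listing on stdout
  local cert_file="$1"
  local key_file="$2"
  local chain_tmp="opencast.chain.pem.tmp"
  local p12_tmp="opencast.p12"

  echo "Obtaining certificate chain for ${cert_file}"
  /usr/local/bin/cert-chain-resolver -s -o "$chain_tmp" "$cert_file"
  # Strict verification including CRL checks. A failure aborts via set -e,
  # which is intended: never build a keystore from a chain that does not verify.
  openssl verify \
    -crl_download \
    -crl_check \
    -x509_strict \
    -untrusted "$chain_tmp" \
    "$cert_file"

  # Both traditional ("Proc-Type: 4,ENCRYPTED") and PKCS#8
  # ("BEGIN ENCRYPTED PRIVATE KEY") encrypted PEM keys carry this marker.
  # Passwords are handed to openssl through the environment (env:) instead
  # of the command line, where "pass:..." would be readable in the process list.
  if grep -q "ENCRYPTED" "$key_file"; then
    OPENCAST_KEY_PASSWORD="$OPENCAST_KEY_PASSWORD" \
    OPENCAST_KEYSTORE_PASSWORD="$OPENCAST_KEYSTORE_PASSWORD" \
    openssl pkcs12 \
      -export \
      -inkey "$key_file" \
      -passin env:OPENCAST_KEY_PASSWORD \
      -in "$chain_tmp" \
      -name "serverkey" \
      -out "$p12_tmp" \
      -passout env:OPENCAST_KEYSTORE_PASSWORD
  else
    OPENCAST_KEYSTORE_PASSWORD="$OPENCAST_KEYSTORE_PASSWORD" \
    openssl pkcs12 \
      -export \
      -inkey "$key_file" \
      -in "$chain_tmp" \
      -name "serverkey" \
      -out "$p12_tmp" \
      -passout env:OPENCAST_KEYSTORE_PASSWORD
  fi

  # Import the single "serverkey" entry into a Java keystore. -destkeypass is
  # set explicitly: otherwise the key in the JKS would be protected with the
  # PKCS#12 (= keystore) password, while the pax-web config written earlier
  # expects OPENCAST_KEY_PASSWORD for the key. -noprompt keeps keytool from
  # waiting on stdin in a non-interactive container.
  # (keytool passwords are still passed on the command line here; its :env /
  # :file password modifiers could avoid that - verify on the installed JDK.)
  keytool \
    -importkeystore \
    -noprompt \
    -srckeystore "$p12_tmp" \
    -srcstoretype "pkcs12" \
    -srcstorepass "$OPENCAST_KEYSTORE_PASSWORD" \
    -srcalias serverkey \
    -destkeystore "keystore.jks" \
    -destalias serverkey \
    -storepass "$OPENCAST_KEYSTORE_PASSWORD" \
    -destkeypass "$OPENCAST_KEY_PASSWORD"
  # -list selects an entry with -alias (as in make_new_keystore), not -destalias
  keytool \
    -keystore "keystore.jks" \
    -list \
    -alias serverkey \
    -storepass "$OPENCAST_KEYSTORE_PASSWORD"
  # The intermediates hold another copy of the private key; keystore.jks is
  # now the only artefact the server needs.
  rm -f -- "$chain_tmp" "$p12_tmp"
  ls -la
}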
# Look for a Java Keystore
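if [ ! -e "keystore.jks" ]; then
  echo "No Java Keystore found."
  echo "Attempting to load server TLS certificate and private key"
  echo "from PEM-encoded files"
  # Candidates are *.cer/*.crt/*.pem/*.key files containing the respective PEM
  # marker. A combined PEM (certificate and key in one file) matches both.
  PRIVATE_KEY_FILE="$(find . -regex ".*\\.\(cer\|crt\|pem\|key\)" -exec grep -l 'BEGIN .* PRIVATE KEY' {} \;)"
  CERTIFICATE_FILE="$(find . -regex ".*\\.\(cer\|crt\|pem\|key\)" -exec grep -l 'BEGIN CERTIFICATE\s*\-' {} \;)"
  echo "Private key file(s): ${PRIVATE_KEY_FILE}"
  echo "Certificate file(s): ${CERTIFICATE_FILE}"
  # find returns one path per line; more than one hit would silently reach
  # import_keys as extra positional arguments, so refuse ambiguity instead.
  nl='
'
  case "${PRIVATE_KEY_FILE}${CERTIFICATE_FILE}" in
    *"$nl"*)
      echo "Several private key or certificate files found; provide exactly one of each." >&2
      return 1
      ;;
  esac
  # Both a key and a certificate are needed; fall back to a generated pair
  # if either is missing.
  if [ -z "${PRIVATE_KEY_FILE}" ] || [ -z "${CERTIFICATE_FILE}" ]; then
    echo "Private key or certificate missing. Generating new keypair."
    make_new_keystore
  else
    import_keys "${CERTIFICATE_FILE}" "${PRIVATE_KEY_FILE}"
  fi
fi
cd "$dir_before"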