github
/
acme.sh
mirror of https://github.com/acmesh-official/acme.sh
1
0
Fork 0
Code Issues Releases Wiki Activity

added secure debug, use global functions, removed local variables

pull/901/head
Rikard Gynnerstedt 2017-06-27 07:44:04 +02:00
parent 04997413a5
commit 2f61a597c6
1 changed files with 27 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

74
deploy/s3.sh
View File

@ -1,19 +1,10 @@
#!/bin/bash #!/bin/bash
#Here is the script to deploy the cert to your s3 bucket. #Here is a sample custom api script.
#export S3_BUCKET=acme #This file name is "myapi.sh"
#export S3_REGION=eu-central-1 #So, here must be a method myapi_deploy()
#export AWS_ACCESS_KEY_ID=exampleid #Which will be called by acme.sh to deploy the cert
#export AWS_SECRET_ACCESS_KEY=examplekey #returns 0 means success, otherwise error.
# Checks to see if awscli present
# If not, use curl + aws v4 signature to upload object
# Make sure your keys have access to upload objects.
# Also make sure your default region is correct, otherwise, override with $S3_REGION
# IMPORTANT
# If you're using acme.sh on a mac, make sure you have the latest version of openssl
# Upgrade easily with homebrew: brew install openssl
######## Public functions ##################### ######## Public functions #####################
@ -32,7 +23,7 @@ s3_deploy() {
return 1 return 1
fi fi
if ! command -v aws; then if ! _exists aws; then
_debug "AWS CLI not installed, defaulting to curl method" _debug "AWS CLI not installed, defaulting to curl method"
_aws_cli_installed=0 _aws_cli_installed=0
else else
@ -60,9 +51,9 @@ s3_deploy() {
_debug _cca "$_cca" _debug _cca "$_cca"
_debug _cfullchain "$_cfullchain" _debug _cfullchain "$_cfullchain"
_debug S3_BUCKET "$S3_BUCKET" _debug S3_BUCKET "$S3_BUCKET"
_debug AWS_ACCESS_KEY_ID "$AWS_ACCESS_KEY_ID" _secure_debug AWS_ACCESS_KEY_ID "$AWS_ACCESS_KEY_ID"
_debug AWS_SECRET_ACCESS_KEY "$AWS_SECRET_ACCESS_KEY" _secure_debug AWS_SECRET_ACCESS_KEY "$AWS_SECRET_ACCESS_KEY"
_info "Deploying certificate to s3 bucket: $S3_BUCKET in $S3_REGION" _info "Deploying certificate to s3 bucket: $S3_BUCKET in $S3_REGION"
if [ "$_aws_cli_installed" -eq "0" ]; then if [ "$_aws_cli_installed" -eq "0" ]; then
@ -125,20 +116,18 @@ _deploy_with_curl() {
_info "Uploading $S3_BUCKET/$prefix" _info "Uploading $S3_BUCKET/$prefix"
curl \ export _H1="Authorization: AWS4-HMAC-SHA256 Credential=${AWS_ACCESS_KEY_ID}/${date_scope}/${region}/s3/aws4_request,SignedHeaders=${signed_headers},Signature=$(_signature)"
-T "${file}" \ export _H2="Date:${date_header}"
-H "Authorization: AWS4-HMAC-SHA256 Credential=${AWS_ACCESS_KEY_ID}/${date_scope}/${region}/s3/aws4_request,SignedHeaders=${signed_headers},Signature=$(_signature)" \ export _H3="x-amz-acl:${acl}"
-H "Date:${date_header}" \ export _H4="x-amz-content-sha256:$(_payload_hash)"
-H "x-amz-acl:${acl}" \ export _H5="x-amz-date:${iso_timestamp}"
-H "x-amz-content-sha256:$(_payload_hash)" \ response=$(_post "${file}" "https://${bucket}.s3.${region}.amazonaws.com/${prefix}")
-H "x-amz-date:${iso_timestamp}" \ _debug response
"https://${bucket}.s3.${region}.amazonaws.com/${prefix}"
} }
_payload_hash() { _payload_hash() {
local output=$(shasum -ba 256 "$file") hash_output=$(shasum -ba 256 "$file")
echo "${output%% *}" echo "${hash_output%% *}"
} }
_canonical_request() { _canonical_request() {
@ -156,8 +145,8 @@ _canonical_request() {
} }
_canonical_request_hash() { _canonical_request_hash() {
local output=$(_canonical_request | shasum -a 256) _canonical_request_output=$(_canonical_request | shasum -a 256)
echo "${output%% *}" echo "${_canonical_request_output%% *}"
} }
_string_to_sign() { _string_to_sign() {
@ -168,22 +157,13 @@ _string_to_sign() {
} }
_signature_key() { _signature_key() {
local secret=$(printf "AWS4${AWS_SECRET_ACCESS_KEY?}" | _hex_key) secret_key=$(printf "AWS4${AWS_SECRET_ACCESS_KEY?}" | _hex_dump | tr -d " ")
local date_key=$(printf ${date_scope} | _hmac_sha256 "${secret}" | _hex_key) date_key=$(printf ${date_scope} | _hmac "sha256" "${secret_key}" | _hex_dump | tr -d " ")
local region_key=$(printf ${region} | _hmac_sha256 "${date_key}" | _hex_key) region_key=$(printf ${region} | _hmac "sha256" "${date_key}" | _hex_dump | tr -d " ")
local service_key=$(printf "s3" | _hmac_sha256 "${region_key}" | _hex_key) service_key=$(printf "s3" | _hmac "sha256" "${region_key}" | _hex_dump | tr -d " ")
printf "aws4_request" | _hmac_sha256 "${service_key}" | _hex_key printf "aws4_request" | _hmac "sha256" "${service_key}" | _hex_dump | tr -d " "
}
_hex_key() {
hexdump -ve '1/1 "%.2x"'; echo
}
_hmac_sha256() {
local hexkey=$1
openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:${hexkey}
} }
_signature() { _signature() {
_string_to_sign | _hmac_sha256 $(_signature_key) | _hex_key | sed "s/^.* //" _string_to_sign | _hmac "sha256" $(_signature_key) | _hex_dump | tr -d " " | sed "s/^.* //"
} }