diff --git a/edh-keygen.conf b/edh-keygen.conf
index 4fc61a3..612088d 100644
--- a/edh-keygen.conf
+++ b/edh-keygen.conf
@@ -5,14 +5,31 @@
 #
 # tls_tmp_path - Temporary folder for DH key generation
 # tls_private_path - Folder where DH keys are stored permanently
+# key_sizes - (Optional) Space-separated list of DH key sizes to generate.
 #
 # If omitted, the following defaults are used:
 # tls_tmp_path=/etc/pki/tls/tmp
 # tls_private_path=/etc/pki/tls/private/
 #
+# key_sizes usage:
+# You can define a global list of Diffie-Hellman key sizes to generate by
+# setting the 'key_sizes' parameter at the top of this file. This allows you
+# to explicitly control which DH parameter sizes are created, regardless of
+# the sizes specified in individual service lines.
+#
+# Example:
+# key_sizes=2048 4096
+#
+# - This will instruct the script to generate DH parameters for 2048
+# and 4096 bits.
+# - If 'key_sizes' is not set, the script will automatically extract all key
+# sizes used in the service definitions and generate those.
+# - Use a space-separated list for multiple sizes.
+#
 # Example:
 # tls_tmp_path=/etc/pki/tls/tmp
 # tls_private_path=/etc/pki/tls/private/
+# key_sizes=2048 4096
 #
 # -----------------------------------------------------------------------------
 #
@@ -57,6 +74,7 @@
 # Global settings
 #tls_tmp_path=/etc/pki/tls/tmp
 #tls_private_path=/etc/pki/tls/private/
+#key_sizes=2048 4096
 # Service lines
 #dovecot:root
diff --git a/edh-keygen.sh b/edh-keygen.sh
index 331c399..11bfa65 100644
--- a/edh-keygen.sh
+++ b/edh-keygen.sh
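Review bot: The new "key_sizes usage" block says the global list applies "regardless of the sizes specified in individual service lines" but does not state the consequence: a service line whose size field is missing from key_sizes will presumably refer to a dh_<bits>.pem that this run never creates. Suggest a bullet after "- Use a space-separated list for multiple sizes.": `# - Every key size used by a service line below must also appear in key_sizes, otherwise no DH file is generated for that service.` It would also help to say that the automatic fallback only picks up service lines whose third field is purely numeric, so a malformed size there is skipped rather than generated.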
@@ -7,9 +7,9 @@
 # Diffie-Hellman Key Generation and Service Management Script
 #
 # This script generates Diffie-Hellman parameter files for various key sizes,
-# manages their permissions, and can synchronize keys to custom locations
+# manages their permissions and can synchronize keys to custom locations
 # with specified ownership and permissions. It supports service restarts
-# for both root and non-root systemd users, and is designed for integration
+# for both root and non-root systemd users and is designed for integration
 # with automated cron jobs.
 #
 # Configuration is read from a .conf or .local file, supporting per-service
@@ -37,8 +37,8 @@
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
 # in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
+# to use, copy, modify, merge, publish, distribute, sublicense and/or sell
+# copies of the Software and to permit persons to whom the Software is
 # furnished to do so, subject to the following conditions:
 #
 # The above copyright notice and this permission notice shall be included in all
@@ -74,10 +74,11 @@ fi
 # Read global settings from config file
 while IFS= read -r line || [ -n "$line" ]; do
 case "$line" in
- ''|\#*) continue ;;
+ ''|\#*) continue ;; # Skip empty lines and comments
 tls_tmp_path=*) tls_tmp_path="${line#tls_tmp_path=}" ;;
 tls_private_path=*) tls_private_path="${line#tls_private_path=}" ;;
- *) break ;; # Stop at first non-global line
+ key_sizes=*) key_sizes="${line#key_sizes=}" ;;
+ *) break ;; # Stop at first non-global line (service lines start here)
 esac
 done < "$my_service_conf"
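Review bot: The new `key_sizes=*)` arm assigns key_sizes only when the option is present, and nothing in this hunk clears the variable first, so if the script does not initialise it before the loop (not visible here) a `key_sizes` variable inherited from the caller's environment, e.g. a cron or profile setting, silently takes precedence over both the config file and the automatic extraction done later. Add `key_sizes=` next to the other global defaults before the `while` line so only the config file can set it. The value is also stored verbatim; whether each token is a number is only checked on the fallback path, which I raise on the generation hunk.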
@@ -88,8 +89,15 @@ fi
 umask 022
+# If key_sizes is set in the config, use it; otherwise, extract from service lines or set a default
+if [ -z "$key_sizes" ]; then
+ key_sizes=$(awk -F: 'NF >= 3 && $3 ~ /^[0-9]+$/ { print $3 }' "$my_service_conf" | sort -nu)
+ [ -z "$key_sizes" ] && key_sizes="2048 4096"
+fi
+
 # Generate DH params
-for bits in 512 1024 2048 4096; do
+for bits in $key_sizes; do
+ echo "Generating DH parameters for $bits bits..."
 openssl dhparam -out "$tls_tmp_path/dh_${bits}.pem" "$bits"
 done
@@ -109,7 +117,7 @@ while IFS= read -r line || [ -n "$line" ]; do
 ''|\#*) continue ;;
 esac
- # Extract service, owner, and sync parameters
+ # Extract service, owner and sync parameters
 service=$(printf "%s" "$line" | awk -F: '{print $1}')
 owner=$(printf "%s" "$line" | awk -F: '{print $2}')
 key_size=$(printf "%s" "$line" | awk -F: '{print $3}')
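Review bot: The explicit key_sizes path skips the `^[0-9]+$` check that the awk fallback applies, so a typo such as `key_sizes=2O48` reaches `openssl dhparam` and the `dh_${bits}.pem` filename unvalidated, and because `$key_sizes` is expanded unquoted (intentionally, for word splitting) a token containing `*` or `?` is also subject to pathname expansion in the current directory. Validate every token before the generation loop and turn off globbing for the stretch where the unquoted list is expanded; the fallback branch needs no change. The loop also relies on the default IFS to split the newline-separated `sort -nu` output, which holds because the earlier `IFS=` applies to `read` only; a comment saying so would save the next reader a check.
```sh
set -f   # no pathname expansion while $key_sizes is word-split below
# Reject anything that is not a positive integer before it reaches openssl
# or the dh_<bits>.pem filename (the awk fallback already enforces this)
for bits in $key_sizes; do
  case "$bits" in
    *[!0-9]*) printf 'Invalid DH key size in key_sizes: %s\n' "$bits" >&2; exit 1 ;;
  esac
done

# Generate DH params
for bits in $key_sizes; do
  # … unchanged: echo + openssl dhparam …
done
set +f
```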