cb601/edh-keygen
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Parameter 'key_sizes' has been added to the config

Browse Source
This commit is contained in:
Stephan Düsterhaupt
2025-05-19 21:54:42 +02:00
parent 80034ba0e7
commit f2676498cd
2 changed files with 34 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
edh-keygen.conf
View File

@@ -5,14 +5,31 @@
# #
# tls_tmp_path - Temporary folder for DH key generation # tls_tmp_path - Temporary folder for DH key generation
# tls_private_path - Folder where DH keys are stored permanently # tls_private_path - Folder where DH keys are stored permanently
# key_sizes - (Optional) Space-separated list of DH key sizes to generate.
# #
# If omitted, the following defaults are used: # If omitted, the following defaults are used:
# tls_tmp_path=/etc/pki/tls/tmp # tls_tmp_path=/etc/pki/tls/tmp
# tls_private_path=/etc/pki/tls/private/ # tls_private_path=/etc/pki/tls/private/
# #
# key_sizes usage:
# You can define a global list of Diffie-Hellman key sizes to generate by
# setting the 'key_sizes' parameter at the top of this file. This allows you
# to explicitly control which DH parameter sizes are created, regardless of
# the sizes specified in individual service lines.
#
# Example:
# key_sizes=2048 4096
#
# - This will instruct the script to generate DH parameters for 2048
# and 4096 bits.
# - If 'key_sizes' is not set, the script will automatically extract all key
# sizes used in the service definitions and generate those.
# - Use a space-separated list for multiple sizes.
#
# Example: # Example:
# tls_tmp_path=/etc/pki/tls/tmp # tls_tmp_path=/etc/pki/tls/tmp
# tls_private_path=/etc/pki/tls/private/ # tls_private_path=/etc/pki/tls/private/
# key_sizes=2048 4096
# #
# ----------------------------------------------------------------------------- # -----------------------------------------------------------------------------
# #
@@ -57,6 +74,7 @@
# Global settings # Global settings
#tls_tmp_path=/etc/pki/tls/tmp #tls_tmp_path=/etc/pki/tls/tmp
#tls_private_path=/etc/pki/tls/private/ #tls_private_path=/etc/pki/tls/private/
#key_sizes=2048 4096
# Service lines # Service lines
#dovecot:root #dovecot:root

24
edh-keygen.sh
View File

@@ -7,9 +7,9 @@
# Diffie-Hellman Key Generation and Service Management Script # Diffie-Hellman Key Generation and Service Management Script
# #
# This script generates Diffie-Hellman parameter files for various key sizes, # This script generates Diffie-Hellman parameter files for various key sizes,
# manages their permissions, and can synchronize keys to custom locations # manages their permissions and can synchronize keys to custom locations
# with specified ownership and permissions. It supports service restarts # with specified ownership and permissions. It supports service restarts
# for both root and non-root systemd users, and is designed for integration # for both root and non-root systemd users and is designed for integration
# with automated cron jobs. # with automated cron jobs.
# #
# Configuration is read from a .conf or .local file, supporting per-service # Configuration is read from a .conf or .local file, supporting per-service
@@ -37,8 +37,8 @@
# Permission is hereby granted, free of charge, to any person obtaining a copy # Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal # of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights # in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell # to use, copy, modify, merge, publish, distribute, sublicense and/or sell
# copies of the Software, and to permit persons to whom the Software is # copies of the Software and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions: # furnished to do so, subject to the following conditions:
# #
# The above copyright notice and this permission notice shall be included in all # The above copyright notice and this permission notice shall be included in all
@@ -74,10 +74,11 @@ fi
# Read global settings from config file # Read global settings from config file
while IFS= read -r line || [ -n "$line" ]; do while IFS= read -r line || [ -n "$line" ]; do
case "$line" in case "$line" in
''|\#*) continue ;; ''|\#*) continue ;; # Skip empty lines and comments
tls_tmp_path=*) tls_tmp_path="${line#tls_tmp_path=}" ;; tls_tmp_path=*) tls_tmp_path="${line#tls_tmp_path=}" ;;
tls_private_path=*) tls_private_path="${line#tls_private_path=}" ;; tls_private_path=*) tls_private_path="${line#tls_private_path=}" ;;
*) break ;; # Stop at first non-global line key_sizes=*) key_sizes="${line#key_sizes=}" ;;
*) break ;; # Stop at first non-global line (service lines start here)
esac esac
done < "$my_service_conf" done < "$my_service_conf"
@@ -88,8 +89,15 @@ fi
umask 022 umask 022
# If key_sizes is set in the config, use it; otherwise, extract from service lines or set a default
if [ -z "$key_sizes" ]; then
key_sizes=$(awk -F: 'NF >= 3 && $3 ~ /^[0-9]+$/ { print $3 }' "$my_service_conf" | sort -nu)
[ -z "$key_sizes" ] && key_sizes="2048 4096"
fi
# Generate DH params # Generate DH params
for bits in 512 1024 2048 4096; do for bits in $key_sizes; do
echo "Generating DH parameters for $bits bits..."
openssl dhparam -out "$tls_tmp_path/dh_${bits}.pem" "$bits" openssl dhparam -out "$tls_tmp_path/dh_${bits}.pem" "$bits"
done done
@@ -109,7 +117,7 @@ while IFS= read -r line || [ -n "$line" ]; do
''|\#*) continue ;; ''|\#*) continue ;;
esac esac
# Extract service, owner, and sync parameters # Extract service, owner and sync parameters
service=$(printf "%s" "$line" | awk -F: '{print $1}') service=$(printf "%s" "$line" | awk -F: '{print $1}')
owner=$(printf "%s" "$line" | awk -F: '{print $2}') owner=$(printf "%s" "$line" | awk -F: '{print $2}')
key_size=$(printf "%s" "$line" | awk -F: '{print $3}') key_size=$(printf "%s" "$line" | awk -F: '{print $3}')