144 lines
3.3 KiB
Bash
144 lines
3.3 KiB
Bash
|
#!/bin/sh
|
||
|
|
|
||
|
|
# Whether a certificate or CRLs needs updating
|
||
|
|
expired=0
|
||
|
|
# Default to checking expiry within 6 months
|
||
|
|
offset="+6 months"
|
||
|
|
|
||
|
|
# First command line argument is the new expiry time
|
||
|
|
if [ "$1" != "" ]
|
||
|
|
then
|
||
|
|
offset=$1
|
||
|
|
fi
|
||
|
|
|
||
|
|
# Certificates that are expired and are intentionally or irrelevantly so.
|
||
|
|
exp_expired="\
|
||
|
|
/test/crit-cert.pem \
|
||
|
|
/test/expired/expired-cert.pem \
|
||
|
|
/test/expired/expired-ca.pem \
|
||
|
|
/test/expired/expired-cert.der \
|
||
|
|
/test/expired/expired-ca.der \
|
||
|
|
/certeccrsa.pem \
|
||
|
|
/certeccrsa.der
|
||
|
|
"
|
||
|
|
|
||
|
|
# Files that are not certificates or CRLs put get matched anyway
|
||
|
|
ignore="\
|
||
|
|
/test/cert-ext-ns.der \
|
||
|
|
/rsa3072.der \
|
||
|
|
/rsa2048.der \
|
||
|
|
/1024/rsa1024.der \
|
||
|
|
"
|
||
|
|
|
||
|
|
# Get the date offset from now - earliest expiry - in seconds
|
||
|
|
earliest=`date -d "$offset" +%s`
|
||
|
|
|
||
|
|
# Compare the date with earliest allowed expiry.
|
||
|
|
#
|
||
|
|
# $1 Name of file being checked.
|
||
|
|
# $2 Expiry date in file (notAfter or nextUpdate).
|
||
|
|
check_expiry() {
|
||
|
|
# Convert date to a number of seconds
|
||
|
|
expiry=`date -d "$2" +%s`
|
||
|
|
|
||
|
|
# Check expiry is not too soon
|
||
|
|
if [ $expiry -lt $earliest ]
|
||
|
|
then
|
||
|
|
# Reset result
|
||
|
|
result=expired
|
||
|
|
# Ignore files that are expected to be expired
|
||
|
|
for exp in $exp_expired
|
||
|
|
do
|
||
|
|
case $1 in
|
||
|
|
*$exp)
|
||
|
|
result=ignore
|
||
|
|
break
|
||
|
|
;;
|
||
|
|
esac
|
||
|
|
done
|
||
|
|
# Report any unexpected expiries
|
||
|
|
if [ "$result" = "expired" ]
|
||
|
|
then
|
||
|
|
echo "$1 expires at:"
|
||
|
|
echo " '$2' (< $offset)"
|
||
|
|
expired=1
|
||
|
|
fi
|
||
|
|
fi
|
||
|
|
}
|
||
|
|
|
||
|
|
# Check file expiry.
|
||
|
|
#
|
||
|
|
# The file is of any format.
|
||
|
|
# Try to guess from name what it is.
|
||
|
|
#
|
||
|
|
# $1 Name of file to check
|
||
|
|
# $inform Command line argument to use with openssl for input file format
|
||
|
|
check_file() {
|
||
|
|
# Check file is not in list of files to ignore
|
||
|
|
for i in $ignore
|
||
|
|
do
|
||
|
|
case $1 in
|
||
|
|
*$i)
|
||
|
|
return
|
||
|
|
;;
|
||
|
|
esac
|
||
|
|
done
|
||
|
|
|
||
|
|
# Use pattern matching to guess format
|
||
|
|
case $1 in
|
||
|
|
*key*) ;;
|
||
|
|
*dh*) ;;
|
||
|
|
*params*) ;;
|
||
|
|
*priv*) ;;
|
||
|
|
*pub*) ;;
|
||
|
|
*dsa*) ;;
|
||
|
|
*crl*)
|
||
|
|
# Get the nextUpdate field from the CRL
|
||
|
|
next_update=`openssl crl -in $file $inform -noout -nextupdate 2>&1`
|
||
|
|
if [ "$?" != "0" ]
|
||
|
|
then
|
||
|
|
# Didn't work so report failure
|
||
|
|
echo "$file not a crl"
|
||
|
|
else
|
||
|
|
# Get the date after the equal sign and check file
|
||
|
|
next_update="${next_update#*=}"
|
||
|
|
check_expiry $file "$next_update"
|
||
|
|
fi
|
||
|
|
;;
|
||
|
|
*)
|
||
|
|
# Get the notAfter field from the certificate
|
||
|
|
not_after=`openssl x509 -in $file $inform -noout -enddate 2>&1`
|
||
|
|
if [ "$?" != "0" ]
|
||
|
|
then
|
||
|
|
# Didn't work, maybe wasn't a certificate, so report failure
|
||
|
|
echo "$file not a certificate"
|
||
|
|
else
|
||
|
|
# Get the date after the equal sign and check file
|
||
|
|
not_after="${not_after#*=}"
|
||
|
|
check_expiry $file "$not_after"
|
||
|
|
fi
|
||
|
|
;;
|
||
|
|
esac
|
||
|
|
}
|
||
|
|
|
||
|
|
# Check all PEM files
|
||
|
|
inform="-inform PEM"
|
||
|
|
pem_files=`find . -name '*.pem'`
|
||
|
|
for file in $pem_files
|
||
|
|
do
|
||
|
|
check_file $file
|
||
|
|
done
|
||
|
|
|
||
|
|
# Check all DER files
|
||
|
|
inform="-inform DER"
|
||
|
|
der_files=`find . -name '*.der'`
|
||
|
|
for file in $der_files
|
||
|
|
do
|
||
|
|
check_file $file
|
||
|
|
done
|
||
|
|
|
||
|
|
# Return result of check
|
||
|
|
# 0 on success
|
||
|
|
# 1 on failure
|
||
|
|
return $expired
|