i2p.i2p/tests/scripts/checkcerts.sh

#!/bin/sh
#
# Run 'openssl x509' or 'certtool -i' on all certificate files
# Returns nonzero on failure. Fails if cert cannot be read or is older than
# $SOON (default 30).
#
# Hard dependency: OpenSSL OR gnutls
# Recommended: GNU date
#
# zzz 2011-08
# kytv 2013-03
# public domain
#

# How soon is too soon for a cert to expire?
# By default <= 30 will fail. 60 < x < 30 will warn.
WARN=60
SOON=30


if [ $(which openssl) ]; then
    OPENSSL=1
elif [ $(which certtool) ]; then : ;else
    echo "ERROR: Neither certtool nor openssl were found..." >&2
    exit 1
fi

# This "grouping hack" is here to prevent errors from being displayed with the
# original Bourne shell (Linux shells don't need the {}s
if { date --help;} >/dev/null 2>&1 ; then
    HAVE_GNUDATE=1
fi

checkcert() {
    if [ $OPENSSL ]; then
        DATA=$(openssl x509 -enddate -noout -in $1| cut -d'=' -f2-)
    else
        DATA=$(certtool -i < "$1" | sed -e '/Not\sAfter/!d' -e 's/^.*:\s\(.*\)/\1/')
    fi
    # While this isn't strictly needed it'll ensure that the output is consistent,
    # regardles of the tool used. Dates/times are formatting according to OpenSSL's output
    # since this available by default on most systems.
    if [ -n "$HAVE_GNUDATE" ]; then
        LANG=C date -u -d "$(echo $DATA)" '+%b %d %H:%M:%S %Y GMT'
    else
        echo $DATA
    fi
}

compute_dates() {
    # Date computations currently depend on GNU date(1).
    # If run on a non-Linux system just print the expiration date.
    # TODO Cross-platform date calculation support
    if [ -n "$HAVE_GNUDATE" ]; then
        SECS=$(date -u -d "$EXPIRES" '+%s')
        DAYS="$(expr \( $SECS - $NOW \) / 86400)"
        if [ $DAYS -ge $SOON ]; then
            echo "Expires in $DAYS days ($EXPIRES)"
        elif [ $DAYS -eq 1 ]; then
            DAYS=$(echo $DAYS | sed 's/^-//')
            echo "****** Check for $I failed, expires tomorrow ($EXPIRES) ******"
            FAIL=1
        elif [ $DAYS -eq 0 ]; then
            echo "****** Check for $i failed, expires today ($EXPIRES) ******"
            FAIL=1
        elif [ $DAYS -le $SOON ] && [ $DAYS -gt 0 ]; then
            echo "****** Check for $i failed, expires in $DAYS days (<= ${SOON}d) ($EXPIRES) ******"
            FAIL=1
        elif [ $DAYS -lt $WARN ] && [ $DAYS -gt $SOON ]; then
            echo "****** WARNING: $i expires in $DAYS days (<= ${WANT}d) ($EXPIRES) ******"
        elif [ $DAYS -lt 0 ]; then
            DAYS=$(echo $DAYS | sed 's/^-//')
            echo "****** Check for $i failed, expired $DAYS days ago ($EXPIRES) ******"
            FAIL=1
        fi
    else
        echo $EXPIRES
    fi
}

cd `dirname $0`/../../installer/resources/certificates

NOW=$(date -u '+%s')

for i in *.crt
do
    echo "Checking $i ..."
    EXPIRES=`checkcert $i`
    if [ -z "$EXPIRES" ]; then
        echo "********* FAILED CHECK FOR $i *************"
        FAIL=1
    else
       compute_dates
    fi
done

if [ -n "$FAIL" ]; then
    echo "******** At least one file failed check *********"
else
    echo "All files passed"
fi

[ -n $FAIL ] && exit $FAIL
various updates to checkcerts script - add support for 'openssl' - parse expiration date, failing if expired or if expires within 30 days - warn at 60 2013-03-30 02:22:23 +00:00			`#!/bin/sh`
simple test script 2011-08-27 15:27:15 +00:00			`#`
various updates to checkcerts script - add support for 'openssl' - parse expiration date, failing if expired or if expires within 30 days - warn at 60 2013-03-30 02:22:23 +00:00			`# Run 'openssl x509' or 'certtool -i' on all certificate files`
			`# Returns nonzero on failure. Fails if cert cannot be read or is older than`
			`# $SOON (default 30).`
simple test script 2011-08-27 15:27:15 +00:00			`#`
checkcerts.sh: add some support for non-Linux systems Date computations as performed in this script require the use of GNU date, which is only available by default on Linux systems. With this check-in we explicitly check for the existence of GNU date before continuing with the date calculations. Previous versions of this script relied on 'certtool' to print the expiration dates but certtool isn't available by default on non-Linux systems either. The previous check-in added support for using OpenSSL, retaining the old behavior on non-Linux systems. (Also a re-arrangement of the date warning logic) 2013-03-30 14:24:59 +00:00			`# Hard dependency: OpenSSL OR gnutls`
			`# Recommended: GNU date`
			`#`
simple test script 2011-08-27 15:27:15 +00:00			`# zzz 2011-08`
various updates to checkcerts script - add support for 'openssl' - parse expiration date, failing if expired or if expires within 30 days - warn at 60 2013-03-30 02:22:23 +00:00			`# kytv 2013-03`
simple test script 2011-08-27 15:27:15 +00:00			`# public domain`
			`#`

various updates to checkcerts script - add support for 'openssl' - parse expiration date, failing if expired or if expires within 30 days - warn at 60 2013-03-30 02:22:23 +00:00			`# How soon is too soon for a cert to expire?`
			`# By default <= 30 will fail. 60 < x < 30 will warn.`
			`WARN=60`
			`SOON=30`


remove debug text 2013-03-30 02:26:37 +00:00			`if [ $(which openssl) ]; then`
various updates to checkcerts script - add support for 'openssl' - parse expiration date, failing if expired or if expires within 30 days - warn at 60 2013-03-30 02:22:23 +00:00			`OPENSSL=1`
			`elif [ $(which certtool) ]; then : ;else`
			`echo "ERROR: Neither certtool nor openssl were found..." >&2`
			`exit 1`
			`fi`

checkcerts.sh: add some support for non-Linux systems Date computations as performed in this script require the use of GNU date, which is only available by default on Linux systems. With this check-in we explicitly check for the existence of GNU date before continuing with the date calculations. Previous versions of this script relied on 'certtool' to print the expiration dates but certtool isn't available by default on non-Linux systems either. The previous check-in added support for using OpenSSL, retaining the old behavior on non-Linux systems. (Also a re-arrangement of the date warning logic) 2013-03-30 14:24:59 +00:00			`# This "grouping hack" is here to prevent errors from being displayed with the`
			`# original Bourne shell (Linux shells don't need the {}s`
			`if { date --help;} >/dev/null 2>&1 ; then`
			`HAVE_GNUDATE=1`
			`fi`

			`checkcert() {`
various updates to checkcerts script - add support for 'openssl' - parse expiration date, failing if expired or if expires within 30 days - warn at 60 2013-03-30 02:22:23 +00:00			`if [ $OPENSSL ]; then`
			`DATA=$(openssl x509 -enddate -noout -in $1\| cut -d'=' -f2-)`
			`else`
			`DATA=$(certtool -i < "$1" \| sed -e '/Not\sAfter/!d' -e 's/^.:\s\(.\)/\1/')`
			`fi`
			`# While this isn't strictly needed it'll ensure that the output is consistent,`
checkcerts.sh: add some support for non-Linux systems Date computations as performed in this script require the use of GNU date, which is only available by default on Linux systems. With this check-in we explicitly check for the existence of GNU date before continuing with the date calculations. Previous versions of this script relied on 'certtool' to print the expiration dates but certtool isn't available by default on non-Linux systems either. The previous check-in added support for using OpenSSL, retaining the old behavior on non-Linux systems. (Also a re-arrangement of the date warning logic) 2013-03-30 14:24:59 +00:00			`# regardles of the tool used. Dates/times are formatting according to OpenSSL's output`
			`# since this available by default on most systems.`
			`if [ -n "$HAVE_GNUDATE" ]; then`
			`LANG=C date -u -d "$(echo $DATA)" '+%b %d %H:%M:%S %Y GMT'`
			`else`
			`echo $DATA`
			`fi`
various updates to checkcerts script - add support for 'openssl' - parse expiration date, failing if expired or if expires within 30 days - warn at 60 2013-03-30 02:22:23 +00:00			`}`

checkcerts.sh: add some support for non-Linux systems Date computations as performed in this script require the use of GNU date, which is only available by default on Linux systems. With this check-in we explicitly check for the existence of GNU date before continuing with the date calculations. Previous versions of this script relied on 'certtool' to print the expiration dates but certtool isn't available by default on non-Linux systems either. The previous check-in added support for using OpenSSL, retaining the old behavior on non-Linux systems. (Also a re-arrangement of the date warning logic) 2013-03-30 14:24:59 +00:00			`compute_dates() {`
			`# Date computations currently depend on GNU date(1).`
			`# If run on a non-Linux system just print the expiration date.`
			`# TODO Cross-platform date calculation support`
			`if [ -n "$HAVE_GNUDATE" ]; then`
various updates to checkcerts script - add support for 'openssl' - parse expiration date, failing if expired or if expires within 30 days - warn at 60 2013-03-30 02:22:23 +00:00			`SECS=$(date -u -d "$EXPIRES" '+%s')`
			`DAYS="$(expr \( $SECS - $NOW \) / 86400)"`
			`if [ $DAYS -ge $SOON ]; then`
			`echo "Expires in $DAYS days ($EXPIRES)"`
			`elif [ $DAYS -eq 1 ]; then`
			`DAYS=$(echo $DAYS \| sed 's/^-//')`
checkcerts.sh: add some support for non-Linux systems Date computations as performed in this script require the use of GNU date, which is only available by default on Linux systems. With this check-in we explicitly check for the existence of GNU date before continuing with the date calculations. Previous versions of this script relied on 'certtool' to print the expiration dates but certtool isn't available by default on non-Linux systems either. The previous check-in added support for using OpenSSL, retaining the old behavior on non-Linux systems. (Also a re-arrangement of the date warning logic) 2013-03-30 14:24:59 +00:00			`echo "**** Check for $I failed, expires tomorrow ($EXPIRES) ****"`
various updates to checkcerts script - add support for 'openssl' - parse expiration date, failing if expired or if expires within 30 days - warn at 60 2013-03-30 02:22:23 +00:00			`FAIL=1`
			`elif [ $DAYS -eq 0 ]; then`
			`echo "**** Check for $i failed, expires today ($EXPIRES) ****"`
			`FAIL=1`
checkcerts.sh: add some support for non-Linux systems Date computations as performed in this script require the use of GNU date, which is only available by default on Linux systems. With this check-in we explicitly check for the existence of GNU date before continuing with the date calculations. Previous versions of this script relied on 'certtool' to print the expiration dates but certtool isn't available by default on non-Linux systems either. The previous check-in added support for using OpenSSL, retaining the old behavior on non-Linux systems. (Also a re-arrangement of the date warning logic) 2013-03-30 14:24:59 +00:00			`elif [ $DAYS -le $SOON ] && [ $DAYS -gt 0 ]; then`
			`echo "**** Check for $i failed, expires in $DAYS days (<= ${SOON}d) ($EXPIRES) ****"`
			`FAIL=1`
			`elif [ $DAYS -lt $WARN ] && [ $DAYS -gt $SOON ]; then`
			`echo "**** WARNING: $i expires in $DAYS days (<= ${WANT}d) ($EXPIRES) ****"`
			`elif [ $DAYS -lt 0 ]; then`
various updates to checkcerts script - add support for 'openssl' - parse expiration date, failing if expired or if expires within 30 days - warn at 60 2013-03-30 02:22:23 +00:00			`DAYS=$(echo $DAYS \| sed 's/^-//')`
			`echo "**** Check for $i failed, expired $DAYS days ago ($EXPIRES) ****"`
			`FAIL=1`
			`fi`
checkcerts.sh: add some support for non-Linux systems Date computations as performed in this script require the use of GNU date, which is only available by default on Linux systems. With this check-in we explicitly check for the existence of GNU date before continuing with the date calculations. Previous versions of this script relied on 'certtool' to print the expiration dates but certtool isn't available by default on non-Linux systems either. The previous check-in added support for using OpenSSL, retaining the old behavior on non-Linux systems. (Also a re-arrangement of the date warning logic) 2013-03-30 14:24:59 +00:00			`else`
			`echo $EXPIRES`
			`fi`
			`}`

			cd `dirname $0`/../../installer/resources/certificates

			`NOW=$(date -u '+%s')`

			`for i in *.crt`
			`do`
			`echo "Checking $i ..."`
			EXPIRES=`checkcert $i`
			`if [ -z "$EXPIRES" ]; then`
			`echo "******* FAILED CHECK FOR $i ***********"`
			`FAIL=1`
			`else`
			`compute_dates`
various updates to checkcerts script - add support for 'openssl' - parse expiration date, failing if expired or if expires within 30 days - warn at 60 2013-03-30 02:22:23 +00:00			`fi`
simple test script 2011-08-27 15:27:15 +00:00			`done`

various updates to checkcerts script - add support for 'openssl' - parse expiration date, failing if expired or if expires within 30 days - warn at 60 2013-03-30 02:22:23 +00:00			`if [ -n "$FAIL" ]; then`
			`echo "****** At least one file failed check *******"`
simple test script 2011-08-27 15:27:15 +00:00			`else`
various updates to checkcerts script - add support for 'openssl' - parse expiration date, failing if expired or if expires within 30 days - warn at 60 2013-03-30 02:22:23 +00:00			`echo "All files passed"`
simple test script 2011-08-27 15:27:15 +00:00			`fi`
various updates to checkcerts script - add support for 'openssl' - parse expiration date, failing if expired or if expires within 30 days - warn at 60 2013-03-30 02:22:23 +00:00
			`[ -n $FAIL ] && exit $FAIL`