various updates to checkcerts script
- add support for 'openssl' - parse the expiration date, failing if the cert is already expired or expires within 30 days - warn if it expires within 60 days
@ -1,30 +1,79 @@
|
|||||||
|
#!/bin/sh
|
||||||
#
|
#
|
||||||
# Run 'certtool -i' on all certificate files
|
# Run 'openssl x509' or 'certtool -i' on all certificate files
|
||||||
# Returns nonzero on failure
|
# Returns nonzero on failure. Fails if cert cannot be read or is older than
|
||||||
|
# $SOON (default 30).
|
||||||
#
|
#
|
||||||
# zzz 2011-08
|
# zzz 2011-08
|
||||||
|
# kytv 2013-03
|
||||||
# public domain
|
# public domain
|
||||||
#
|
#
|
||||||
|
|
||||||
|
# How soon is too soon for a cert to expire?
|
||||||
|
# By default <= 30 will fail. 60 < x < 30 will warn.
|
||||||
|
WARN=60
|
||||||
|
SOON=30
|
||||||
|
|
||||||
|
|
||||||
|
if [ $(which 1openssl) ]; then
|
||||||
|
OPENSSL=1
|
||||||
|
elif [ $(which certtool) ]; then : ;else
|
||||||
|
echo "ERROR: Neither certtool nor openssl were found..." >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
CHECKCERT() {
|
||||||
|
if [ $OPENSSL ]; then
|
||||||
|
DATA=$(openssl x509 -enddate -noout -in $1| cut -d'=' -f2-)
|
||||||
|
else
|
||||||
|
DATA=$(certtool -i < "$1" | sed -e '/Not\sAfter/!d' -e 's/^.*:\s\(.*\)/\1/')
|
||||||
|
fi
|
||||||
|
# While this isn't strictly needed it'll ensure that the output is consistent,
|
||||||
|
# regardles of the tool used.
|
||||||
|
date -u -d "$(echo $DATA)" '+%F %H:%M'
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
cd `dirname $0`/../../installer/resources/certificates
|
cd `dirname $0`/../../installer/resources/certificates
|
||||||
|
|
||||||
for i in *
|
NOW=$(date -u '+%s')
|
||||||
|
|
||||||
|
for i in *.crt
|
||||||
do
|
do
|
||||||
echo "Checking $i ..."
|
echo "Checking $i ..."
|
||||||
EXPIRES=`certtool -i < $i | grep 'Not After'`
|
EXPIRES=`CHECKCERT $i`
|
||||||
if [ $? -ne 0 ]
|
if [ -z "$EXPIRES" ]; then
|
||||||
then
|
echo "********* FAILED CHECK FOR $i *************"
|
||||||
echo "********* FAILED CHECK FOR $i *************"
|
FAIL=1
|
||||||
FAIL=1
|
else
|
||||||
fi
|
SECS=$(date -u -d "$EXPIRES" '+%s')
|
||||||
echo $EXPIRES
|
DAYS="$(expr \( $SECS - $NOW \) / 86400)"
|
||||||
# TODO - parse and fail if it expires soon
|
if [ $DAYS -ge $SOON ]; then
|
||||||
|
echo "Expires in $DAYS days ($EXPIRES)"
|
||||||
|
elif [ $DAYS -le $SOON ] && [ $DAYS -gt 0 ]; then
|
||||||
|
echo "****** Check for $i failed, expires in $DAYS days (<= ${SOON}d) ($EXPIRES) ******"
|
||||||
|
FAIL=1
|
||||||
|
elif [ $DAYS -le $WARN ] && [ $DAYS -ge $SOON ]; then
|
||||||
|
echo "****** WARNING: $i expires in $DAYS days (<= ${WANT}d) ($EXPIRES) ******"
|
||||||
|
elif [ $DAYS -eq 1 ]; then
|
||||||
|
DAYS=$(echo $DAYS | sed 's/^-//')
|
||||||
|
echo "****** Check for $I failed, expires in $DAYS day ($EXPIRES) ******"
|
||||||
|
FAIL=1
|
||||||
|
elif [ $DAYS -eq 0 ]; then
|
||||||
|
echo "****** Check for $i failed, expires today ($EXPIRES) ******"
|
||||||
|
FAIL=1
|
||||||
|
elif [ $DAYS -le 0 ]; then
|
||||||
|
DAYS=$(echo $DAYS | sed 's/^-//')
|
||||||
|
echo "****** Check for $i failed, expired $DAYS days ago ($EXPIRES) ******"
|
||||||
|
FAIL=1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
if [ "$FAIL" != "" ]
|
if [ -n "$FAIL" ]; then
|
||||||
then
|
echo "******** At least one file failed check *********"
|
||||||
echo "******** At least one file failed check *********"
|
|
||||||
else
|
else
|
||||||
echo "All files passed"
|
echo "All files passed"
|
||||||
fi
|
fi
|
||||||
exit $FAIL
|
|
||||||
|
[ -n $FAIL ] && exit $FAIL
|
||||||
|
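Review bot: The expiry branches in the new loop are ordered so the 60-day warning can never fire: `if [ $DAYS -ge $SOON ]` is tested first, so any cert with 30 or more days left takes the plain "Expires in" path, the later `-le $WARN && -ge $SOON` branch (which also expands `${WANT}` instead of `${WARN}`) is unreachable, the `-eq 1` branch is dead because `-le $SOON && -gt 0` already covers it (and it prints `$I` rather than `$i`), and a cert at exactly 30 days passes although the header says `<= 30` fails. Separately, the tool probe `[ $(which 1openssl) ]` looks for a binary literally named `1openssl`, so the openssl path is never selected and a host without certtool exits with the "Neither certtool nor openssl" error even when openssl is installed; `if command -v openssl >/dev/null 2>&1; then` fixes the typo and is POSIX under the `#!/bin/sh` shebang. Testing negative, then zero, then `-le $SOON`, then `-le $WARN`, then the OK case removes the dead branches and makes the thresholds match the header comment, as in the rewrite below. `$1` in the openssl call and `$FAIL` in the closing `[ -n $FAIL ]` should be quoted: with FAIL unset that test is `[ -n ]`, which is always true, and the script only exits 0 there because `exit` with no argument reuses that status. `date -d` is a GNU extension, so the script presumably misbehaves with BSD/macOS date; a comment such as `# requires GNU date (-d)` near CHECKCERT would save the next person a puzzle.
```sh
# … unchanged: CHECKCERT, NOW, loop header, EXPIRES/SECS/DAYS computation …
if [ "$DAYS" -lt 0 ]; then
  echo "****** Check for $i failed, expired $((0 - DAYS)) days ago ($EXPIRES) ******"
  FAIL=1
elif [ "$DAYS" -eq 0 ]; then
  echo "****** Check for $i failed, expires today ($EXPIRES) ******"
  FAIL=1
elif [ "$DAYS" -le "$SOON" ]; then
  echo "****** Check for $i failed, expires in $DAYS days (<= ${SOON}d) ($EXPIRES) ******"
  FAIL=1
elif [ "$DAYS" -le "$WARN" ]; then
  echo "****** WARNING: $i expires in $DAYS days (<= ${WARN}d) ($EXPIRES) ******"
else
  echo "Expires in $DAYS days ($EXPIRES)"
fi
# … unchanged: closing fi of the -z "$EXPIRES" check, done, summary …
```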