source: tests/scripts/checkcerts.sh @ 53ed10c

Last change on this file since 53ed10c was 53ed10c, checked in by kytv <kytv@…>, 7 years ago

typo fix (s/lt/le/)

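#!/bin/sh
#
# Run 'openssl x509' or 'certtool -i' on all certificate files
# Returns nonzero on failure. Fails if a cert cannot be read or expires within
# $SOON days (default 60); warns if it expires within $WARN days (default 90).
#
# Hard dependency: OpenSSL OR gnutls
# Recommended: GNU date
#
# zzz 2011-08
# kytv 2013-03
# public domain
#

# How soon is too soon for a cert to expire?
# By default, remaining days <= SOON (60) fail the check;
# SOON < remaining days <= WARN (90) only produce a warning.
WARN=90
SOON=60

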
date2julian() {
    # Convert a civil (Gregorian) date to a Julian Day Number.
    # Adapted from a post (its code released into the public domain) by
    # Tapani Tarvainen to comp.unix.shell (1998); kept on 'expr' so it also
    # runs under plain Bourne-compatible shells, not just Bash, ksh or zsh.
    #   $1 = Month (1-12)
    #   $2 = Day
    #   $3 = Year
    # Prints the day number on stdout, or 0 if any argument is missing.

    if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
        # We *really* shouldn't get here
        echo 0
        return
    fi

    ## Count months from 1 March 0000 (a fictional year) so that the leap
    ## day sits at the very end of the shifted "year" and needs no special case.
    d2j_tmpmonth=$(expr 12 \* "$3" + "$1" - 3)

    ## January and February therefore belong to the previous shifted year.
    d2j_tmpyear=$(expr "${d2j_tmpmonth}" / 12)

    ## Days since 1 March 0000 ...
    d2j_days=$(expr \( 734 \* "${d2j_tmpmonth}" + 15 \) / 24 - 2 \* "${d2j_tmpyear}" + "${d2j_tmpyear}" / 4 - "${d2j_tmpyear}" / 100 + "${d2j_tmpyear}" / 400 + "$2")

    ## ... plus the day number of that epoch relative to 1 Jan. 4713 BC.
    expr "${d2j_days}" + 1721119
}

getmonth() {
    # Map a three-letter English month abbreviation ($1, e.g. "Mar") to its
    # number 1-12 on stdout. Anything unrecognised (including no argument)
    # yields 0, which date2julian then treats as an invalid date.
    case ${1} in
        Jan) echo 1 ;;
        Feb) echo 2 ;;
        Mar) echo 3 ;;
        Apr) echo 4 ;;
        May) echo 5 ;;
        Jun) echo 6 ;;
        Jul) echo 7 ;;
        Aug) echo 8 ;;
        Sep) echo 9 ;;
        Oct) echo 10 ;;
        Nov) echo 11 ;;
        Dec) echo 12 ;;
        *) echo 0 ;;
    esac
}

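checkcert() {
    # Print the NotAfter (expiry) date of certificate file $1 on stdout,
    # normalised to OpenSSL's layout ("Mar 7 16:08:35 2022 GMT") so that
    # compute_dates can hand it either to GNU date or to getmonth/date2julian.
    # Prints nothing when the certificate cannot be read or parsed; the
    # caller treats an empty result as a failed check.
    # Globals: OPENSSL (read) - non-empty when openssl is the available tool
    if [ -n "$OPENSSL" ]; then
        # OpenSSL's format: Mar  7 16:08:35 2022 GMT
        DATA=$(openssl x509 -enddate -noout -in "$1" | cut -d'=' -f2-)
    else
        # Certtool's format: Mon Mar 07 16:08:35 UTC 2022
        # (the \s escapes are a GNU sed extension)
        DATA=$(certtool -i < "$1" | sed -e '/Not\sAfter/!d' -e 's/^.*:\s\(.*\)/\1/')
        # Drop the weekday and move the year so the fields match OpenSSL's
        # layout (mon dd hh:mm:ss yyyy GMT). Only rearrange when certtool
        # produced something, otherwise a bare "GMT" would be reported as a
        # valid date instead of an empty (failed) result.
        if [ -n "$DATA" ]; then
            set -- $DATA
            DATA="$2 $3 $4 $6 GMT"
        fi
    fi
    # Deliberately unquoted: squeezes OpenSSL's double space ("Mar  7") to a
    # single one. The value is taken from the certificate and only printed.
    echo $DATA
}
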
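print_status() {
    # Report the remaining lifetime of the certificate being checked and
    # record a failure when it is expired or expires within $SOON days.
    # Globals: DAYS (read; rewritten to its absolute value for the "expired"
    #          message), SOON, WARN, i, EXPIRES (read), FAIL (set to 1 on failure)
    # Branch order matters: the "ok" branch must only catch DAYS > WARN,
    # otherwise the warning band (SOON < DAYS <= WARN) is never reached and
    # DAYS == SOON passes although the header says "<= SOON will fail".
    if [ "$DAYS" -gt "$WARN" ]; then
        echo "Expires in $DAYS days ($EXPIRES)"
    elif [ "$DAYS" -gt "$SOON" ]; then
        echo "****** WARNING: $i expires in $DAYS days (<= ${WARN}d) ($EXPIRES) ******"
    elif [ "$DAYS" -eq 1 ]; then
        echo "****** Check for $i failed, expires tomorrow ($EXPIRES) ******"
        FAIL=1
    elif [ "$DAYS" -eq 0 ]; then
        echo "****** Check for $i failed, expires today ($EXPIRES) ******"
        FAIL=1
    elif [ "$DAYS" -gt 0 ]; then
        # 2 <= DAYS <= SOON
        echo "****** Check for $i failed, expires in $DAYS days (<= ${SOON}d) ($EXPIRES) ******"
        FAIL=1
    else
        # DAYS < 0: strip the sign for the message
        DAYS=${DAYS#-}
        echo "****** Check for $i failed, expired $DAYS days ago ($EXPIRES) ******"
        FAIL=1
    fi
}
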
compute_dates() {
    # Turn the expiry string in $EXPIRES into a remaining-day count in $DAYS
    # and report it via print_status.
    # Globals: EXPIRES, NOW, HAVE_GNUDATE (read); SECS, DAYS (written)
    # With GNU date, NOW and SECS are epoch seconds; without it, both are
    # Julian day numbers, so their difference is already a number of days.
    if [ -z "$HAVE_GNUDATE" ]; then
        # date2julian needs the format mm dd yyyy. EXPIRES looks like
        # "Mar 7 16:08:35 2022 GMT", so month name is $1, day $2, year $4.
        set -- $EXPIRES
        SECS=$(date2julian "$(getmonth "$1")" "$2" "$4")
        DAYS=$(expr "$SECS" - "$NOW")
    else
        SECS=$(date -u -d "$EXPIRES" '+%s')
        DAYS=$(expr \( "$SECS" - "$NOW" \) / 86400)
    fi
    print_status
}

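# This "grouping hack" is here to prevent errors from being displayed with the
# original Bourne shell (Linux shells don't need the {}s)
if { date --help;} >/dev/null 2>&1 ; then
    # GNU date can parse the certificate's date string directly
    HAVE_GNUDATE=1
    NOW=$(date -u '+%s')
else
    # Fall back to Julian day arithmetic; NOW is then a day number, not
    # seconds. The substitution is unquoted on purpose: it must split into
    # the three arguments date2julian expects.
    NOW=$(date2julian $(date -u '+%m %d %Y'))
fi

# 'command -v' is POSIX and prints nothing on a miss, unlike some 'which'
# implementations whose stdout chatter would make a [ ... ] test succeed.
OPENSSL=
if command -v openssl >/dev/null 2>&1; then
    OPENSSL=1
elif ! command -v certtool >/dev/null 2>&1; then
    echo "ERROR: Neither certtool nor openssl were found..." >&2
    exit 1
fi

# Bail out rather than silently globbing whatever directory we happen to be in.
cd "$(dirname "$0")/../../installer/resources/certificates" || exit 1

FAIL=
CHECKED=0
for i in *.crt *.cert
do
    # An unmatched pattern is left as a literal "*.crt"/"*.cert"; skip it
    # instead of "checking" it, but keep count so an empty run still fails.
    [ -e "$i" ] || continue
    CHECKED=$((CHECKED + 1))
    echo "Checking $i ..."
    EXPIRES=$(checkcert "$i")
    if [ -z "$EXPIRES" ]; then
        echo "********* FAILED CHECK FOR $i *************"
        FAIL=1
    else
        compute_dates
    fi
done

if [ "$CHECKED" -eq 0 ]; then
    echo "******** No certificate files found to check *********" >&2
    FAIL=1
fi

if [ -n "$FAIL" ]; then
    echo "******** At least one file failed check *********"
else
    echo "All files passed"
fi

# Make the exit status explicit: the former unquoted [ -n $FAIL ] was always
# true, so the script exited with the test's own status when FAIL was empty.
exit "${FAIL:-0}"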