Changeset 6992090c for tests


Timestamp:
Mar 30, 2013 2:22:23 AM (7 years ago)
Author:
kytv <kytv@…>
Branches:
master
Children:
427abb0
Parents:
9b0c4815
Message:

various updates to checkcerts script

  • add support for 'openssl'
  • parse expiration date, failing if expired or if expires within 30 days
  • warn at 60
File:
1 edited

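--- a/tests/scripts/checkcerts.sh
+++ b/tests/scripts/checkcerts.sh
@@ -1,30 +1,79 @@
+#!/bin/sh
 #
-# Run 'certtool -i' on all certificate files
-# Returns nonzero on failure
+# Run 'openssl x509' or 'certtool -i' on all certificate files
+# Returns nonzero on failure. Fails if cert cannot be read or is older than
+# $SOON (default 30).
 #
 # zzz 2011-08
+# kytv 2013-03
 # public domain
 #
 
+# How soon is too soon for a cert to expire?
+# By default <= 30 will fail. 60 < x < 30 will warn.
+WARN=60
+SOON=30
+
+
+if [ $(which 1openssl) ]; then
+    OPENSSL=1
+elif [ $(which certtool) ]; then : ;else
+    echo "ERROR: Neither certtool nor openssl were found..." >&2
+    exit 1
+fi
+
+CHECKCERT() {
+    if [ $OPENSSL ]; then
+        DATA=$(openssl x509 -enddate -noout -in $1| cut -d'=' -f2-)
+    else
+        DATA=$(certtool -i < "$1" | sed -e '/Not\sAfter/!d' -e 's/^.*:\s\(.*\)/\1/')
+    fi
+    # While this isn't strictly needed it'll ensure that the output is consistent,
+    # regardles of the tool used.
+    date -u -d "$(echo $DATA)" '+%F %H:%M'
+}
+
+
 cd `dirname $0`/../../installer/resources/certificates
 
-for i in *
+NOW=$(date -u '+%s')
+
+for i in *.crt
 do
-        echo "Checking $i ..."
-        EXPIRES=`certtool -i < $i | grep 'Not After'`
-        if [ $? -ne 0 ]
-        then
-                echo "********* FAILED CHECK FOR $i *************"
-                FAIL=1
-        fi
-        echo $EXPIRES
-        # TODO - parse and fail if it expires soon
+    echo "Checking $i ..."
+    EXPIRES=`CHECKCERT $i`
+    if [ -z "$EXPIRES" ]; then
+        echo "********* FAILED CHECK FOR $i *************"
+        FAIL=1
+    else
+        SECS=$(date -u -d "$EXPIRES" '+%s')
+        DAYS="$(expr \( $SECS - $NOW \) / 86400)"
+        if [ $DAYS -ge $SOON ]; then
+            echo "Expires in $DAYS days ($EXPIRES)"
+        elif [ $DAYS -le $SOON ] && [ $DAYS -gt 0 ]; then
+            echo "****** Check for $i failed, expires in $DAYS days (<= ${SOON}d) ($EXPIRES) ******"
+            FAIL=1
+        elif [ $DAYS -le $WARN ] && [ $DAYS -ge $SOON ]; then
+            echo "****** WARNING: $i expires in $DAYS days (<= ${WANT}d) ($EXPIRES) ******"
+        elif [ $DAYS -eq 1 ]; then
+            DAYS=$(echo $DAYS | sed 's/^-//')
+            echo "****** Check for $I failed, expires in $DAYS day ($EXPIRES) ******"
+            FAIL=1
+        elif [ $DAYS -eq 0 ]; then
+            echo "****** Check for $i failed, expires today ($EXPIRES) ******"
+            FAIL=1
+        elif [ $DAYS -le 0 ]; then
+            DAYS=$(echo $DAYS | sed 's/^-//')
+            echo "****** Check for $i failed, expired $DAYS days ago ($EXPIRES) ******"
+            FAIL=1
+        fi
+    fi
 done
 
-if [ "$FAIL" != "" ]
-then
-        echo "******** At least one file failed check *********"
+if [ -n "$FAIL" ]; then
+    echo "******** At least one file failed check *********"
 else
-        echo "All files passed"
+    echo "All files passed"
 fi
-exit $FAIL
+
+[ -n $FAIL ] && exit $FAIL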
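Review bot: The 60-day warning branch in the new loop (new lines 56–57) is unreachable: the first test `[ $DAYS -ge $SOON ]` already matches every value that `[ $DAYS -le $WARN ] && [ $DAYS -ge $SOON ]` could, so only the plain "Expires in" message prints and the warning the commit message promises never fires; the `-eq 1` branch is likewise shadowed by the `-gt 0` branch above it, and the chain also prints `$I` instead of `$i` and `${WANT}d` instead of `${WARN}d`. Ordering the tests from most to least severe (expired, today, <= SOON, <= WARN, else OK) removes the dead branches; the rewritten chain is below. Separately, the tool probe reads `if [ $(which 1openssl) ]; then` as rendered here — if that is not a display artifact, `OPENSSL` is never set, the openssl path this commit adds is dead, and a host with only openssl installed exits with the "Neither certtool nor openssl" error. Finally, `CHECKCERT $i` and `-in $1` are unquoted, and the closing `[ -n $FAIL ] && exit $FAIL` is true even when FAIL is empty (the unquoted test collapses to a one-argument `[ -n ]`); `exit "${FAIL:-0}"` states the intent directly.
```shell
        SECS=$(date -u -d "$EXPIRES" '+%s')
        DAYS="$(expr \( $SECS - $NOW \) / 86400)"
        if [ "$DAYS" -lt 0 ]; then
            DAYS=$(echo "$DAYS" | sed 's/^-//')
            echo "****** Check for $i failed, expired $DAYS days ago ($EXPIRES) ******"
            FAIL=1
        elif [ "$DAYS" -eq 0 ]; then
            echo "****** Check for $i failed, expires today ($EXPIRES) ******"
            FAIL=1
        elif [ "$DAYS" -le "$SOON" ]; then
            echo "****** Check for $i failed, expires in $DAYS days (<= ${SOON}d) ($EXPIRES) ******"
            FAIL=1
        elif [ "$DAYS" -le "$WARN" ]; then
            echo "****** WARNING: $i expires in $DAYS days (<= ${WARN}d) ($EXPIRES) ******"
        else
            echo "Expires in $DAYS days ($EXPIRES)"
        fi
        # … unchanged: closing fi of the -z "$EXPIRES" test, done …
```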