Changeset b9e9c07 for tests


Timestamp:
May 9, 2014 10:21:15 AM (6 years ago)
Author:
kytv <kytv@…>
Branches:
master
Children:
292b0a81
Parents:
837bf9e
Message:

checkremotecerts.sh: clean-ups, compatibility updates

It now works with either gnutls or openssl, and both gnutls v2 and gnutls v3.

File:
1 edited

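--- a/tests/scripts/checkremotecerts.sh
+++ b/tests/scripts/checkremotecerts.sh
@@ -3,24 +3,44 @@
 set -u
 
-if ! which openssl > /dev/null 2>&1 || ! which gnutls-cli > /dev/null 2>&1; then
-    echo "This script (currently) requires both gnutls and openssl" >&2
-    exit
-fi
-
-if pidof /usr/bin/tor > /dev/null 2>&1 && which torify > /dev/null 2>&1; then
-    echo "-- Detected Tor, will try using it --"
-    GNUTLS="torify gnutls-cli"
-else
-    GNUTLS="gnutls-cli"
-fi
-
 BASEDIR="$(dirname $0)/../../"
 cd "$BASEDIR"
 RESEEDHOSTS=$(sed -e '/\s\+"https:\/\/[-a-z0-9.]/!d' -e 's/.*"https:\/\/\([-a-z0-9.]\+\).*/\1/' router/java/src/net/i2p/router/networkdb/reseed/Reseeder.java)
+CERTHOME="installer/resources/certificates"
 CACERTS=$(mktemp)
 WORK=$(mktemp -d)
 FAIL=0
-CERTHOME="installer/resources/certificates"
+MAX=5
+OPENSSL=0
+CERTTOOL=0
 
+check_for_prog() {
+    if which $1 > /dev/null 2>&1 ; then
+        return 0
+    else
+        return 1
+    fi
+}
+
+if pidof /usr/bin/tor > /dev/null 2>&1 && check_for_prog torify; then
+    echo "-- Detected Tor, will try using it --"
+    GNUTLS_BIN="torify gnutls-cli"
+    OPENSSL_BIN="torify openssl"
+else
+    GNUTLS_BIN="gnutls-cli"
+    OPENSSL_BIN="openssl"
+fi
+
+if check_for_prog certtool1; then
+    CERTTOOL=1
+    echo "-- Checking certificates with GnuTLS --"
+elif check_for_prog openssl; then
+    OPENSSL=1
+    echo "-- Checking certificates with OpenSSL --"
+fi
+
+if [ $CERTTOOL -ne 1 ] && [ $OPENSSL -ne 1 ]; then
+    echo "ERROR: This script requires either gnutls or openssl" >&2
+    exit
+fi
 
 assemble_ca() {
@@ -53,38 +73,74 @@
 
 normalize(){
-    # The format displayed by gnutls-cli. This function is not used yet.
+    # Convert fingerprint to the format output by GnuTLS
     sed -e 's/^.*=//;s/://g;y/ABCDEF/abcdef/'
 }
 
-check() {
-for HOST in $RESEEDHOSTS; do
-    echo -n "Checking $HOST..."
-    # Using --insecure here for those cases in which our
-    retry $GNUTLS --insecure --print-cert --x509cafile="$CACERTS" "$HOST"  < /dev/null > "$WORK/$HOST.test"
-    if $(grep -q 'The certificate issuer is unknown' "$WORK/$HOST.test"); then
-        # If we end up here it's for one of two probable reasons:
-        # 1) the the CN in the certificate doesn't match the hostname.
-        # 2) the certificate is invalid
-        if [ -e "$CERTHOME/ssl/$HOST.crt" ]; then
-            openssl x509 -in "$CERTHOME/ssl/$HOST.crt" -fingerprint -noout > "$WORK/$HOST.expected.finger"
-            openssl x509 -in "$WORK/$HOST.test" -fingerprint -noout > "$WORK/$HOST.real.finger"
-            if [ "$(cat "$WORK/$HOST.expected.finger")" != "$(cat "$WORK/$HOST.real.finger")" ]; then
-                echo -n "invalid certificate for $HOST"
-                FAIL=1
-                echo $HOST >> $WORK/bad
-            fi
-        else
-            echo "Untrusted certficate and certificate not found at $CERTHOME/ssl" >&2
+connect() {
+    if [ $OPENSSL -eq 1 ]; then
+        retry $OPENSSL_BIN s_client -connect "$1:443" -no_ign_eof -CAfile $CACERTS -servername $1 < /dev/null 2>/dev/null
+    else
+        retry $GNUTLS_BIN --insecure --print-cert --x509cafile "$CACERTS" "$1"  < /dev/null 2>/dev/null
+    fi
+}
+
+extract_finger() {
+    if [ $CERTTOOL -eq 1 ]; then
+        # Roughly equivalent to "grep -A1 "SHA-1 fingerprint" | head -n 2 | grep -o '[a-f0-9]{40}'"
+        certtool -i < $1 | sed -n '/SHA-1 fingerprint/{n;p;q}' | sed 's/\s\+\([a-f0-9]\{40\}\)/\1/'
+    else
+        openssl x509 -in $1 -fingerprint -noout | normalize
+    fi
+}
+
+verify_fingerprint() {
+    if [ -e "$CERTHOME/ssl/$1.crt" ]; then
+        EXPECTED=$(extract_finger "$CERTHOME/ssl/$1.crt")
+        FOUND=$(extract_finger "$WORK/$1")
+        if [ "$EXPECTED" != "$FOUND" ]; then
+            echo -n "invalid certificate. Expected $EXPECTED, got $FOUND"
             FAIL=1
             echo $HOST >> $WORK/bad
         fi
+    else
+        echo "Untrusted certficate and certificate not found at $CERTHOME/ssl" >&2
+        FAIL=1
+        echo $HOST >> $WORK/bad
     fi
-    echo
-done
+}
+
+cleanup() {
+    rm -rf $CACERTS $WORK
+    exit $FAIL
+}
+
+check_hosts() {
+    for HOST in $RESEEDHOSTS; do
+        echo -n "Checking $HOST..."
+        connect "$HOST"  < /dev/null > "$WORK/$HOST"
+
+        # OpenSSL returns "return code: 0 (ok)"
+        # GnuTLS returns "certificate is trusted"
+        # GnuTLS v2 has the word "Peer" before certificate, v3 has the word "The" before it
+        if ! grep -q 'Verify return code: 0 (ok)\|certificate is trusted' "$WORK/$HOST"; then
+            # If we end up here it's for one of two probable reasons:
+            # 1) the the CN in the certificate doesn't match the hostname.
+            # 2) the certificate is invalid
+
+            # OpenSSL returns code 21 with self-signed certs.
+            # GnuTLS returns "certificate issuer is unknown"
+            # As noted above, GnuTLS v2 has the word "Peer" before certificate, v3 has the word "The" before it
+
+            # If the CN just doesn't match the hostname, pass
+            if ! grep -q 'Verify return code: 21\|certificate issuer is unknown' "$WORK/$HOST"; then : ;else
+                verify_fingerprint $HOST
+            fi
+        fi
+        echo
+    done
 }
 
 assemble_ca
-check
+check_hosts
+cleanup
 
-rm -rf $CACERTS $WORK
-exit $FAIL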
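Review bot: In check_hosts, a host whose captured output matches neither the success pattern nor the "return code: 21 / certificate issuer is unknown" pattern (an unreachable host, an empty capture because connect failed, or any other verification error) lands in the `:` branch, leaves FAIL at 0 and is reported as if it passed, so only the self-signed case ever reaches verify_fingerprint; the comment `# If the CN just doesn't match the hostname, pass` should say that every other failure is passed as well, or that branch should set `FAIL=1` and append to `$WORK/bad` as verify_fingerprint does. The double negative `if ! grep -q …; then : ;else` reads more plainly as `if grep -q 'Verify return code: 21\|certificate issuer is unknown' "$WORK/$HOST"; then verify_fingerprint "$HOST"; fi`. Separately, `check_for_prog certtool1` looks like a leftover: the binary extract_finger runs is `certtool`, so unless a `certtool1` exists CERTTOOL never becomes 1 and the GnuTLS path is never taken. The prerequisite error branch ends in a bare `exit`, which returns the status of the preceding echo (0); `exit 1` would let a caller notice the missing tool.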