|
@@ -0,0 +1,143 @@
|
|
|
+#!/bin/sh
|
|
|
+
|
|
|
+# Whether a certificate or CRLs needs updating
|
|
|
+expired=0
|
|
|
+# Default to checking expiry within 6 months
|
|
|
+offset="+6 months"
|
|
|
+
|
|
|
+# First command line argument is the new expiry time
|
|
|
+if [ "$1" != "" ]
|
|
|
+then
|
|
|
+ offset=$1
|
|
|
+fi
|
|
|
+
|
|
|
+# Certificates that are expired and are intentionally or irrelevantly so.
|
|
|
+exp_expired="\
|
|
|
+/test/crit-cert.pem \
|
|
|
+/test/expired/expired-cert.pem \
|
|
|
+/test/expired/expired-ca.pem \
|
|
|
+/test/expired/expired-cert.der \
|
|
|
+/test/expired/expired-ca.der \
|
|
|
+/certeccrsa.pem \
|
|
|
+/certeccrsa.der
|
|
|
+"
|
|
|
+
|
|
|
+# Files that are not certificates or CRLs put get matched anyway
|
|
|
+ignore="\
|
|
|
+/test/cert-ext-ns.der \
|
|
|
+/rsa3072.der \
|
|
|
+/rsa2048.der \
|
|
|
+/1024/rsa1024.der \
|
|
|
+"
|
|
|
+
|
|
|
+# Get the date offset from now - earliest expiry - in seconds
|
|
|
+earliest=`date -d "$offset" +%s`
|
|
|
+
|
|
|
+# Compare the date with earliest allowed expiry.
|
|
|
+#
|
|
|
+# $1 Name of file being checked.
|
|
|
+# $2 Expiry date in file (notAfter or nextUpdate).
|
|
|
+check_expiry() {
|
|
|
+ # Convert date to a number of seconds
|
|
|
+ expiry=`date -d "$2" +%s`
|
|
|
+
|
|
|
+ # Check expiry is not too soon
|
|
|
+ if [ $expiry -lt $earliest ]
|
|
|
+ then
|
|
|
+ # Reset result
|
|
|
+ result=expired
|
|
|
+ # Ignore files that are expected to be expired
|
|
|
+ for exp in $exp_expired
|
|
|
+ do
|
|
|
+ case $1 in
|
|
|
+ *$exp)
|
|
|
+ result=ignore
|
|
|
+ break
|
|
|
+ ;;
|
|
|
+ esac
|
|
|
+ done
|
|
|
+ # Report any unexpected expiries
|
|
|
+ if [ "$result" = "expired" ]
|
|
|
+ then
|
|
|
+ echo "$1 expires at:"
|
|
|
+ echo " '$2' (< $offset)"
|
|
|
+ expired=1
|
|
|
+ fi
|
|
|
+ fi
|
|
|
+}
|
|
|
+
|
|
|
+# Check file expiry.
|
|
|
+#
|
|
|
+# The file is of any format.
|
|
|
+# Try to guess from name what it is.
|
|
|
+#
|
|
|
+# $1 Name of file to check
|
|
|
+# $inform Command line argument to use with openssl for input file format
|
|
|
+check_file() {
|
|
|
+ # Check file is not in list of files to ignore
|
|
|
+ for i in $ignore
|
|
|
+ do
|
|
|
+ case $1 in
|
|
|
+ *$i)
|
|
|
+ return
|
|
|
+ ;;
|
|
|
+ esac
|
|
|
+ done
|
|
|
+
|
|
|
+ # Use pattern matching to guess format
|
|
|
+ case $1 in
|
|
|
+ *key*) ;;
|
|
|
+ *dh*) ;;
|
|
|
+ *params*) ;;
|
|
|
+ *priv*) ;;
|
|
|
+ *pub*) ;;
|
|
|
+ *dsa*) ;;
|
|
|
+ *crl*)
|
|
|
+ # Get the nextUpdate field from the CRL
|
|
|
+ next_update=`openssl crl -in $file $inform -noout -nextupdate 2>&1`
|
|
|
+ if [ "$?" != "0" ]
|
|
|
+ then
|
|
|
+ # Didn't work so report failure
|
|
|
+ echo "$file not a crl"
|
|
|
+ else
|
|
|
+ # Get the date after the equal sign and check file
|
|
|
+ next_update="${next_update#*=}"
|
|
|
+ check_expiry $file "$next_update"
|
|
|
+ fi
|
|
|
+ ;;
|
|
|
+ *)
|
|
|
+ # Get the notAfter field from the certificate
|
|
|
+ not_after=`openssl x509 -in $file $inform -noout -enddate 2>&1`
|
|
|
+ if [ "$?" != "0" ]
|
|
|
+ then
|
|
|
+ # Didn't work, maybe wasn't a certificate, so report failure
|
|
|
+ echo "$file not a certificate"
|
|
|
+ else
|
|
|
+ # Get the date after the equal sign and check file
|
|
|
+ not_after="${not_after#*=}"
|
|
|
+ check_expiry $file "$not_after"
|
|
|
+ fi
|
|
|
+ ;;
|
|
|
+ esac
|
|
|
+}
|
|
|
+
|
|
|
+# Check all PEM files
|
|
|
+inform="-inform PEM"
|
|
|
+pem_files=`find . -name '*.pem'`
|
|
|
+for file in $pem_files
|
|
|
+do
|
|
|
+ check_file $file
|
|
|
+done
|
|
|
+
|
|
|
+# Check all DER files
|
|
|
+inform="-inform DER"
|
|
|
+der_files=`find . -name '*.der'`
|
|
|
+for file in $der_files
|
|
|
+do
|
|
|
+ check_file $file
|
|
|
+done
|
|
|
+
|
|
|
+# Return result of check
|
|
|
+# 0 on success
|
|
|
+# 1 on failure
|
|
|
+return $expired
|