
  1. #!/bin/sh
  2. # Whether a certificate or CRLs needs updating
  3. expired=0
  4. # Default to checking expiry within 6 months
  5. offset="+6 months"
  6. # First command line argument is the new expiry time
  7. if [ "$1" != "" ]
  8. then
  9. offset=$1
  10. fi
  11. # Certificates that are expired and are intentionally or irrelevantly so.
  12. exp_expired="\
  13. /test/crit-cert.pem \
  14. /test/expired/expired-cert.pem \
  15. /test/expired/expired-ca.pem \
  16. /test/expired/expired-cert.der \
  17. /test/expired/expired-ca.der \
  18. /certeccrsa.pem \
  19. /certeccrsa.der
  20. "
  21. # Files that are not certificates or CRLs put get matched anyway
  22. ignore="\
  23. /test/cert-ext-ns.der \
  24. /rsa3072.der \
  25. /rsa2048.der \
  26. /1024/rsa1024.der \
  27. "
  28. # Get the date offset from now - earliest expiry - in seconds
  29. earliest=`date -d "$offset" +%s`
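# Compare a file's expiry date with the earliest allowed expiry and report
# it when it is too soon.
#
# Globals:
#   earliest    (read)    cut-off as seconds since the epoch
#   offset      (read)    human-readable cut-off, used in the report
#   exp_expired (read)    whitespace-separated path suffixes allowed to expire
#   expired     (written) set to 1 on an unexpected or unusable expiry
#   expiry, result, exp   scratch (POSIX sh has no `local`)
#
# $1 Name of file being checked.
# $2 Expiry date in file (notAfter or nextUpdate), in a form `date -d` accepts.
#
# Output: one report per unexpected expiry on stdout.
check_expiry() {
  # Without a cut-off there is nothing to compare against; do not let the
  # file pass silently.
  if [ -z "$earliest" ]; then
    echo "$1 cannot be checked: no cut-off date"
    expired=1
    return 0
  fi
  # Convert the date to seconds since the epoch.  Previously an unparseable
  # date left $expiry empty, the test below errored out and the file passed;
  # report it and count it as a failure instead.
  if ! expiry=$(date -d "$2" +%s); then
    echo "$1 has an unusable expiry date:"
    echo " '$2'"
    expired=1
    return 0
  fi
  # Anything expiring on or after the cut-off is fine.
  [ "$expiry" -lt "$earliest" ] || return 0
  # Too soon: only report it if it is not on the expected-expired list.
  result=expired
  # Word-splitting of $exp_expired is intentional (one suffix per word).
  for exp in $exp_expired; do
    case "$1" in
      *"$exp")
        result=ignore
        break
        ;;
    esac
  done
  if [ "$result" = "expired" ]; then
    echo "$1 expires at:"
    echo " '$2' (< $offset)"
    expired=1
  fi
}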
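# Check file expiry.
#
# The file may be a certificate or a CRL in any format; what it is gets
# guessed from its name.  Files whose names say they are keys, parameters
# and similar are skipped, as are files on the ignore list.
#
# Globals:
#   ignore  (read)  whitespace-separated path suffixes to skip entirely
#   inform  (read)  openssl input-format arguments, e.g. "-inform PEM";
#                   deliberately expanded unquoted so it becomes two words
#   next_update, not_after, i   scratch (POSIX sh has no `local`)
#
# $1 Name of file to check (the openssl calls below used to read the global
#    $file instead, which only worked for the loops at the bottom of the file).
#
# Output: "<file> not a crl" / "<file> not a certificate" on stdout when
# openssl cannot parse the file; otherwise whatever check_expiry reports.
check_file() {
  # Skip files on the ignore list (matched as a path suffix).
  for i in $ignore; do
    case "$1" in
      *"$i") return 0 ;;
    esac
  done
  # Use pattern matching on the name to guess the format.
  case "$1" in
    *key*|*dh*|*params*|*priv*|*pub*|*dsa*)
      # Not a certificate or CRL: nothing to check.
      ;;
    *crl*)
      # Get the nextUpdate field from the CRL.  Note 2>&1: openssl's own
      # error text is captured and dropped, only the one-line summary prints.
      # shellcheck disable=SC2086 -- $inform is two words on purpose
      if next_update=$(openssl crl -in "$1" $inform -noout -nextupdate 2>&1); then
        # openssl prints "nextUpdate=<date>"; keep the part after the '='.
        next_update="${next_update#*=}"
        check_expiry "$1" "$next_update"
      else
        echo "$1 not a crl"
      fi
      ;;
    *)
      # Anything else is assumed to be a certificate: get its notAfter field.
      # shellcheck disable=SC2086 -- $inform is two words on purpose
      if not_after=$(openssl x509 -in "$1" $inform -noout -enddate 2>&1); then
        # openssl prints "notAfter=<date>"; keep the part after the '='.
        not_after="${not_after#*=}"
        check_expiry "$1" "$not_after"
      else
        # Didn't work, maybe it wasn't a certificate, so report failure.
        echo "$1 not a certificate"
      fi
      ;;
  esac
}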
  114. # Check all PEM files
  115. inform="-inform PEM"
  116. pem_files=`find . -name '*.pem'`
  117. for file in $pem_files
  118. do
  119. check_file $file
  120. done
  121. # Check all DER files
  122. inform="-inform DER"
  123. der_files=`find . -name '*.der'`
  124. for file in $der_files
  125. do
  126. check_file $file
  127. done
  128. # Return result of check
  129. # 0 on success
  130. # 1 on failure
  131. return $expired