123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159 |
- #!/bin/sh
- # Whether a certificate or CRLs needs updating
- expired=0
- # Default to checking expiry within 6 months
- offset="+6 months"
- # First command line argument is the new expiry time
- if [ "$1" != "" ]
- then
- offset=$1
- fi
- # Certificates that are expired and are intentionally or irrelevantly so.
- exp_expired="\
- /test/crit-cert.pem \
- /test/expired/expired-cert.pem \
- /test/expired/expired-ca.pem \
- /test/expired/expired-cert.der \
- /test/expired/expired-ca.der \
- /certeccrsa.pem \
- /certeccrsa.der
- "
- # Files that are not certificates or CRLs put get matched anyway
- ignore="\
- /test/cert-ext-ns.der \
- /rsa3072.der \
- /rsa2048.der \
- /1024/rsa1024.der \
- "
- # Get the date offset from now - earliest expiry - in seconds
- earliest=`date -d "$offset" +%s`
- # Compare the date with earliest allowed expiry.
- #
- # $1 Name of file being checked.
- # $2 Expiry date in file (notAfter or nextUpdate).
- check_expiry() {
- # Convert date to a number of seconds
- expiry=`date -d "$2" +%s`
- # Check expiry is not too soon
- if [ $expiry -lt $earliest ]
- then
- # Reset result
- result=expired
- # Ignore files that are expected to be expired
- for exp in $exp_expired
- do
- case $1 in
- *$exp)
- result=ignore
- break
- ;;
- esac
- done
- # Report any unexpected expiries
- if [ "$result" = "expired" ]
- then
- echo "$1 expires at:"
- echo " '$2' (< $offset)"
- expired=1
- fi
- fi
- }
- # Check file expiry.
- #
- # The file is of any format.
- # Try to guess from name what it is.
- #
- # $1 Name of file to check
- # $inform Command line argument to use with openssl for input file format
- check_file() {
- # Check file is not in list of files to ignore
- for i in $ignore
- do
- case $1 in
- *$i)
- return
- ;;
- esac
- done
- # Use pattern matching to guess format
- case $1 in
- *key*) ;;
- *dh*) ;;
- *params*) ;;
- *priv*) ;;
- *pub*) ;;
- *dsa*) ;;
- *crl*)
- # Get the nextUpdate field from the CRL
- next_update=`openssl crl -in $file $inform -noout -nextupdate 2>&1`
- if [ "$?" != "0" ]
- then
- # Didn't work so report failure
- echo "$file not a crl"
- else
- # Get the date after the equal sign and check file
- next_update="${next_update#*=}"
- check_expiry $file "$next_update"
- fi
- ;;
- *)
- # Get the notAfter field from the certificate
- not_after=`openssl x509 -in $file $inform -noout -enddate 2>&1`
- if [ "$?" != "0" ]
- then
- # Didn't work, maybe wasn't a certificate, so report failure
- echo "$file not a certificate"
- else
- # Get the date after the equal sign and check file
- not_after="${not_after#*=}"
- check_expiry $file "$not_after"
- fi
- ;;
- esac
- }
- # Check all PEM files
- inform="-inform PEM"
- pem_files=`find . -name '*.pem'`
- for file in $pem_files
- do
- check_file $file
- done
- # Check all DER files
- inform="-inform DER"
- der_files=`find . -name '*.der'`
- for file in $der_files
- do
- check_file $file
- done
- # try running test suite in the future
- faketime -v > /dev/null
- RESULT=$?
- if [ "$RESULT" = "0" ]; then
- FUTURE=$(date --date="1 years")
- echo ""
- echo "Trying to run tests with time set to \"$FUTURE\""
- ./configure --enable-all -q
- make -s
- faketime "${FUTURE}" ./tests/unit.test
- RESULT=$?
- if [ "$RESULT" != "0" ]; then
- echo "Running tests with future date failed"
- exit 1
- fi
- fi
- # Return result of check
- # 0 on success
- # 1 on failure
- return $expired
|