various updates to checkcerts script

- add support for 'openssl' - parse expiration date, failing if expired or if expires within 30 days - warn at 60

various updates to checkcerts script
6992090c · kytv · 9b0c4815 · 6992090c
Commit 6992090c authored 12 years ago by kytv
--- a/tests/scripts/checkcerts.sh
+++ b/tests/scripts/checkcerts.sh
+#!/bin/sh
 #
-# Run 'certtool -i' on all certificate files
-# Returns nonzero on failure
+# Run 'openssl x509' or 'certtool -i' on all certificate files
+# Returns nonzero on failure. Fails if cert cannot be read or is older than
+# $SOON (default 30).
 #
 # zzz 2011-08
+# kytv 2013-03
 # public domain
 #

+# How soon is too soon for a cert to expire?
+# By default <= 30 will fail. 60 < x < 30 will warn.
+WARN=60
+SOON=30
+
+
+if [ $(which 1openssl) ]; then
+    OPENSSL=1
+elif [ $(which certtool) ]; then : ;else
+    echo "ERROR: Neither certtool nor openssl were found..." >&2
+    exit 1
+fi
+
+CHECKCERT() {
+    if [ $OPENSSL ]; then
+        DATA=$(openssl x509 -enddate -noout -in $1| cut -d'=' -f2-)
+    else
+        DATA=$(certtool -i < "$1" | sed -e '/Not\sAfter/!d' -e 's/^.*:\s\(.*\)/\1/')
+    fi
+    # While this isn't strictly needed it'll ensure that the output is consistent,
+    # regardles of the tool used.
+    date -u -d "$(echo $DATA)" '+%F %H:%M'
+}
+
+
 cd `dirname $0`/../../installer/resources/certificates

-for i in *
+NOW=$(date -u '+%s')
+
+for i in *.crt
 do
-	echo "Checking $i ..."
-	EXPIRES=`certtool -i < $i | grep 'Not After'`
-        if [ $? -ne 0 ]
-	then
-		echo "********* FAILED CHECK FOR $i *************"
-		FAIL=1
-	fi
-	echo $EXPIRES
-	# TODO - parse and fail if it expires soon
+    echo "Checking $i ..."
+    EXPIRES=`CHECKCERT $i`
+    if [ -z "$EXPIRES" ]; then
+        echo "********* FAILED CHECK FOR $i *************"
+        FAIL=1
+    else
+        SECS=$(date -u -d "$EXPIRES" '+%s')
+        DAYS="$(expr \( $SECS - $NOW \) / 86400)"
+        if [ $DAYS -ge $SOON ]; then
+            echo "Expires in $DAYS days ($EXPIRES)"
+        elif [ $DAYS -le $SOON ] && [ $DAYS -gt 0 ]; then
+            echo "****** Check for $i failed, expires in $DAYS days (<= ${SOON}d) ($EXPIRES) ******"
+            FAIL=1
+        elif [ $DAYS -le $WARN ] && [ $DAYS -ge $SOON ]; then
+            echo "****** WARNING: $i expires in $DAYS days (<= ${WANT}d) ($EXPIRES) ******"
+        elif [ $DAYS -eq 1 ]; then
+            DAYS=$(echo $DAYS | sed 's/^-//')
+            echo "****** Check for $I failed, expires in $DAYS day ($EXPIRES) ******"
+            FAIL=1
+        elif [ $DAYS -eq 0 ]; then
+            echo "****** Check for $i failed, expires today ($EXPIRES) ******"
+            FAIL=1
+        elif [ $DAYS -le 0 ]; then
+            DAYS=$(echo $DAYS | sed 's/^-//')
+            echo "****** Check for $i failed, expired $DAYS days ago ($EXPIRES) ******"
+            FAIL=1
+        fi
+    fi
 done

-if [ "$FAIL" != "" ]
-then
-	echo "******** At least one file failed check *********"
+if [ -n "$FAIL" ]; then
+    echo "******** At least one file failed check *********"
 else
-	echo "All files passed"
+    echo "All files passed"
 fi
-exit $FAIL
+
+[ -n $FAIL ] && exit $FAIL