From 6992090cda2b5daf26de8e2e33dbc808b75fed6a Mon Sep 17 00:00:00 2001
From: kytv <kytv@mail.i2p>
Date: Sat, 30 Mar 2013 02:22:23 +0000
Subject: [PATCH] various updates to checkcerts script - add support for 'openssl' - parse expiration date, failing if expired or if expires within 30 days - warn at 60
---
 tests/scripts/checkcerts.sh | 83 +++++++++++++++++++++++++++++--------
 1 file changed, 66 insertions(+), 17 deletions(-)
diff --git a/tests/scripts/checkcerts.sh b/tests/scripts/checkcerts.sh
index 6191294673..45e86f6bcf 100755
--- a/tests/scripts/checkcerts.sh
+++ b/tests/scripts/checkcerts.sh
@@ -1,30 +1,79 @@
+#!/bin/sh
 #
-# Run 'certtool -i' on all certificate files
-# Returns nonzero on failure
+# Run 'openssl x509' or 'certtool -i' on all certificate files
+# Returns nonzero on failure. Fails if cert cannot be read or is older than
+# $SOON (default 30).
 #
 # zzz 2011-08
+# kytv 2013-03
 # public domain
 #
+# How soon is too soon for a cert to expire?
+# By default <= 30 will fail. 60 < x < 30 will warn.
+WARN=60
+SOON=30
+
+
+if [ $(which 1openssl) ]; then
+ OPENSSL=1
+elif [ $(which certtool) ]; then : ;else
+ echo "ERROR: Neither certtool nor openssl were found..." >&2
+ exit 1
+fi
+
+CHECKCERT() {
+ if [ $OPENSSL ]; then
+ DATA=$(openssl x509 -enddate -noout -in $1| cut -d'=' -f2-)
+ else
+ DATA=$(certtool -i < "$1" | sed -e '/Not\sAfter/!d' -e 's/^.*:\s\(.*\)/\1/')
+ fi
+ # While this isn't strictly needed it'll ensure that the output is consistent,
+ # regardles of the tool used.
+ date -u -d "$(echo $DATA)" '+%F %H:%M'
+}
+
+
 cd `dirname $0`/../../installer/resources/certificates
-for i in *
+NOW=$(date -u '+%s')
+
+for i in *.crt
 do
- echo "Checking $i ..."
- EXPIRES=`certtool -i < $i | grep 'Not After'`
- if [ $? -ne 0 ]
- then
- echo "********* FAILED CHECK FOR $i *************"
- FAIL=1
- fi
- echo $EXPIRES
- # TODO - parse and fail if it expires soon
+ echo "Checking $i ..."
+ EXPIRES=`CHECKCERT $i`
+ if [ -z "$EXPIRES" ]; then
+ echo "********* FAILED CHECK FOR $i *************"
+ FAIL=1
+ else
+ SECS=$(date -u -d "$EXPIRES" '+%s')
+ DAYS="$(expr \( $SECS - $NOW \) / 86400)"
+ if [ $DAYS -ge $SOON ]; then
+ echo "Expires in $DAYS days ($EXPIRES)"
+ elif [ $DAYS -le $SOON ] && [ $DAYS -gt 0 ]; then
+ echo "****** Check for $i failed, expires in $DAYS days (<= ${SOON}d) ($EXPIRES) ******"
+ FAIL=1
+ elif [ $DAYS -le $WARN ] && [ $DAYS -ge $SOON ]; then
+ echo "****** WARNING: $i expires in $DAYS days (<= ${WANT}d) ($EXPIRES) ******"
+ elif [ $DAYS -eq 1 ]; then
+ DAYS=$(echo $DAYS | sed 's/^-//')
+ echo "****** Check for $I failed, expires in $DAYS day ($EXPIRES) ******"
+ FAIL=1
+ elif [ $DAYS -eq 0 ]; then
+ echo "****** Check for $i failed, expires today ($EXPIRES) ******"
+ FAIL=1
+ elif [ $DAYS -le 0 ]; then
+ DAYS=$(echo $DAYS | sed 's/^-//')
+ echo "****** Check for $i failed, expired $DAYS days ago ($EXPIRES) ******"
+ FAIL=1
+ fi
+ fi
 done
-if [ "$FAIL" != "" ]
-then
- echo "******** At least one file failed check *********"
+if [ -n "$FAIL" ]; then
+ echo "******** At least one file failed check *********"
 else
- echo "All files passed"
+ echo "All files passed"
 fi
-exit $FAIL
+
+[ -n $FAIL ] && exit $FAIL
--
GitLab
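Review bot: The openssl path this commit adds can never be selected, because the tool probe reads `which 1openssl` (a stray `1`), so `OPENSSL` is never set and every run goes through certtool; the probe should be `if command -v openssl >/dev/null 2>&1; then`. In the per-file chain, `[ $DAYS -ge $SOON ]` is tested first and takes every certificate with 30 or more days left, so the `WARN` branch (and the `${WANT}d` and `$I` typos sitting in the dead branches) is unreachable and a certificate expiring in 31–60 days is reported as a plain `Expires in N days` with no warning, which contradicts the commit message. The rewritten chain below orders the thresholds from longest to shortest, quotes the expansions and uses `${DAYS#-}` to drop the sign for already-expired certificates; the header comment `60 < x < 30 will warn` should read `30 < x <= 60 will warn` to match. The closing `[ -n $FAIL ] && exit $FAIL` only works by accident: with `FAIL` unset it becomes the one-argument test `[ -n ]`, which is true, and the bare `exit` then reuses that status, so `exit "${FAIL:-0}"` states the intent directly.
```shell
        # … unchanged: SECS / DAYS computation …
        if [ "$DAYS" -gt "$WARN" ]; then
            echo "Expires in $DAYS days ($EXPIRES)"
        elif [ "$DAYS" -gt "$SOON" ]; then
            echo "****** WARNING: $i expires in $DAYS days (<= ${WARN}d) ($EXPIRES) ******"
        elif [ "$DAYS" -gt 0 ]; then
            echo "****** Check for $i failed, expires in $DAYS days (<= ${SOON}d) ($EXPIRES) ******"
            FAIL=1
        elif [ "$DAYS" -eq 0 ]; then
            echo "****** Check for $i failed, expires today ($EXPIRES) ******"
            FAIL=1
        else
            echo "****** Check for $i failed, expired ${DAYS#-} days ago ($EXPIRES) ******"
            FAIL=1
        fi
```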