| author | Jan Pokorný <jpokorny@redhat.com> | 2013-04-10 17:49:57 +0200 |
|---|---|---|
| committer | Jan Pokorný <jpokorny@redhat.com> | 2013-04-10 17:49:57 +0200 |
| commit | 873c71572a4e9496a48f14388786faa09514826e (patch) | |
| tree | 3b087aa58a6fdfc5a53d2f8e4498ed3c20a5700c /scripts/certs/cert-check | |
| parent | 081ea50281a0785223389810c0703f5ac65df5af (diff) | |
| download | dotfiles-873c71572a4e9496a48f14388786faa09514826e.tar.gz dotfiles-873c71572a4e9496a48f14388786faa09514826e.tar.xz dotfiles-873c71572a4e9496a48f14388786faa09514826e.zip | |
Scripts: add script for in-depth certificate check
Signed-off-by: Jan Pokorný <jpokorny@redhat.com>
Diffstat (limited to 'scripts/certs/cert-check')
| -rwxr-xr-x | scripts/certs/cert-check | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/scripts/certs/cert-check b/scripts/certs/cert-check
new file mode 100755
index 0000000..682c8fa
--- /dev/null
+++ b/scripts/certs/cert-check
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+# trivial check if server cert is OK incl. best effort to download
+# referenced certificates and CRLs in chain
+#
+# jpokorny@redhat.com
+#
+# TODO:
+# - currently, only cl[tl] files supported, not immediate PEM etc.;
+# also any reference to external resource has to start with URI
+# (is it a convention or a single case?)
+# - couldn't get rid of dependency on temporary file as it is read
+# twice in two substituted commands and neither env. variable nor
+# file descriptor sharing is suitable (stdin can be read only once,
+# generally, there is a race between the two?)
+
+set -eu
+
+WGET="wget -nv"
+CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt
+
+_download_cert() {
+local server=$1
+local port=443 # https
+[ $# -ge 2 ] && $port=$2
+# sleep so as to prevent premature socket close
+( echo; sleep 2 ) \
+| openssl s_client -connect "${server}:${port}" -crlf 2>/dev/null
+}
+
+cert_check() {
+( [ -f "$1" ] && cat -- "$1" || _download_cert "$@" ) \
+| sed -ne '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
+| ( cat >/tmp/.$$;
+openssl verify -CAfile \
+<(awk '/-BEGIN CERTIFICATE-/{if(++i > 1){exit;}}{print;}' /tmp/.$$ \
+| openssl x509 -noout -text \
+| sed -n 's|.*URI:\(.\+\.cr[tl]\)|\1|p' \
+| xargs -I '{}' bash -c " case '{}' in \
+*crt) ${WGET} -O- '{}' | openssl x509 -inform DER -outform PEM;; \
+*crl) ${WGET} -O- '{}' | openssl crl -inform DER -outform PEM;; \
+*) echo 'Sorry, {} not supported' >&2; \
+esac" \
+| cat "${CA_BUNDLE}" -) \
+<(awk '/-BEGIN CERTIFICATE-/{if(++i > 1){exit;}}{print;}' /tmp/.$$);
+rm -- /tmp/.$$ )
+}
+
+[[ "${BASH_SOURCE[0]}" != "${0}" ]] || \
+[ $# -ge 1 ] && cert_check "$@" || echo "usage: $0 file-or-server [port=443]"
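Review bot: In cert_check the URI extracted from the peer certificate's text is spliced into the command string given to `bash -c " case '{}' in … "`, so a certificate whose URI field contains a single quote or `$(…)` escapes the quoting and executes arbitrary commands in the caller's shell; the certificate comes from the remote server and must be treated as data, which a `while IFS= read -r uri` loop over the sed output (below) does while also dropping the xargs/bash round-trip. In `_download_cert`, `[ $# -ge 2 ] && $port=$2` expands to `443=<port>` and is run as a command, so supplying a port aborts under `set -eu`; `local port=${2:-443}` is what was intended. The fixed temp name `/tmp/.$$` is predictable in a shared /tmp and is never removed when `openssl verify` fails inside the subshell (the subshell exits before `rm`), so `mktemp` with a `trap … EXIT` is the safer shape. The last line parses as `((A || B) && cert_check "$@") || echo usage`, which means `cert_check` still runs when the file is sourced; an explicit `if [[ "${BASH_SOURCE[0]}" == "$0" ]]` guard avoids that.
```shell
_download_cert() {
  local server=$1
  local port=${2:-443} # https
  # … unchanged: s_client invocation …
}

# … unchanged in cert_check: input selection, PEM extraction, first-cert awk | openssl x509 -text | sed URI filter …
          | while IFS= read -r uri; do
              case "$uri" in
                *crt) ${WGET} -O- -- "$uri" | openssl x509 -inform DER -outform PEM;;
                *crl) ${WGET} -O- -- "$uri" | openssl crl -inform DER -outform PEM;;
                *) echo "Sorry, $uri not supported" >&2;;
              esac
            done \
          | cat "${CA_BUNDLE}" -) \
# … unchanged: second awk argument, temp-file removal …
```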
