source: TI12-security/trunk/ssl_cert_verification_utils/sslcertcheck.sh @ 7820

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/ssl_cert_verification_utils/sslcertcheck.sh@7820
Revision 7820, 2.4 KB checked in by pjkersha, 10 years ago (diff)

Bash script to check the validity of a certificate from a given server running over SSL.

  • Property svn:executable set to *
  • Property svn:keywords set to Id
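#!/bin/bash
#
# Get an SSL certificate from a server and verify it against a set of trusted CA
# certificates and check it for time validity.
#
# Usage: sslcertcheck.sh [-h|--help] [-c|--connect "host1:port1 ... hostN:portN"] [-p|--CApath dir]
#
# Each host:port in the -c list is probed in turn with `openssl s_client`.  The
# certificate the server presents is checked for a clean chain verification
# (against the -p/--CApath directory when given, otherwise OpenSSL's defaults)
# and for expiry.  Results are printed one line per connection; the exit status
# is 0 only when every connection passed both checks.
#
# Author: P J Kershaw
#
# Date: 14/01/2011
#
# Copyright: (C) 2011 STFC
#
# License: BSD
#
# $Id$

usage="Usage: $(basename -- "$0") [-h|--help] [-c|--connect \"host1:port1 host2:port2 ... hostN:portN\"] [-p|--CApath dir]"

# -p and --CApath both take a mandatory argument.  (A "CApath::" spec would make
# the long form's argument optional, so "--CApath dir" would silently leave the
# CA directory empty.)
cmdline_opt=$(getopt -o hc:p: --long help,connect:,CApath: -n "$0" -- "$@")
# getopt's status must be tested immediately: any intervening command
# (e.g. an assignment) resets $?.
if [ $? -ne 0 ]; then
    printf '%s\n' "$usage" >&2
    exit 1
fi

# Note the quotes around `$cmdline_opt': they are essential!
eval set -- "$cmdline_opt"

connect_strings=
ca_dir=
while true; do
    case "$1" in
        -h|--help) printf '%s\n' "$usage"; exit 0 ;;
        -c|--connect) connect_strings=$2; shift 2 ;;
        -p|--CApath) ca_dir=$2; shift 2 ;;
        --) shift; break ;;
        *) printf 'Internal error!\n' >&2; exit 1 ;;
    esac
done

if [ -z "$connect_strings" ]; then
    printf 'No connection string set\n' >&2
    printf '%s\n' "$usage" >&2
    exit 1
fi

# Extra s_client arguments, kept in an array so a CA directory containing
# spaces is passed through as a single word.
verify_args=()
if [ -n "$ca_dir" ]; then
    verify_args=(-CApath "$ca_dir")
fi

# Check each connection in turn ...
exit_code=0
for connect_string in $connect_strings; do
    printf 'Checking "%s"' "$connect_string"

    # Send the host name via SNI (-servername) so a server hosting several names
    # returns the certificate it would actually serve for this host, not its
    # default one.  s_client itself exits 0 even when verification fails, so the
    # "Verify return code" line is inspected separately below.
    host=${connect_string%%:*}
    output=$(echo | openssl s_client -connect "$connect_string" -servername "$host" "${verify_args[@]}" 2>&1)
    openssl_exit_code=$?
    if [ "$openssl_exit_code" -ne 0 ]; then
        printf ': %s\n' "$output" >&2
        exit_code=1
        continue
    fi

    verify_return_msg=$(printf '%s\n' "$output" | grep "Verify return code:" | awk -F': ' '{print $2}')
    verify_return_code=$(printf '%s\n' "$verify_return_msg" | awk '{print $1}')
    # No "Verify return code" line means no verification result was reported;
    # treat that as a failure instead of letting the numeric test below error.
    if [ -z "$verify_return_code" ]; then
        verify_return_msg="no verify result reported by s_client"
        verify_return_code=1
    fi

    cert_pem=$(printf '%s\n' "$output" | sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p')
    if [ -z "$cert_pem" ]; then
        printf ': no certificate returned by server\n' >&2
        exit_code=1
        continue
    fi

    cert_output=$(printf '%s\n' "$cert_pem" | openssl x509 -noout -subject -enddate)
    # Strip the field labels; the optional space after "subject=" varies between
    # OpenSSL versions.
    subject=$(printf '%s\n' "$cert_output" | sed -n 's/^subject= *//p')
    expiry_date=$(printf '%s\n' "$cert_output" | sed -n 's/^notAfter=//p')

    printf ', certificate "%s": ' "$subject"

    # Collect every problem for this connection so they appear on one line and
    # a later healthy connection can still report OK.
    problems=
    if [ "$verify_return_code" -ne 0 ]; then
        problems=$verify_return_msg
    fi
    # -checkend 0 exits non-zero if the certificate has already expired.
    if ! printf '%s\n' "$cert_pem" | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
        problems="${problems:+$problems; }certificate has expired (notAfter=$expiry_date)"
    fi

    if [ -z "$problems" ]; then
        printf 'OK\n'
    else
        printf '%s\n' "$problems"
        exit_code=1
    fi
done

exit "$exit_code"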