#!/bin/bash
# ANSI color codes
# ANSI SGR sequences used by the log helpers; the escapes are kept as
# literal backslash text and interpreted at print time (echo -e).
GREEN="\\033[0;32m"  # result passed
RED="\\033[0;31m"    # result failed
NC="\\033[0m"        # reset to the terminal default
# Function to log verification result with color
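#######################################
# Print one verification line, green when the result is "Passed" and
# red otherwise.
# Globals:   GREEN, RED, NC (read)
# Arguments: $1 - label of the item that was checked
#            $2 - result text ("Passed" or a failure description)
# Outputs:   a blank line followed by the verification line on stdout
#######################################
log_verification_result() {
  local cert_name=$1
  local result=$2
  local color=$RED
  if [[ "$result" == "Passed" ]]; then
    color=$GREEN
  fi
  # %b expands the escapes in the color codes; %s keeps the caller's text
  # literal (echo -e would also interpret backslashes inside the label).
  printf '\nVerification of %s: %b%s%b\n' "$cert_name" "$color" "$result" "$NC"
}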
# Function to extract certificate subject alternative names (SAN)
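#######################################
# Print the DNS entries of the certificate's subjectAltName extension on
# one line, space-separated (empty line if there are none).
# Arguments: $1 - path to a PEM certificate
# Outputs:   the DNS names on stdout
# Returns:   1 if openssl cannot read the certificate, 0 otherwise
#######################################
extract_san() {
  local cert_file=$1
  local cert_text san
  # Capture the text dump first so an openssl failure is not masked by the
  # exit status of the last pipeline stage.
  cert_text=$(openssl x509 -noout -text -in "$cert_file") || return 1
  # grep -o/sed instead of the GNU-only grep -P '\K': take each "DNS:name"
  # token (a name runs up to the next comma) and strip the prefix.
  san=$(printf '%s\n' "$cert_text" | grep -o 'DNS:[^,]*' | sed 's/^DNS://' | tr '\n' ' ')
  # Drop the separator tr leaves after the last name.
  printf '%s\n' "${san% }"
}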
# Function to extract extended key usage
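#######################################
# Print the values of the certificate's Extended Key Usage extension: the
# lines indented below the "Extended Key Usage:" header, one per line with
# leading whitespace removed (nothing if the extension is absent).
# Arguments: $1 - path to a PEM certificate
# Outputs:   the EKU value lines on stdout
# Returns:   1 if openssl cannot read the certificate, 0 otherwise
#######################################
extract_extended_key_usage() {
  local cert_file=$1
  local cert_text
  cert_text=$(openssl x509 -noout -text -in "$cert_file") || return 1
  # Values are indented deeper than their header, so stop at the first line
  # that is not (the next extension header, or a blank line). Stopping only
  # at a blank line, as before, runs to the end of the dump when it has none
  # and returns far more than the EKU values. Portable POSIX awk, no \s.
  printf '%s\n' "$cert_text" | awk '
    /Extended Key Usage:/ && !flag {
      match($0, /^[[:space:]]*/); indent = RLENGTH; flag = 1; next
    }
    flag {
      match($0, /^[[:space:]]*/)
      if (RLENGTH <= indent) exit
      sub(/^[[:space:]]+/, "")
      print
    }'
}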
# Function to validate certificate
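#######################################
# Validate a server PEM bundle against a CA: presence of private key and
# certificate markers, chain verification, SAN match against this host's
# name, remaining lifetime, and Extended Key Usage. Each check logs its
# result; the first failing check exits the script with status 1.
# Globals:   GREEN, NC (read, for the final message)
# Arguments: $1 - CA certificate (PEM)
#            $2 - server bundle (PEM) containing private key and certificate
#            $3 - minimum remaining validity in whole days (integer >= 0)
# Outputs:   verification lines on stdout
# Returns:   0 when every check passes; exits 1 otherwise
#######################################
validate_certificate() {
  local ca_crt=$1
  local server_crt=$2
  local min_validity_days=$3

  # Reject a non-numeric threshold before it reaches the day comparison.
  if [[ ! "$min_validity_days" =~ ^[0-9]+$ ]]; then
    log_verification_result "Argument min_validity_days($min_validity_days)" "Failed: must be a non-negative integer"
    exit 1
  fi

  # Verify certificate content: both PEM markers of the key (the original
  # tested the same pattern twice) and both markers of the certificate.
  if grep -q 'BEGIN.*PRIVATE KEY' "$server_crt" && grep -q 'END.*PRIVATE KEY' "$server_crt"; then
    log_verification_result "$server_crt RSA PRIVATE KEY" "Passed"
  else
    log_verification_result "$server_crt RSA PRIVATE KEY" "Failed: don't have private key"
    exit 1
  fi
  if grep -q 'BEGIN CERTIFICATE' "$server_crt" && grep -q 'END CERTIFICATE' "$server_crt"; then
    log_verification_result "$server_crt CERTIFICATE" "Passed"
  else
    log_verification_result "$server_crt CERTIFICATE" "Failed: don't have certificate"
    exit 1
  fi

  # Verify certificate chain (openssl verify does not check the host name;
  # that is done separately below).
  local verify_result
  if ! verify_result=$(openssl verify -CAfile "$ca_crt" "$server_crt" 2>&1); then
    log_verification_result "Certificate chain(openssl verify -CAfile $ca_crt $server_crt)" "Failed: $verify_result"
    exit 1
  fi
  log_verification_result "Certificate chain(openssl verify -CAfile $ca_crt $server_crt)" "Passed"

  # Verify server name against the SAN list.
  local server_name san_domains
  # NOTE(review): hostname may return the short name while SANs are usually
  # FQDNs — confirm whether `hostname -f` is wanted here.
  server_name=$(hostname)
  san_domains=$(extract_san "$server_crt")
  # Split with read instead of an unquoted expansion so a wildcard entry such
  # as *.example.com is never glob-expanded against files in the cwd.
  local -a san_list
  read -r -a san_list <<<"$san_domains"
  local match_found=false san_domain san_lc wildcard_domain host_label
  local server_lc=${server_name,,}   # DNS names compare case-insensitively
  for san_domain in "${san_list[@]}"; do
    san_lc=${san_domain,,}
    if [[ "$san_lc" == \*.* ]]; then
      # Wildcard entry: the host name must be exactly one label in front of
      # the wildcard's parent domain, so neither evilexample.com nor
      # a.b.example.com matches *.example.com (a plain suffix test did).
      wildcard_domain=${san_lc#\*.}
      host_label=${server_lc%".$wildcard_domain"}
      if [[ "$host_label" != "$server_lc" && -n "$host_label" && "$host_label" != *.* ]]; then
        match_found=true
        break
      fi
    elif [[ "$san_lc" == "$server_lc" ]]; then
      match_found=true
      break
    fi
  done
  if [[ "$match_found" == false ]]; then
    log_verification_result "Certificate name(Certificate SAN: $san_domains, Server Domain: $server_name)" "Failed: Certificate name doesn't match server name"
    exit 1
  fi
  log_verification_result "Certificate name(Certificate SAN: $san_domains, Server Domain: $server_name)" "Passed"

  # Verify certificate validity period.
  local cert_not_after cert_not_after_timestamp current_timestamp validity_days
  if ! cert_not_after=$(openssl x509 -noout -enddate -in "$server_crt" 2>&1); then
    log_verification_result "Certificate period validity(openssl x509 -enddate $server_crt)" "Failed: $cert_not_after"
    exit 1
  fi
  cert_not_after=${cert_not_after#notAfter=}
  # date -d is GNU date, as in the original; fail loudly rather than let an
  # unparsable date silently become "now".
  if ! cert_not_after_timestamp=$(date -d "$cert_not_after" +%s); then
    log_verification_result "Certificate period validity(notAfter:$cert_not_after)" "Failed: cannot parse expiry date"
    exit 1
  fi
  current_timestamp=$(date +%s)
  validity_days=$(( (cert_not_after_timestamp - current_timestamp) / 86400 )) # whole days left
  # Strict "less than": exactly min days remaining still satisfies
  # "valid for at least min days" (the former -le rejected it).
  if (( validity_days < min_validity_days )); then
    log_verification_result "Certificate period validity(pem:$validity_days,req:$min_validity_days)" "Failed: Certificate not valid for at least $min_validity_days days"
    exit 1
  fi
  log_verification_result "Certificate period validity(pem:$validity_days,req:$min_validity_days)" "Passed"

  # Verify Extended Key Usage: this check requires both server and client
  # authentication to be present.
  local extended_key_usage
  extended_key_usage=$(extract_extended_key_usage "$server_crt")
  if [[ "$extended_key_usage" != *"TLS Web Server Authentication"* || "$extended_key_usage" != *"TLS Web Client Authentication"* ]]; then
    log_verification_result "Extended Key Usage" "Failed: Certificate lacks required Extended Key Usage"
    exit 1
  fi
  log_verification_result "Extended Key Usage" "Passed"

  printf '\n%bCertificate validation passed.%b\n\n' "$GREEN" "$NC"
}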
# Check if required arguments are provided
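#######################################
# Entry point: require exactly three arguments, then run the checks.
# Arguments: $1 - CA certificate; $2 - server bundle; $3 - minimum validity
#            in days (all passed through to validate_certificate)
# Outputs:   usage text on stderr when the argument count is wrong
# Returns:   exits 1 on bad usage; otherwise validate_certificate's status
#######################################
main() {
  if [[ $# -ne 3 ]]; then
    # Usage is a diagnostic: stderr, so it never mixes with the report.
    printf 'Usage: %s <ca.crt> <server.pem> <min_validity_days>\n' "$0" >&2
    exit 1
  fi
  validate_certificate "$1" "$2" "$3"
}
main "$@"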