GitList

Browse code

Introduce x509_prop_ext.

Xavier G authored on17/03/2021 19:28:26
Showing1 changed files

check-tls-x509-fullchains/check-fullchain.sh index 1d19715..3f70bd2 100755

check-tls-x509-fullchains/check-fullchain.sh

History View file @18b9e54

@@ -47,6 +47,12 @@ function x509_prop {
                      	openssl x509 -in "${cert_file}" -noout "$@"
+                     }
                     +function x509_prop_ext {
                     +	local cert_file="${1}"; shift
                     +	local extension="${1}"; shift
                     +	x509_prop "${cert_file}" -ext "${extension}"
                     +}
+                    +
                      function x509_prop_val {
                      	x509_prop "$@" | perl -ple 's/^[^=]+=//'
+                     }
@@ -60,9 +66,9 @@ function pem_show_properties {
                      	echo 'Properties:'
+                     	{
                     -		x509_prop "${pem}" -ext subjectKeyIdentifier
                     +		x509_prop_ext "${pem}" subjectKeyIdentifier
                      		x509_prop "${pem}" -serial -subject
                     -		x509_prop "${pem}" -ext subjectAltName
                     +		x509_prop_ext "${pem}" subjectAltName
                      		x509_prop "${pem}" -dates -fingerprint
                      	} | indent
+                     }
@@ -84,7 +90,7 @@ function pem_check_chain {
                      		fi
                      		local serial prev_auth_serial
                     -		prev_auth_serial=$(x509_prop "${prev_pem}" -ext authorityKeyIdentifier | grep 'serial:' | extract_identifier)
                     +		prev_auth_serial=$(x509_prop_ext "${prev_pem}" authorityKeyIdentifier | grep 'serial:' | extract_identifier)
                      		if [ -n "${prev_auth_serial}" ]; then
                      			serial=$(x509_prop_val "${pem}" -serial)
                      			if [ "${prev_auth_serial//:/}" == "${serial}" ]; then
@@ -95,8 +101,8 @@ function pem_check_chain {
                      		fi
                      		local subj_key_id prev_auth_key_id
                     -		subj_key_id=$(x509_prop "${pem}" -ext subjectKeyIdentifier | extract_identifier)
                     -		prev_auth_key_id=$(x509_prop "${prev_pem}" -ext authorityKeyIdentifier | grep 'keyid:' | extract_identifier)
                     +		subj_key_id=$(x509_prop_ext "${pem}" subjectKeyIdentifier | extract_identifier)
                     +		prev_auth_key_id=$(x509_prop_ext "${prev_pem}" authorityKeyIdentifier | grep 'keyid:' | extract_identifier)
                      		if [ "${prev_auth_key_id}" == "${subj_key_id}" ]; then
                      			echo "[ok] This certificate's subject key identifier matches the previous certificate's authority key identifier."
                      		else
@@ -120,7 +126,7 @@ function pem_show_issuer {
                      	echo 'Issuer:'
+                     	{
                      		x509_prop "${pem}" -issuer
                     -		x509_prop "${pem}" -ext authorityKeyIdentifier
                     +		x509_prop_ext "${pem}" authorityKeyIdentifier
                      	} | indent
+                     }