new file mode 100755

@@ -0,0 +1,194 @@

+#!/usr/bin/env bash

+

+# Check the X.509 fullchain of a remote TLS server. Requires openssl.

+#

+# (c) 2021 - Xavier G.

+# This program is free software. It comes without any warranty, to

+# the extent permitted by applicable law. You can redistribute it

+# and/or modify it under the terms of the Do What The Fuck You Want

+# To Public License, Version 2, as published by Sam Hocevar. See

+# http://www.wtfpl.net/ for more details.

+

+

+function make_tmpdir {

+	tmp_dir=$(mktemp --directory --suffix .check-fullchain)

+	[ -z "${tmp_dir}" ] && _exit 99 "Cannot create temporary directory."

+	cd "${tmp_dir}" || _exit 98 "Cannot enter temporary directory ${tmp_dir}."

+}

+

+function cleanup {

+	[ -d "${tmp_dir}" ] || return

+	rm -f "${tmp_dir}"/*.pem "${tmp_dir}/verify_out"

+	rmdir "${tmp_dir}"

+}

+

+function _exit {

+	rc="${1}"; shift

+	[ "${rc}" -ne 0 ] && echo "$@";

+	exit "${rc}"

+}

+

+function extract_pem {

+	perl -nle '

+		open($fh, q[>], sprintf(q[%d.pem], $i++)) if (m#^-+BEGIN CERTIFICATE-+$#);

+		print $fh $_ if $fh;

+		close($fh) if m#^-+END CERTIFICATE-+$#;

+		# Require at least one cert to exit(0):

+		END { exit(!$i); }

+	'

+}

+

+function extract_identifier {

+	perl -nle 'print $1 if m#((?:[0-9A-F]{2}:)+[0-9A-F]{2})#'

+}

+

+function x509_prop {

+	local cert_file="${1}"; shift

+	openssl x509 -in "${cert_file}" -noout "$@"

+}

+

+function x509_prop_val {

+	x509_prop "$@" | perl -ple 's/^[^=]+=//'

+}

+

+function indent {

+	sed 's/^/\t/' "$@"

+}

+

+function pem_show_properties {

+	local pem="${1}"

+

+	echo 'Properties:'

+	{

+		x509_prop "${pem}" -ext subjectKeyIdentifier -serial

+		x509_prop "${pem}" -subject -ext subjectAltName -dates -fingerprint

+	} | indent

+}

+

+function pem_check_chain {

+	local pem="${1}"

+	local prev_pem="${2}"

+

+	echo ''

+	echo 'Chain check:'

+	{

+		local subject prev_issuer

+		subject=$(x509_prop_val "${pem}" -subject)

+		prev_issuer=$(x509_prop_val "${prev_pem}" -issuer)

+		if [ "${prev_issuer}" == "${subject}" ]; then

+			echo "[ok] This certificate's subject matches the previous certificate's issuer."

+		else

+			echo "[!!] This certificate's subject does NOT match the previous certificate's issuer."

+		fi

+

+		local serial prev_auth_serial

+		prev_auth_serial=$(x509_prop "${prev_pem}" -ext authorityKeyIdentifier | grep 'serial:' | extract_identifier)

+		if [ -n "${prev_auth_serial}" ]; then

+			serial=$(x509_prop_val "${pem}" -serial)

+			if [ "${prev_auth_serial//:/}" == "${serial}" ]; then

+				echo "[ok] This certificate's serial matches the previous certificate's authority serial."

+			else

+				echo "[!!] This certificate's serial does NOT match the previous certificate's authority serial."

+			fi

+		fi

+

+		local subj_key_id prev_auth_key_id

+		subj_key_id=$(x509_prop "${pem}" -ext subjectKeyIdentifier | extract_identifier)

+		prev_auth_key_id=$(x509_prop "${prev_pem}" -ext authorityKeyIdentifier | grep 'keyid:' | extract_identifier)

+		if [ "${prev_auth_key_id}" == "${subj_key_id}" ]; then

+			echo "[ok] This certificate's subject key identifier matches the previous certificate's authority key identifier."

+		else

+			echo "[!!] This certificate's subject key identifier does NOT match the previous certificate's authority key identifier."

+		fi

+

+		local verify_cmd=(openssl verify -partial_chain -trusted "${pem}" "${prev_pem}")

+		if "${verify_cmd[@]}" > verify_out 2>&1; then

+			echo "[ok] ${verify_cmd[*]} succeeded"

+		else

+			echo "[!!] ${verify_cmd[*]} failed with exit code $?"

+			indent verify_out

+		fi

+	} | indent

+}

+

+function pem_show_issuer {

+	local pem="${1}"

+

+	echo ''

+	echo 'Issuer:'

+	{

+		x509_prop "${pem}" -issuer

+		x509_prop "${pem}" -ext authorityKeyIdentifier

+	} | indent

+}

+

+function analyse_pem {

+	local pem="${1}"

+	local prev_pem="${2}"

+

+	pem_show_properties "${pem}"

+	[ -n "${prev_pem}" ] && pem_check_chain "${pem}" "${prev_pem}"

+	pem_show_issuer "${pem}"

+}

+

+function pem_is_self_signed {

+	local pem="${1}"

+	local subject issuer

+	subject=$(x509_prop_val "${pem}" -subject)

+	issuer=$(x509_prop_val "${pem}" -issuer)

+	[ "${subject}" == "${issuer}" ]

+}

+

+function get_ca_path {

+	ca_path="${CA_PATH:-/etc/ssl/certs}"

+	[ -d "${ca_path}" ] || _exit 50 "${ca_path} is not a directory; please set CA_PATH."

+}

+

+function lookup_ca {

+	get_ca_path

+	local pem

+	local issuer="${1}"; shift

+	local issuer_hash="${1}"; shift

+	for pem in "${ca_path}/${issuer_hash}".*; do

+		[ "$(x509_prop_val "${pem}" -subject)" != "${issuer}" ] && continue

+		# Found it:

+		found_ca_path="${pem}"

+		return 0

+	done

+	return 1

+}

+

+function pem_lookup_ca {

+	local pem="${1}"

+	lookup_ca "$(x509_prop_val "${pem}" -issuer)" "$(x509_prop_val "${pem}" -issuer_hash)"

+}

+

+# Usual boilerplate:

+target="${1}"; shift

+[ -z "${target}" ] && _exit 100 "Usage: ${0} host:port [s_client args...]"

+[[ "${target}" =~ :[0-9]{1,5}$ ]] || target="${target}:${DEFAULT_PORT:-443}"

+trap cleanup EXIT

+make_tmpdir

+

+# Get X.509 certificates (as PEM files) from the provided network target:

+openssl s_client -connect "${target}" "$@" -showcerts 2> /dev/null < /dev/null | extract_pem || _exit 90

+

+# Iterate over those certificates:

+while read -r pem; do

+	echo "${pem/.pem/}:"

+	analyse_pem "${pem}" "${prev_pem}" | indent

+	prev_pem="${pem}"

+done < <(find . -type f -name '*.pem' -printf '%P\n' | sort -n)

+

+# Handle the lack of root CA certificate at the end of the delivered fullchain:

+if ! pem_is_self_signed "${prev_pem}"; then

+	# The last certificate is not self-signed, i.e. it is not the root CA certificate.

+	# Look up the root CA certificate within the local CA path:

+	if pem_lookup_ca "${prev_pem}"; then

+		# Found it -- now analyse it as if it had been provided by the remote server:

+		pem="${found_ca_path}"

+		echo "$(readlink -f "${pem}"):"

+		analyse_pem "${pem}" "${prev_pem}" | indent

+	fi

+fi

+_exit 0