kindwolf.org Git repositories xavierg-snippets / master check-tls-x509-fullchains / check-fullchain.sh
master

Tree @master (Download .tar.gz)

check-fullchain.sh @masterraw · history · blame 

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
#!/usr/bin/env bash

# Check the X.509 fullchain of a remote TLS server. Requires openssl.
#
# (c) 2021 - Xavier G.
# This program is free software. It comes without any warranty, to
# the extent permitted by applicable law. You can redistribute it
# and/or modify it under the terms of the Do What The Fuck You Want
# To Public License, Version 2, as published by Sam Hocevar. See
# http://www.wtfpl.net/ for more details.


function make_tmpdir {
	tmp_dir=$(mktemp --directory --suffix .check-fullchain)
	[ -z "${tmp_dir}" ] && _exit 99 "Cannot create temporary directory."
	cd "${tmp_dir}" || _exit 98 "Cannot enter temporary directory ${tmp_dir}."
}

function cleanup {
	[ -d "${tmp_dir}" ] || return
	rm -f "${tmp_dir}"/*.pem "${tmp_dir}/verify_out"
	rmdir "${tmp_dir}"
}

function _exit {
	rc="${1}"; shift
	[ "${rc}" -ne 0 ] && echo "$@";
	exit "${rc}"
}

function extract_pem {
	perl -nle '
		open($fh, q[>], sprintf(q[%d.pem], $i++)) if (m#^-+BEGIN CERTIFICATE-+$#);
		print $fh $_ if $fh;
		close($fh) if m#^-+END CERTIFICATE-+$#;
		# Require at least one cert to exit(0):
		END { exit(!$i); }
	'
}

function extract_identifier {
	perl -nle 'print $1 if m#((?:[0-9A-F]{2}:)+[0-9A-F]{2})#'
}

function x509_prop {
	local cert_file="${1}"; shift
	openssl x509 -in "${cert_file}" -noout "$@"
}

function x509_prop_ext {
	# Does openssl support the -ext option?
	if [ -z "${openssl_ext_support}" ]; then
		openssl_ext_support='yes'
		openssl x509 -in /dev/null -ext test 2>&1 | grep -qx 'unknown option -ext' && openssl_ext_support='no'
	fi

	local cert_file="${1}"; shift
	local extension="${1}"; shift

	if [ "${openssl_ext_support}" == 'yes' ]; then
		x509_prop "${cert_file}" -ext "${extension}"
	else
		# Simulate -ext by parsing the output of -text:
		[ "${extension}" == 'authorityKeyIdentifier' ] && title='Authority Key Identifier'
		[ "${extension}" == 'subjectAltName' ] && title='Subject Alternative Name'
		[ "${extension}" == 'subjectKeyIdentifier' ] && title='Subject Key Identifier'
		x509_prop "${cert_file}" -text | extract_extension "${title}"
		[ "${extension}" == 'authorityKeyIdentifier' ] && echo
	fi
}

function extract_extension {
	title="${1}" perl -nle '
		$p = ($1 eq $ENV{q[title]}) ? 100000 : 0 if m#^ {12}X509v3 ([^:]+)#;
		-- $p if m#^ {12}#;
		s#^ {12}## && print if $p > 0'
}

function x509_prop_val {
	x509_prop "$@" | perl -ple 's/^[^=]+=//'
}

function indent {
	sed 's/^/\t/' "$@"
}

function pem_show_properties {
	local pem="${1}"

	echo 'Properties:'
	{
		x509_prop_ext "${pem}" subjectKeyIdentifier
		x509_prop "${pem}" -serial -subject
		x509_prop_ext "${pem}" subjectAltName
		x509_prop "${pem}" -dates -fingerprint
	} | indent
}

function pem_check_chain {
	local pem="${1}"
	local prev_pem="${2}"

	echo ''
	echo 'Chain check:'
	{
		local subject prev_issuer
		subject=$(x509_prop_val "${pem}" -subject)
		prev_issuer=$(x509_prop_val "${prev_pem}" -issuer)
		if [ "${prev_issuer}" == "${subject}" ]; then
			echo "[ok] This certificate's subject matches the previous certificate's issuer."
		else
			echo "[!!] This certificate's subject does NOT match the previous certificate's issuer."
		fi

		local serial prev_auth_serial
		prev_auth_serial=$(x509_prop_ext "${prev_pem}" authorityKeyIdentifier | grep 'serial:' | extract_identifier)
		if [ -n "${prev_auth_serial}" ]; then
			serial=$(x509_prop_val "${pem}" -serial)
			if [ "${prev_auth_serial//:/}" == "${serial}" ]; then
				echo "[ok] This certificate's serial matches the previous certificate's authority serial."
			else
				echo "[!!] This certificate's serial does NOT match the previous certificate's authority serial."
			fi
		fi

		local subj_key_id prev_auth_key_id
		subj_key_id=$(x509_prop_ext "${pem}" subjectKeyIdentifier | extract_identifier)
		prev_auth_key_id=$(x509_prop_ext "${prev_pem}" authorityKeyIdentifier | grep 'keyid:' | extract_identifier)
		if [ "${prev_auth_key_id}" == "${subj_key_id}" ]; then
			echo "[ok] This certificate's subject key identifier matches the previous certificate's authority key identifier."
		else
			echo "[!!] This certificate's subject key identifier does NOT match the previous certificate's authority key identifier."
		fi

		# Use -CAfile instead of -trusted to ensure openssl will trust ONLY the
		# current certificate; this is useful is the previous certificate
		# happens to be in openssl's system-wide CA store.
		local verify_cmd=(openssl verify -partial_chain -CAfile "${pem}" "${prev_pem}")
		if "${verify_cmd[@]}" > verify_out 2>&1; then
			echo "[ok] ${verify_cmd[*]} succeeded"
		else
			echo "[!!] ${verify_cmd[*]} failed with exit code $?"
			indent verify_out
		fi
	} | indent
}

function pem_show_issuer {
	local pem="${1}"

	echo ''
	echo 'Issuer:'
	{
		x509_prop "${pem}" -issuer
		x509_prop_ext "${pem}" authorityKeyIdentifier
	} | indent
}

function analyse_pem {
	local pem="${1}"
	local prev_pem="${2}"

	pem_show_properties "${pem}"
	[ -n "${prev_pem}" ] && pem_check_chain "${pem}" "${prev_pem}"
	pem_show_issuer "${pem}"
}

function pem_is_self_signed {
	local pem="${1}"
	local subject issuer
	subject=$(x509_prop_val "${pem}" -subject)
	issuer=$(x509_prop_val "${pem}" -issuer)
	[ "${subject}" == "${issuer}" ]
}

function get_ca_path {
	ca_path="${CA_PATH:-/etc/ssl/certs}"
	[ -d "${ca_path}" ] || _exit 50 "${ca_path} is not a directory; please set CA_PATH."
}

function lookup_ca {
	get_ca_path
	local pem
	local issuer="${1}"; shift
	local issuer_hash="${1}"; shift
	for pem in "${ca_path}/${issuer_hash}".*; do
		[ "$(x509_prop_val "${pem}" -subject)" != "${issuer}" ] && continue
		# Found it:
		found_ca_path="${pem}"
		return 0
	done
	return 1
}

function pem_lookup_ca {
	local pem="${1}"
	lookup_ca "$(x509_prop_val "${pem}" -issuer)" "$(x509_prop_val "${pem}" -issuer_hash)"
}

# Usual boilerplate:
target="${1}"; shift
[ -z "${target}" ] && _exit 100 "Usage: ${0} host:port [s_client args...]"
[[ "${target}" =~ :[0-9]{1,5}$ ]] || target="${target}:${DEFAULT_PORT:-443}"
trap cleanup EXIT
make_tmpdir

# Get X.509 certificates (as PEM files) from the provided network target:
openssl s_client -connect "${target}" "$@" -showcerts 2> /dev/null < /dev/null | extract_pem || _exit 90

# Iterate over those certificates:
while read -r pem; do
	echo "${pem/.pem/}:"
	analyse_pem "${pem}" "${prev_pem}" | indent
	prev_pem="${pem}"
done < <(find . -type f -name '*.pem' -printf '%P\n' | sort -n)

# Handle the lack of root CA certificate at the end of the delivered fullchain:
if ! pem_is_self_signed "${prev_pem}"; then
	# The last certificate is not self-signed, i.e. it is not the root CA certificate.
	# Look up the root CA certificate within the local CA path:
	if pem_lookup_ca "${prev_pem}"; then
		# Found it -- now analyse it as if it had been provided by the remote server:
		pem="${found_ca_path}"
		echo "$(readlink -f "${pem}"):"
		analyse_pem "${pem}" "${prev_pem}" | indent
	fi
fi
_exit 0