# HG changeset patch # User arnold # Date 1350309756 -7200 # Node ID 0aa961b42ea7e5f67b357acd9c8275d299d0b7d4 # Parent fe368de5cf81c6d4e859748ef635e25635daae34 [sid] diff -r fe368de5cf81 -r 0aa961b42ea7 check_cert.pl --- a/check_cert.pl Mon Oct 15 12:36:02 2012 +0200 +++ b/check_cert.pl Mon Oct 15 16:02:36 2012 +0200 @@ -33,6 +33,7 @@ $ENV{LC_ALL} = "C"; sub process_file(); +sub excluded_files(); sub print_help(); sub print_usage(); sub version($$); @@ -50,7 +51,8 @@ my $VERSION = "0.5"; my $hash_file = "/var/tmp/" . basename($0) . ".known.db"; my %known; -my %certs = (); +my %certs = (); +my @excludes = (); my $no_print = "no_header,no_version,no_serial,no_validity,no_subject,no_issuer,no_pubkey,no_sigdump,no_extensions"; my @cmd_x509 = ( @@ -71,7 +73,7 @@ "signature" => "md5WithRSAEncryption", "warning" => "1month", "critical" => "1week", - "excluded" => "", + "exclude" => "", "debug" => 0 ); @@ -103,6 +105,8 @@ %known = () if $opt{init}; my @directorys = split(/,/, join(',', $opt{directory})) if $opt{directory}; + + excluded_files(); find({ wanted => \&process_file }, @directorys); # calculate the time @@ -153,7 +157,7 @@ exit $ERRORS{"CRITICAL"}; } elsif (@warning) { - print "CERT WARNING: @warning\n"; + print "CERT WARNING: " . join("\n", @warning) . "\n"; exit $ERRORS{"WARNING"}; } else { @@ -166,6 +170,18 @@ exit; } +sub excluded_files() { + if ($opt{exclude}) { + open(EXCLUDES, "$opt{exclude}") || die "Can't open: $!"; + while () { + /^(#.*)?$/ and next; + chomp; + push @excludes, $_; + } + close(EXCLUDES); + } +} + sub process_file() { return if not -f; @@ -176,7 +192,6 @@ my ($rc, $temp, $signature, $subject, $enddate); # excluded files - my @excludes = split(/,/, join(',', $opt{exclude})) if $opt{exclude}; foreach my $exclude_file (@excludes) { if ($exclude_file eq $File::Find::name) { $known{$File::Find::name} = $id; @@ -304,6 +319,8 @@ =head1 SYNOPSIS +check_cert [B<-i>|B<--init>] + check_cert [B<-b>|B<--binary>] check_cert [B<-d>|B<--directory>] 
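Review bot: The new WARNING output joins the entries with newlines, so only the first warning now appears on the status line that Nagios-style monitors display as the summary; the remaining entries become long output, which is acceptable but worth stating in a comment, e.g. `# one warning per line: first line is the status line, the rest is long output`. If the CRITICAL branch just above this hunk (its `print` is outside the hunk, only its `exit` is visible) still interpolates `"@critical"` space-separated, the two branches now format differently and should be made consistent in the same way, `print "CERT CRITICAL: " . join("\n", @critical) . "\n";`.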
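Review bot: The new `excluded_files()` sub opens the path from the command line with two-argument `open(EXCLUDES, "$opt{exclude}")`, so an argument beginning with `>`, `|` or `+<` is interpreted as a mode or pipe instead of a file name; a three-argument `open` with an explicit `'<'` mode and a lexical handle removes that, and `autodie` or the existing `die` keeps the failure reporting. As rendered here the loop reads `while ()` with no readline target, presumably `<EXCLUDES>` lost in rendering; the rewrite below names the handle explicitly so the intent is unambiguous. Since the later `eq $File::Find::name` comparison in `process_file` is exact, lines with trailing whitespace or CRLF endings would never match; the note in the rewrite flags that, and stripping `\s+$` after `chomp` would be a small follow-up. The `sub excluded_files();` forward declaration with the empty prototype is kept as the file already does for the other subs.
```perl
sub excluded_files() {
    return unless $opt{exclude};
    # Three-arg open with a fixed mode: the path comes from the command line and
    # must never be able to select a mode or a pipe.
    open(my $exclude_fh, '<', $opt{exclude}) or die "Can't open $opt{exclude}: $!";
    while (my $line = <$exclude_fh>) {
        chomp $line;
        # Skip blank lines and '#' comments; trailing whitespace is kept as-is
        # and would defeat the exact match in process_file.
        next if $line =~ /^(#.*)?$/;
        push @excludes, $line;
    }
    close($exclude_fh) or die "Can't close $opt{exclude}: $!";
}
```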
@@ -328,6 +345,10 @@ =over +=item B<-i>|B<--init> + +Initiate file-data hash. + =item B<-b>|B<--binary> Path to openssl binary (default: /usr/bin/openssl). @@ -350,7 +371,7 @@ =item B<-e>|B<--exclude> -Absolute path of excluded files, use comma-separated lists for multiple files. +Absolute path of file to read excluded files. =item B<-D>|B<--debug> diff -r fe368de5cf81 -r 0aa961b42ea7 exclude.example --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/exclude.example Mon Oct 15 16:02:36 2012 +0200 @@ -0,0 +1,31 @@ +/etc/ssl/certs/06d75f4b.0 +/etc/ssl/certs/10d149a2.0 +/etc/ssl/certs/128b9c8d.0 +/etc/ssl/certs/256fd83b.0 +/etc/ssl/certs/31044350.0 +/etc/ssl/certs/408e388a.0 +/etc/ssl/certs/4643210f.0 +/etc/ssl/certs/54edfa5d.0 +/etc/ssl/certs/819a45f6.0 +/etc/ssl/certs/95750816.0 +/etc/ssl/certs/97b4211c.0 +/etc/ssl/certs/ABAecom_=sub.__Am._Bankers_Assn.=_Root_CA.pem +/etc/ssl/certs/b8609e8a.0 +/etc/ssl/certs/beTRUSTed_Root_CA.pem +/etc/ssl/certs/brasil.gov.br.pem +/etc/ssl/certs/c9bc75ba.0 +/etc/ssl/certs/Digital_Signature_Trust_Co._Global_CA_2.pem +/etc/ssl/certs/Digital_Signature_Trust_Co._Global_CA_4.pem +/etc/ssl/certs/f64d9715.0 +/etc/ssl/certs/f73e89fd.0 +/etc/ssl/certs/GTE_CyberTrust_Root_CA.pem +/etc/ssl/certs/IPS_Servidores_root.pem +/etc/ssl/certs/signet_ca1_pem.pem +/etc/ssl/certs/signet_ca3_pem.pem +/etc/ssl/certs/signet_ocspklasa3_pem.pem +/etc/ssl/certs/signet_tsa1_pem.pem +/etc/ssl/certs/spi-ca-2003.pem +/etc/ssl/certs/TC_TrustCenter__Germany__Class_2_CA.pem +/etc/ssl/certs/TC_TrustCenter__Germany__Class_3_CA.pem +/etc/ssl/certs/Verisign_RSA_Secure_Server_CA.pem +/etc/ssl/certs/Verisign_Time_Stamping_Authority_CA.pem