# HG changeset patch
# User Matthias Förste <foerste@schlittermann.de>
# Date 1546861436 -3600
# Node ID af056e82c644820cb772ea1aacd19d4ec8ca38f2
# Parent  9501cc7d9177227ceb1b459e3b38aa9739ef0134
reverted inadvertent changes in default branch

diff -r 9501cc7d9177 -r af056e82c644 .hgignore
--- a/.hgignore	Fri Mar 27 11:03:05 2015 +0100
+++ b/.hgignore	Mon Jan 07 12:43:56 2019 +0100
@@ -4,7 +4,4 @@
 ^debian/files
 ^debian/nagios-plugin-cert[/.]
 ^config\.(sub|guess)$
-^Makefile|Build$
-^_build/
-^MANIFEST$
-^MYMETA\.(yml|json)$
+^Makefile$
diff -r 9501cc7d9177 -r af056e82c644 Build.PL
--- a/Build.PL	Fri Mar 27 11:03:05 2015 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,19 +0,0 @@
-#!/usr/bin/perl
-
-use strict;
-use warnings;
-
-use Module::Build;
-
-my $build = Module::Build->new
-(
-    dist_name => 'nagios-plugin-cert',
-    dist_author => 'Matthias Förste',
-    dist_version_from => 'lib/nagios/plugins/ius/check_cert',
-    requires => {
-        'Nagios::Plugin' => 0,
-        'Crypt::OpenSSL::PKCS12' => 0,
-        'Crypt::OpenSSL::X509' => 0
-    },
-);
-$build->create_build_script;
diff -r 9501cc7d9177 -r af056e82c644 MANIFEST.SKIP
--- a/MANIFEST.SKIP	Fri Mar 27 11:03:05 2015 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,76 +0,0 @@
-
-#!start included /usr/share/perl/5.14/ExtUtils/MANIFEST.SKIP
-# Avoid version control files.
-\bRCS\b
-\bCVS\b
-\bSCCS\b
-,v$
-\B\.svn\b
-\B\.git\b
-\B\.gitignore\b
-\b_darcs\b
-\B\.cvsignore$
-
-# Avoid VMS specific MakeMaker generated files
-\bDescrip.MMS$
-\bDESCRIP.MMS$
-\bdescrip.mms$
-
-# Avoid Makemaker generated and utility files.
-\bMANIFEST\.bak
-\bMakefile$
-\bblib/
-\bMakeMaker-\d
-\bpm_to_blib\.ts$
-\bpm_to_blib$
-\bblibdirs\.ts$         # 6.18 through 6.25 generated this
-
-# Avoid Module::Build generated and utility files.
-\bBuild$
-\b_build/
-\bBuild.bat$
-\bBuild.COM$
-\bBUILD.COM$
-\bbuild.com$
-
-# Avoid temp and backup files.
-~$
-\.old$
-\#$
-\b\.#
-\.bak$
-\.tmp$
-\.#
-\.rej$
-
-# Avoid OS-specific files/dirs
-# Mac OSX metadata
-\B\.DS_Store
-# Mac OSX SMB mount metadata files
-\B\._
-
-# Avoid Devel::Cover and Devel::CoverX::Covered files.
-\bcover_db\b
-\bcovered\b
-
-# Avoid MYMETA files
-^MYMETA\.
-#!end included /usr/share/perl/5.14/ExtUtils/MANIFEST.SKIP
-
-# Avoid configuration metadata file
-^MYMETA\.
-
-# Avoid Module::Build generated and utility files.
-\bBuild$
-\bBuild.bat$
-\b_build
-\bBuild.COM$
-\bBUILD.COM$
-\bbuild.com$
-^MANIFEST\.SKIP
-
-# Avoid archives of this distribution
-\bnagios-plugin-cert-[\d\.\_]+
-
-# Avoid mercurial version control files
-^.hg(/|(ignore|tags)$)
diff -r 9501cc7d9177 -r af056e82c644 Makefile.in
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/Makefile.in	Mon Jan 07 12:43:56 2019 +0100
@@ -0,0 +1,26 @@
+SCRIPTS = check_cert
+CLEANFILES = ${SCRIPTS}
+DESTDIR =
+prefix = !prefix!
+
+plugindir = ${prefix}/lib/nagios/plugins/ius
+
+.PHONY:	all clean install
+
+all:	${SCRIPTS}
+
+clean:
+	-rm -f ${CLEANFILES}
+
+install:	all
+	install -d -m 0755 ${DESTDIR}/${plugindir}
+	install -m 0755 $(SCRIPTS) ${DESTDIR}/${plugindir}/
+
+%:	%.pl
+	@perl -c $<
+	@cp -f $< $@
+	@chmod +x $@
+
+%:	%.sh
+	@cp -f $< $@
+	@chmod +x $@
diff -r 9501cc7d9177 -r af056e82c644 check_cert.pl
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/check_cert.pl	Mon Jan 07 12:43:56 2019 +0100
@@ -0,0 +1,243 @@
+#!/usr/bin/perl -w
+
+use strict;
+use warnings;
+use File::Basename;
+use Getopt::Long;
+use Date::Manip;
+use IPC::Open2;
+use lib "/usr/lib/nagios/plugins";
+use utils qw (%ERRORS &print_revision &support);
+
+sub print_help();
+sub print_usage();
+
+my $ME = basename $0;
+my ( $opt_w, $opt_c, $opt_V, $opt_h, $opt_b, $opt_s, @opt_certfiles );
+my ( $w_time, $c_time, $result, $message, %certs );
+my ( @critical, @warning, @ok );
+
+$opt_w = "1month";
+$opt_c = "1week";
+$opt_b = "/usr/bin/openssl";
+$opt_s = "md5WithRSAEncryption";
+
+Getopt::Long::Configure('bundling');
+GetOptions(
+    "V"           => \$opt_V,
+    "version"     => \$opt_V,
+    "h"           => \$opt_h,
+    "help"        => \$opt_h,
+    "b=s"         => \$opt_b,
+    "binary"      => \$opt_b,
+    "w=s"         => \$opt_w,
+    "warning=s"   => \$opt_w,
+    "c=s"         => \$opt_c,
+    "critical=s"  => \$opt_c,
+    "s=s"         => \$opt_s,
+    "signature=s" => \$opt_s,
+    "f=s"         => \@opt_certfiles,
+    "certfile=s"  => \@opt_certfiles
+);
+
+if ($opt_V) {
+    print_revision( $ME, "1.2" );
+    exit $ERRORS{"OK"};
+}
+
+if ($opt_h) {
+    print_help();
+    exit $ERRORS{"OK"};
+}
+
+# check openssl binary
+unless ( -x $opt_b ) {
+    print "CERT CRITICAL: OpenSSL not found or not executable - $opt_b\n";
+    exit $ERRORS{"CRITICAL"};
+}
+
+unless (@opt_certfiles) {
+    print "CERT WARNING: Not defined any certificate files\n";
+    exit $ERRORS{"WARNING"};
+}
+
+@opt_certfiles = split( /,/, join( ',', @opt_certfiles ) );
+
+# extract certificate data
+foreach my $file (@opt_certfiles) {
+    unless ( -r $file ) {
+        print
+"CERT CRITICAL: $file - not exists or not read permission is granted\n";
+        exit $ERRORS{"CRITICAL"};
+    }
+    my $no_print =
+"no_header,no_version,no_serial,no_validity,no_subject,no_issuer,no_pubkey,no_sigdump,no_extensions";
+    my @cmd_x509 = (
+        $opt_b,     "x509",     "-in",      $file,
+        "-noout",   "-text",    "-certopt", $no_print,
+        "-subject", "-enddate", "-purpose"
+    );
+    my @cmd_pkcs12 = (
+        $opt_b,     "pkcs12",  "-in",       $file,
+        "-clcerts", "-nokeys", "-nomacver", "-passin",
+        "pass:"
+    );
+    my @cmd_pipe = (
+        $opt_b,     "x509",    "-noout",   "-text",
+        "-certopt", $no_print, "-subject", "-enddate",
+        "-purpose"
+    );
+    my ( $temp, $sig, $cn, $enddate, $rc, $cert_type );
+    open( CERT, "-|" ) or do {
+        open( STDERR, ">&STDOUT" );
+        exec(@cmd_x509);
+    };
+
+    # check x509 certificates
+    while (<CERT>) {
+        /unable to load certificate/ and $rc = 1 and last;
+        /Signature\sAlgorithm:\s($opt_s)\s+$/ and $sig       = $1;
+        /^subject=\s.*CN=(.*)\s+$/            and $cn        = $1;
+        /^notAfter=(.*)\s+$/                  and $enddate   = $1;
+        /^(SSL\sclient)\s:\sYes$/             and $cert_type = $1;
+        /^(SSL\sserver)\s:\sYes$/             and $cert_type = $1;
+    }
+    close(CERT);
+
+    # check pkcs12 certificates
+    if ($rc) {
+        open( PKCS12, "@cmd_pkcs12 |" );
+
+        while (<PKCS12>) {
+            $temp .= $_;
+        }
+        close(PKCS12);
+
+        local ( *READ, *WRITE );
+        open2( \*READ, \*WRITE, @cmd_pipe ) or die "Can't fork: $!\n";
+        print WRITE $temp;
+        close(WRITE);
+
+        while (<READ>) {
+            /unable to load certificate/
+              and print "CERT CRITICAL: unable to load certificate\n"
+              and exit $ERRORS{"CRITICAL"};
+            /Signature\sAlgorithm:\s($opt_s)\s+$/ and $sig       = $1;
+            /^subject=\s.*CN=(.*)\s+$/            and $cn        = $1;
+            /^notAfter=(.*)\s+$/                  and $enddate   = $1;
+            /^(SSL\sclient)\s:\sYes$/             and $cert_type = $1;
+            /^(SSL\sserver)\s:\sYes$/             and $cert_type = $1;
+        }
+        close(READ);
+    }
+
+    # fill the hash
+    push( @{ $certs{$file} }, ( $cn, $enddate, $sig, $cert_type ) );
+}
+
+# calculate the time
+$w_time = DateCalc( "today", "+ $opt_w" );
+$c_time = DateCalc( "today", "+ $opt_c" );
+
+# check expire date
+foreach ( sort keys %certs ) {
+    my $enddate;
+    if ( @{ $certs{$_} }[1] =~ /(\w+\s+\d+\s+\d+:\d+:\d+\s+\d+)/ ) {
+        $enddate = $1;
+    }
+    $enddate = ParseDate($enddate);
+    unless ($enddate) {
+        print "CERT CRITICAL: Can't parse enddate\n";
+        exit $ERRORS{"CRITICAL"};
+    }
+
+    &Date_Cmp( $enddate, $w_time ) > 0 and push( @{ $certs{$_} }, "OK" ), next;
+    &Date_Cmp( $enddate, $c_time ) > 0
+      and push( @{ $certs{$_} }, "WARNING" ), next;
+    push( @{ $certs{$_} }, "CRITICAL" );
+}
+
+# looking for stats
+foreach ( sort keys %certs ) {
+    if ( @{ $certs{$_} }[2] ) {
+        if ( @{ $certs{$_} }[2] eq "$opt_s" ) {
+            push( @warning,
+"file: $_, CN=@{$certs{$_}}[0] Signature Algorithm: @{$certs{$_}}[2]"
+            );
+        }
+    }
+
+    if ( @{ $certs{$_} }[4] eq "WARNING" ) {
+        push( @warning,
+"file: $_, CN=@{$certs{$_}}[0] expires @{$certs{$_}}[1] type: @{$certs{$_}}[3]"
+        );
+    }
+    elsif ( @{ $certs{$_} }[4] eq "CRITICAL" ) {
+        push( @critical,
+"file: $_, CN=@{$certs{$_}}[0] expires @{$certs{$_}}[1] type: @{$certs{$_}}[3]"
+        );
+    }
+    else {
+        push( @ok,
+"file: $_, CN=@{$certs{$_}}[0] expires @{$certs{$_}}[1] type: @{$certs{$_}}[3]"
+        );
+    }
+}
+
+# return the state
+if (@critical) {
+    print "CERT CRITICAL: @critical\n";
+    exit $ERRORS{"CRITICAL"};
+}
+elsif (@warning) {
+    print "CERT WARNING: @warning\n";
+    exit $ERRORS{"WARNING"};
+}
+else {
+    print "CERT OK: @ok\n";
+    exit $ERRORS{"OK"};
+}
+
+sub print_usage() {
+    print "Usage:\n";
+    print
+"  $ME [-b <binary>] [-w <time>] [-c <time>] [-s <signature algorithm>] [-f <file,file,file,...>]\n";
+    print "  $ME [-h | --help]\n";
+    print "  $ME [-V | --version]\n";
+}
+
+sub print_help() {
+    print_revision( $ME, "1.2" );
+    print "Copyright (c) 2010 Christian Arnold\n\n";
+    print "This plugin checks the expire date for openssl certificates.\n\n";
+    print_usage();
+    print "\n";
+    print "  -b, --binary <binary>\n";
+    print "     Path of openssl binary (default: /usr/bin/openssl)\n";
+    print "  -w, --warning <time>\n";
+    print
+"     Certificat should not be more than this time older (default: 1month)\n";
+    print
+"     For time can be used year, month, day, hour, minute, second and weeks.\n";
+    print "  -c, --critical <time>\n";
+    print
+"     Certificat should not be more than this time older (default: 1week)\n";
+    print
+"     For time can be used year, month, day, hour, minute, second and weeks.\n";
+    print "  -s, --signature <signature algorithm>\n";
+    print
+"     Return WARNING status if <signature algorithm> is used (default: md5WithRSAEncryption).\n";
+    print "  -f, --certfile <file,file,file, ...>\n";
+    print
+"     Absolute path of x509 or pkcs12 openssl certificate files, use comma-separated lists for multiple files.\n";
+    print "  -h, --help\n";
+    print "     Print detailed help screen\n";
+    print "  -V, --version\n";
+    print "     Print version information\n";
+    print "\n";
+    support();
+}
+
+exit;
+
+# vim:sts=4 sw=4 aw ai sm:
diff -r 9501cc7d9177 -r af056e82c644 configure
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/configure	Mon Jan 07 12:43:56 2019 +0100
@@ -0,0 +1,16 @@
+#! /bin/sh
+
+prefix=/usr/local
+
+tmp=`getopt -n $0 -o p: -l prefix: -- "$@"`
+eval set -- $tmp
+
+while true; do
+	o="$1"; shift
+	case "$o" in
+		-p|--prefix)	prefix="$1"; shift;;
+		--) break;;
+	esac
+done
+
+perl -pe "s{!prefix!}{$prefix}g" < Makefile.in > Makefile
diff -r 9501cc7d9177 -r af056e82c644 debian/compat
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/debian/compat	Mon Jan 07 12:43:56 2019 +0100
@@ -0,0 +1,1 @@
+5
diff -r 9501cc7d9177 -r af056e82c644 debian/control
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/debian/control	Mon Jan 07 12:43:56 2019 +0100
@@ -0,0 +1,12 @@
+Source: nagios-plugin-cert
+Section: net
+Priority: extra
+Maintainer: Christian Arnold <arnold@schlittermann.de>
+Build-Depends: debhelper (>= 5), autotools-dev, libdate-manip-perl, nagios-plugins-common
+Standards-Version: 3.7.2
+
+Package: nagios-plugin-cert
+Architecture: all
+Depends: perl, libdate-manip-perl, openssl
+Description: nagios plugin to check openssl certificates
+ This plugin checks the expire date of x509 and pkcs12 certificates.
diff -r 9501cc7d9177 -r af056e82c644 debian/rules
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/debian/rules	Mon Jan 07 12:43:56 2019 +0100
@@ -0,0 +1,107 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+# Sample debian/rules that uses debhelper.
+# This file was originally written by Joey Hess and Craig Small.
+# As a special exception, when this file is copied by dh-make into a
+# dh-make output file, you may use that output file without restriction.
+# This special exception was added by Craig Small in version 0.37 of dh-make.
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+
+# These are used for cross-compiling and for saving the configure script
+# from having to guess our platform (since we know it already)
+DEB_HOST_GNU_TYPE   ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
+DEB_BUILD_GNU_TYPE  ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
+
+
+CFLAGS = -Wall -g
+
+ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
+	CFLAGS += -O0
+else
+	CFLAGS += -O2
+endif
+
+config.status: configure
+	dh_testdir
+	# Add here commands to configure the package.
+	./configure --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info CFLAGS="$(CFLAGS)" LDFLAGS="-Wl,-z,defs"
+
+
+build: build-stamp
+
+build-stamp:  config.status
+	dh_testdir
+
+	# Add here commands to compile the package.
+	$(MAKE)
+	#docbook-to-man debian/nagios-plugin-cert.sgml > nagios-plugin-cert.1
+
+	touch $@
+
+clean:
+	dh_testdir
+	dh_testroot
+	rm -f build-stamp 
+
+	# Add here commands to clean up after the build process.
+	-$(MAKE) distclean
+ifneq "$(wildcard /usr/share/misc/config.sub)" ""
+	cp -f /usr/share/misc/config.sub config.sub
+endif
+ifneq "$(wildcard /usr/share/misc/config.guess)" ""
+	cp -f /usr/share/misc/config.guess config.guess
+endif
+
+
+	dh_clean 
+
+install: build
+	dh_testdir
+	dh_testroot
+	dh_clean -k 
+	dh_installdirs
+
+	# Add here commands to install the package into debian/nagios-plugin-cert.
+	$(MAKE) prefix=$(CURDIR)/debian/nagios-plugin-cert/usr install
+
+
+# Build architecture-independent files here.
+binary-indep: build install
+# We have nothing to do by default.
+
+# Build architecture-dependent files here.
+binary-arch: build install
+	dh_testdir
+	dh_testroot
+	dh_installchangelogs 
+	dh_installdocs
+	dh_installexamples
+#	dh_install
+#	dh_installmenu
+#	dh_installdebconf	
+#	dh_installlogrotate
+#	dh_installemacsen
+#	dh_installpam
+#	dh_installmime
+#	dh_python
+#	dh_installinit
+#	dh_installcron
+#	dh_installinfo
+	dh_installman
+	dh_link
+	dh_strip
+	dh_compress
+	dh_fixperms
+#	dh_perl
+#	dh_makeshlibs
+	dh_installdeb
+	dh_shlibdeps
+	dh_gencontrol
+	dh_md5sums
+	dh_builddeb
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install 
diff -r 9501cc7d9177 -r af056e82c644 lib/nagios/plugins/ius/check_cert
--- a/lib/nagios/plugins/ius/check_cert	Fri Mar 27 11:03:05 2015 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,98 +0,0 @@
-#!/usr/bin/perl
-
-#    Copyright (C) 2015  Matthias Förste
-#
-#    This program is free software: you can redistribute it and/or modify
-#    it under the terms of the GNU General Public License as published by
-#    the Free Software Foundation, either version 3 of the License, or
-#    (at your option) any later version.
-#
-#    This program is distributed in the hope that it will be useful,
-#    but WITHOUT ANY WARRANTY; without even the implied warranty of
-#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#    GNU General Public License for more details.
-#
-#    You should have received a copy of the GNU General Public License
-#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-#
-#    Matthias Förste <foerste@schlittermann.de>
-
-=encoding utf8
-=cut
-
-use strict;
-use warnings;
-
-#use Getopt::Long;
-use Pod::Usage;
-
-use Nagios::Plugin;
-
-package Nagios::Plugin::IUS::Cert
-$VERSION = 2.0;
-
-my $np = Nagios::Plugin->new(  
-         usage => pod2usage ( -verbose => 0, -exitval => 0)
-     );
-
-GetOptions(
-    "h|help" => sub { pod2usage( -verbose => 0, -exitval => 0 ) },
-    "m|man"  => sub {
-        pod2usage(
-            -verbose   => 2,
-            -exitval   => 0,
-            -noperldoc => ( `perldoc -V 2>/dev/null`, $? != 0 )[-1]
-        );
-    },
-) or pod2usage();
-
-__END__
-
-=pod
-
-=head1 NAME
-
-check_cert - check ssl certificate expiry
-
-=head1 SYNOPSIS
-
-check_cert [options] [directories]
-
-check_cert -m|--man
-           -h|--help
-
-=head1 DESCRIPTION
-
-This script checks the expiry of openssl certificates.
-
-=head1 OPTIONS
-
-=over
-
-=item B<-b|--binary> I<path>
-
-Path to the openssl binary (default: /usr/bin/openssl)
-
-=item B<-w|--warning> I<time>
-
-Return status I<warning> if certificate expires in less than <time>.
-
-=item B<-w|--critical> I<time>
-
-Return status I<critical> if certificate expires in less than <time>.
-
-=back
-
-=head1 NOTES
-
-Time Ranges may be given as <number><suffix>, where <suffix> can be one of s, m, h or d for seconds, minutes, hours or days (default).
-
-=head1 FILES
-
-List or describe any files which may be used by 'check_cert' here.
-
-=head1 AUTHOR
-
-Matthias Förste <foerste@schlittermann.de>
-
-=cut