# HG changeset patch
# User arnold
# Date 1245161315 0
# Node ID b4dbae8f141c26d6e2d841cd639c1d8e215661d5
# Parent 8c08150c2371d9829abd0b422ee3c2f3b72ab0d6
Return CRITICAL stauts if is used.
diff -r 8c08150c2371 -r b4dbae8f141c check_cert.pl
--- a/check_cert.pl Thu Dec 04 13:35:41 2008 +0000
+++ b/check_cert.pl Tue Jun 16 14:08:35 2009 +0000
@@ -15,13 +15,14 @@
 sub print_usage();
 my $ME = basename $0;
-my ($opt_w, $opt_c, $opt_V, $opt_h, $opt_b, @opt_certfiles);
+my ($opt_w, $opt_c, $opt_V, $opt_h, $opt_b, $opt_s, @opt_certfiles);
 my ($w_time, $c_time, $result, $message, %certs);
 my (@critical, @warning);
 $opt_w = "1month";
 $opt_c = "1week";
 $opt_b = "/usr/bin/openssl";
+$opt_s = "md5WithRSAEncryption";
 Getopt::Long::Configure('bundling');
 GetOptions(
@@ -30,6 +31,7 @@
 "b=s" => \$opt_b, "binary" => \$opt_b,
 "w=s" => \$opt_w, "warning=s" => \$opt_w,
 "c=s" => \$opt_c, "critical=s" => \$opt_c,
+ "s=s" => \$opt_s, "signature=s" => \$opt_s,
 "f=s" => \@opt_certfiles, "certfile=s" => \@opt_certfiles);
 if ($opt_V) {
@@ -61,10 +63,11 @@
 print "CERT CRITICAL: $file - not exists or not read permission is granted\n";
 exit $ERRORS{"CRITICAL"};
 }
- my @cmd_x509 = ($opt_b, "x509", "-in", $file, "-noout", "-subject", "-enddate");
+ my $no_print = "no_header,no_version,no_serial,no_validity,no_subject,no_issuer,no_pubkey,no_sigdump,no_extensions";
+ my @cmd_x509 = ($opt_b, "x509", "-in", $file, "-noout", "-text", "-certopt", $no_print, "-subject", "-enddate");
 my @cmd_pkcs12 = ($opt_b, "pkcs12", "-in", $file, "-clcerts", "-nokeys", "-nomacver", "-passin", "pass:");
- my @cmd_pipe = ($opt_b, "x509", "-noout", "-subject", "-enddate");
- my ($temp, $cn, $enddate, $rc);
+ my @cmd_pipe = ($opt_b, "x509", "-noout", "-text", "-certopt", $no_print, "-subject", "-enddate");
+ my ($temp, $sig, $cn, $enddate, $rc);
 open(CERT, "-|") or do {
 open(STDERR, ">&STDOUT");
 exec(@cmd_x509);
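Review bot: The new default `$opt_s = "md5WithRSAEncryption"` is a single exact OpenSSL algorithm name, and nothing on this line says so, so an operator cannot tell whether differently-named weak algorithms (e.g. `md5WithRSA`, `md2WithRSAEncryption`) are also flagged — from the regex added later in the patch they are not. Add a comment beside the default such as `# exact signature-algorithm name as printed by "openssl x509 -text"; certificates signed with it are reported CRITICAL`. The `GetOptions(` call opened on the hunk's last line continues outside it.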
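Review bot: `"s=s" => \$opt_s, "signature=s" => \$opt_s` binds the option to one scalar, so a check that needs to flag more than one algorithm (MD5 today, SHA-1 tomorrow) must be run once per algorithm. Binding to an array (`"s=s" => \@opt_s, "signature=s" => \@opt_s`) and building the match from `join '|', map { quotemeta } @opt_s` would keep a single `-s` working while allowing `-s` to be repeated. The long name `--signature` also reads as if a pattern were accepted; the usage text (last hunk, cut off here) should state that the value is an exact algorithm name. The `GetOptions(` call begins before this hunk.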
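Review bot: The `$no_print` certopt list includes `no_sigdump` but not `no_signame`, and that is apparently what leaves exactly one `Signature Algorithm:` line in the `-text` output for the regex added in later hunks to match; the coupling is invisible from this line alone. A comment would protect it: `# trim -text output to the TBS "Signature Algorithm:" line; do not add no_signame or the later match breaks`. Note that `@cmd_pipe` and `@cmd_x509` now share `$no_print`, so the two branches cannot drift — worth saying in the same comment. The `open(CERT, "-|") or do {` block continues outside the hunk.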
@@ -73,6 +76,7 @@
 # check x509 certificates
 while() {
 /unable to load certificate/ and $rc = 1 and last;
+ /Signature\sAlgorithm:\s($opt_s)\s+$/ and $sig = $1;
 /^subject=\s.*CN=(.*)\s+$/ and $cn = $1;
 /^notAfter=(.*)\s+$/ and $enddate = $1;
 }
@@ -94,13 +98,14 @@
 while() {
 /unable to load certificate/ and print "CERT CRITICAL: unable to load certificate\n" and exit $ERRORS{"CRITICAL"};
+ /Signature\sAlgorithm:\s($opt_s)\s+$/ and $sig = $1;
 /^subject=\s.*CN=(.*)\s+$/ and $cn = $1;
 /^notAfter=(.*)\s+$/ and $enddate = $1;
 }
 close(READ);
 }
 # fill the hash
- push ( @{$certs{$file}}, ($cn, $enddate) );
+ push ( @{$certs{$file}}, ($cn, $enddate, $sig) );
 }
 # calculate the time
@@ -124,9 +129,15 @@
 # looking for stats
 foreach (sort keys %certs) {
- if (@{$certs{$_}}[2] eq "WARNING") {
+ if (@{$certs{$_}}[2]) {
+ if (@{$certs{$_}}[2] eq "$opt_s") {
+ push (@critical, "file: $_, CN=@{$certs{$_}}[0] Signature Algorithm: @{$certs{$_}}[2]");
+ }
+ }
+
+ if (@{$certs{$_}}[3] eq "WARNING") {
 push (@warning, "file: $_, CN=@{$certs{$_}}[0] expires @{$certs{$_}}[1]");
- } elsif (@{$certs{$_}}[2] eq "CRITICAL") {
+ } elsif (@{$certs{$_}}[3] eq "CRITICAL") {
 push (@critical, "file: $_, CN=@{$certs{$_}}[0] expires @{$certs{$_}}[1]");
 }
 }
@@ -145,7 +156,7 @@
 sub print_usage() {
 print "Usage:\n";
- print " $ME [-b ] [-w
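Review bot: `$opt_s` is interpolated into the regex unescaped on the added line, yet it is an operator-supplied value (`-s`), so anything with regex metacharacters — `-s 'md5.*'` to cover several names, or a stray `(` — either dies at match time or captures a `$1` that later fails the literal `eq "$opt_s"` test and silently yields no CRITICAL. Quote it: `/Signature\sAlgorithm:\s(\Q$opt_s\E)\s+$/ and $sig = $1;`. The identical line is added in the pkcs12 branch in the next hunk and needs the same change. The `while` loop is complete within this hunk, though its readline handle appears to have been lost in extraction of this page.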
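Review bot: `push ( @{$certs{$file}}, ($cn, $enddate, $sig) )` makes the per-file record positional: `$sig` now occupies index 2, and the WARNING/CRITICAL status presumably appended by the time calculation (outside this hunk) moves to index 3, which is why every `[2]` is renumbered to `[3]` in the following hunk. An undefined `$sig` still occupies its slot, so the layout holds today, but the next field added will shift everything again. A keyed record — `$certs{$file} = { cn => $cn, enddate => $enddate, sig => $sig };` with the status stored under its own key — removes that coupling. The `foreach` over certificate files that the hunk closes begins before it.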
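Review bot: The inner `if (@{$certs{$_}}[2] eq "$opt_s")` cannot be false once the outer test passes: index 2 only ever holds the `$1` captured by `($opt_s)` in the earlier hunks, so it equals `$opt_s` unless `$opt_s` carries regex metacharacters, and in that one case the certificate silently escapes CRITICAL instead of being reported. Collapse the two tests into one, `if (defined $certs{$_}->[2]) {`, and drop the inner `if`/`}` pair; the arrow form also reads better than the one-element slice `@{$certs{$_}}[2]` used throughout the hunk (`$certs{$_}->[0]`, `$certs{$_}->[3]`). The `foreach (sort keys %certs)` loop closes inside the hunk.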