--- a/check_cert.pl Thu Dec 04 13:35:41 2008 +0000
+++ b/check_cert.pl Tue Jun 16 14:08:35 2009 +0000
@@ -15,13 +15,14 @@
sub print_usage();
my $ME = basename $0;
-my ($opt_w, $opt_c, $opt_V, $opt_h, $opt_b, @opt_certfiles);
+my ($opt_w, $opt_c, $opt_V, $opt_h, $opt_b, $opt_s, @opt_certfiles);
my ($w_time, $c_time, $result, $message, %certs);
my (@critical, @warning);
$opt_w = "1month";
$opt_c = "1week";
$opt_b = "/usr/bin/openssl";
+$opt_s = "md5WithRSAEncryption";
Getopt::Long::Configure('bundling');
GetOptions(
@@ -30,6 +31,7 @@
"b=s" => \$opt_b, "binary" => \$opt_b,
"w=s" => \$opt_w, "warning=s" => \$opt_w,
"c=s" => \$opt_c, "critical=s" => \$opt_c,
+ "s=s" => \$opt_s, "signature=s" => \$opt_s,
"f=s" => \@opt_certfiles, "certfile=s" => \@opt_certfiles);
if ($opt_V) {
@@ -61,10 +63,11 @@
print "CERT CRITICAL: $file - not exists or not read permission is granted\n";
exit $ERRORS{"CRITICAL"};
}
- my @cmd_x509 = ($opt_b, "x509", "-in", $file, "-noout", "-subject", "-enddate");
+ my $no_print = "no_header,no_version,no_serial,no_validity,no_subject,no_issuer,no_pubkey,no_sigdump,no_extensions";
+ my @cmd_x509 = ($opt_b, "x509", "-in", $file, "-noout", "-text", "-certopt", $no_print, "-subject", "-enddate");
my @cmd_pkcs12 = ($opt_b, "pkcs12", "-in", $file, "-clcerts", "-nokeys", "-nomacver", "-passin", "pass:");
- my @cmd_pipe = ($opt_b, "x509", "-noout", "-subject", "-enddate");
- my ($temp, $cn, $enddate, $rc);
+ my @cmd_pipe = ($opt_b, "x509", "-noout", "-text", "-certopt", $no_print, "-subject", "-enddate");
+ my ($temp, $sig, $cn, $enddate, $rc);
open(CERT, "-|") or do {
open(STDERR, ">&STDOUT");
exec(@cmd_x509);
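Review bot: The `$no_print` list on the new `my $no_print = ...` line carries an invisible dependency: the `Signature Algorithm:` line that the read loops later match is only still emitted because `no_signame` is absent from the list, and nothing says so, so the next person trimming output will silently break the check. A comment above the declaration would pin it: `# keep no_signame OUT of this list: the "Signature Algorithm:" line is what the read loop parses`. The same string is also rebuilt on every iteration and duplicated between `@cmd_x509` and `@cmd_pipe`; hoisting it next to the other defaults (`$opt_b`, `$opt_s`) would keep the two command lines in step. The enclosing per-file loop starts and ends outside this hunk.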
@@ -73,6 +76,7 @@
# check x509 certificates
while(<CERT>) {
/unable to load certificate/ and $rc = 1 and last;
+ /Signature\sAlgorithm:\s($opt_s)\s+$/ and $sig = $1;
/^subject=\s.*CN=(.*)\s+$/ and $cn = $1;
/^notAfter=(.*)\s+$/ and $enddate = $1;
}
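Review bot: `$opt_s` is interpolated unescaped into the pattern on the added `/Signature\sAlgorithm:\s($opt_s)\s+$/` line, so an operator value containing regex metacharacters (a stray `(` or `+` in an algorithm name) either matches something else or aborts the script with a regex compile error in the middle of the loop; the same line is repeated in the pkcs12 branch of the next hunk. If the option is meant to be a literal algorithm name, quote it: `/Signature\sAlgorithm:\s(\Q$opt_s\E)\s+$/`, preferably compiled once before the file loop as `my $sig_re = qr/Signature\sAlgorithm:\s(\Q$opt_s\E)\s+$/;` and used in both branches. If it is meant to accept a pattern, the help text should say so and the `eq "$opt_s"` comparison in the stats loop has to go, because it cannot succeed for an alternation. The `while(<CERT>)` loop's enclosing block starts outside this hunk.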
@@ -94,13 +98,14 @@
while(<READ>) {
/unable to load certificate/ and print "CERT CRITICAL: unable to load certificate\n" and exit $ERRORS{"CRITICAL"};
+ /Signature\sAlgorithm:\s($opt_s)\s+$/ and $sig = $1;
/^subject=\s.*CN=(.*)\s+$/ and $cn = $1;
/^notAfter=(.*)\s+$/ and $enddate = $1;
}
close(READ);
}
# fill the hash
- push ( @{$certs{$file}}, ($cn, $enddate) );
+ push ( @{$certs{$file}}, ($cn, $enddate, $sig) );
}
# calculate the time
@@ -124,9 +129,15 @@
# looking for stats
foreach (sort keys %certs) {
- if (@{$certs{$_}}[2] eq "WARNING") {
+ if (@{$certs{$_}}[2]) {
+ if (@{$certs{$_}}[2] eq "$opt_s") {
+ push (@critical, "file: $_, CN=@{$certs{$_}}[0] Signature Algorithm: @{$certs{$_}}[2]");
+ }
+ }
+
+ if (@{$certs{$_}}[3] eq "WARNING") {
push (@warning, "file: $_, CN=@{$certs{$_}}[0] expires @{$certs{$_}}[1]");
- } elsif (@{$certs{$_}}[2] eq "CRITICAL") {
+ } elsif (@{$certs{$_}}[3] eq "CRITICAL") {
push (@critical, "file: $_, CN=@{$certs{$_}}[0] expires @{$certs{$_}}[1]");
}
}
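Review bot: The inner `if (@{$certs{$_}}[2] eq "$opt_s")` can never fail when `$sig` was captured by a literal match of `$opt_s`, so the nested test adds nothing; and if `$opt_s` is given as a regex alternation (which the unescaped interpolation in the read loops permits), the capture differs from `$opt_s`, the `eq` silently fails and the weak-signature CRITICAL is never raised. Collapse it to the outer test and drop the string quoting: `if ($certs{$_}[2]) { push @critical, "file: $_, CN=$certs{$_}[0] Signature Algorithm: $certs{$_}[2]"; }`. The `@{$certs{$_}}[N]` form is a one-element array slice where an element lookup is meant; `$certs{$_}[N]` is the idiomatic spelling and silences the related warning under `use warnings`. The comparison `@{$certs{$_}}[3] eq "WARNING"` will also warn on an undefined status element; if a status is not guaranteed to be pushed for every file, a `// ''` guard is needed there.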
@@ -145,7 +156,7 @@
sub print_usage() {
print "Usage:\n";
- print " $ME [-b <binary>] [-w <time>] [-c <time>] [-f <file,file,file,...>]\n";
+ print " $ME [-b <binary>] [-w <time>] [-c <time>] [-s <signature algorithm>] [-f <file,file,file,...>]\n";
print " $ME [-h | --help]\n";
print " $ME [-V | --version]\n";
}
@@ -164,6 +175,8 @@
print " -c, --critical <time>\n";
print " Certificat should not be more than this time older (default: 1week)\n";
print " For time can be used year, month, day, hour, minute, second and weeks.\n";
+ print " -s, --signature <signature algorithm>\n";
+ print " Return CRITICAL stauts if <signature algorithm> is used.\n";
print " -f, --certfile <file,file,file, ...>\n";
print " Absolute path of x509 or pkcs12 openssl certificate files, use comma-separated lists for multiple files.\n";
print " -h, --help\n";
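Review bot: The added help line has a typo in a user-facing string (`stauts`), and unlike the neighbouring `-c` entry it omits the default value the option carries. Suggest `print "   Return CRITICAL status if <signature algorithm> is used (default: md5WithRSAEncryption).\n";`. It would also help operators to state whether the value is compared as an exact algorithm name as printed by openssl or as a pattern, since the two behave differently in the matching code.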