Files
@ b996dd49a6c7
Branch filter:
Location: majic-scripts/x509/ldapcrl_checkserial.sh
b996dd49a6c7
8.6 KiB
text/x-sh
Noticket: Updated help for Factorio Manager, and bumped the script version to 0.2.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 | #!/bin/bash
#
# ldapcrl_checkserial.sh
#
# Copyright (C) 2013, PrimeKey Solutions AB
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
program="ldapcrl_checkserial.sh"
version="0.1"
function usage() {
cat <<EOF
$program $version, a semi-interactive utility for checking if a CRL in LDAP
contains a specific serial number.
Usage: $program [OPTIONS] issuer serial
$program is a semi-interactive utility for checking if a CRL in LDAP contains a
specific serial number. It is useful for verifying that new CRLs are being
published to the LDAP when revoking certificates. The utility is non-interactive
unless the user is required to provide credentials for the ldapsearch utility.
The script expects two positional arguments:
issuer
The issuer argument should be set to the issuer DN of the certification
authority that has issued the CRL. This parameter will be used for locating
the CRLs in the directory tree that have been issued by target CA.
serial
The serial argument should be set to the serial number of the certificate
that has been revoked. The certificate should have been issued by the
specified issuer. This serial number will be looked-up in the matching
CRLs.
The script works by traversing the LDAP tree, looking for all entries that have
a CRL attribute. By default the script is expecting the CRLs to be located in
the attribute 'certificateRevocationList' (this can be overridden). Each CRL
will be checked for presence of the specified serial number.
Once the script is finished traversing the LDAP tree, it will output a summary
about the number of processed CRLs, and an informative message about whether the
check has failed or not. The script will return a non-zero error code if the
check has failed.
The check is considred as failed if one of the following conditions are met:
- There was no CRL in the LDAP direcotry issued by the specified CA.
- At least one CRL in the LDAP direcotry that was issued by the specified CA
does not contain the specified serial number.
The check is considred as successful if and only if there was at least on CRL
issued by the specified CA in the LDAP directory, and all of the CRLs issued by
the specified CA in the LDAP directory contain the specified serial number.
The script relies on using the ldapsearch utility from OpenLDAP for traversing
the LDAP directory. Any configuration settings specified in the global or local
(user's) LDAP client configuration file will be applied during
search. Additional parameters can be passed to the ldapsearch utility as well by
using the -L flag.
$program accepts the following options:
-L ldapop Pass additional option to the ldapsearch utility used for
retrieving the CRL from the LDAP database. This option can be
specified multiple times.
-a attr LDAP attribute that should contain the CRL. Default is
'certificateRevocationList'.
-v show script version and licensing information
-h show usage help
Please report bugs and send feature requests to <branko.majic@primekey.se>.
EOF
}
function version() {
cat <<EOF
$program, version $version
+-----------------------------------------------------------------------+
| Copyright (C) 2013, PrimeKey Solutions AB |
| |
| This program is free software: you can redistribute it and/or modify |
| it under the terms of the GNU General Public License as published by |
| the Free Software Foundation, either version 3 of the License, or |
| (at your option) any later version. |
| |
| This program is distributed in the hope that it will be useful, |
| but WITHOUT ANY WARRANTY; without even the implied warranty of |
| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| GNU General Public License for more details. |
| |
| You should have received a copy of the GNU General Public License |
| along with this program. If not, see <http://www.gnu.org/licenses/>. |
+-----------------------------------------------------------------------+
EOF
}
# If no arguments were given, just show usage help.
if [[ -z $1 ]]; then
usage
exit 0
fi
# Set-up default parameters
ldapOptions=()
crlAttribute="certificateRevocationList"
# Parse the arguments
while getopts "L:a:vh" opt; do
case "$opt" in
L) ldapOptions+=("$OPTARG");;
a) crlAttribute="$OPTARG";;
v) version
exit 0;;
h) usage
exit 0;;
*) usage
exit 1;;
esac
done
i=$OPTIND
shift $(($i-1))
# Read the positional arguments.
issuer="$1"
serial="$2"
# Verify the arguments.
if [[ -z $issuer ]]; then
echo "Issuer was not specified." >&2
exit 3
fi
if [[ -z $serial ]]; then
echo "Serial number was not specified." >&2
exit 3
fi
if [[ ! $serial =~ ^[0123456789abcdefABCDEF]+$ ]]; then
echo "Invalid serial number specified: '$serial'" >&2
echo "Serial number may contain the following characters: 0123456789abcdefABCDEF" >&2
exit 3
fi
# Start assembling the ldapsearch command. Remove the cruft from output
# (comments etc), and also disable wrapping of long line.x
command=("ldapsearch" "-LLL" "-oldif-wrap=no")
# Pass the user-provided options.
command+=("${ldapOptions[@]}")
# Look only for entities that have the request CRL attribute, and return only
# that attribute.
command+=("(${crlAttribute}=*)")
command+=("${crlAttribute}")
# Perform the ldap search. Store the result. Bail-out if an error has happened.
if ! searchResult=$("${command[@]}"); then
echo "Failed to perform ldapsearch with the provided options." >&2
exit 10
fi
# Keep track of how many CRLs from the issuer have been processed, how many of
# those did contain (matched) the serial number, and how many of those did _not_
# contain the serial number (non-matches).
processed=0
matches=0
nonMatches=0
# Output a useful begin message.
echo "CRL Issuer: $issuer"
echo "Serial number: $serial"
echo
# Parse the LDAP search result.
while read line; do
# Have we encountered the DN attribute?
if [[ $line =~ ^dn: ]]; then
dn="${line#*: }"
# Have we encountered the CRL?
elif [[ $line =~ ^$crlAttribute ]]; then
crl="${line#*:: }"
# If we have reached a blank line, that means we can process our DN and CRL now.
elif [[ $line =~ ^$ && dn != "" && crl != "" ]]; then
# Get the CRL issuer from the list.
crlIssuer=$(echo $crl | base64 --decode | openssl crl -noout -inform DER -issuer | sed -e 's#^issuer=/##;s#/#,#g')
# If the CRL was issued by requested issuer, process it.
if [[ $crlIssuer == $issuer ]]; then
echo "Located CRL for issuer under DN '$dn'."
let processed++
# Check if the requested serial number is present in the CRL.
if echo "$crl" | base64 --decode| openssl crl -inform DER -noout -text | grep 'Serial Number' \
| sed -e 's/[[:blank:]]*Serial Number: //' | grep -q -i "^${serial}$"; then
echo "Serial number present."
let matches++
else
echo "Serial number not present."
let nonMatches++
fi
fi
# Reset the parameters used for parsing.
unset dn crl
fi
done < <(echo -e "${searchResult}\n")
echo
echo "Total number of CRLs with designated issuer in LDAP: $processed"
echo "Number of CRLs that did contain the serial number: $matches"
echo "Number of CRLs that did not contain the serial number: $nonMatches"
echo
if [[ $processed == 0 ]]; then
echo "No CRL was found in LDAP directory with the specified issuer DN."
exit 11
elif [[ $matches != $processed ]]; then
echo "Not all CRLs have passed the test."
exit 12
else
echo "All CRLs have passed the test."
exit 0
fi
|