#!/bin/bash
#
# ldapcrl_checkserial.sh
#
# Copyright (C) 2013, PrimeKey Solutions AB
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

program="ldapcrl_checkserial.sh"
version="0.1"

function usage() {
    cat <<EOF
$program $version, a semi-interactive utility for checking if a CRL in LDAP
contains a specific serial number.

Usage: $program [OPTIONS] issuer serial

$program is a semi-interactive utility for checking if a CRL in LDAP contains a
specific serial number. It is useful for verifying that new CRLs are being
published to the LDAP when revoking certificates. The utility is non-interactive
unless the user is required to provide credentials for the ldapsearch utility.

The script expects two positional arguments:

    issuer

    The issuer argument should be set to the issuer DN of the certification
    authority that has issued the CRL. This parameter will be used for locating
    the CRLs in the directory tree that have been issued by target CA.

    serial

    The serial argument should be set to the serial number of the certificate
    that has been revoked. The certificate should have been issued by the
    specified issuer. This serial number will be looked-up in the matching
    CRLs.

The script works by traversing the LDAP tree, looking for all entries that have
a CRL attribute. By default the script is expecting the CRLs to be located in
the attribute 'certificateRevocationList' (this can be overridden). Each CRL
will be checked for presence of the specified serial number.

Once the script is finished traversing the LDAP tree, it will output a summary
about the number of processed CRLs, and an informative message about whether the
check has failed or not. The script will return a non-zero error code if the
check has failed.

The check is considred as failed if one of the following conditions are met:

    - There was no CRL in the LDAP direcotry issued by the specified CA.
    - At least one CRL in the LDAP direcotry that was issued by the specified CA
      does not contain the specified serial number.

The check is considred as successful if and only if there was at least on CRL
issued by the specified CA in the LDAP directory, and all of the CRLs issued by
the specified CA in the LDAP directory contain the specified serial number.

The script relies on using the ldapsearch utility from OpenLDAP for traversing
the LDAP directory. Any configuration settings specified in the global or local
(user's) LDAP client configuration file will be applied during
search. Additional parameters can be passed to the ldapsearch utility as well by
using the -L flag.

$program accepts the following options:

    -L ldapop Pass additional option to the ldapsearch utility used for
              retrieving the CRL from the LDAP database. This option can be
              specified multiple times.

    -a attr   LDAP attribute that should contain the CRL. Default is
              'certificateRevocationList'.

    -v        show script version and licensing information
    -h        show usage help


Please report bugs and send feature requests to <branko.majic@primekey.se>.
EOF
}

function version() {
        cat <<EOF
$program, version $version

+-----------------------------------------------------------------------+
| Copyright (C) 2013, PrimeKey Solutions AB                             |
|                                                                       |
| This program is free software: you can redistribute it and/or modify  |
| it under the terms of the GNU General Public License as published by  |
| the Free Software Foundation, either version 3 of the License, or     |
| (at your option) any later version.                                   |
|                                                                       |
| This program is distributed in the hope that it will be useful,       |
| but WITHOUT ANY WARRANTY; without even the implied warranty of        |
| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         |
| GNU General Public License for more details.                          |
|                                                                       |
| You should have received a copy of the GNU General Public License     |
| along with this program.  If not, see <http://www.gnu.org/licenses/>. |
+-----------------------------------------------------------------------+

EOF
}

# If no arguments were given, just show usage help.
if [[ -z $1 ]]; then
    usage
    exit 0
fi

# Set-up default parameters
ldapOptions=()
crlAttribute="certificateRevocationList"

# Parse the arguments
while getopts "L:a:vh" opt; do
    case "$opt" in
        L) ldapOptions+=("$OPTARG");;
        a) crlAttribute="$OPTARG";;
        v) version
           exit 0;;
        h) usage
           exit 0;;
        *) usage
           exit 1;;
    esac
done
i=$OPTIND
shift $(($i-1))

# Read the positional arguments.
issuer="$1"
serial="$2"

# Verify the arguments.
if [[ -z $issuer ]]; then
    echo "Issuer was not specified." >&2
    exit 3
fi
if [[ -z $serial ]]; then
    echo "Serial number was not specified." >&2
    exit 3
fi
if [[ ! $serial =~ ^[0123456789abcdefABCDEF]+$ ]]; then
    echo "Invalid serial number specified: '$serial'" >&2
    echo "Serial number may contain the following characters: 0123456789abcdefABCDEF" >&2
    exit 3
fi

# Start assembling the ldapsearch command. Remove the cruft from output
# (comments etc), and also disable wrapping of long line.x
command=("ldapsearch" "-LLL" "-oldif-wrap=no")
# Pass the user-provided options.
command+=("${ldapOptions[@]}")
# Look only for entities that have the request CRL attribute, and return only
# that attribute.
command+=("(${crlAttribute}=*)")
command+=("${crlAttribute}")

# Perform the ldap search. Store the result. Bail-out if an error has happened.
if ! searchResult=$("${command[@]}"); then
    echo "Failed to perform ldapsearch with the provided options." >&2
    exit 10
fi

# Keep track of how many CRLs from the issuer have been processed, how many of
# those did contain (matched) the serial number, and how many of those did _not_
# contain the serial number (non-matches).
processed=0
matches=0
nonMatches=0

# Output a useful begin message.
echo "CRL Issuer:    $issuer"
echo "Serial number: $serial"
echo

# Parse the LDAP search result.
while read line; do
    # Have we encountered the DN attribute?
    if [[ $line =~ ^dn: ]]; then
        dn="${line#*: }"
    # Have we encountered the CRL?    
    elif [[ $line =~ ^$crlAttribute ]]; then
        crl="${line#*:: }"
    # If we have reached a blank line, that means we can process our DN and CRL now.
    elif [[ $line =~ ^$ && dn != "" && crl != "" ]]; then
        # Get the CRL issuer from the list.
        crlIssuer=$(echo $crl | base64 --decode | openssl crl -noout -inform DER -issuer | sed -e 's#^issuer=/##;s#/#,#g')

        # If the CRL was issued by requested issuer, process it.
        if [[ $crlIssuer == $issuer ]]; then
            echo "Located CRL for issuer under DN '$dn'."
            let processed++

            # Check if the requested serial number is present in the CRL.
            if echo "$crl" | base64 --decode| openssl crl -inform DER -noout -text | grep 'Serial Number' \
                | sed -e 's/[[:blank:]]*Serial Number: //' | grep -q -i "^${serial}$"; then
                echo "Serial number present."
                let matches++
            else
                echo "Serial number not present."
                let nonMatches++
            fi
        fi

        # Reset the parameters used for parsing.
        unset dn crl
    fi
done < <(echo -e "${searchResult}\n")
echo
echo "Total number of CRLs with designated issuer in LDAP:     $processed"
echo "Number of CRLs that did contain the serial number:       $matches"
echo "Number of CRLs that did not contain the serial number:   $nonMatches"
echo
if [[ $processed == 0 ]]; then
    echo "No CRL was found in LDAP directory with the specified issuer DN."
    exit 11
elif [[ $matches != $processed ]]; then
    echo "Not all CRLs have passed the test."
    exit 12
else
    echo "All CRLs have passed the test."
    exit 0
fi