You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
78 lines
1.7 KiB
78 lines
1.7 KiB
5 years ago
|
#!/usr/bin/perl -w
|
||
|
|
||
|
use warnings;
|
||
|
use strict;
|
||
|
use Getopt::Long;
|
||
|
use LWP::Simple qw($ua getstore);
|
||
|
|
||
|
my $cert;
|
||
|
my $ca = '/etc/radius/certs/ca.pem';
|
||
|
my $crl;
|
||
|
my $issuer;
|
||
|
|
||
|
GetOptions(
|
||
|
'certificate=s' => \$cert,
|
||
|
'cacert=s' => \$ca,
|
||
|
'crl=s' => \$crl,
|
||
|
'issuer=s' => \$issuer
|
||
|
);
|
||
|
|
||
|
# Set a 5 sec timeout to fetch the CRL
|
||
|
$ua->timeout(5);
|
||
|
|
||
|
if ($crl){
|
||
|
if ($crl =~ m{^/}){
|
||
|
if (!-e $crl){
|
||
|
print STDERR "$crl doesn't exist, can't verify\n";
|
||
|
exit 1;
|
||
|
}
|
||
|
} elsif ($crl =~ m{^https?://}) {
|
||
|
my $crl_file = '/run/radiusd/tls/crl.pem';
|
||
|
my $age = 99999;
|
||
|
if (-e $crl_file){
|
||
|
$age = time - ( stat($crl_file) )[9];
|
||
|
}
|
||
|
if (!-e $crl_file or $age > 900){
|
||
|
my $code = getstore($crl,$crl_file);
|
||
|
if ($code != 200 && $age > 7200){
|
||
|
print STDERR "Can't fetch the CRL at $crl\n";
|
||
|
exit 1;
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
my $cmd = "openssl verify -trusted $ca -purpose sslclient";
|
||
|
$cmd .= " -crl_check -CRLfile $crl" if ($crl and $crl =~ m{^/});
|
||
|
$cmd .= " -crl_check -CRLfile /run/radiusd/tls/crl.pem" if ($crl and $crl =~ m{^https?://});
|
||
|
$cmd .= " $cert";
|
||
|
my $ca_check = qx($cmd);
|
||
|
if ($? != 0){
|
||
|
print "openssl verify command returned non zero\n";
|
||
|
print $ca_check;
|
||
|
exit 1;
|
||
|
}
|
||
|
chomp($ca_check);
|
||
|
if ($ca_check !~ m/^$cert:\s+OK$/){
|
||
|
print "openssl failed to verify $cert against $ca\n";
|
||
|
exit 1;
|
||
|
}
|
||
|
|
||
|
my $expire_check = qx(openssl x509 -in $cert -checkend 0);
|
||
|
if ($? != 0 || $expire_check !~ m/^Certificate will not expire/){
|
||
|
print "certificate is expired\n";
|
||
|
exit 1;
|
||
|
}
|
||
|
|
||
|
if ($issuer){
|
||
|
my $issuer_check = qx(openssl x509 -in $cert -noout -issuer);
|
||
|
chomp($issuer_check);
|
||
|
$issuer_check =~ s/^issuer=\s//;
|
||
|
unless ($issuer_check eq $issuer){
|
||
|
print "Certificate is signed by $issuer_check instead of $issuer\n";
|
||
|
exit 1;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
exit 0;
|