ansible-roles/roles/radius_server/files/rad_check_client_cert

#!/usr/bin/perl -w

use warnings;
use strict;
use Getopt::Long;
use LWP::Simple qw($ua getstore);

my $cert;
my $ca = '/etc/radius/certs/ca.pem';
my $crl;
my $issuer;

GetOptions(
  'certificate=s' => \$cert,
  'cacert=s' => \$ca,
  'crl=s' => \$crl,
  'issuer=s' => \$issuer
);

# Set a 5 sec timeout to fetch the CRL
$ua->timeout(5);

if ($crl){
  if ($crl =~ m{^/}){
    if (!-e $crl){
      print STDERR "$crl doesn't exist, can't verify\n";
      exit 1;
    }
  } elsif ($crl =~ m{^https?://}) {
    my $crl_file = '/run/radiusd/tls/crl.pem';
    my $age = 99999;
    if (-e $crl_file){
      $age = time - ( stat($crl_file) )[9];
    }
    if (!-e $crl_file or $age > 900){
      my $code = getstore($crl,$crl_file);
      if ($code != 200 && $age > 7200){
        print STDERR "Can't fetch the CRL at $crl\n";
        exit 1;
      }
    }
  }
}

my $cmd = "openssl verify -trusted $ca -purpose sslclient";
$cmd .= " -crl_check -CRLfile $crl" if ($crl and $crl =~ m{^/});
$cmd .= " -crl_check -CRLfile /run/radiusd/tls/crl.pem" if ($crl and $crl =~ m{^https?://});
$cmd .= " $cert";
my $ca_check = qx($cmd);
if ($? != 0){
  print "openssl verify command returned non zero\n";
  print $ca_check;
  exit 1;
}
chomp($ca_check);
if ($ca_check !~ m/^$cert:\s+OK$/){
  print "openssl failed to verify $cert against $ca\n";
  exit 1;
}

my $expire_check = qx(openssl x509 -in $cert -checkend 0);
if ($? != 0 || $expire_check !~ m/^Certificate will not expire/){
  print "certificate is expired\n";
  exit 1;
}

if ($issuer){
  my $issuer_check = qx(openssl x509 -in $cert -noout -issuer);
  chomp($issuer_check);
  $issuer_check =~ s/^issuer=\s*//;
  unless ($issuer_check eq $issuer){
    print "Certificate is signed by $issuer_check instead of $issuer\n";
    exit 1;
  }
}

exit 0;