-
Notifications
You must be signed in to change notification settings - Fork 3
/
check-certificates.sh
executable file
·95 lines (82 loc) · 2.95 KB
/
check-certificates.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
#!/bin/bash
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
# This script will test your certificates, verifying that
# the options are set correctly in the config files, that the
# public and private keys match, and that the whole certificate
# chain can be verified up to the root certificate.
srv_cfg=server.config
if [ ! -f $srv_cfg ]; then
echo "You need to generate a valid $srv_cfg file."; exit 1
fi
fed_cfg=server.federation.config
if [ ! -f $fed_cfg ]; then
echo "You need to generate a valid $fed_cfg file."; exit 1
fi
function get()
{
# retrieve value from federation config file. may fail if a variable is set in both files
grep "^\s*$1\>" "$fed_cfg" "$srv_cfg"| sed 's/.*=\s*//g' | tail -1
}
if [ "$(get waveserver_disable_verification)" != "false" ]; then
echo "ERROR: waveserver_disable_verification should be set to false"
exit 1
fi
if [ "$(get waveserver_disable_signer_verification)" != "false" ]; then
echo "ERROR: waveserver_disable_signer_verification should be set to false"
exit 1
fi
if [ ! -e "$(get certificate_private_key)" ]; then
echo "ERROR: Private key \"$(get certificate_private_key)\" does not exist"
exit 1
fi
# Break apart the certificate list on the commas.
certlist=(`echo $(get certificate_files) | sed 's/,/ /g'`)
if [ "`openssl x509 -modulus -in ${certlist[0]} -noout`" != "`openssl \
rsa -in $(get certificate_private_key) -modulus -noout`" ]; then
echo "ERROR: Public and private key do not match!"
exit 1
fi
# Reverse the order of the list for passing into openssl.
len=${#certlist[@]}
for (( i = 0; $i < $len/2; i++ )); do
swap=$len-$i-1
tmp=${certlist[i]}
certlist[i]=${certlist[$swap]}
certlist[$swap]=$tmp
done
# Verify that each file in the certificate list exists.
for (( i=0; $i < $len; i++ )); do
if [ ! -e ${certlist[$i]} ]; then
echo "ERROR: Certificate file does not exist:" ${certlist[$i]}
exit 1
fi
done
# Verify the certificate chain.
if (( $len > 1 )); then
verifycmd="openssl verify -CAfile ${certlist[@]}"
else
verifycmd="openssl verify ${certlist[@]}"
fi
if $verifycmd | grep -q "OK$" ; then
echo "SUCCESS: The certificates have been verified and are working correctly"
exit 0
else
echo "ERROR: Certificate chain failed to verify"
$verifycmd
exit 1
fi