check_dane/cert.py

   1 #!/usr/bin/python3
   2
   3 from datetime import datetime
   4 import logging
   5 from ssl import cert_time_to_seconds
   6
   7 from pyasn1_modules import rfc2459
   8 from pyasn1.codec.der import decoder, encoder
   9
  10 def verify_certificate(cert, args):
  11     expiretimestamp = cert_time_to_seconds(cert['notAfter'])
  12     starttimestamp = cert_time_to_seconds(cert['notBefore'])
  13
  14     if datetime.utcfromtimestamp(starttimestamp) > datetime.utcnow():
  15         logging.error("Certificate will only be valid starting %s", cert['notBefore'])
  16         return 2
  17
  18     if datetime.utcfromtimestamp(expiretimestamp) < datetime.utcnow():
  19         logging.error("Certificate will only be valid until %s", cert['notAfter'])
  20         return 2
  21
  22     delta = datetime.utcfromtimestamp(expiretimestamp) - datetime.utcnow()
  23     deltastr = str(delta).split(",")
  24
  25     if delta.days < args.critdays:
  26         logging.error("expires in %8s,%16s", deltastr[0], deltastr[1])
  27         return 2
  28     elif delta.days < args.warndays:
  29         logging.warning("expires in %8s,%16s", deltastr[0], deltastr[1])
  30         return 1
  31
  32     return 0
  33
  34 def get_spki(certificate):
  35     cert = decoder.decode(certificate, asn1Spec=rfc2459.Certificate())[0]
  36     spki = cert['tbsCertificate']["subjectPublicKeyInfo"]
  37     return encoder.encode(spki)
  38
  39 def add_certificate_options(argparser):
  40     argparser.add_argument("--warndays", type=int, default=-1,
  41                            help="Days before certificate expiration to warn")
  42     argparser.add_argument("--critdays", type=int, default=-1,
  43                            help="Days before certificate expiration to raise error")