1 #!/usr/bin/python3
2
3 from datetime import datetime
4 import logging
5 from ssl import cert_time_to_seconds
6
7 from pyasn1_modules import rfc2459
8 from pyasn1.codec.der import decoder, encoder
9
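def verify_certificate(cert, args):
    """Check a certificate's validity window and return a monitoring status.

    Only the notBefore/notAfter dates are examined here; nothing in this
    function validates the issuer, chain or hostname.

    Args:
        cert: Mapping with 'notBefore' and 'notAfter' strings in the format
            accepted by ssl.cert_time_to_seconds.
        args: Object with integer attributes ``critdays`` and ``warndays``.

    Returns:
        2 if the certificate is not yet valid, has expired, or expires in
        fewer than ``args.critdays`` days; 1 if it expires in fewer than
        ``args.warndays`` days; 0 otherwise.
    """
    # Sample the clock once so every comparison below uses the same instant.
    now = datetime.utcnow()
    not_before = datetime.utcfromtimestamp(cert_time_to_seconds(cert['notBefore']))
    not_after = datetime.utcfromtimestamp(cert_time_to_seconds(cert['notAfter']))

    if not_before > now:
        logging.error("Certificate will only be valid starting %s", cert['notBefore'])
        return 2

    if not_after < now:
        logging.error("Certificate will only be valid until %s", cert['notAfter'])
        return 2

    delta = not_after - now

    # str(timedelta) is "N days, H:MM:SS" but drops the "N days, " prefix when
    # less than one day remains. Indexing the split result then raised
    # IndexError, so the check crashed on the most urgent case instead of
    # reporting it.
    days_part, comma, time_part = str(delta).partition(",")
    if not comma:
        days_part, time_part = "0 days", " " + days_part

    if delta.days < args.critdays:
        logging.error("expires in %8s,%16s", days_part, time_part)
        return 2
    if delta.days < args.warndays:
        logging.warning("expires in %8s,%16s", days_part, time_part)
        return 1

    return 0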
33
def get_spki(certificate):
    """Return the DER encoding of a certificate's SubjectPublicKeyInfo.

    Args:
        certificate: DER-encoded X.509 certificate bytes.

    Returns:
        The re-encoded ``subjectPublicKeyInfo`` field of the certificate's
        ``tbsCertificate``.
    """
    # decode() returns (value, remainder); any bytes following the
    # certificate structure are discarded here, not rejected.
    parsed, _remainder = decoder.decode(certificate, asn1Spec=rfc2459.Certificate())
    tbs = parsed['tbsCertificate']
    return encoder.encode(tbs["subjectPublicKeyInfo"])
38
def add_certificate_options(argparser):
    """Register the certificate expiry threshold options on *argparser*.

    Adds ``--warndays`` and ``--critdays``, both integers defaulting to -1.
    """
    # verify_certificate compares the remaining whole days with these
    # thresholds using "<" after rejecting expired certificates, so the -1
    # default never matches and leaves both thresholds disabled.
    thresholds = (
        ("--warndays", "Days before certificate expiration to warn"),
        ("--critdays", "Days before certificate expiration to raise error"),
    )
    for flag, description in thresholds:
        argparser.add_argument(flag, type=int, default=-1, help=description)