Add checks for certificate expiry
index 289f514c3d1c8337b9a97ca5bf14d96a10d40d98..a66a1344685d54a9f7e38363e1e5167f33d500e1 100644 (file)
@@ -1,10 +1,43 @@
 #!/usr/bin/python3
 
+from datetime import datetime
+import logging
+from ssl import cert_time_to_seconds
+
 from pyasn1_modules import rfc2459
 from pyasn1.codec.der import decoder, encoder
 
+def verify_certificate(cert, args):
+    expiretimestamp = cert_time_to_seconds(cert['notAfter'])
+    starttimestamp = cert_time_to_seconds(cert['notBefore'])
+
+    if datetime.utcfromtimestamp(starttimestamp) > datetime.utcnow():
+        logging.error("Certificate will only be valid starting %s", cert['notBefore'])
+        return 2
+
+    if datetime.utcfromtimestamp(expiretimestamp) < datetime.utcnow():
+        logging.error("Certificate will only be valid until %s", cert['notAfter'])
+        return 2
+
+    delta = datetime.utcfromtimestamp(expiretimestamp) - datetime.utcnow()
+    deltastr = str(delta).split(",")
+
+    if delta.days < args.critdays:
+        logging.error("expires in %8s,%16s", deltastr[0], deltastr[1])
+        return 2
+    elif delta.days < args.warndays:
+        logging.warn("expires in %8s,%16s", deltastr[0], deltastr[1])
+        return 1
+
+    return 0
 
 def get_spki(certificate):
     cert = decoder.decode(certificate, asn1Spec=rfc2459.Certificate())[0]
     spki = cert['tbsCertificate']["subjectPublicKeyInfo"]
     return encoder.encode(spki)
+
+def add_certificate_options(argparser):
+    argparser.add_argument("--warndays", type=int, default=-1,
+                           help="Days before certificate expiration to warn")
+    argparser.add_argument("--critdays", type=int, default=-1,
+                           help="Days before certificate expiration to raise error")
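Review bot: `deltastr = str(delta).split(",")` in verify_certificate assumes the timedelta string always contains a comma, but `str(timedelta)` only has one when `delta.days != 0`; with a certificate that expires in under 24 hours and a positive `--critdays`/`--warndays`, `deltastr[1]` raises IndexError and the check crashes exactly when it should report CRITICAL. Dropping the split and logging the timedelta directly avoids the crash: `logging.error("expires in %s", delta)` and `logging.warning("expires in %s", delta)` (the `logging.warn` alias is deprecated). Calling `datetime.utcnow()` once into a local and reusing it for the three comparisons would also keep the before/after checks and the delta consistent with each other. `args.critdays` and `args.warndays` default to -1, so the expiry-window checks are silently disabled unless both options are passed; a docstring stating that, and that the return value follows Nagios exit codes (0/1/2), would help callers.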