X-Git-Url: https://git.siccegge.de//index.cgi?p=dane-monitoring-plugins.git;a=blobdiff_plain;f=check_dane%2Fcert.py;h=9ba4175622d22580202fc86a56b254ad4e9dea9e;hp=289f514c3d1c8337b9a97ca5bf14d96a10d40d98;hb=51d6a5e599dcccbe4c6ee381c54d25c432a36e7f;hpb=43ff512931d365648e65d2a8e88ecfd15fbf2752
diff --git a/check_dane/cert.py b/check_dane/cert.py
index 289f514..9ba4175 100644
--- a/check_dane/cert.py
+++ b/check_dane/cert.py
@@ -1,10 +1,43 @@
 #!/usr/bin/python3
+from datetime import datetime
+import logging
+from ssl import cert_time_to_seconds
+
 from pyasn1_modules import rfc2459
 from pyasn1.codec.der import decoder, encoder
+def verify_certificate(cert, args):
+ expiretimestamp = cert_time_to_seconds(cert['notAfter'])
+ starttimestamp = cert_time_to_seconds(cert['notBefore'])
+
+ if datetime.utcfromtimestamp(starttimestamp) > datetime.utcnow():
+ logging.error("Certificate will only be valid starting %s", cert['notBefore'])
+ return 2
+
+ if datetime.utcfromtimestamp(expiretimestamp) < datetime.utcnow():
+ logging.error("Certificate will only be valid until %s", cert['notAfter'])
+ return 2
+
+ delta = datetime.utcfromtimestamp(expiretimestamp) - datetime.utcnow()
+ deltastr = str(delta).split(",")
+
+ if delta.days < args.critdays:
+ logging.error("expires in %8s,%16s", deltastr[0], deltastr[1])
+ return 2
+ elif delta.days < args.warndays:
+ logging.warning("expires in %8s,%16s", deltastr[0], deltastr[1])
+ return 1
+
+ return 0
 def get_spki(certificate):
 cert = decoder.decode(certificate, asn1Spec=rfc2459.Certificate())[0]
 spki = cert['tbsCertificate']["subjectPublicKeyInfo"]
 return encoder.encode(spki)
+
+def add_certificate_options(argparser):
+ argparser.add_argument("--warndays", type=int, default=-1,
+ help="Days before certificate expiration to warn")
+ argparser.add_argument("--critdays", type=int, default=-1,
+ help="Days before certificate expiration to raise error")
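Review bot: In `verify_certificate`, `deltastr[1]` raises IndexError once less than one day of validity remains, because `str(delta)` contains no comma when `delta.days` is 0 (it prints as `H:MM:SS.ffffff`), so `str(delta).split(",")` yields a single element. That is the window where the check matters most: with `--critdays` or `--warndays` set to 1 or more, the plugin would stop with a traceback instead of logging the remaining time and returning 2 or 1, and how the caller maps that to a monitoring state is not visible in this hunk. Build the two parts without relying on the comma, for example `deltastr = str(delta).split(",") if delta.days else ["0 days", " " + str(delta)]`. Separately, the message logged for an already expired certificate says "will only be valid until"; "was only valid until" would match the condition it reports.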