X-Git-Url: https://git.siccegge.de//index.cgi?p=dane-monitoring-plugins.git;a=blobdiff_plain;f=check_dane%2Fcert.py;h=a66a1344685d54a9f7e38363e1e5167f33d500e1;hp=289f514c3d1c8337b9a97ca5bf14d96a10d40d98;hb=92d97feaf1e3f2a31e8a110f1e793af2aacfcc36;hpb=c7b2c9dfdb27024ac028723834741d8d78d5225f
diff --git a/check_dane/cert.py b/check_dane/cert.py
index 289f514..a66a134 100644
--- a/check_dane/cert.py
+++ b/check_dane/cert.py
@@ -1,10 +1,43 @@
 #!/usr/bin/python3
+from datetime import datetime
+import logging
+from ssl import cert_time_to_seconds
+
 from pyasn1_modules import rfc2459
 from pyasn1.codec.der import decoder, encoder
+def verify_certificate(cert, args):
+ expiretimestamp = cert_time_to_seconds(cert['notAfter'])
+ starttimestamp = cert_time_to_seconds(cert['notBefore'])
+
+ if datetime.utcfromtimestamp(starttimestamp) > datetime.utcnow():
+ logging.error("Certificate will only be valid starting %s", cert['notBefore'])
+ return 2
+
+ if datetime.utcfromtimestamp(expiretimestamp) < datetime.utcnow():
+ logging.error("Certificate will only be valid until %s", cert['notAfter'])
+ return 2
+
+ delta = datetime.utcfromtimestamp(expiretimestamp) - datetime.utcnow()
+ deltastr = str(delta).split(",")
+
+ if delta.days < args.critdays:
+ logging.error("expires in %8s,%16s", deltastr[0], deltastr[1])
+ return 2
+ elif delta.days < args.warndays:
+ logging.warn("expires in %8s,%16s", deltastr[0], deltastr[1])
+ return 1
+
+ return 0
 def get_spki(certificate):
 cert = decoder.decode(certificate, asn1Spec=rfc2459.Certificate())[0]
 spki = cert['tbsCertificate']["subjectPublicKeyInfo"]
 return encoder.encode(spki)
+
+def add_certificate_options(argparser):
+ argparser.add_argument("--warndays", type=int, default=-1,
+ help="Days before certificate expiration to warn")
+ argparser.add_argument("--critdays", type=int, default=-1,
+ help="Days before certificate expiration to raise error")
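Review bot: In `verify_certificate`, `deltastr[1]` raises IndexError when the certificate has less than one day left, because `str(delta)` for a sub-day timedelta is just `H:MM:SS` with no comma and the split yields a single element. That is the most urgent case the check exists for, and with `--critdays` or `--warndays` set to 1 or more it ends in a traceback instead of `return 2`; how the caller maps that to a plugin status is not visible in this hunk. Building the two parts defensively avoids it: `deltastr = str(delta).split(",") if delta.days else ["0 days", " " + str(delta)]`. Separately, `logging.warn` is a deprecated alias of `logging.warning`, and the expired-certificate message "will only be valid until" would read more clearly as "expired on".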