From mboxrd@z Thu Jan 1 00:00:00 1970 From: Adolf Belka To: development@lists.ipfire.org Subject: Re: [PATCH 2/3] zabbix_agentd: Add helper script to get and verify certificate details Date: Wed, 28 Feb 2024 20:48:06 +0100 Message-ID: <63cc8dff-1199-41df-8cdf-817792e08966@ipfire.org> In-Reply-To: <20240228191952.28258-3-robin.roevens@disroot.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============2274231235281650396==" List-Id: --===============2274231235281650396== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Reviewed-by: Adolf Belka On 28/02/2024 19:58, Robin Roevens wrote:
> Add script to parse openssl output on certificates and return it as JSON fo= r consumption by the Zabbix agent.
> ---
> .../ipfire_certificate_detail.sh | 91 +++++++++++++++++++
> 1 file changed, 91 insertions(+)
> create mode 100755 config/zabbix_agentd/ipfire_certificate_detail.sh
>
> diff --git a/config/zabbix_agentd/ipfire_certificate_detail.sh b/config/zab= bix_agentd/ipfire_certificate_detail.sh
> new file mode 100755
> index 000000000..9ca0ef5de
> --- /dev/null
> +++ b/config/zabbix_agentd/ipfire_certificate_detail.sh
> @@ -0,0 +1,91 @@
> +#!/bin/bash
> +##########################################################################= #####
> +# ipfire_certificate_detail.sh - Get certificate details and validation re= sults
> +# in JSON format for use by Zabbix agent
> +#
> +# Author: robin.roevens (at) disroot.org
> +# Version: 1.0
> +#
> +# Copyright (C) 2007-2024 IPFire Team
> +#
> +# This program is free software: you can redistribute it and/or modify
> +# it under the terms of the GNU General Public License as published by
> +# the Free Software Foundation, either version 3 of the License, or
> +# (at your option) any later version.
> +#
> +# This program is distributed in the hope that it will be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> +# GNU General Public License for more details.
> +#
> +# You should have received a copy of the GNU General Public License
> +# along with this program. If not, see .
> +#
> +##########################################################################= #####
> +
> +# Required binaries
> +OPENSSL=3D/usr/bin/openssl
> +DATE=3D/bin/date
> +
> +# Parameter checking
> +[[ $1 ]] || { echo "{\"error\":\"No CA certificate file given.\"}"; exit 1= ; }
> +[[ -f $1 ]] || { echo "{\"error\":\"CA certificate not found: $1.\"}"; exi= t 1; }
> +[[ -r $1 ]] || { echo "{\"error\":\"No read permission on CA certificate: = $1.\"}"; exit 1; }
> +[[ $2 ]] || { echo "{\"error\":\"No certificate file given.\"}"; exit 1; }
> +[[ -f $2 ]] || { echo "{\"error\":\"Certificate not found: $2.\"}"; exit 1= ; }
> +[[ -r $2 ]] || { echo "{\"error\":\"No read permission on certificate $2.\= "}"; exit 1; }
> +[[ -x $OPENSSL ]] || { echo "{\"error\":\"$OPENSSL binary not found or no = permission.\"}"; exit 1; }
> +[[ -x $DATE ]] || { echo "{\"error\":\"$DATE binary not found or no permis= sion.\"}"; exit 1; }
> +
> +cafile=3D$1
> +cert=3D$2
> +
> +# Parse certificate details
> +cert_details=3D$(${OPENSSL} x509 -in "${cert}" -noout -text -certopt no_he= ader,no_sigdump)
> +version=3D$(echo "${cert_details}" | grep "Version:" | sed 's/^ \+Version:= \([0-9]\+\) (.\+)$/\1/g')
> +serial_number=3D$(echo "${cert_details}" | grep -A1 "Serial Number:" | tr = -d '\n' | sed 's/^ \+Serial Number:\(\( \(.*\) ([0-9]\+x[0-9]\+).*\)\|\( \+\(= .*\)$\)\)/\3\5/g')
> +signature_algorithm=3D$(echo "${cert_details}" | grep "Signature Algorithm= :" | sed 's/^ \+Signature Algorithm: //g')
> +issuer=3D$(echo "${cert_details}" | grep "Issuer:" | sed 's/^ \+Issuer: //= g' | sed 's/"/\\"/g')
> +not_before_value=3D$(echo "${cert_details}" | grep "Not Before:" | sed 's/= ^ \+Not Before: //g')
> +not_before_timestamp=3D$(${DATE} -d "${not_before_value}" +%s)
> +not_after_value=3D$(echo "${cert_details}" | grep "Not After :" | sed 's/^= \+Not After : //g')
> +not_after_timestamp=3D$(${DATE} -d "${not_after_value}" +%s)
> +subject=3D$(echo "${cert_details}" | grep "Subject:" | sed 's/^ \+Subject:=
//g' | sed 's/"/\\"/g')
> +public_key_algorithm=3D$(echo "${cert_details}" | grep "Public Key Algorit= hm:" | sed 's/^ \+Public Key Algorithm: //g')
> +
> +# Verify certificate
> +cert_verify=3D$(${OPENSSL} verify -CAfile "${cafile}" "${cert}" 2>&1)
> +if [[ $? !=3D 0 ]]; then
> + result_value=3D"invalid"
> + result_message=3D"failed to verify certificate: x509: $(echo "${cert_veri= fy}" | grep -E "error [0-9]+" | sed 's/^.\+: \(.\+\)/\1/g')"
> +else
> + result_value=3D"valid"
> + result_message=3D"certificate verified successfully"
> +fi
> +
> +# Generate fingerprints
> +sha1_fingerprint=3D$(${OPENSSL} x509 -in "${cert}" -noout -fingerprint -sh= a1 | cut -d=3D -f2)
> +sha256_fingerprint=3D$(${OPENSSL} x509 -in "${cert}" -noout -fingerprint -= sha256 | cut -d=3D -f2)
> +
> +# Print certificate details in JSON
> +echo -n "{\"x509\":{"
> +echo -n "\"version\":\"${version}\","
> +echo -n "\"serial_number\":\"${serial_number}\","
> +echo -n "\"signature_algorithm\":\"${signature_algorithm}\","
> +echo -n "\"issuer\":\"${issuer}\","
> +echo -n "\"not_before\":{"
> +echo -n "\"value\":\"${not_before_value}\","
> +echo -n "\"timestamp\":\"${not_before_timestamp}\"},"
> +echo -n "\"not_after\":{"
> +echo -n "\"value\":\"${not_after_value}\","
> +echo -n "\"timestamp\":\"${not_after_timestamp}\"},"
> +echo -n "\"subject\":\"${subject}\","
> +echo -n "\"public_key_algorithm\":\"${public_key_algorithm}\"},"
> +echo -n "\"result\":{"
> +echo -n "\"value\":\"${result_value}\","
> +echo -n "\"message\":\"${result_message}\"},"
> +echo -n "\"sha1_fingerprint\":\"${sha1_fingerprint}\","
> +echo -n "\"sha256_fingerprint\":\"${sha256_fingerprint}\""
> +echo -n "}"
> +
> +exit 0
> \ No newline at end of file --===============2274231235281650396==--
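Review bot: The JSON assembled by the `echo -n` block is only partially escaped: `issuer` and `subject` get `"` rewritten to `\"` but backslashes are left untouched, and `serial_number`, `signature_algorithm`, `public_key_algorithm`, `result_message`, both fingerprints and the `$1`/`$2` paths interpolated into the `error` objects are not escaped at all, so any of those containing a `"` or `\` produces malformed JSON (or closes the string early) for the agent. Note also that openssl's default `-nameopt` appears to print a `"` inside a DN as `\"` already, in which case the `sed 's/"/\\"/g'` turns it into `\\"` — the exact input the escaping was meant to handle, so I would confirm this against a test certificate. Since the script parses whatever certificate file it is handed, route every field through one helper that escapes backslashes before quotes, e.g. `json_escape() { sed 's/\\/\\\\/g; s/"/\\"/g'; }`, or build the document with `jq -n --arg` if jq is available on the target. Separately, `cert_details=$(${OPENSSL} x509 ...)` is not checked, so a file openssl cannot parse yields a document of empty fields with exit 0 instead of an error object; `cert_details=$(${OPENSSL} x509 -in "${cert}" -noout -text -certopt no_header,no_sigdump) || { echo "{\"error\":\"Could not parse certificate: $2.\"}"; exit 1; }` keeps the existing error shape.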