%PDF- %PDF-
Direktori : /proc/self/root/etc/ansible/library/ |
Current File : //proc/self/root/etc/ansible/library/bx_cert |
#!/bin/bash # state: # check ----- check certificate files by openssl # cert: certificate # chain: chain # key: provate key export LANG=en_EN.UTF-8 export NOLOCALE=yes export PATH=/sbin:/bin:/usr/sbin:/usr/bin OPENSSL=/usr/bin/openssl [[ -z $DEBUG ]] && DEBUG=0 BASE_DIR=/opt/webdir LOGS_DIR=$BASE_DIR/logs TEMP_DIR=$BASE_DIR/temp TMP_DIR=$BASE_DIR/tmp [[ ! -d $TMP_DIR ]] && mkdir -m 700 $TMP_DIR LOG_FILE=$TMP_DIR/bx_cert$$.log TMP_FILE=$(mktemp $TMP_DIR/bx_certXXXXX) #set -x log(){ mess=$1 echo "$(date +%s) $mess" >> $LOG_FILE } debug(){ mess=$1 [[ $DEBUG -gt 0 ]] && log "$mess" } # print error message print_error() { msg="$1" log "$msg" echo "{\"changed\":false,\"failed\":true,\"msg\":\"$msg\"}" [[ -f $TMP_FILE ]] && rm -f $TMP_FILE exit 1 } # print ok print_ok() { msg="$1" echo "{\"changed\":false,\"msg\":\"$msg\"}" debug "$msg" [[ -f $TMP_FILE ]] && rm -f $TMP_FILE exit 0 } test_files() { [[ -x $OPENSSL ]] || \ print_error "Not found openssl command. Please run, yum install openssl." # test variables and file if [[ -z $cert ]]; then print_error "Option cert= cannot be empty." fi if [[ -z $priv ]]; then print_error "Option priv= cannot be empty." fi for file in "$cert" "$priv" "$chain"; do [[ (-n $file) && ( ! -f $file ) ]] && \ print_error "Cannot find file=$file" done # check rsa key if [[ $( grep -c "ENCRYPTED" $priv 2>/dev/null ) -gt 0 ]]; then print_error \ "Unsupported private key format; Private key must be PEM-encoded and unencrypted" fi $OPENSSL rsa -in "$priv" -check > $TMP_FILE 2>&1 rsa_rtn=$? [[ $rsa_rtn -gt 0 ]] && \ print_error "Testing private key=$priv return error: $rsa_rtn" # check certificate and chain file if [[ -n $chain ]]; then $OPENSSL verify -untrusted $chain $cert >$TMP_FILE 2>&1 ver_rtn=$? if [[ $ver_rtn -gt 0 ]]; then error_msg=$(tail -n1 $TMP_FILE) $OPENSSL verify -verbose -x509_strict -CAfile $chain $cert >$TMP_FILE 2>&1 if [[ $? -gt 0 ]]; then print_error \ "Testing certificate and chain return error: $ver_rtn $error_msg" fi fi else $OPENSSL x509 -in $cert -enddate -noout >$TMP_FILE 2>&1 ver_rtn=$? [[ $ver_rtn -gt 0 ]] && \ print_error \ "Testing certificate return error: $ver_rtn $(head -n1 $TMP_FILE)" enddate=$(date -d "$(cat $TMP_FILE | cut -d'=' -f2)" +%s) date=$(date +%s) [[ $enddate -le $date ]] && print_error \ "Certificate $cert has expired" fi # check certificate and private key cert_md5=$($OPENSSL x509 -noout -modulus -in $cert | $OPENSSL md5) priv_md5=$($OPENSSL rsa -noout -modulus -in $priv | $OPENSSL md5) if [[ $cert_md5 != "$priv_md5" ]]; then print_error \ "The certificate and private key do not match." fi print_ok "The certificate and private key are good." } # get ansible options source ${1} test_files