-
Notifications
You must be signed in to change notification settings - Fork 1
/
get-sha1
executable file
·84 lines (68 loc) · 2.58 KB
/
get-sha1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
#!/bin/bash
# Connect to a remote SSL-capable server, extract its certificate and
# display its SHA-1 --> SHA-2 transition status
set -o pipefail
set -e
# Update to supply trusted cert data (-CApath or -CAfile)
CAARG='-CApath /etc/ssl/certs'
hostname=${1}
port=${2:-443}
if [ "!${hostname}!" == "!!" ]; then
echo "Usage: ${0} <hostname> [<port>]" >&2
exit 255
fi
# Conect to target
set +e
response=$(echo | openssl s_client -connect "${hostname}":"${port}" ${CAARG} 2>&1)
rc=$?
if [ ${rc} -ne 0 ]; then
echo "${response}" >&2
exit ${rc}
fi
set -e
# Extract and decode certificate from response
certificate=$(echo "${response}" | sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p')
verify=$(echo "${response}" | sed -n 's/ *Verify return code *: *//p')
decoded=$(echo "$certificate" | openssl x509 -noout -text -certopt no_sigdump)
# extract exiry date and signature algorythm from certificaet
expiry=$(echo "${decoded}" | sed -n 's/ *Not After *: *//p')
expiry_epoc=$(date --date="${expiry}" +%s)
algorythm=$(echo "${decoded}" | sed -n 's/ *Signature Algorithm: *//p')
echo "${algorythm} - expires ${expiry} - verify ${verify}"
return=0
# If certificate already expired
if [ ${expiry_epoc} -lt $(date +%s) ]; then
echo "ERROR - certificate has expired"
return=3
# Else if it's an SHA-2 certificate
elif [ "${algorythm}" = "sha256WithRSAEncryption" ]; then
echo "OK - already using SHA-2"
# Else if it's an SHA-1 certificate
elif [ "${algorythm}" = "sha1WithRSAEncryption" ]; then
# Status depends on expiry date
if [ ${expiry_epoc} -lt $(date --date 2016-01-01 +%s) ]; then
echo "OK - certificate expires before deadline"
elif [ ${expiry_epoc} -lt $(date --date 2016-06-01 +%s) ]; then
echo "PROBLEM - warning icon in Chrome 41+ (from Jan/Feb 2015)"
return=1
elif [ ${expiry_epoc} -lt $(date --date 2016-12-31 +%s) ]; then
echo "PROBLEM - warning icon in Chrome 40+ (from December 2014)"
return=1
elif [ ${expiry_epoc} -lt $(date --date 2017-01-01 +%s) ]; then
echo "PROBLEM - warning icon in Chrome 40+ (from December 2014)"
echo "Automatic replacement by Janet (issued with less that 3-year life)"
return=1
else
echo "PROBLEM - warning icon in Chrome 39 (from November 2014)"
echo " null security icon in Chrome 40 (from December 2014)"
echo " error icon in Chrome 42+ (from April 2015)"
echo " rejected by all major browsers from Jan 2017"
echo "Automatic replacement by Janet"
return=2
fi
# Else we don't know what it is
else
echo "ERROR - unrecognised signature algorythm"
return=3
fi
exit ${return}