Python 2 script to check X509 certificate for incorrectly formatted validity dates
#!/usr/bin/python
# This Python 2 script analyzes an X509 certificate or
# OpenVPN config file (with inline certs) and reports
# if the embedded date lengths are valid per RFC 5280
# ( https://tools.ietf.org/html/rfc5280#section-4.1.2.5 ).
# Specifically, it looks for the case where the seconds
# field is omitted from the dates or where Zulu time
# is not used. RFC 5280 explicitly demands the use of
# seconds for certificates and CRLs, and requires that
# dates be specified in GMT (Zulu time) with a trailing
# 'Z' character.
# Caveat: the check scans the decoded DER bytes with a
# regular expression instead of parsing the ASN.1, so it
# is a heuristic. Any run of digits that looks like a time
# is reported (not only the Validity fields), and length
# alone cannot distinguish a 12-digit UTCTime (YYMMDDHHMMSS)
# from a GeneralizedTime with its seconds missing
# (YYYYMMDDHHMM).
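import sys
import re
import base64

# Runs unchanged under Python 2.6+ and Python 3: all byte handling uses
# bytes literals and slices, and print is only ever called with one
# argument so it works as a statement and as a function.

# DER tag bytes of the two ASN.1 time types RFC 5280 4.1.2.5 allows for
# certificate Validity (and CRL thisUpdate/nextUpdate) fields.
TAG_UTCTIME = b'\x17'
TAG_GENERALIZEDTIME = b'\x18'

# One PEM certificate block (.crt/.pem files, or the inline <ca>/<cert>
# sections of an OpenVPN profile).  Matched on bytes so the input file
# never needs to be decoded as text.
PEM_CERT_RE = re.compile(
    br"^-+BEGIN CERTIFICATE-+\s*$(.*?)^-+END CERTIFICATE-+\s*$",
    re.DOTALL | re.MULTILINE)

# A time string as it sits in the DER: a run of digits, an optional
# fractional-seconds part (RFC 5280 forbids it, but it exists in the
# wild), then 'Z' or a +hhmm/-hhmm offset.  The original pattern only
# recognised a '+' offset, so a '-hhmm' date was never reported.
DER_TIME_RE = re.compile(br"(\d{10,})(\.\d+)?(Z|[+-]\d{4})")

USAGE = "usage: certdate <cert-in-PEM-format-or-ovpn-profile> ..."


def der_time_tag(cert_binary, start, end):
    """Return the DER tag of the time string at cert_binary[start:end].

    Returns TAG_UTCTIME or TAG_GENERALIZEDTIME when the two bytes before
    the match are such a tag followed by a short-form length byte equal to
    the match length; otherwise None (the digits are not a confirmable DER
    time value).  Both time types are at most 15 bytes long, so the
    long-form length encoding never has to be handled.
    """
    if start < 2:
        return None
    tag = cert_binary[start - 2:start - 1]
    if tag not in (TAG_UTCTIME, TAG_GENERALIZEDTIME):
        return None
    # ord() on a one-byte slice behaves the same on Python 2 (str) and 3 (bytes).
    if ord(cert_binary[start - 1:start]) != end - start:
        return None
    return tag


def classify_date(date, tail, fraction=b'', tag=None):
    """Return the note to print for one time string, per RFC 5280 4.1.2.5.

    date     -- the run of digits (bytes)
    tail     -- b'Z' or a b'+hhmm' / b'-hhmm' offset (bytes)
    fraction -- the b'.fff' fractional-seconds part, or b'' (bytes)
    tag      -- DER tag byte when known (see der_time_tag), else None

    Returns a string beginning with ': ' that describes the finding.
    RFC 5280 requires Zulu time with seconds and no fractional seconds:
    UTCTime is YYMMDDHHMMSSZ (12 digits), GeneralizedTime is
    YYYYMMDDHHMMSSZ (14 digits).  When the tag is known the expected digit
    count is exact.  Without the tag a 12-digit run is ambiguous -- a
    correct UTCTime or a GeneralizedTime missing its seconds -- and is
    reported as UTCTime, as the original length-only check did.
    """
    if not tail.startswith(b'Z'):
        return (": invalid date per RFC 5280 because not in Greenwich "
                "Mean Time (Zulu) format")
    if fraction:
        return (": invalid date per RFC 5280 because fractional seconds "
                "are not permitted")
    n = len(date)
    if tag == TAG_GENERALIZEDTIME:
        if n == 14:
            return ": correct GeneralizedTime date length per RFC 5280"
        if n == 12:
            return ": invalid date length per RFC 5280 because seconds are omitted"
        return ": invalid GeneralizedTime date length per RFC 5280 (%d digits)" % n
    if tag == TAG_UTCTIME:
        if n == 12:
            return ": correct UTCTime date length per RFC 5280"
        if n == 10:
            return ": invalid date length per RFC 5280 because seconds are omitted"
        return ": invalid UTCTime date length per RFC 5280 (%d digits)" % n
    # Tag unknown: fall back to the length-only heuristic.
    if n < 12:
        return ": invalid date length per RFC 5280 because seconds are omitted"
    if n == 14:
        return ": correct GeneralizedTime date length per RFC 5280"
    if n == 12:
        return ": correct UTCTime date length per RFC 5280"
    return ": unexpected date length (%d digits), neither UTCTime nor GeneralizedTime" % n


def scan_certificate(cert_binary):
    """Find every time-like string in one DER-encoded certificate.

    Returns a list of (text, note) pairs in order of appearance: text is
    the matched string decoded as ASCII (e.g. '200101120000Z'), note is
    the classify_date() result.  This is a byte-pattern scan of the DER,
    not an ASN.1 parse, so a digit run elsewhere in the certificate can
    match as well; such a match carries no tag and gets the length-only
    heuristic.
    """
    findings = []
    for m in DER_TIME_RE.finditer(cert_binary):
        date, fraction, tail = m.group(1), m.group(2) or b'', m.group(3)
        tag = der_time_tag(cert_binary, m.start(), m.end())
        text = (date + fraction + tail).decode('ascii')
        findings.append((text, classify_date(date, tail, fraction, tag)))
    return findings


def pem_certificates(data):
    """Yield the DER bytes of every PEM certificate block in data (bytes)."""
    for b64 in PEM_CERT_RE.findall(data):
        yield base64.b64decode(b''.join(b64.splitlines()))


def report_file(fn):
    """Print the findings for each certificate found in the file fn.

    Raises IOError/OSError if the file cannot be read.
    """
    print("=== %s ===" % fn)
    # Binary mode: PEM is ASCII, and the rest of an .ovpn profile need not
    # be valid in the locale's text encoding.
    with open(fn, 'rb') as f:
        data = f.read()
    for i, cert_binary in enumerate(pem_certificates(data), 1):
        print("Certificate #%d" % i)
        for text, note in scan_certificate(cert_binary):
            print("  %s %s" % (text, note))


def main(argv=None):
    """Entry point: report on every file named on the command line.

    Exits with the usage text on stderr (status 1) when no file is given.
    """
    argv = sys.argv if argv is None else argv
    if len(argv) <= 1:
        sys.exit(USAGE)
    for fn in argv[1:]:
        report_file(fn)


if __name__ == "__main__":
    main()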
o.k.