| #!/usr/bin/python | |
| # This Python 2 script analyzes an X509 certificate or | |
| # OpenVPN config file (with inline certs) and reports | |
| # if the embedded date lengths are valid per RFC 5280 | |
| # ( https://tools.ietf.org/html/rfc5280#section-4.1.2.5 ). | |
| # Specifically, it looks for the case where the seconds | |
| # field is omitted from the dates or where Zulu time | |
| # is not used. RFC 5280 explicitly demands the use of | |
| # seconds for certificates and CRLs, and requires that | |
| # dates be specified in GMT (Zulu time) with a trailing | |
| # 'Z' character. | |
| import sys, re, base64 | |
| if len(sys.argv) <= 1: | |
| raise ValueError("usage: certdate <cert-in-PEM-format-or-ovpn-profile> ...") | |
| for fn in sys.argv[1:]: | |
| print "===", fn, "===" | |
| cert_txt = open(fn).read() | |
| for i, cert in enumerate(re.findall(r"^-+BEGIN CERTIFICATE-+\s*$(.*?)^-+END CERTIFICATE-+\s*$", cert_txt, re.DOTALL|re.MULTILINE)): | |
| cert_binary = base64.b64decode(''.join(cert.splitlines())) | |
| print "Certificate #%d" % (i+1,) | |
| for date, tail in re.findall(r"(\d{10,})(Z|\+\d{4})", cert_binary): | |
| note = "" | |
| if tail.startswith('+'): | |
| note = ": invalid date per RFC 5280 because not in Greenwich Mean Time (Zulu) format" | |
| elif len(date) < 12: | |
| note = ": invalid date length per RFC 5280 because seconds are omitted" | |
| elif len(date) == 14: | |
| note = ": correct GeneralizedTime date length per RFC 5280" | |
| elif len(date) == 12: | |
| note = ": correct UTCTime date length per RFC 5280" | |
| print ' ', date+tail, note |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment