
Python 2 script to check X509 certificate for incorrectly formatted validity dates
# This script analyzes an X509 certificate or OpenVPN config file
# (with inline certs) and reports whether the embedded validity
# dates are encoded as RFC 5280 section 4.1.2.5 requires
# (https://www.rfc-editor.org/rfc/rfc5280#section-4.1.2.5).
# Specifically, it looks for the case where the seconds field is
# omitted from the dates or where Zulu time is not used. RFC 5280
# requires that UTCTime and GeneralizedTime values in certificates
# and CRLs include seconds, that they be expressed in Greenwich Mean
# Time (Zulu) with a trailing 'Z', and that GeneralizedTime carry
# no fractional seconds. Stricter TLS stacks may refuse to load a
# certificate whose dates break these rules even though it is
# otherwise valid, which is why this is worth checking.
from __future__ import print_function

import base64
import re
import sys
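# ASN.1 universal tags for the two time types RFC 5280 permits in Validity.
TAG_UTCTIME = 0x17          # content: YYMMDDHHMMSSZ
TAG_GENERALIZEDTIME = 0x18  # content: YYYYMMDDHHMMSSZ

# PEM armour of a certificate; group 1 is the base64 body between the markers.
# A bytes pattern lets the input be read in binary mode, so arbitrary .ovpn
# contents outside the certificate blocks never go through text decoding.
PEM_CERT_RE = re.compile(
    br"^-+BEGIN CERTIFICATE-+\s*$(.*?)^-+END CERTIFICATE-+\s*$",
    re.DOTALL | re.MULTILINE)


def _read_length(der, pos):
    """Decode the DER length octets starting at der[pos].

    Returns (length, position_of_first_content_byte), or None when the
    encoding is not valid DER: indefinite form (0x80), more than four
    length octets, or truncated input.
    """
    if pos >= len(der):
        return None
    first = ord(der[pos:pos + 1])
    pos += 1
    if first < 0x80:
        return first, pos  # short form: the octet itself is the length
    nbytes = first & 0x7F
    # 0x80 is BER's indefinite form, which DER forbids; more than four
    # length octets cannot occur in a certificate and signals corrupt input.
    if nbytes == 0 or nbytes > 4 or pos + nbytes > len(der):
        return None
    length = 0
    for octet in bytearray(der[pos:pos + nbytes]):
        length = (length << 8) | octet
    return length, pos + nbytes


def _walk(der, pos, end, found):
    """Append (tag, content) of every UTCTime/GeneralizedTime in der[pos:end].

    Descends into constructed elements (tag bit 0x20: SEQUENCE, SET,
    explicit [n] tags) but not into OCTET STRING / BIT STRING payloads, so
    times nested inside extension values are not visited. Returns False and
    stops at the first malformed element; whatever was collected before that
    point stays in *found*.
    """
    while pos < end:
        tag = ord(der[pos:pos + 1])
        if (tag & 0x1F) == 0x1F:
            return False  # multi-octet tag number: never used in X.509
        decoded = _read_length(der, pos + 1)
        if decoded is None:
            return False
        length, value_pos = decoded
        value_end = value_pos + length
        if value_end > end:
            return False  # element overruns its container: truncated/corrupt
        if tag & 0x20:
            if not _walk(der, value_pos, value_end, found):
                return False
        elif tag in (TAG_UTCTIME, TAG_GENERALIZEDTIME):
            found.append((tag, der[value_pos:value_end]))
        pos = value_end
    return True


def find_der_times(der):
    """Return [(tag, content_bytes), ...] for each time element in a DER blob.

    Locating times by ASN.1 tag avoids the false positives of scanning raw
    DER for digit runs, which can also match a serial number or key material
    that happens to consist of ASCII digits. Malformed input yields whatever
    was found before the first bad element (possibly an empty list).
    """
    found = []
    _walk(der, 0, len(der), found)
    return found


def check_time(tag, value):
    """Judge one DER time value against RFC 5280 section 4.1.2.5.

    tag   -- TAG_UTCTIME or TAG_GENERALIZEDTIME
    value -- the raw content octets of the element

    Returns (text, verdict): the value as printable text and a one-line
    explanation. Rules checked: seconds MUST be present, the time MUST be
    GMT with a trailing 'Z', GeneralizedTime MUST NOT carry fractional
    seconds, and certificate validity dates before 2050 MUST be encoded as
    UTCTime rather than GeneralizedTime.
    """
    is_utc = tag == TAG_UTCTIME
    kind = "UTCTime" if is_utc else "GeneralizedTime"
    want_digits = 12 if is_utc else 14  # YYMMDDHHMMSS / YYYYMMDDHHMMSS
    text = value.decode("ascii", "replace")
    ndigits = len(re.match(r"[0-9]*", text).group(0))
    suffix = text[ndigits:]
    problems = []
    if suffix != "Z":
        if suffix.startswith(("+", "-")):
            problems.append("not in Greenwich Mean Time (Zulu) format")
        elif suffix.startswith("."):
            problems.append("fractional seconds are not allowed")
        else:
            problems.append("missing trailing 'Z'")
    if ndigits == want_digits - 2:
        problems.append("seconds are omitted")
    elif ndigits != want_digits:
        problems.append("unexpected digit count %d" % ndigits)
    # The year rule governs which type a CA must choose for validity dates;
    # it applies here because the walker does not visit extension payloads.
    if not is_utc and ndigits >= 4 and int(text[:4]) < 2050:
        problems.append("year before 2050 must use UTCTime")
    if problems:
        return text, "invalid %s per RFC 5280: %s" % (kind, "; ".join(problems))
    return text, "correct %s format per RFC 5280" % kind


def report_file(fn):
    """Print a verdict for every time element of every PEM certificate in *fn*."""
    print("===", fn, "===")
    # Binary mode: an .ovpn profile may carry non-UTF-8 bytes outside the
    # certificate blocks, which would make a text-mode read raise.
    with open(fn, "rb") as handle:
        data = handle.read()
    bodies = PEM_CERT_RE.findall(data)
    if not bodies:
        print("  no PEM CERTIFICATE blocks found")
    for index, body in enumerate(bodies, 1):
        print("Certificate #%d" % index)
        try:
            der = base64.b64decode(b"".join(body.splitlines()))
        except (TypeError, ValueError) as exc:  # py2 TypeError, py3 binascii.Error
            # A truncated or mangled block should not abort the other files.
            print("  cannot base64-decode certificate body: %s" % exc)
            continue
        times = find_der_times(der)
        if not times:
            print("  no UTCTime/GeneralizedTime elements found (not a DER certificate?)")
        for tag, value in times:
            text, verdict = check_time(tag, value)
            print(" ", text, verdict)


def main(argv):
    """Entry point: argv[1:] are PEM certificate files or OpenVPN profiles."""
    if len(argv) <= 1:
        raise ValueError("usage: certdate <cert-in-PEM-format-or-ovpn-profile> ...")
    for fn in argv[1:]:
        report_file(fn)


if __name__ == "__main__":
    main(sys.argv)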
