Python 2 script to check X509 certificate for incorrectly formatted validity dates
# This Python 2 script analyzes an X509 certificate or
# OpenVPN config file (with inline certs) and reports
# if the embedded date lengths are valid per RFC 5280
# (https://www.rfc-editor.org/rfc/rfc5280).
# Specifically, it looks for the case where the seconds
# field is omitted from the dates or where Zulu time
# is not used. RFC 5280 explicitly demands the use of
# seconds for certificates and CRLs, and requires that
# dates be specified in GMT (Zulu time) with a trailing
# 'Z' character.
import sys, re, base64
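# Command-line driver: every argument is a PEM certificate file or an OpenVPN
# profile with inline certificates.  Each certificate found is base64-decoded
# and its raw DER bytes are searched for ASN.1 time strings.
#
# NOTE: this is a byte-pattern heuristic, not an ASN.1 parser.  The whole
# certificate is scanned, so any run of 10+ ASCII digits followed by 'Z' or a
# UTC offset is listed, including date-like strings that sit outside the
# Validity field.  Nothing here verifies signatures or trust chains; treat the
# output as a formatting lint only.
#
# The statements below use only syntax that Python 2.6+ and Python 3 both
# accept (single-argument print calls, a bytes regex).
if len(sys.argv) <= 1:
    raise ValueError("usage: certdate <cert-in-PEM-format-or-ovpn-profile> ...")

for fn in sys.argv[1:]:
    print("=== %s ===" % (fn,))
    # Read through a context manager so the handle is closed before the next
    # file is opened, instead of waiting for garbage collection.
    with open(fn) as cert_file:
        cert_txt = cert_file.read()

    # Capture the base64 payload between each BEGIN/END CERTIFICATE armor pair.
    pem_bodies = re.findall(
        r"^-+BEGIN CERTIFICATE-+\s*$(.*?)^-+END CERTIFICATE-+\s*$",
        cert_txt,
        re.DOTALL | re.MULTILINE,
    )
    for i, cert in enumerate(pem_bodies):
        cert_binary = base64.b64decode(''.join(cert.splitlines()))
        print("Certificate #%d" % (i + 1,))
        # ASN.1 time strings end in 'Z' or in a local-time differential of
        # either sign (+hhmm / -hhmm).  Matching only '+' would let a
        # certificate with a negative offset go unreported.
        for date, tail in re.findall(br"(\d{10,})(Z|[+-]\d{4})", cert_binary):
            date = date.decode('ascii')
            tail = tail.decode('ascii')
            note = ""
            if tail[0] in '+-':
                note = ": invalid date per RFC 5280 because not in Greenwich Mean Time (Zulu) format"
            elif len(date) < 12:
                # 10 or 11 digits: too short to carry a seconds field.
                note = ": invalid date length per RFC 5280 because seconds are omitted"
            elif len(date) == 14:
                note = ": correct GeneralizedTime date length per RFC 5280"
            elif len(date) == 12:
                note = ": correct UTCTime date length per RFC 5280"
            # Any other digit count (13, or more than 14) is listed without a
            # verdict; it is most likely not a time value at all.
            print("  %s %s" % (date + tail, note))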

