jamesyonan/certdate.py

## certdate.py
#!/usr/bin/python
# This Python 2 script analyzes an X509 certificate or
# OpenVPN config file (with inline certs) and reports
# if the embedded date lengths are valid per RFC 5280
# ( https://tools.ietf.org/html/rfc5280#section-4.1.2.5 ).
# Specifically, it looks for the case where the seconds
# field is omitted from the dates or where Zulu time
# is not used.  RFC 5280 explicitly demands the use of
# seconds for certificates and CRLs, and requires that
# dates be specified in GMT (Zulu time) with a trailing
# 'Z' character.
import sys, re, base64
if len(sys.argv) <= 1:
    raise ValueError("usage: certdate <cert-in-PEM-format-or-ovpn-profile> ...")
for fn in sys.argv[1:]:
    print "===", fn, "==="
    cert_txt = open(fn).read()
    for i, cert in enumerate(re.findall(r"^-+BEGIN CERTIFICATE-+\s*$(.*?)^-+END CERTIFICATE-+\s*$", cert_txt, re.DOTALL|re.MULTILINE)):
        cert_binary = base64.b64decode(''.join(cert.splitlines()))
        print "Certificate #%d" % (i+1,)
        for date, tail in re.findall(r"(\d{10,})(Z|\+\d{4})", cert_binary):
            note = ""
            if tail.startswith('+'):
                note = ": invalid date per RFC 5280 because not in Greenwich Mean Time (Zulu) format"
            elif len(date) < 12:
                note = ": invalid date length per RFC 5280 because seconds are omitted"
            elif len(date) == 14:
                note = ": correct GeneralizedTime date length per RFC 5280"
            elif len(date) == 12:
                note = ": correct UTCTime date length per RFC 5280"
            print ' ', date+tail, note
	#!/usr/bin/python
	# This Python 2 script analyzes an X509 certificate or
	# OpenVPN config file (with inline certs) and reports
	# if the embedded date lengths are valid per RFC 5280
	# ( https://tools.ietf.org/html/rfc5280#section-4.1.2.5 ).
	# Specifically, it looks for the case where the seconds
	# field is omitted from the dates or where Zulu time
	# is not used. RFC 5280 explicitly demands the use of
	# seconds for certificates and CRLs, and requires that
	# dates be specified in GMT (Zulu time) with a trailing
	# 'Z' character.
	import sys, re, base64
	if len(sys.argv) <= 1:
	raise ValueError("usage: certdate <cert-in-PEM-format-or-ovpn-profile> ...")
	for fn in sys.argv[1:]:
	print "===", fn, "==="
	cert_txt = open(fn).read()
	for i, cert in enumerate(re.findall(r"^-+BEGIN CERTIFICATE-+\s$(.?)^-+END CERTIFICATE-+\s*$", cert_txt, re.DOTALL\|re.MULTILINE)):
	cert_binary = base64.b64decode(''.join(cert.splitlines()))
	print "Certificate #%d" % (i+1,)
	for date, tail in re.findall(r"(\d{10,})(Z\|\+\d{4})", cert_binary):
	note = ""
	if tail.startswith('+'):
	note = ": invalid date per RFC 5280 because not in Greenwich Mean Time (Zulu) format"
	elif len(date) < 12:
	note = ": invalid date length per RFC 5280 because seconds are omitted"
	elif len(date) == 14:
	note = ": correct GeneralizedTime date length per RFC 5280"
	elif len(date) == 12:
	note = ": correct UTCTime date length per RFC 5280"
	print ' ', date+tail, note