Create a gist now

Instantly share code, notes, and snippets.

Python 2 script to check X509 certificate for incorrectly formatted validity dates
# This Python 2 script analyzes an X509 certificate or
# OpenVPN config file (with inline certs) and reports
# if the embedded date lengths are valid per RFC 5280
# ( ).
# Specifically, it looks for the case where the seconds
# field is omitted from the dates or where Zulu time
# is not used. RFC 5280 explicitly demands the use of
# seconds for certificates and CRLs, and requires that
# dates be specified in GMT (Zulu time) with a trailing
# 'Z' character.
import sys, re, base64
if len(sys.argv) <= 1:
raise ValueError("usage: certdate <cert-in-PEM-format-or-ovpn-profile> ...")
for fn in sys.argv[1:]:
print "===", fn, "==="
cert_txt = open(fn).read()
for i, cert in enumerate(re.findall(r"^-+BEGIN CERTIFICATE-+\s*$(.*?)^-+END CERTIFICATE-+\s*$", cert_txt, re.DOTALL|re.MULTILINE)):
cert_binary = base64.b64decode(''.join(cert.splitlines()))
print "Certificate #%d" % (i+1,)
for date, tail in re.findall(r"(\d{10,})(Z|\+\d{4})", cert_binary):
note = ""
if tail.startswith('+'):
note = ": invalid date per RFC 5280 because not in Greenwich Mean Time (Zulu) format"
elif len(date) < 12:
note = ": invalid date length per RFC 5280 because seconds are omitted"
elif len(date) == 14:
note = ": correct GeneralizedTime date length per RFC 5280"
elif len(date) == 12:
note = ": correct UTCTime date length per RFC 5280"
print ' ', date+tail, note
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment