Python 2 script to check an X.509 certificate (or an OpenVPN profile with inline certificates) for validity dates that are not encoded as RFC 5280 §4.1.2.5 requires
#!/usr/bin/python
# This script analyzes an X.509 certificate in PEM format, or an
# OpenVPN config file with inline certificates, and reports whether
# the encoded dates conform to RFC 5280 section 4.1.2.5
# ( https://tools.ietf.org/html/rfc5280#section-4.1.2.5 ).
# Specifically, it looks for dates that omit the seconds field or
# that are not expressed in Zulu time. RFC 5280 requires that the
# UTCTime and GeneralizedTime values in certificates and CRLs
# include seconds and be expressed in GMT (Zulu time) with a
# trailing 'Z' rather than a local-time offset.
# Note: the check is a pattern scan over the decoded DER, not a
# full ASN.1 parse, so it cannot tell which field a date came from.
import base64
import re
import sys
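# ASN.1 universal tag numbers of the two time types RFC 5280 allows.
TAG_UTCTIME = 0x17
TAG_GENERALIZEDTIME = 0x18

# One PEM "CERTIFICATE" block; group 1 is the base64 body with arbitrary
# line breaks (as found in .ovpn <ca>/<cert> sections).
_PEM_CERT_RE = re.compile(
    br"^-+BEGIN CERTIFICATE-+\s*$(.*?)^-+END CERTIFICATE-+\s*$",
    re.DOTALL | re.MULTILINE)
# Candidate positions of a UTCTime / GeneralizedTime tag byte in the DER.
_TIME_TAG_RE = re.compile(br"[\x17\x18]")
# The only characters that can appear in either time type; the shortest
# value worth classifying is a seconds-less UTCTime "YYMMDDHHMMZ" (11).
_TIME_CHARSET_RE = re.compile(br"\A[0-9Z+.\-]{11,}\Z")
# Digits, optional fractional seconds, then 'Z' or a +hhmm / -hhmm offset.
_TIME_VALUE_RE = re.compile(br"\A([0-9]{10,})(\.[0-9]+)?(Z|[+-][0-9]{4})\Z")


def extract_certificates(text):
    """Return the DER bytes of every PEM ``CERTIFICATE`` block in ``text``.

    ``text`` is the raw file content (bytes; a str is UTF-8 encoded first).
    Raises binascii.Error / TypeError (Python 3 / Python 2) if a block's
    base64 body is malformed.
    """
    if not isinstance(text, bytes):
        text = text.encode("utf-8")
    ders = []
    for body in _PEM_CERT_RE.findall(text):
        # Strip all whitespace, not just line breaks, before decoding.
        ders.append(base64.b64decode(b"".join(body.split())))
    return ders


def iter_time_fields(der):
    """Yield ``(tag, value)`` for each UTCTime (0x17) / GeneralizedTime (0x18) TLV in ``der``.

    This is a linear scan of the raw DER rather than an ASN.1 parse: every
    0x17/0x18 byte is a candidate tag, the following byte is read as a
    short-form length, and the candidate is kept only when exactly that many
    bytes follow and all of them belong to the time-string alphabet. A stray
    tag byte inside a key or signature is therefore very unlikely to produce
    a false hit, but the scan does not know which field (Validity, an
    extension, ...) a hit belongs to. ``value`` is the raw time string.
    """
    pos = 0
    while True:
        m = _TIME_TAG_RE.search(der, pos)
        if m is None:
            return
        pos = m.end()
        length_byte = der[pos:pos + 1]
        if not length_byte:
            return
        length = ord(length_byte)
        if length >= 0x80:
            # Long-form length: a time string is never that long, so this is
            # not a time TLV.
            continue
        value = der[pos + 1:pos + 1 + length]
        if len(value) != length or _TIME_CHARSET_RE.match(value) is None:
            continue
        yield ord(m.group(0)), value


def classify_time(tag, value):
    """Return a note saying whether one encoded time conforms to RFC 5280 4.1.2.5.

    ``tag`` is TAG_UTCTIME or TAG_GENERALIZEDTIME; ``value`` is the raw
    time string (bytes). Notes start with ": " so they can be appended to
    the printed date, and always explain the verdict.
    """
    kind = "UTCTime" if tag == TAG_UTCTIME else "GeneralizedTime"
    m = _TIME_VALUE_RE.match(value)
    if m is None:
        return ": malformed %s value (not digits followed by 'Z' or a +hhmm/-hhmm offset)" % kind
    digits, fraction, tail = m.groups()
    if tail != b"Z":
        # Both '+hhmm' and '-hhmm' local offsets are forbidden; RFC 5280
        # requires GMT with a trailing 'Z'.
        return ": invalid date per RFC 5280 because not in Greenwich Mean Time (Zulu) format"
    if fraction:
        return ": invalid date per RFC 5280 because fractional seconds are not permitted"
    # UTCTime is YYMMDDHHMMSS (12 digits), GeneralizedTime YYYYMMDDHHMMSS (14).
    expected = 12 if tag == TAG_UTCTIME else 14
    n = len(digits)
    if n == expected - 2:
        return ": invalid date length per RFC 5280 because seconds are omitted"
    if n != expected:
        return ": invalid %s date length per RFC 5280 (%d digits, expected %d)" % (kind, n, expected)
    if tag == TAG_GENERALIZEDTIME and int(digits[:4]) < 2050:
        # RFC 5280 4.1.2.5: validity dates through 2049 MUST be UTCTime.
        return ": GeneralizedTime used for a year before 2050; RFC 5280 requires UTCTime for validity dates through 2049"
    return ": correct %s date length per RFC 5280" % kind


def check_pem(text):
    """Return, per certificate in ``text``, a list of ``(time_string, note)`` pairs.

    ``text`` is the raw content of a PEM file or OpenVPN profile (bytes).
    The outer list has one entry per PEM certificate block, in file order;
    a block with no recognizable time fields yields an empty inner list.
    """
    results = []
    for der in extract_certificates(text):
        results.append([(value.decode("ascii"), classify_time(tag, value))
                        for tag, value in iter_time_fields(der)])
    return results


def main(argv):
    """Print the date check for every file named in ``argv``.

    Raises ValueError with a usage message when no files are given.
    """
    if not argv:
        raise ValueError("usage: certdate <cert-in-PEM-format-or-ovpn-profile> ...")
    out = sys.stdout
    for fn in argv:
        out.write("=== %s ===\n" % fn)
        # Binary mode: the decoded DER is bytes, so the whole pipeline is bytes.
        with open(fn, "rb") as fh:
            text = fh.read()
        certs = check_pem(text)
        if not certs:
            out.write("  (no PEM certificate blocks found)\n")
        for index, dates in enumerate(certs, 1):
            out.write("Certificate #%d\n" % index)
            for time_str, note in dates:
                out.write("  %s %s\n" % (time_str, note))


if __name__ == "__main__":
    main(sys.argv[1:])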