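#!/usr/bin/env bash
# chain_collector.sh [domain] [port]
#
# Connects to domain:port (with SNI), collects the certificate chain the
# server presents, saves each certificate as
#   <script dir>/<domain>_<port>/<CN>.<index>.pem     (index 0 = leaf)
# and prints a per-certificate summary to stdout: CN, days until expiry,
# signature algorithm, issuer, and whether the NEXT certificate the server
# sent signs this one. Any existing <domain>_<port> directory is replaced.
#
# What this does NOT do: it never consults a trust store. "Parent Valid? OK"
# only means "the next certificate in the server's chain signs this one"; the
# last certificate is simply the last one the server sent and need not be a
# trusted root. To check trust, run e.g.
#   openssl verify -CAfile <trusted roots> -untrusted <intermediates> <leaf>
#
# Requires: bash 4+, OpenSSL >= 1.0.2 (verify -partial_chain), GNU date (-d).
#
# Differences from the original gist: `SERVER= $1:$2` (empty variable, the
# argument was run as a command), `if` where `fi` was meant (the script did
# not parse), predictable $$-based /tmp name and tmpcert.*.pem scratch files
# in the CWD, `openssl verify` without -partial_chain (fails on every
# intermediate link), CN parsing that only matched the old "CN=" spelling,
# and unsanitised arguments / CNs reaching `rm -rf` and `cp` paths.
set -euo pipefail
# Byte-wise character classes (CN filter below) and English month names for
# `date -d`, regardless of the caller's locale.
export LC_ALL=C

usage() {
  echo "USAGE: chain_collector.sh [domain] [port]" >&2
  exit 1
}

die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Directory holding the real script, with symlinks to it resolved, so the
# output directory lands next to the script rather than next to a link.
# Outputs: absolute path on stdout.
#######################################
script_dir() {
  local src=${BASH_SOURCE[0]} dir
  while [[ -h "$src" ]]; do
    dir=$(cd -P "$(dirname "$src")" && pwd)
    src=$(readlink "$src")
    # A relative link target is relative to the directory holding the link.
    [[ $src == /* ]] || src="$dir/$src"
  done
  cd -P "$(dirname "$src")" && pwd
}

#######################################
# Subject CN of a PEM certificate, or nothing if the subject has no CN.
# sep_multiline prints one RDN per line as "CN=value" (some builds print
# "CN = value"), which is easier to pick apart than the one-line form.
# Arguments: $1 - PEM file
#######################################
cert_cn() {
  local subject
  subject=$(openssl x509 -noout -subject -nameopt sep_multiline -in "$1")
  sed -n '/^[[:space:]]*CN[[:space:]]*=/{s///;s/^[[:space:]]*//;p;q;}' <<<"$subject"
}

#######################################
# Whole days from now until the certificate's notAfter (negative once it
# has expired; truncated toward zero, as the original bc division did).
# Prints "?" if this `date` cannot parse the timestamp (non-GNU date).
# Arguments: $1 - PEM file
#######################################
days_until_expiry() {
  local not_after end_ts now_ts
  not_after=$(openssl x509 -noout -enddate -in "$1")
  not_after=${not_after#notAfter=}
  if ! end_ts=$(date -d "$not_after" +%s 2>/dev/null); then
    echo "?"
    return 0
  fi
  now_ts=$(date +%s)
  echo $(( (end_ts - now_ts) / 86400 ))
}

#######################################
# Entry point.
# Arguments: $1 - hostname (used for SNI and the TCP connection)
#            $2 - TCP port (1-65535)
# Globals:   WORK_DIR (written; scratch directory removed by the EXIT trap)
# Outputs:   summary on stdout, diagnostics on stderr; PEM files under
#            <script dir>/<domain>_<port>/
# Returns:   exits 1 on usage error, bad arguments, connection failure or an
#            empty chain
#######################################
main() {
  [[ $# -eq 2 ]] || usage
  local domain=$1 port=$2

  # Both arguments become part of a path that is rm -rf'ed below and are
  # passed to openssl as option values, so restrict them to hostname/port
  # characters: no '/', no leading '-' or '.', no whitespace, no colons.
  [[ $domain =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]] \
    || die "invalid domain '$domain' (hostname characters only)"
  if ! [[ $port =~ ^[0-9]{1,5}$ ]] || (( 10#$port < 1 || 10#$port > 65535 )); then
    die "invalid port '$port' (1-65535)"
  fi

  local dir out_dir
  dir=$(script_dir)
  echo "WORKING DIR OF SCRIPT: ${dir}"
  out_dir="${dir}/${domain}_${port}"

  # Scratch space: unpredictable name, removed on every exit path. Kept
  # global (not local) so the EXIT trap can still see it after main returns.
  WORK_DIR=$(mktemp -d) || die "mktemp failed"
  trap 'rm -rf -- "$WORK_DIR"' EXIT

  # :? aborts instead of expanding to "/" should out_dir ever be empty.
  rm -rf -- "${out_dir:?}"
  mkdir -p -- "$out_dir"

  local raw="$WORK_DIR/s_client.out"
  # </dev/null ends the TLS session right after the handshake. s_client does
  # not verify the chain here; each link is checked individually below.
  openssl s_client -showcerts -servername "$domain" -connect "${domain}:${port}" \
    </dev/null >"$raw" 2>"$WORK_DIR/s_client.err" \
    || { cat "$WORK_DIR/s_client.err" >&2; die "could not connect to ${domain}:${port}"; }

  # Split the s_client transcript into one file per PEM block:
  # cert.1.pem (leaf) ... cert.N.pem (last certificate the server sent).
  local count
  count=$(awk -v dir="$WORK_DIR" '
    /-----BEGIN CERT/ { c++; f = dir "/cert." c ".pem"; inpem = 1 }
    inpem             { print > f }
    /-----END CERT/   { inpem = 0; close(f) }
    END               { print c + 0 }' "$raw")
  (( count > 0 )) || die "no certificates received from ${domain}:${port}"

  local i f cn safe_cn text sig_alg parent verdict
  for (( i = 1; i <= count; i++ )); do
    f="$WORK_DIR/cert.$i.pem"
    if ! openssl x509 -noout -in "$f" 2>/dev/null; then
      echo "WARNING: certificate $i did not parse, skipping" >&2
      continue
    fi
    echo "#############################"
    cn=$(cert_cn "$f")
    echo "CN: $cn"

    # The CN is chosen by the remote server. Keep only [A-Za-z0-9._-] so a
    # hostile value (e.g. "../../x") cannot name a file outside out_dir.
    safe_cn=${cn//[^A-Za-z0-9._-]/_}
    [[ -n "$safe_cn" ]] || safe_cn="no_cn"
    cp -- "$f" "$out_dir/${safe_cn}.$((i - 1)).pem"

    echo "Days until expiry: $(days_until_expiry "$f")"
    text=$(openssl x509 -noout -text -in "$f")
    # First "Signature Algorithm:" line is the one in the TBS certificate.
    sig_alg=$(sed -n '/Signature Algorithm:/{s/^[[:space:]]*//;p;q;}' <<<"$text")
    echo "$sig_alg"
    openssl x509 -noout -issuer -in "$f"

    if (( i < count )); then
      parent="$WORK_DIR/cert.$((i + 1)).pem"
      echo "Parent: $(cert_cn "$parent")"
      # -partial_chain lets an intermediate act as the anchor for this
      # one-link check; without it every non-root link reports "unable to get
      # local issuer certificate". This only proves "parent signed child" (plus
      # validity dates); it says nothing about whether the parent is trusted.
      if verdict=$(openssl verify -partial_chain -CAfile "$parent" "$f" 2>&1); then
        echo "Parent Valid? $verdict"
      else
        echo "Parent Valid? NO - $verdict"
      fi
    else
      echo "Parent Valid? none: last certificate the server sent (not necessarily a trusted root)"
    fi
    echo "#############################"
  done
}

main "$@"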