-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathotcli
executable file
·130 lines (125 loc) · 5.35 KB
/
otcli
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
#!/bin/bash
DIR=$(cd $(dirname $0); pwd -P)
source ${DIR}/config.sh
function usage {
echo "USAGE:"
echo "$(basename $0) show url port : Show content of certificatei from the given url"
echo "$(basename $0) dnl url port : Download the certificate chain from the given url"
echo "$(basename $0) chain url port : Display the certificate chain from the given url"
echo "$(basename $0) show cert : Show the content of a cert file"
echo "$(basename $0) rmpw key : Remove password from key file"
echo "$(basename $0) purpose cert : Show the content of a cert file"
echo "$(basename $0) verify ca_cert cert : Verify if certificate matches ca certificate"
echo "$(basename $0) info cert : Display the important information about the certificate"
echo "$(basename $0) hash cert : get hash of cert"
echo "$(basename $0) hashlink cert : create a hashlink to the cert"
echo "$(basename $0) fingerprint cert : get fingerprint of cert"
echo "$(basename $0) p12info p12 : get info/content about p12 file"
echo "$(basename $0) p12unpack p12 : get key and certs from p12 file"
echo "$(basename $0) cer2crt cer : convert a cer to crt"
echo "$(basename $0) check_revoc cert int_cert : check the revocation status of a cert"
echo "$(basename $0) help"
}
if [ "$1" == "help" -o $# -lt 1 ]; then
usage
fi
if [ "$1" == "show" -a "$2" != "" -a "$3" != "" ]; then
URL="$2"
PORT="$3"
${OPENSSL} s_client -showcerts -connect ${URL}:${PORT} </dev/null 2>/dev/null | ${OPENSSL} x509 -text
elif [ "$1" == "dnl" -a "$2" != "" -a "$3" != "" ]; then
URL="$2"
PORT="$3"
${OPENSSL} s_client -showcerts -connect ${URL}:${PORT} </dev/null 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
elif [ "$1" == "chain" -a "$2" != "" -a "$3" != "" ]; then
URL="$2"
PORT="$3"
${OPENSSL} s_client -showcerts -connect ${URL}:${PORT} </dev/null 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/!p'
elif [ "$1" == "show" -a "$2" != "" ]; then
CERT="$2"
${OPENSSL} x509 -noout -text -in "${CERT}" | less
elif [ "$1" == "rmpw" -a "$2" != "" ]; then
KEY="$2"
${OPENSSL} rsa -in ${KEY} -out ${KEY}.tmp
mv ${KEY}.tmp ${KEY}
elif [ "$1" == "purpose" -a "$2" != "" ]; then
CERT="$2"
${OPENSSL} x509 -noout -purpose -in "${CERT}" | less
elif [ "$1" == "info" -a "$2" != "" ]; then
CERT="$2"
while read line
do
if echo $line | grep "^Issuer:" 2>&1 >/dev/null; then
ISSUER=$(echo ${line} | sed -E 's/Issuer: (.*)/\1/')
fi
if echo $line | grep "^Subject:" 2>&1 >/dev/null; then
SUBJECT=$(echo ${line} | sed -E 's/Subject: (.*)/\1/')
fi
if echo $line | grep "^Not Before:" 2>&1 >/dev/null; then
FROM=$(echo ${line} | sed -E 's/Not Before: (.*)/\1/')
fi
if echo $line | grep "^Not After :" 2>&1 >/dev/null; then
TO=$(echo ${line} | sed -E 's/Not After : (.*)/\1/')
fi
done < <(${OPENSSL} x509 -noout -text -in "${CERT}" | sed -E 's,^[[:space:]]+,,')
printf "%-11s: %s\n" "Issuer" "${ISSUER}"
printf "%-11s: %s\n" "Subject" "${SUBJECT}"
if [ "${ISSUER}" == "${SUBJECT}" ]; then
printf "%-11s: %s\n" "Selfsigned" "Yes"
else
printf "%-11s: %s\n" "Selfsigned" "No"
fi
printf "%-11s: %s\n" "Valid from" "${FROM}"
printf "%-11s: %s\n" "Valid to" "${TO}"
elif [ "$1" == "verify" -a "$2" != "" -a "$3" != "" ]; then
CACERT="$2"
CERT="$3"
${OPENSSL} verify -CAfile "${CACERT}" "${CERT}"
elif [ "$1" == "hash" -a "$2" != "" ]; then
CERT="$2"
${OPENSSL} x509 -noout -hash -in "${CERT}"
elif [ "$1" == "hashlink" -a "$2" != "" ]; then
CERT="$2"
HASH=$(${OPENSSL} x509 -noout -hash -in "${CERT}")
ln -s "${CERT}" "${HASH}.0"
# on windows use mklink "${HASH}.0" "${CERT}"
elif [ "$1" == "fingerprint" -a "$2" != "" ]; then
CERT="$2"
${OPENSSL} x509 -noout -fingerprint -sha1 -in "${CERT}" | sed -e 's/\://g'
elif [ "$1" == "p12info" -a "$2" != "" ]; then
P12="$2"
${OPENSSL} pkcs12 -info -in ${P12}
elif [ "$1" == "p12unpack" -a "$2" != "" ]; then
P12="$2"
CERT=${P12%.*}
${OPENSSL} pkcs12 -in ${P12} -nocerts -out ${CERT}.key.pem
${OPENSSL} pkcs12 -in ${P12} -nokeys -out ${CERT}.crt.pem
elif [ "$1" == "cer2crt" ]; then
CER="$2"
CERT=${CER%.*}
${OPENSSL} x509 -inform DER -in ${CER} -out ${CERT}.crt
elif [ "$1" == "check_revoc" ]; then
echo "Checking OCSP"
echo "-------------"
CERT="$2"
INT_CERT="$3"
OCSP_URI=$(${OPENSSL} x509 -in ${CERT} -noout -ocsp_uri)
echo "ocsp_uri: ${OCSP_URI}"
${OPENSSL} ocsp -no_nonce -issuer ${INT_CERT} -cert ${CERT} -url ${OCSP_URI} -VAfile ${INT_CERT}
echo ""
echo "Checking CRL"
echo "------------"
CRL=$(${OPENSSL} x509 -in ${CERT} -noout -text | grep crl | xargs | sed -E 's,^URI:,,')
SERIAL=$(${OPENSSL} x509 -in ${CERT} -noout -serial | cut -d'=' -f2)
echo "crl: ${CRL}"
echo "serial: ${SERIAL}"
CRL_FILE=$(mktemp)
curl -s ${CRL} --output ${CRL_FILE}
${OPENSSL} crl -inform DER -text -in ${CRL_FILE} | grep ${SERIAL} 2>&1 >/dev/null
if [ $? -eq 0 ]; then
echo "Certificate with serial '${SERIAL}' FOUND in revocation list"
else
echo "Certificate with serial '${SERIAL}' is NOT in revocation list"
fi
rm -f ${CRL_FILE}
fi