authorMax Rees <maxcrees@me.com>2020-06-02 18:50:54 -0500
committerMax Rees <maxcrees@me.com>2020-06-02 19:20:34 -0500
commit8608030429e674ac33afc4c85fb80bba6d68bd91 (patch)
treec79ddccbe97beb73515750eabc92941f7e42cfe0
parent4023193aac8706830d99720de6628cc0d8eabd84 (diff)
Add machinery to detect expired certificates
-rw-r--r--blacklist.txt8
-rw-r--r--certdata2pem.py36
2 files changed, 39 insertions, 5 deletions
diff --git a/blacklist.txt b/blacklist.txt
index 6ddc6b9..9c0b4fd 100644
--- a/blacklist.txt
+++ b/blacklist.txt
@@ -36,3 +36,11 @@
"VeriSign Class 3 Public Primary Certification Authority - G4"
"VeriSign Class 3 Public Primary Certification Authority - G5"
"VeriSign Universal Root Certification Authority"
+
+# Expired certificates
+# Not Valid Before: Tue May 30 10:48:38 2000
+# Not Valid After : Sat May 30 10:48:38 2020
+"AddTrust External Root"
+# Not Valid Before: Wed Mar 26 11:18:17 2008
+# Not Valid After : Wed Mar 25 11:03:10 2020
+"Staat der Nederlanden Root CA - G2"
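Review bot: These two entries key on the bare CKA_LABEL, which is all the script matches on (`obj['CKA_LABEL'] in blacklist`), so they exclude every future object published under that name rather than the one expired certificate, and a reissued root with the same label would be dropped silently. Since the new expiry check in certdata2pem.py already refuses an expired root, the entries only serve to silence its warning; they should carry a note to that effect so nobody keeps them forever. Suggested comment above the block: `# Listed only to silence the expiry warning; drop each entry once NSS removes the root, since the label match would also hide a reissued root of the same name.`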
diff --git a/certdata2pem.py b/certdata2pem.py
index 0b02b2a..5af0def 100644
--- a/certdata2pem.py
+++ b/certdata2pem.py
@@ -21,11 +21,17 @@
# USA.
import base64
+import datetime
+import io
import os.path
+import pathlib
import re
import sys
import textwrap
-import io
+
+DATE_FMT = "%a %b %d %H:%M:%S %Y"
+VERSION = pathlib.Path(__file__).parent / "VERSION"
+VERSION = datetime.datetime.strptime(VERSION.read_text().strip(), "%Y%m%d")
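Review bot: The two new constants need a comment stating what the expiry check treats as "now": `VERSION` is parsed as a naive midnight timestamp from the YYYYMMDD file, and the `DATE_FMT` timestamps from certdata.txt are likewise parsed naive, so the later comparison is only meaningful because both are taken as the same (presumably UTC) scale. Using the bundle's VERSION instead of the wall clock is, I assume, deliberate so that a rebuild of the same version gives the same output; say so, e.g. `# The bundle date stands in for "now" so the expiry check is reproducible; both it and the certdata.txt dates are naive and compared as-is.` Rebinding `VERSION` from a `Path` to a `datetime` on consecutive lines also reads oddly; `VERSION_FILE = pathlib.Path(__file__).parent / "VERSION"` keeps the two meanings apart. Note that a missing or malformed VERSION file now aborts the script at import time, which is the right failure mode but worth knowing.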
objects = []
@@ -43,9 +49,6 @@ for line in io.open('certdata.txt', 'rt', encoding='utf8'):
if line.startswith('BEGINDATA'):
in_data = True
continue
- # Ignore comment lines.
- if line.startswith('#'):
- continue
# Empty lines are significant if we are inside an object.
if in_obj and len(line.strip()) == 0:
objects.append(obj)
@@ -54,6 +57,17 @@ for line in io.open('certdata.txt', 'rt', encoding='utf8'):
continue
if len(line.strip()) == 0:
continue
+ if line.startswith("# Not Valid Before: "):
+ line = line.replace("# Not Valid Before: ", "", 1).strip()
+ obj["before"] = datetime.datetime.strptime(line, DATE_FMT)
+ continue
+ if line.startswith("# Not Valid After : "):
+ line = line.replace("# Not Valid After : ", "", 1).strip()
+ obj["after"] = datetime.datetime.strptime(line, DATE_FMT)
+ continue
+ # Ignore comment lines.
+ if line.startswith('#'):
+ continue
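Review bot: The parsed dates are written into `obj` before any `CKA_` line of that object has been read, so they belong to whichever object follows the comment block; that works only because `obj` is replaced on the blank line after each object (L63-L64) and because certdata.txt repeats the validity lines in front of the trust object as well as the certificate object, which this hunk should document rather than assume silently. Suggested comment above the first check: `# certdata.txt prints the validity window as comments ahead of each object; stash it on the dict so the trust object carries its own dates.` A date that does not match `DATE_FMT` raises a bare ValueError from strptime, which stops the run (correct, fail closed) but names only the string; wrapping it as `raise SystemExit("certdata.txt: unparseable validity date %r" % line)` would point at the offending entry. The enclosing `for line in io.open(...)` loop begins and ends outside this hunk.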
if in_multiline:
if not line.startswith('END'):
if type == 'MULTILINE_OCTAL':
@@ -97,13 +111,23 @@ if os.path.exists('blacklist.txt'):
# Build up trust database.
trust = dict()
+next_expiring = None
for obj in objects:
if obj['CKA_CLASS'] != 'CKO_NSS_TRUST':
continue
if obj['CKA_LABEL'] in blacklist:
print("Certificate %s blacklisted, ignoring." % obj['CKA_LABEL'])
elif obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_TRUSTED_DELEGATOR':
- trust[obj['CKA_LABEL']] = True
+ if VERSION < obj["before"] or VERSION > obj["after"]:
+ print('!'*74)
+ print("EXPIRED BUT NOT BLACKLISTED CERTIFICATE FOUND: %s" % obj['CKA_LABEL'])
+ print('!'*74)
+ else:
+ if not next_expiring:
+ next_expiring = obj
+ elif obj['after'] < next_expiring['after']:
+ next_expiring = obj
+ trust[obj['CKA_LABEL']] = True
elif obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED':
print('!'*74)
print("UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: %s" % obj['CKA_LABEL'])
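Review bot: The expiry test `VERSION > obj["after"]` compares midnight of the build date against an expiry that carries a time of day, and the bundle stays installed for months after that date, so a root that expires hours or weeks after the build is still written out as trusted; a grace window fixes that, e.g. `GRACE = datetime.timedelta(days=90)` next to `VERSION` and `if VERSION < obj["before"] or VERSION + GRACE > obj["after"]:` here. `obj["before"]` and `obj["after"]` are indexed directly, so a trust object whose preceding comment block lacks the validity lines raises KeyError without naming the object; `obj.get(...)` plus an explicit message would keep the fail-closed behaviour and say which entry is at fault. The expired root is correctly kept out of `trust`, but the banner is print-only and the script still exits 0, matching the existing UNTRUSTED case; if this is run in a build pipeline, record a flag here and `sys.exit(1)` after the loop so the warning cannot scroll past unnoticed. `if not next_expiring:` relies on dict truthiness where `is None` is meant.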
@@ -113,6 +137,8 @@ for obj in objects:
(obj['CKA_LABEL'], obj['CKA_TRUST_SERVER_AUTH'],
obj['CKA_TRUST_EMAIL_PROTECTION']))
+print('Next expiring certificate:', next_expiring['CKA_LABEL'], next_expiring['after'])
+
for obj in objects:
if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
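Review bot: `next_expiring` is still `None` when no trusted, unexpired root survived the previous loop, so the new print raises TypeError on the subscript instead of saying what happened; since it runs before any certificate is written that is an accidental fail-closed, and it would be clearer as an explicit check, e.g. `if next_expiring is None: sys.exit("no trusted certificates left after blacklist and expiry filtering")` ahead of the print. The `for obj in objects:` loop that follows continues past the end of this hunk.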