show-status

#!/usr/bin/env bash

# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.

# Christian Göttsche <cgzones@googlemail.com>

set -eu
set -o pipefail

umask 0077

BIN_DIR="$( cd "$( dirname "$BASH_SOURCE[0]" )" && pwd )"
source "$BIN_DIR/functions"
source "$BIN_DIR/defaults.conf"

ROOT_DIR="$(readlink -e "$BIN_DIR/..")"

echo -e "$NOTE Checking direcory $ROOT_DIR  ..."

if [ -L "$BIN_DIR/functions" ]; then
    echo -e "$NOTE Symlinked toolchain (dev mode)"
else
    echo -e "$NOTE Standalone toolchain"
fi

# check directory structure

if [ ! -d bin/templates ]; then
    echo -e "$ERR No 'bin/templates' directory!'";
    exit 2
fi

if [ ! -d ca ]; then
    echo -e "$ERR No 'ca' directory!'";
    exit 2
fi

if [ ! -f ca/ca.conf ]; then
    echo -e "$ERR No 'ca/ca.conf' file!'";
    exit 2
fi

if [ ! -f ca/ca.crt ]; then
    echo -e "$ERR No 'ca/ca.crt' file!'";
    exit 2
fi

if [ ! -f ca/ca.csr ]; then
    echo -e "$ERR No 'ca/ca.csr' file!'";
fi

if [ ! -f ca/chain.pem ]; then
    echo -e "$ERR No 'ca/chain.pem' file!'";
    exit 2
fi

if [ ! -f ca/root.crt ]; then
    echo -e "$ERR No 'ca/root.crt' file!'";
    exit 2
fi

if [ ! -d ca/archive ]; then
    echo -e "$ERR No 'ca/archives' directory!'";
    exit 2
fi

if [ ! -d ca/crl ]; then
    echo -e "$ERR No 'ca/crl' directory!'";
    exit 2
fi

if [ ! -d ca/db ]; then
    echo -e "$ERR No 'ca/db' directory!'";
    exit 2
fi

if [ ! -f ca/db/certificate.db ]; then
    echo -e "$ERR No 'ca/db/certificate.db' file!'";
    exit 2
fi

if [ ! -f ca/db/certificate.db.attr ]; then
    echo -e "$ERR No 'ca/db/certificate.db.attr' file!'";
    exit 2
fi

if [ ! -f ca/db/crl.srl ]; then
    echo -e "$ERR No 'ca/db/crl.srl' file!'";
    exit 2
fi

if [ ! -f ca/db/crt.srl ]; then
    echo -e "$ERR No 'ca/db/crt.srl' file!'";
    exit 2
fi

if [ ! -f ca/private/ca.key ] && [ -z "${CA_ENABLE_ENGINE}" ]; then
    echo -e "$ERR No 'ca/private/ca.key' file!'";
fi

if [ ! -d ca/private ]; then
    echo -e "$ERR No 'ca/private' directory!'";
    exit 2
fi

if [ ! -d certs ]; then
    echo -e "$ERR No 'certs' directory!'";
    exit 2
fi

CA_CRT="$ROOT_DIR/ca/ca.crt"

if openssl verify -CAfile "$CA_CRT" "$CA_CRT" >/dev/null 2>&1; then
    echo -e "$SUCC RootCA directory (found self-signed CA)"

    if [ ! -f "$ROOT_DIR/ca/archive/01.pem" ] || ! cmp "$CA_CRT" "$ROOT_DIR/ca/archive/01.pem" >/dev/null; then
        echo -e "$ERR Main certificate does not match first archiv entry!"
        exit 2
    fi

    rootCA=1 #signes itself
else
    echo -e "$SUCC SignCA directory (found signed CA)"
    rootCA=0
fi

cert_txt=$(openssl x509 -noout -in "$CA_CRT" -text)

echo -e "$NOTE     Name                        $CA_NAME"
echo -e "$NOTE     Domain                      $CA_DOMAIN"
subject=$(openssl x509 -noout -in "$CA_CRT" -subject) # ignore subject=
echo -e "$NOTE     Subject                     ${subject:8}"
if [ ! $rootCA -eq 1 ]; then
    issuer=$(openssl x509 -noout -in "$CA_CRT" -issuer) # ignore issuer=
    echo -e "$NOTE     Issuer                      ${issuer:7}"
fi
echo -e "$NOTE     Valid until                $(echo "$cert_txt" | grep 'Not After :' | cut -d ':' -f2-)"

echo -e "$NOTE     Bits                       $(echo "$cert_txt" | grep 'Public-Key:' | cut -d ':' -f2 | tr -d "()")"

srl=$(cat "$ROOT_DIR/ca/db/crt.srl")
certs=$((16#$srl - rootCA - 1))
echo -e "$NOTE     Signed Certificates        " $certs

if ! openssl crl -in "$ROOT_DIR/ca/ca.crl" -CAfile "$CA_CRT" >/dev/null 2>&1; then
    echo -e "$ERR Certificate revocation list not valid!"
    skip=1
else
    skip=
fi

if [ -z $skip ]; then
    if [ "$(openssl crl -in "$ROOT_DIR/ca/ca.crl" -text -noout | grep -c 'No Revoked Certificates.')" -eq 1 ]; then
        revoked_certs=0
    else
        revoked_certs=$(openssl crl -in "$ROOT_DIR/ca/ca.crl" -text -noout | grep -c 'Revocation Date: ')
    fi
    echo -e "$NOTE     Revoked Certificates        $revoked_certs"

    revoked_lists=$(($(cat "$ROOT_DIR/ca/db/crl.srl") - 1))
    echo -e "$NOTE     Revoke Certificates Lists  "  $revoked_lists
fi


skip=$rootCA
if [ $certs -gt 0 ]; then
    num=1
    echo
    while read -r line; do
        if [ $skip -eq 1 ]; then
            skip=0
        else

            if [[ "$line" == "V"* ]]; then
                ca_number=$(echo "$line" | tr -s ' \t' ' ' | cut -d ' ' -f 3)
                revoked="no"
            else
                ca_number=$(echo "$line" | tr -s ' \t' ' ' | cut -d ' ' -f 4)
                revoked="yes"
            fi

            ca_cname=$(openssl x509 -noout -subject -in "$ROOT_DIR/ca/archive/$ca_number.pem" -nameopt multiline | grep -P '^\s+commonName' | cut -d '=' -f 2-)

            txt=$(openssl x509 -in "$ROOT_DIR/ca/archive/$ca_number.pem" -noout -text)

            server_cert=$(echo "$txt" | grep -c 'TLS Web Server Authentication') || true
            sign_cert=$(echo "$txt" | grep -c 'Certificate Sign') || true
            client_cert=$(echo "$txt" | grep -c 'TLS Web Client Authentication') || true
            code_sign=$(echo "$txt" | grep -c 'Code Signing') || true
            valid_since=$(echo "$txt" | grep 'Not Before:' | cut -d ':' -f2- | sed -e 's/^[[:space:]]*//')
            valid_until=$(echo "$txt" | grep 'Not After :' | cut -d ':' -f2- | sed -e 's/^[[:space:]]*//')
            bits=$(echo "$txt" | grep 'Public-Key:' | cut -d ':' -f2 | tr -d "()")

            if [ "$server_cert" -ge 1 ]; then
                type="server"
                san="                SAN:            $(echo "$txt" | grep 'DNS:' | sed -e 's/^[[:space:]]*//')\n"
            elif [ "$sign_cert" -ge 1 ]; then
                type="signing"
                san=""
            elif [ "$client_cert" -ge 1 ]; then
                type="client"
                if [ $(echo "$txt" | grep -c 'email:') -eq 0 ]; then
                    san="                SAN:            no email address found\n"
                else
                    san="                SAN:            $(echo "$txt" | grep 'email:' | sed -e 's/^[[:space:]]*//')\n"
                fi
            elif [ "$code_sign" -ge 1 ]; then
                type="code signing"
                if [ $(echo "$txt" | grep -c 'email:') -eq 0 ]; then
                    san="                SAN:            no email address found\n"
                else
                    san="                SAN:            $(echo "$txt" | grep 'email:' | sed -e 's/^[[:space:]]*//')\n"
                fi
            else
                echo -e "$ERR unknown certificate type!!"
                exit 2
            fi

            sha1_hash=$(openssl x509 -noout -fingerprint -sha1 -in "$ROOT_DIR/ca/archive/$ca_number.pem" | cut -d '=' -f 2-)

            subj=$(openssl x509 -noout -in "$ROOT_DIR/ca/archive/$ca_number.pem" -subject | cut -d '=' -f 2-)


            echo -e -n "$NOTE       $ca_number - $type -$ca_cname"
            if [ $revoked = "yes" ]; then
                echo " - revoked"
            else
                echo
            fi
            echo -e "                Subject:        $subj"
            echo -e -n "$san"
            echo -e "                Revoked:        $revoked"
            echo -e "                Valid since:    $valid_since"
            echo -e "                Valid until:    $valid_until"
            echo -e "                Bits:          $bits"
            echo -e "                Type:           $type"
            echo -e "                SHA1 hash:      $sha1_hash"
            echo -e ""

        fi
        num=$((num+1))
    done < "$ROOT_DIR/ca/db/certificate.db"
fi

echo -e "$SUCC Status finished."