Diffstat (limited to 'sys/jobs/pki-expiry/pki-expiry.sh')
| -rw-r--r-- | sys/jobs/pki-expiry/pki-expiry.sh | 108 |
1 files changed, 108 insertions, 0 deletions
diff --git a/sys/jobs/pki-expiry/pki-expiry.sh b/sys/jobs/pki-expiry/pki-expiry.sh
new file mode 100644
index 0000000..0e95a26
--- /dev/null
+++ b/sys/jobs/pki-expiry/pki-expiry.sh
@@ -0,0 +1,108 @@
+#!/usr/bin/env bash
+#
+function will_expire() {
+ expiry_status=""
+ expiry_vars="$(openssl "$openssl_cmd" -in "$object_path" -noout "${openssl_var_opts[@]}")"
+
+ expiry_date="$(echo "$expiry_vars" | grep "^$openssl_expiry_var=" | sed 's/^.\+=//g')"
+ if [ -z "$expiry_date" ]; then
+ return 1
+ fi
+
+ expiry_secs="$(date +%s -d "$expiry_date")"
+ diff="$((expiry_secs - now))"
+
+ if [ "$diff" -gt "$1" ]; then
+ return 1
+ elif [ "$diff" -lt 0 ]; then
+ remaining=0
+ else
+ remaining="$((diff / 86400))"
+ fi
+
+ total_matches="$((total_matches + 1))"
+
+ if [ -z "$min_expiry" ]; then
+ min_expiry="$remaining"
+ elif [ "$remaining" -lt "$min_expiry" ]; then
+ min_expiry="$remaining"
+ fi
+}
+
+function has_expired() {
+ if ! will_expire 0; then
+ return 1
+ fi
+
+ expiry_status="has expired"
+}
+
+function will_expire_days() {
+ if ! will_expire "$(($1 * 86400))"; then
+ return 1
+ fi
+
+ expiry_status="will expire in $remaining days"
+}
+
+function check_object() {
+ object_id="$(basename "$1")"
+ object_path="$1"
+
+ if has_expired || will_expire_days 3 || will_expire_days 7 || will_expire_days 15 || will_expire_days 30; then
+ {
+ echo
+ echo "$object_repr '$object_id' $expiry_status"
+ echo "$expiry_vars"
+ } >>"$mail_out"
+ fi
+}
+
+function check_dir() {
+ object_repr="$2"
+
+ for path in "$PKI_PUBLIC/$1"/*; do
+ check_object "$path"
+ done
+}
+
+if [ -z "$PKI_PUBLIC" ]; then
+ echo "$0: \$PKI_PUBLIC not set"
+ exit 1
+elif [ ! -d "$PKI_PUBLIC" ]; then
+ echo "$0: invalid \$PKI_PUBLIC: $PKI_PUBLIC"
+ exit 1
+fi
+
+mail_out="$(mktemp)"
+trap 'rm -f -- "$mail_out"' EXIT
+
+now="$(date +%s)"
+min_expiry=""
+total_matches=0
+
+openssl_cmd=x509
+openssl_var_opts=(-startdate -enddate)
+openssl_expiry_var="notAfter"
+
+check_dir ca "CA"
+check_dir cert "Certificate"
+
+openssl_cmd=crl
+openssl_var_opts=(-lastupdate -nextupdate)
+openssl_expiry_var="nextUpdate"
+
+check_dir crl "CRL for CA"
+
+if [ -s "$mail_out" ] && ! 
cmp -s last-mail "$mail_out"; then
+ sendmail -t <<- EOF
+ From: PKI expiration reminder <pki-expiry>
+ To: sysadmin
+ Subject: $total_matches PKI objects will expire in $min_expiry days
+
+ The following PKI objects are due for renewal:
+ $(<"$mail_out")
+ EOF
+
+ mv -- "$mail_out" last-mail
+fi |
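Review bot: An object whose expiry field cannot be read is silently dropped from the report: in `will_expire`, an empty `$expiry_date` (openssl failing on the file, or the `-noout` query not printing the expected field) makes the function `return 1`, which every caller treats as "not expiring", so an unreadable or mislabelled certificate or CRL never appears in the mail. The skip should at least be visible, e.g. replace the bare `return 1` in that branch with `printf '%s: no %s found in %s\n' "$0" "$openssl_expiry_var" "$object_path" >&2` followed by `return 1`, so the cron job forwards the diagnostic instead of reporting a clean run. The next assignment has the opposite failure mode: if `date -d` cannot parse `$expiry_date`, `$expiry_secs` is empty, the arithmetic evaluates it as 0 and the object is reported as "has expired" rather than as unparseable, which is worth a `|| return 1` with the same stderr message. Separately, `cmp -s last-mail` and `mv -- "$mail_out" last-mail` use a path relative to whatever directory the job is started from, so the de-duplication state depends on the cron working directory; an absolute path, or one derived from `$PKI_PUBLIC`, would make that explicit.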
