Check for old USERTrust intermediate certificate
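#!/bin/bash
# Checks a server certificate chain for old USERTrust intermediate cert,
# which will expire in May 2020.
#
# Usage: $0 <host>
#   Connects to <host>:443 (SNI = <host>), reads the presented chain once
#   and inspects the serial numbers of the certificates in it.
# Env:
#   CONNECT_TIMEOUT - seconds allowed for the handshake (default: 1)
#
# Possible output:
#
# • Error (e.g. cannot connect to host)
# • Not a Sectigo/Comodo chain (cannot find one of the CAs)
# • New USERTrust root cert found (valid, but superfluous)
# • Chain looks correct (NOTE: the chain itself is not validated)
# • Found the old USERTrust intermediate, but end-entity cert will expire before it (fix at update)
# • Found the old USERTrust intermediate, and the end-entity cert will outlast it (fix ASAP)
set -u

# Serial numbers as printed by `openssl x509 -noout -serial` (upper-case hex).
readonly s_ev="284E39C14B386D889C7299E58CD05A57"
readonly s_ov="137D539CAA7C31A9A433701968847A8D"
readonly s_dv="7D5B5126B476BA11DB74160BBC530DA7"
readonly c_ev="06A74380D4EBFED435B5A3F7E16ABDD8"
readonly c_ov="36825E7FB5A481937EF6D1736BB93CA6"
readonly c_dv="2B2E6EEAD975366C148A6EDBA37C8C07"
# Any of these marks the chain as a Comodo/Sectigo chain.
readonly -a intermediates=("$s_ev" "$s_ov" "$s_dv" "$c_ev" "$c_ov" "$c_dv")
readonly usertrust_old="13EA28705BF4ECED0C36630980614336"
readonly usertrust_new="01FD6D30FCA3CA51A81BBC640E35032D"
readonly comodo_ca="2766EE56EB49F38EABD770A2FC84DE22"
readonly addtrust_expiry=1590835718 # May 30 10:48:38 2020 GMT

# Newline-separated serials of the fetched chain; written by main(),
# read by has_serial().
serials=''

#######################################
# Print usage to stderr and exit 2.
#######################################
usage() {
  printf 'Usage: %s <host>\n' "${0##*/}" >&2
  exit 2
}

#######################################
# Fetch the PEM chain presented by a server (end-entity cert first).
# Globals:   CONNECT_TIMEOUT (read, optional)
# Arguments: $1 - host name (used for both the connection and SNI)
# Outputs:   raw `openssl s_client -showcerts` output on stdout
#######################################
fetch_chain() {
  local host=$1
  printf 'QUIT\n' \
    | timeout "${CONNECT_TIMEOUT:-1}" openssl s_client \
        -host "$host" -port 443 -servername "$host" -showcerts 2>/dev/null
}

#######################################
# Extract the serial number of every PEM certificate found on stdin.
# The certificate text is handed to openssl via a pipe, never placed on a
# shell command line, so content returned by the server cannot be
# interpreted by the shell.
# Outputs:   one serial per line (the value after "serial=")
#######################################
chain_serials() {
  local line cert='' in_cert=0 serial_line
  while IFS= read -r line; do
    case "$line" in
      *"-BEGIN CERTIFICATE-"*)
        cert=$line
        in_cert=1
        ;;
      *"-END CERTIFICATE-"*)
        cert+=$'\n'"$line"
        in_cert=0
        serial_line=$(printf '%s\n' "$cert" | openssl x509 -noout -serial 2>/dev/null)
        # a block openssl cannot parse yields nothing, matching the old cut(1) behaviour
        if [[ -n "$serial_line" ]]; then
          printf '%s\n' "${serial_line#serial=}"
        fi
        ;;
      *)
        if (( in_cert )); then
          cert+=$'\n'"$line"
        fi
        ;;
    esac
  done
}

#######################################
# Test whether any of the given serials is present in the chain.
# Globals:   serials (read)
# Arguments: one or more serial numbers
# Returns:   0 if at least one serial is found (whole-line match), else 1
#######################################
has_serial() {
  local serial
  for serial in "$@"; do
    # -x: whole-line match, so one serial cannot match inside another;
    # -F: serials are literal hex, not patterns
    if grep -qxF -- "$serial" <<< "$serials"; then
      return 0
    fi
  done
  return 1
}

#######################################
# Entry point.
# Globals:   serials (written)
# Arguments: $1 - host name
# Outputs:   one result line on stdout
# Returns:   exits 1 when no chain could be read, 2 on usage error
#######################################
main() {
  (( $# == 1 )) || usage
  local host=$1
  local chain expiry expiry_iso secs_left

  # one connection; the same output serves every check below
  chain=$(fetch_chain "$host")
  serials=$(chain_serials <<< "$chain")
  if [[ -z "$serials" ]]; then
    echo "There was an error with $host"
    exit 1
  fi

  # check for any of the Comodo/Sectigo intermediates
  if ! has_serial "${intermediates[@]}"; then
    echo "The chain for $host is not a Comodo/Sectigo chain"
    return 0
  fi

  if has_serial "$usertrust_old"; then
    # `openssl x509` reads only the first PEM block: the end-entity cert
    expiry=$(openssl x509 -noout -enddate <<< "$chain" | cut -d= -f2)
    expiry_iso=$(date -d "$expiry" --rfc-3339=seconds) # GNU date syntax
    secs_left=$(( addtrust_expiry - $(date +%s) ))
    # once the intermediate has expired, compare against "now" instead of
    # passing a negative offset to -checkend
    if (( secs_left < 0 )); then
      secs_left=0
    fi
    # -checkend N exits 0 when the cert is still valid N seconds from now,
    # i.e. the end-entity cert outlasts the old intermediate
    if openssl x509 -noout -checkend "$secs_left" <<< "$chain" >/dev/null; then
      echo "The chain for $host contains the old USERTrust intermediate - NEEDS REMOVING ($expiry_iso)"
    else
      echo "The chain for $host contains the old USERTrust intermediate - fix at update ($expiry_iso)"
    fi
  elif has_serial "$comodo_ca"; then
    echo "The chain for $host contains the Comodo RSA CA - NEEDS REMOVING"
  elif has_serial "$usertrust_new"; then
    echo "The chain for $host contains the new USERTrust root - superfluous"
  else
    echo "The chain for $host is correct"
  fi
}

main "$@"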