S/MIME証明書ありの eml ファイルに対して、改ざんチェック・デジタル署名の有効性確認・送信者の確認などを行う。
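#!/usr/bin/env bash
# Check Email S/MIME Certification
#
# Usage : smime target.eml
#
# Checks a detached-signature S/MIME mail (multipart/signed with an
# smime.p7s part) and prints one result line per step:
#   NoPolute : the signature matches the message body (openssl smime -verify)
#   Certify  : the signer certificate chains to CA_FILE (openssl verify)
#   Status   : the signer certificate is reported "good" by its OCSP responder
#   Address  : the From: header address appears in the signer certificate
#
# Environment:
#   CA_FILE  trust anchors for the Certify step
#            (default: /etc/ssl/certs/ca-certificates.crt)
#
# Exit status: 1 as soon as NoPolute, Certify or Address fails; a failed OCSP
# lookup only prints "Status : NG" and continues. 0 when every step passed.
#
# @author kyohei ito
set -euo pipefail

readonly CA_FILE=${CA_FILE:-/etc/ssl/certs/ca-certificates.crt}

# Print a message on stderr and exit with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# ---- Prepare -----------------------------------------------------------------
command -v openssl >/dev/null 2>&1 || die "'openssl' is not found."
if [[ $# -ne 1 ]]; then
  die 'Usage : smime target.eml'
fi
[[ -f "$1" ]] || die "'$1' is Not found."
readonly TARGET_MAIL=$1

# Only detached signatures (an smime.p7s part) are handled.
grep -q -F -- 'smime.p7s' "$TARGET_MAIL" || die 'Not S/MIME mail.'

# Every intermediate file lives in a private mktemp directory that is removed
# on each exit path. Fixed names under /tmp would let another local user
# pre-create or swap the certificate files that the checks below rely on.
workdir=$(mktemp -d) || die 'mktemp failed'
cleanup() { rm -rf -- "${workdir:?}"; }
trap cleanup EXIT

signer=$workdir/signer.crt   # certificate that produced the signature (PEM)
chain=$workdir/chain.crt     # every certificate carried in smime.p7s (PEM)

# ---- Check mail body ---------------------------------------------------------
# -signer makes openssl write out the certificate that actually produced the
# signature, so later steps do not have to guess which certificate of the
# PKCS#7 bundle is the leaf. The default trust store is used here, as before;
# the verified body goes to stdout and is discarded.
if openssl smime -verify -in "$TARGET_MAIL" -signer "$signer" >/dev/null; then
  echo 'NoPolute: OK'
else
  exit 1
fi

# ---- Extract the certificates from smime.p7s ---------------------------------
# -pk7out re-emits the detached PKCS#7 structure as PEM; this replaces the
# earlier hand-rolled MIME parsing (boundary stripping + base64 of the last
# part), which depended on the exact layout of the message.
if ! openssl smime -pk7out -in "$TARGET_MAIL" 2>/dev/null \
    | openssl pkcs7 -print_certs -out "$chain" >/dev/null 2>&1; then
  echo 'Certify : error (Certification output)'
  exit 1
fi

# One PEM file per certificate (cert-1.pem, cert-2.pem, ...) so the issuer of
# the signer certificate can be located for the OCSP step.
awk -v dir="$workdir" '
  /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
  out != "" { print > out }
  /-----END CERTIFICATE-----/ { close(out); out = "" }
' "$chain"

# ---- Check certification -----------------------------------------------------
# The signer certificate is verified against CA_FILE with the bundled
# certificates offered as untrusted chain material. Older openssl releases
# exit 0 even when verification fails, so the printed "OK" is required in
# addition to a zero exit status.
verify_rc=0
verify_out=$(openssl verify -verbose -x509_strict -CAfile "$CA_FILE" \
  -untrusted "$chain" "$signer" 2>&1) || verify_rc=$?
if (( verify_rc == 0 )) && grep -q -E '(^|: )OK$' <<<"$verify_out"; then
  echo 'Certify : OK'
else
  printf '%s\n' "$verify_out" >&2
  echo 'Certify : NG'
  exit 1
fi

# ---- Check OCSP --------------------------------------------------------------
# The issuer of the signer certificate is the bundled certificate whose
# subject hash equals the signer's issuer hash.
issuer=
issuer_hash=$(openssl x509 -in "$signer" -noout -issuer_hash)
for candidate in "$workdir"/cert-*.pem; do
  [[ -e "$candidate" ]] || continue
  if [[ "$(openssl x509 -in "$candidate" -noout -subject_hash)" == "$issuer_hash" ]]; then
    issuer=$candidate
    break
  fi
done

ocsp_uri=$(openssl x509 -in "$signer" -noout -ocsp_uri)
ocsp_uri=${ocsp_uri%%$'\n'*}   # first responder only
if [[ -z "$ocsp_uri" ]]; then
  echo 'OCSP_URI: None'
elif [[ -z "$issuer" ]]; then
  printf 'issuer certificate not found in smime.p7s; OCSP not checked\n' >&2
  echo 'Status : NG'
else
  # As in the original script the responder signature is anchored on the
  # issuer certificate taken from the message itself (-CAfile "$issuer"), so
  # "Status : OK" vouches for the responder only as far as that issuer does;
  # anchoring on CA_FILE instead should be validated against the responders
  # in use before switching.
  # openssl ocsp exits 0 whenever the response verifies, even when the
  # certificate is reported revoked, so the status line is checked explicitly.
  ocsp_rc=0
  ocsp_out=$(openssl ocsp -issuer "$issuer" -cert "$signer" -url "$ocsp_uri" \
    -resp_text -no_nonce -CAfile "$issuer" 2>&1) || ocsp_rc=$?
  if (( ocsp_rc == 0 )) \
      && grep -q '^Response verify OK' <<<"$ocsp_out" \
      && grep -q ': good$' <<<"$ocsp_out"; then
    echo 'Status : OK'
  else
    printf '%s\n' "$ocsp_out" >&2
    echo 'Status : NG'
  fi
fi

# ---- Check address -----------------------------------------------------------
# First address-looking token of the first From: header line, CR stripped.
email_re='[A-Za-z0-9!$&*.=^`|~#%+/?_{}-]+@[A-Za-z0-9_.-]+'
from_address=$(grep -E -m 1 '^From:' -- "$TARGET_MAIL" | tr -d '\r' \
  | grep -E -o -- "$email_re") || from_address=
from_address=${from_address%%$'\n'*}

# Addresses openssl reports for the signer certificate (-email), one per line.
cert_addresses=$(openssl x509 -in "$signer" -noout -email)

# Exact, whole-line match against the signer's addresses (-F: the address is
# data, not a pattern).
if [[ -n "$from_address" ]] \
    && grep -q -F -x -- "$from_address" <<<"$cert_addresses"; then
  echo 'Address : OK'
else
  echo 'Address : NG'
  printf 'FROM_ADDRESS = %s\n' "$from_address"
  printf 'CERT_ADDRESS = %s\n' "$cert_addresses"
  exit 1
fi
exit 0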