Programmatically verify certificate (for renewal) against chain and arbitrary timestamp using openssl in bash










0















We use bash scripts and the openssl command line tool to maintain our internal PKI chain, this was the first thing that came to mind when scripting the auto renewal procedures:



is_cert_valid () 
# pem cert, pem cert chain, timestamp
local signed="$1" signer="$2" at_time="$3"
openssl verify -attime "$at_time" -CAfile "$signer" "$signed"
return $?



However, the exit code for openssl verify does not reflect the validity of the given certificate, but (as far as I understand it) if the command failed to perform the check.



How would one go about rewriting is_cert_valid so that it becomes usable in bash if statements? Assuming such thing is possible without using other programming languages like python or c.










share|improve this question






















  • I don't think this is really a programming question, but if you only care about expiration and not other kinds of invalidity like revocation, see stackoverflow.com/questions/21297853/… (also marked offtopic)

    – dave_thompson_085
    Nov 14 '18 at 3:42















0















We use bash scripts and the openssl command line tool to maintain our internal PKI chain, this was the first thing that came to mind when scripting the auto renewal procedures:



is_cert_valid () 
# pem cert, pem cert chain, timestamp
local signed="$1" signer="$2" at_time="$3"
openssl verify -attime "$at_time" -CAfile "$signer" "$signed"
return $?



However, the exit code for openssl verify does not reflect the validity of the given certificate, but (as far as I understand it) if the command failed to perform the check.



How would one go about rewriting is_cert_valid so that it becomes usable in bash if statements? Assuming such thing is possible without using other programming languages like python or c.










share|improve this question






















  • I don't think this is really a programming question, but if you only care about expiration and not other kinds of invalidity like revocation, see stackoverflow.com/questions/21297853/… (also marked offtopic)

    – dave_thompson_085
    Nov 14 '18 at 3:42













0












0








0








We use bash scripts and the openssl command line tool to maintain our internal PKI chain, this was the first thing that came to mind when scripting the auto renewal procedures:



is_cert_valid () 
# pem cert, pem cert chain, timestamp
local signed="$1" signer="$2" at_time="$3"
openssl verify -attime "$at_time" -CAfile "$signer" "$signed"
return $?



However, the exit code for openssl verify does not reflect the validity of the given certificate, but (as far as I understand it) if the command failed to perform the check.



How would one go about rewriting is_cert_valid so that it becomes usable in bash if statements? Assuming such thing is possible without using other programming languages like python or c.










share|improve this question














We use bash scripts and the openssl command line tool to maintain our internal PKI chain, this was the first thing that came to mind when scripting the auto renewal procedures:



is_cert_valid () 
# pem cert, pem cert chain, timestamp
local signed="$1" signer="$2" at_time="$3"
openssl verify -attime "$at_time" -CAfile "$signer" "$signed"
return $?



However, the exit code for openssl verify does not reflect the validity of the given certificate, but (as far as I understand it) if the command failed to perform the check.



How would one go about rewriting is_cert_valid so that it becomes usable in bash if statements? Assuming such thing is possible without using other programming languages like python or c.







bash openssl pki






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Nov 14 '18 at 0:43









FacundoFacundo

11




11












  • I don't think this is really a programming question, but if you only care about expiration and not other kinds of invalidity like revocation, see stackoverflow.com/questions/21297853/… (also marked offtopic)

    – dave_thompson_085
    Nov 14 '18 at 3:42

















  • I don't think this is really a programming question, but if you only care about expiration and not other kinds of invalidity like revocation, see stackoverflow.com/questions/21297853/… (also marked offtopic)

    – dave_thompson_085
    Nov 14 '18 at 3:42
















I don't think this is really a programming question, but if you only care about expiration and not other kinds of invalidity like revocation, see stackoverflow.com/questions/21297853/… (also marked offtopic)

– dave_thompson_085
Nov 14 '18 at 3:42





I don't think this is really a programming question, but if you only care about expiration and not other kinds of invalidity like revocation, see stackoverflow.com/questions/21297853/… (also marked offtopic)

– dave_thompson_085
Nov 14 '18 at 3:42












1 Answer
1






active

oldest

votes


















0














This method works for validating partial chains and the parsing part is quite trivial. It also works for CAs, just pass the same certificate for the signer and the signed.



is_cert_valid () 
local signer="$1" signed="$2" at_time_offset="$3" output
if output="$(openssl verify
-CApath /dev/null
-attime "$(( "$at_time_offset" + "$(date +%s)" ))"
-partial_chain
-trusted "$signer"
"$signed"
)" &&
[[ "$output" == "$signed: OK" ]]; then
return 0
fi
return 1






share|improve this answer






















    Your Answer






    StackExchange.ifUsing("editor", function ()
    StackExchange.using("externalEditor", function ()
    StackExchange.using("snippets", function ()
    StackExchange.snippets.init();
    );
    );
    , "code-snippets");

    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "1"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53291565%2fprogrammatically-verify-certificate-for-renewal-against-chain-and-arbitrary-ti%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    This method works for validating partial chains and the parsing part is quite trivial. It also works for CAs, just pass the same certificate for the signer and the signed.



    is_cert_valid () 
    local signer="$1" signed="$2" at_time_offset="$3" output
    if output="$(openssl verify
    -CApath /dev/null
    -attime "$(( "$at_time_offset" + "$(date +%s)" ))"
    -partial_chain
    -trusted "$signer"
    "$signed"
    )" &&
    [[ "$output" == "$signed: OK" ]]; then
    return 0
    fi
    return 1






    share|improve this answer



























      0














      This method works for validating partial chains and the parsing part is quite trivial. It also works for CAs, just pass the same certificate for the signer and the signed.



      is_cert_valid () 
      local signer="$1" signed="$2" at_time_offset="$3" output
      if output="$(openssl verify
      -CApath /dev/null
      -attime "$(( "$at_time_offset" + "$(date +%s)" ))"
      -partial_chain
      -trusted "$signer"
      "$signed"
      )" &&
      [[ "$output" == "$signed: OK" ]]; then
      return 0
      fi
      return 1






      share|improve this answer

























        0












        0








        0







        This method works for validating partial chains and the parsing part is quite trivial. It also works for CAs, just pass the same certificate for the signer and the signed.



        is_cert_valid () 
        local signer="$1" signed="$2" at_time_offset="$3" output
        if output="$(openssl verify
        -CApath /dev/null
        -attime "$(( "$at_time_offset" + "$(date +%s)" ))"
        -partial_chain
        -trusted "$signer"
        "$signed"
        )" &&
        [[ "$output" == "$signed: OK" ]]; then
        return 0
        fi
        return 1






        share|improve this answer













        This method works for validating partial chains and the parsing part is quite trivial. It also works for CAs, just pass the same certificate for the signer and the signed.



        is_cert_valid () 
        local signer="$1" signed="$2" at_time_offset="$3" output
        if output="$(openssl verify
        -CApath /dev/null
        -attime "$(( "$at_time_offset" + "$(date +%s)" ))"
        -partial_chain
        -trusted "$signer"
        "$signed"
        )" &&
        [[ "$output" == "$signed: OK" ]]; then
        return 0
        fi
        return 1







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Nov 23 '18 at 20:13









        FacundoFacundo

        11




        11





























            draft saved

            draft discarded
















































            Thanks for contributing an answer to Stack Overflow!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53291565%2fprogrammatically-verify-certificate-for-renewal-against-chain-and-arbitrary-ti%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            Use pre created SQLite database for Android project in kotlin

            Darth Vader #20

            Ondo