Megan/expiration #495
Changes from 3 commits
@@ -4,6 +4,8 @@ import ( | |
"crypto/x509" | ||
"encoding/pem" | ||
"io/ioutil" | ||
"time" | ||
"fmt" | ||
|
||
"github.com/pkg/errors" | ||
"github.com/smallstep/cli/crypto/x509util" | ||
|
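Review bot: the new `"fmt"` import is placed after `"time"`, which breaks the alphabetical order of the standard-library import group (`"crypto/x509"`, `"encoding/pem"`, `"io/ioutil"`, `"time"`). gofmt sorts specs within an import group, so running it (or goimports) before committing will move `"fmt"` ahead of `"io/ioutil"` and avoid a formatting-only diff in a later change.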
@@ -65,12 +67,22 @@ Verify a certificate using a custom directory of root certificates for path vali | |
''' | ||
$ step certificate verify ./certificate.crt --roots ./root-certificates/ | ||
''' | ||
|
||
Verify the expiration time left of a certificate using a custom root certificate and host for path validation: | ||
Review comment: Verify the remaining validity of a certificate ...
||
|
||
''' | ||
$ step certificate verify ./certificate.crt --host smallstep.com --expire | ||
|
||
''' | ||
`, | ||
Flags: []cli.Flag{ | ||
cli.StringFlag{ | ||
Name: "host", | ||
Usage: `Check whether the certificate is for the specified host.`, | ||
}, | ||
cli.BoolFlag{ | ||
Name: "expire", | ||
Usage: `Checks the certificate time till expiration`, | ||
Review comment: Checks the remaining certificate validity till expiration
||
}, | ||
cli.StringFlag{ | ||
Name: "roots", | ||
Usage: `Root certificate(s) that will be used to verify the | ||
|
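Review bot: the new help example and its description disagree: the text says the check is done "using a custom root certificate and host for path validation", but the command shown is `$ step certificate verify ./certificate.crt --host smallstep.com --expire`, with no `--roots` flag. Either add `--roots ./root-certificates/` to the example, matching the one directly above it, or drop "a custom root certificate" from the sentence. Also, the `expire` flag's `Usage` ("Checks the certificate time till expiration") is written in the third person while the neighbouring `host` flag uses the imperative ("Check whether the certificate is for the specified host."); pick one style for the flag help.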
@@ -100,6 +112,7 @@ func verifyAction(ctx *cli.Context) error { | |
var ( | ||
crtFile = ctx.Args().Get(0) | ||
host = ctx.String("host") | ||
expire = ctx.Bool("expire") | ||
serverName = ctx.String("servername") | ||
roots = ctx.String("roots") | ||
intermediatePool = x509.NewCertPool() | ||
|
@@ -164,6 +177,31 @@ func verifyAction(ctx *cli.Context) error { | |
} | ||
} | ||
|
||
if expire { | ||
|
||
NowTillEndOfCert := time.Until(cert.NotAfter) | ||
totalLifeTimeOfCert := cert.NotAfter.Sub(cert.NotBefore) | ||
|
||
percentIntoLifeTime := ((totalLifeTimeOfCert.Hours() - NowTillEndOfCert.Hours()) / totalLifeTimeOfCert.Hours()) * 100 | ||
|
||
if percentIntoLifeTime >= 100 { | ||
fmt.Println("\033[31m", "This certificate has already expired.", "\033[0m") //"\033[__m" are color codes | ||
} else if percentIntoLifeTime > 90 { | ||
fmt.Println("\033[31m", "Leaf is", int(percentIntoLifeTime), "% through its lifetime.", "\033[0m") | ||
} else if percentIntoLifeTime > 66 && percentIntoLifeTime < 90 { | ||
fmt.Println("\033[33m", "Leaf is", int(percentIntoLifeTime), "% through its lifetime.", "\033[0m") | ||
} else if percentIntoLifeTime < 66 && percentIntoLifeTime > 1 { | ||
fmt.Println("\033[32m", "Leaf is", int(percentIntoLifeTime), "% through its lifetime.", "\033[0m") | ||
} else if percentIntoLifeTime < 1 { | ||
fmt.Println("\033[32m", "Leaf is less than 1% through its lifetime.", "\033[0m") | ||
} else { | ||
fmt.Println("Error") | ||
} | ||
|
||
return nil | ||
} | ||
|
||
|
||
Review comment: I think we should verify the certificate first
||
opts := x509.VerifyOptions{ | ||
DNSName: host, | ||
Roots: rootPool, | ||
|
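Review bot: the `if expire { ... return nil }` block runs before `opts := x509.VerifyOptions{...}` is built, so passing `--expire` skips chain verification and the `--host` check entirely and always exits 0, even for an expired or untrusted certificate; a script using this flag cannot tell success from failure. Move the expiration report after the verification call and return a non-nil error when `percentIntoLifeTime >= 100`, so the exit status reflects the result. The branch conditions also leave gaps: `> 90`, `> 66 && < 90` and `< 66 && > 1` exclude the values 90, 66 and 1 exactly, which fall through to `fmt.Println("Error")`; using `>=` on one side of each boundary (for example `percentIntoLifeTime >= 66`) closes them. A certificate whose `NotBefore` is still in the future gives a negative percentage and is reported as "less than 1% through its lifetime" rather than as not yet valid, and `NotAfter == NotBefore` makes `totalLifeTimeOfCert.Hours()` zero, so the division yields NaN and every comparison fails; comparing `time.Now()` directly against `cert.NotBefore` and `cert.NotAfter` before computing the ratio handles both. Minor: `NowTillEndOfCert` is a local variable and should be lowerCamelCase per Go convention.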
Review comment: checking certificate expiration
The other verbs all seem to end with "ing", so we should be consistent.