Fixes #416

matteocorti · Oct 6, 2022 · c960267 · c960267
1 parent 62804b7
commit c960267
Show file tree

Hide file tree

Showing 12 changed files with 48 additions and 18 deletions.
diff --git a/CITATION.cff b/CITATION.cff
@@ -236,8 +236,8 @@ authors:
   given-names: "Дилян"
   website: https://github.com/dilyanpalauzov
 title: "check_ssl_cert"
-version: 2.49.0
-date-released: 2022-09-27
+version: 2.50.0
+date-released: 2022-10-06
 url: "https://github.com/matteocorti/check_ssl_cert"
 repository-code: "https://github.com/matteocorti/check_ssl_cert"
 keywords:

diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,7 @@
+2022-10-06  Matteo Corti  <[email protected]>
+
+        * check_ssl_cert: additional chain checks (no root attributes and handling of double certificates
+
 2022-09-27  Matteo Corti  <[email protected]>
 
         * check_ssl_cert (main): if nmap is not found the plugin continues

diff --git a/NEWS.md b/NEWS.md
@@ -1,3 +1,5 @@
+* 2022-10-06 Version 2.50.0
+  * Additional checks for the certificate chain (see ```--check-chain```)
 * 2022-09-27 Version 2.49.0
   * The plugin is working without nmap (with some limitations)
   * Fixed a bug in the processing of the --nmap-bin option

diff --git a/README.md b/README.md
@@ -36,6 +36,8 @@ Options:
                                    to be valid to issue a critical status.
                                    Can be a floating point number, e.g., 0.5
                                    Default: 15
+      --check-chain                The certificate chain cannot contain
+                                   double or root certificates
       --check-ciphers grade        Check the offered ciphers
       --check-ciphers-warnings     Critical if nmap reports a warning for an
                                    offered cipher

diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
@@ -1,2 +1 @@
- * The plugin is working without nmap (with some limitations)
- * Fixed a bug in the processing of the --nmap-bin option
+Additional checks for the certificate chain (see ```--check-chain```)
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-2.49.0
+2.50.0
diff --git a/check_ssl_cert b/check_ssl_cert
@@ -25,16 +25,10 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-# To do
-#
-# config file
-# just put arguments in it and process the file as input?
-# Documentation
-
 ################################################################################
 # Constants
 
-VERSION=2.49.0
+VERSION=2.50.0
 SHORTNAME="SSL_CERT"
 
 VALID_ATTRIBUTES=",startdate,enddate,subject,issuer,modulus,serial,hash,email,ocsp_uri,fingerprint,"
@@ -235,6 +229,8 @@ usage() {
     echo "                                   to be valid to issue a critical status."
     echo "                                   Can be a floating point number, e.g., 0.5"
     echo "                                   Default: ${CRITICAL_DAYS}"
+    echo "      --check-chain                The certificate chain cannot contain"
+    echo "                                   double or root certificates"
     echo "      --check-ciphers grade        Check the offered ciphers"
     echo "      --check-ciphers-warnings     Critical if nmap reports a warning for an"
     echo "                                   offered cipher"
@@ -2909,6 +2905,11 @@ parse_command_line_options() {
             shift
             ;;
 
+        --check-chain)
+            CHECK_CHAIN=1
+            shift
+            ;;
+
         --crl)
             CRL=1
             shift
@@ -4074,7 +4075,7 @@ main() {
 
         HOST_ADDR="${RESOLVE}"
         HOST_NAME="${HOST}"
-<        SNI="${HOST}"
+        SNI="${HOST}"
 
     else
 
@@ -5504,8 +5505,6 @@ EOF
             fi
         done
 
-        # TODO
-
         # check the certificate chain to see if the root certificate in unnecessarily delivered
         # and issue a warning if it is the case
 
@@ -5524,6 +5523,9 @@ EOF
         if [ "${matches}" -eq 1 ] ; then
             debuglog "The root certificate is present in the chain"
             verboselog "The root certificate is unnecessarily present in the delivered certificate chain"
+            if [ -n "${CHECK_CHAIN}" ] ; then
+                prepend_critical_message "The root certificate is unnecessarily present in the delivered certificate chain"
+            fi
         fi
 
         debuglog "Certificate chain check finished"
@@ -5947,6 +5949,9 @@ EOF
             # check if the warning is overridden by another certificate for the same CN
             if echo "${CN_OK}" | grep -q "${CN_TMP}" ; then
                 verboselog "Both a valid and an expired certificate were found"
+                if [ -n "${CHECK_CHAIN}" ] ; then
+                    prepend_critical_message "Both a valid and an expired certificate were found"
+                fi
             else
                 prepend_critical_message "${MESSAGE_TMP}" "${REPLACE_CURRENT_MESSAGE}"
             fi
@@ -5965,6 +5970,9 @@ INPUT
             # check if the warning is overridden by another certificate for the same CN
             if echo "${CN_OK}" | grep -q "${CN_TMP}" ; then
                 verboselog "Both a valid and an expired certificate were found"
+                if [ -n "${CHECK_CHAIN}" ] ; then
+                    prepend_critical_message "Both a valid and an expired certificate were found"
+                fi
             else
                 append_warning_message "${MESSAGE_TMP}" "${REPLACE_CURRENT_MESSAGE}"
             fi

diff --git a/check_ssl_cert.1 b/check_ssl_cert.1
@@ -1,7 +1,7 @@
 .\" Process this file with
 .\" groff -man -Tascii check_ssl_cert.1
 .\"
-.TH "check_ssl_cert" 1 "September, 2022" "2.49.0" "USER COMMANDS"
+.TH "check_ssl_cert" 1 "October, 2022" "2.50.0" "USER COMMANDS"
 .SH NAME
 check_ssl_cert \- checks the validity of X.509 certificates
 .SH SYNOPSIS
@@ -38,6 +38,9 @@ Use client certificate to authenticate
 .BR "-c,--critical" " days"
 Minimum number of days a certificate has to be valid to issue a critical status. Can be a floating point number, e.g., 0.5. Default: 15
 .TP
+.BR "   --check-chain"
+The certificate chain cannot contain double or root certificates
+.TP
 .BR "   --check-ciphers" " grade"
 Check the offered ciphers
 .TP

diff --git a/check_ssl_cert.completion b/check_ssl_cert.completion
@@ -14,7 +14,7 @@ _check_ssl_cert() {
     #   only the autocompletion with long options is implemented: long options are more readable and quick to enter since we are
     #   using autocompletion.
     #
-    opts="--file --host --noauth --all --all-local --allow-empty-san --clientcert --configuration --critical --check-ciphers --check-ciphers-warnings --check-http-headers --check-ssl-labs --check-ssl-labs-warn --clientpass --crl --curl-bin --user-agent --custom-http-header --dane --date --debug-cert --debug-file --debug-headers --debug-time --default-format --dig-bin --dtls --dtls1 --dtls1_2 --ecdsa --element --file-bin --fingerprint --first-element-only --force-dconv-date --force-perl-date --format --grep-bin --http-headers-path --http-use-get --ignore-altnames --ignore-connection-problems --ignore-exp --ignore-host-cn --ignore-incomplete-chain --ignore-maximum-validity --ignore-ocsp --ignore-ocsp-errors --ignore-ocsp-timeout --ignore-sct --ignore-sig-alg --ignore-ssl-labs-cache --ignore-tls-renegotiation --inetproto protocol --info --init-host-cache --issuer-cert-cache --long-output --match --maximum-validity --nmap-bin --no-perf --no-proxy --no-proxy-curl --no-proxy-s_client --no-ssl2 --no-ssl3 --no-tls1 --no-tls1_1 --no-tls1_2 --no-tls1_3 --not-issued-by --not-valid-longer-than --ocsp-critical --ocsp-warning --openssl --password --precision --prometheus --proxy --require-client-cert --require-dnssec --require-http-header --require-no-http-header --require-no-ssl2 --require-no-ssl3 --require-no-tls1 --require-no-tls1_1 --require-ocsp-stapling --require-purpose --require-purpose-critical --resolve  --rootcert-dir --rootcert-file --rsa --serial --skip-element --sni --ssl2 --ssl3 --temp --terse --tls1 --tls1_1 --tls1_2 --tls1_3 --xmpphost -4 -6 --clientkey --protocol --version --debug --email --help --issuer --cn --org  --port port --rootcert --quiet --selfsigned --timeout --url --verbose --warning"
+    opts="--file --host --noauth --all --all-local --allow-empty-san --clientcert --configuration --critical --check-chain --check-ciphers --check-ciphers-warnings --check-http-headers --check-ssl-labs --check-ssl-labs-warn --clientpass --crl --curl-bin --user-agent --custom-http-header --dane --date --debug-cert --debug-file --debug-headers --debug-time --default-format --dig-bin --dtls --dtls1 --dtls1_2 --ecdsa --element --file-bin --fingerprint --first-element-only --force-dconv-date --force-perl-date --format --grep-bin --http-headers-path --http-use-get --ignore-altnames --ignore-connection-problems --ignore-exp --ignore-host-cn --ignore-incomplete-chain --ignore-maximum-validity --ignore-ocsp --ignore-ocsp-errors --ignore-ocsp-timeout --ignore-sct --ignore-sig-alg --ignore-ssl-labs-cache --ignore-tls-renegotiation --inetproto protocol --info --init-host-cache --issuer-cert-cache --long-output --match --maximum-validity --nmap-bin --no-perf --no-proxy --no-proxy-curl --no-proxy-s_client --no-ssl2 --no-ssl3 --no-tls1 --no-tls1_1 --no-tls1_2 --no-tls1_3 --not-issued-by --not-valid-longer-than --ocsp-critical --ocsp-warning --openssl --password --precision --prometheus --proxy --require-client-cert --require-dnssec --require-http-header --require-no-http-header --require-no-ssl2 --require-no-ssl3 --require-no-tls1 --require-no-tls1_1 --require-ocsp-stapling --require-purpose --require-purpose-critical --resolve  --rootcert-dir --rootcert-file --rsa --serial --skip-element --sni --ssl2 --ssl3 --temp --terse --tls1 --tls1_1 --tls1_2 --tls1_3 --xmpphost -4 -6 --clientkey --protocol --version --debug --email --help --issuer --cn --org  --port port --rootcert --quiet --selfsigned --timeout --url --verbose --warning"
 
     if [[ ${cur} == -* || ${COMP_CWORD} -eq 1 ]]; then
         # shellcheck disable=2207

diff --git a/check_ssl_cert.spec b/check_ssl_cert.spec
@@ -1,4 +1,4 @@
-%global version          2.49.0
+%global version          2.50.0
 %global release          0
 %global sourcename       check_ssl_cert
 %global packagename      nagios-plugins-check_ssl_cert
@@ -54,6 +54,9 @@ rm -rf $RPM_BUILD_ROOT
 %endif
 
 %changelog
+* Thu Oct   6 2022 Matteo Corti <[email protected]> - 2.50.0-0
+- Updated to 2.50.0
+
 * Tue Sep  27 2022 Matteo Corti <[email protected]> - 2.49.0-0
 - Updated to 2.49.0
 

diff --git a/test/unit_tests.sh b/test/unit_tests.sh
@@ -1885,6 +1885,13 @@ testRootCertInChain() {
     assertEquals "wrong exit code" "${OK}" "${EXIT_CODE}"
 }
 
+testRootCertInChainEnforce() {
+    # shellcheck disable=SC2086
+    ${SCRIPT} ${TEST_DEBUG} -H matteo.ethz.ch --check-chain
+    EXIT_CODE=$?
+    assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
+}
+
 testRootCertNotInChainGitHub() {
     # shellcheck disable=SC2086
     ${SCRIPT} ${TEST_DEBUG} -H github.com --verbose | grep -q 'The root certificate is unnecessarily present in the delivered certificate chain'

diff --git a/utils/help.txt b/utils/help.txt
@@ -7,6 +7,8 @@
 --allow-empty-san;Alternative Names (SANs)
 --altnames;Match the pattern specified in -n with
 --altnames;alternate names too (enabled by default)
+--check-chain;The certificate chain cannot contain
+--check-chain;double or root certificates
 --check-ciphers grade;Check the offered ciphers
 --check-ciphers-warnings;Critical if nmap reports a warning for an
 --check-ciphers-warnings;offered cipher