Tested against a certificate issued by Thawte; it should work for any CA whose certificates carry an OCSP URL, a CRL distribution point and a "CA Issuers" URL in their extensions, since those are all the script reads.
The following script takes a certificate in PEM format as its only argument and checks its revocation status against the OCSP responder and the CRL distribution point named inside the certificate. Note that the issuer certificate used to verify the OCSP response is itself fetched from the certificate's "CA Issuers" URL, so this checks revocation only — it is not a substitute for chain validation against a trusted root store (`openssl verify -CAfile ...`).
Requires openssl, curl and GNU awk (gawk) — the three-argument `match()` used to extract the URIs is a gawk extension and is not available in mawk or BusyBox awk.
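#!/bin/sh
# Check the revocation status of a PEM certificate via the OCSP responder and
# the CRL distribution point named in the certificate itself.
#
# Usage:    ./check-revocation.sh cert.pem
# Requires: openssl, curl, GNU awk (the three-argument match() is a gawk extension).
# Output:   OCSP status lines and "Revoked via CRL" / "NOT FOUND => NOT REVOKED"
#           on stdout; diagnostics on stderr. Exits non-zero when a fetch,
#           parse or CRL signature check fails.
#
# CAVEAT: the issuer certificate is downloaded from the certificate's own AIA
# "CA Issuers" URL and is then used as the -CAfile for the OCSP response and
# the CRL signature. That proves the responses were signed by whoever issued
# the certificate, NOT that the issuer is trusted. Chain validation against a
# real trust store (`openssl verify -CAfile <store> cert.pem`) is a separate step.
set -eu

CERT="${1:?usage: $0 cert.pem}"
[ -r "$CERT" ] || { printf 'cannot read certificate: %s\n' "$CERT" >&2; exit 1; }

# Unpredictable scratch directory instead of a fixed name in /tmp (no symlink
# races, no stale issuer cert from a previous run); removed on any exit path.
WORKDIR=$(mktemp -d) || { echo "mktemp failed" >&2; exit 1; }
trap 'rm -rf -- "$WORKDIR"' EXIT
CA_CERTS_FILE="$WORKDIR/issuer.pem"
CRL_FILE="$WORKDIR/crl.der"

# Decode the certificate once and pull the URIs out of the text dump.
# Only the first CRL distribution point / CA Issuers URL is used.
CERT_TEXT=$(openssl x509 -in "$CERT" -text -noout)
OCSP_URI=$(openssl x509 -noout -ocsp_uri -in "$CERT")
CRL_URI=$(printf '%s\n' "$CERT_TEXT" | awk 'match($1, /URI:(http.+crl)$/, a) {print a[1]; exit}')
CA_CERTS_URI=$(printf '%s\n' "$CERT_TEXT" | awk 'match($0, /CA Issuers.+URI:(http:\S+)/, a) {print a[1]; exit}')
# Upper-case hex, the same form `openssl crl -text` uses for revoked entries.
SERIAL=$(openssl x509 -serial -in "$CERT" -noout | cut -f2 -d=)

[ -n "$CA_CERTS_URI" ] || { echo "no CA Issuers URI in certificate" >&2; exit 1; }
[ -n "$SERIAL" ] || { echo "could not read serial number from certificate" >&2; exit 1; }

# -f: fail on an HTTP error instead of piping an error page into openssl.
curl -fsS -- "$CA_CERTS_URI" | openssl x509 -inform DER -out "$CA_CERTS_FILE"

echo "--------------------------"
if [ -n "$OCSP_URI" ]; then
  echo "CHECKING VIA OCSP"
  # -CAfile is the self-fetched issuer; see CAVEAT above. The grep keeps the
  # thisUpdate/nextUpdate lines and the "<cert>: good|revoked|unknown" line.
  # A failed or unparseable response is reported but does not stop the CRL check.
  openssl ocsp -issuer "$CA_CERTS_FILE" -cert "$CERT" -text -url "$OCSP_URI" \
    -CAfile "$CA_CERTS_FILE" | grep -E "(Update|$CERT)" \
    || echo "OCSP: no usable response from $OCSP_URI" >&2
else
  echo "NO OCSP URI IN CERTIFICATE"
fi

echo "--------------------------"
echo "CHECKING SN $SERIAL IN CRL"
[ -n "$CRL_URI" ] || { echo "no CRL distribution point in certificate" >&2; exit 1; }

# Download the CRL once, and verify its signature against the issuer before
# trusting anything it says (the original check never verified the CRL at all).
curl -fsS -o "$CRL_FILE" -- "$CRL_URI"
if ! openssl crl -in "$CRL_FILE" -inform DER -noout -CAfile "$CA_CERTS_FILE" -verify; then
  echo "CRL signature does not verify against the issuer certificate" >&2
  exit 1
fi

CRL_TEXT=$(openssl crl -in "$CRL_FILE" -inform DER -text -noout)
printf '%s\n' "$CRL_TEXT" | grep Update

# Anchor on the "Serial Number:" label and match literally (-F): a bare
# `grep $SERIAL` is a substring/regex match that can hit inside a longer
# serial or an unrelated hex field and report a false revocation.
if printf '%s\n' "$CRL_TEXT" | grep -F -- "Serial Number: $SERIAL"; then
  echo "Revoked via CRL"
else
  echo "NOT FOUND => NOT REVOKED"
fi
echo "--------------------------"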