1 files changed, 107 insertions, 0 deletions
diff --git a/src/lib/libcrypto/format-pem.pl b/src/lib/libcrypto/format-pem.pl
new file mode 100644
index 0000000000..6c689d4978
--- /dev/null
+++ b/src/lib/libcrypto/format-pem.pl
@@ -0,0 +1,107 @@
+#!/usr/bin/perl
+# $OpenBSD: format-pem.pl,v 1.1 2016/12/15 10:23:21 sthen Exp $
+#
+# Copyright (c) 2016 Stuart Henderson <sthen@openbsd.org>
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+use strict;
+use warnings;
+use File::Temp qw/ :seekable /;
+if (! eval {require Date::Parse;1;}) {
+        print STDERR "Date::Parse not available - install p5-Time-TimeDate to check cert dates.\n";
+} else {
+        use Date::Parse;
+}
+my $tmp = File::Temp->new(TEMPLATE => '/tmp/splitcert.XXXXXXXX');
+my $t = $tmp->filename;
+my $certs = 0;
+my $incert = 0;
+my %ca;
+my $rcsid = '# $'.'OpenBSD$';
+while(<>) {
+        $rcsid = $_ if ($_ =~ m/^# \$[O]penBSD/);
+        $incert++ if ($_ =~ m/^-----BEGIN CERTIFICATE-----/);
+        print $tmp $_ if ($incert);
+        if ($_ =~ m/^-----END CERTIFICATE-----/) {
+                $certs++;
+                my $issuer = `openssl x509 -in $t -noout -issuer`;
+                $issuer =~ s/^issuer= (.*)\n/$1/;
+                my $subj = `openssl x509 -in $t -noout -subject`;
+                $subj =~ s/^subject= (.*)\n/$1/;
+                print STDERR "'$subj' not self-signed"
+                        if ($issuer ne $subj);
+                my $o = `openssl x509 -in $t -noout -nameopt sep_multiline,use_quote,esc_msb -subject`;
+                $o =~ s/.*O=([^\n]*).*/$1/sm;
+                if (eval {require Date::Parse;1;}) {
+                        my $startdate = `openssl x509 -in $t -startdate -noout`;
+                        my $enddate = `openssl x509 -in $t -enddate -noout`;
+                        $startdate =~ s/notBefore=(.*)\n/$1/;
+                        $enddate =~ s/notAfter=(.*)\n/$1/;
+                        my $starttime = str2time($startdate);
+                        my $endtime = str2time($enddate);
+                        if ($starttime > time) {
+                                print STDERR "'$subj' not valid yet\n"
+                        }
+                        if ($endtime < time) {
+                                print STDERR "'$subj' expired on $startdate\n"
+                        } elsif ($endtime < time + 86400 * 365 * 2) {
+                                print STDERR "'$subj' expires on $enddate\n"
+                        }
+                }
+                my $info = qx/openssl x509 -in $t -text -fingerprint -sha1 -certopt no_pubkey,no_sigdump,no_issuer -noout/;
+                $info .= qx/openssl x509 -in $t -fingerprint -sha256 -noout/;
+                my $cert = qx/openssl x509 -in $t/;
+                if (defined $ca{$o}{$subj}) {
+                        print STDERR "'$subj': duplicate\n";
+                }
+                $ca{$o}{$subj}{'subj'} = $subj;
+                $ca{$o}{$subj}{'info'} = $info;
+                $ca{$o}{$subj}{'cert'} = $cert;
+                $tmp->seek(0, SEEK_SET);
+                $incert = 0;
+        }
+}
+close $tmp;
+print $rcsid;
+foreach my $o (sort{lc($a) cmp lc($b)} keys %ca) {
+        print "\n### $o\n\n";
+        foreach my $subj (sort{lc($a) cmp lc($b)} keys %{ $ca{$o} }) {
+                print "=== $subj\n";
+                print $ca{$o}{$subj}{'info'};
+                print $ca{$o}{$subj}{'cert'};
+        }
+}
+# print a visual summary at the end
+foreach my $o (sort{lc($a) cmp lc($b)} keys %ca) {
+        print STDERR "\n$o\n";
+        foreach my $subj (sort{lc($a) cmp lc($b)} keys %{ $ca{$o} }) {
+                print STDERR "  $subj\n";
+        }
+}

diff --git a/src/lib/libcrypto/format-pem.pl b/src/lib/libcrypto/format-pem.pl new file mode 100644 index 0000000000..6c689d4978 --- /dev/null +++ b/src/lib/libcrypto/format-pem.pl
@@ -0,0 +1,107 @@
	1	#!/usr/bin/perl
	2	# $OpenBSD: format-pem.pl,v 1.1 2016/12/15 10:23:21 sthen Exp $
	3	#
	4	# Copyright (c) 2016 Stuart Henderson <sthen@openbsd.org>
	5	#
	6	# Permission to use, copy, modify, and distribute this software for any
	7	# purpose with or without fee is hereby granted, provided that the above
	8	# copyright notice and this permission notice appear in all copies.
	9	#
	10	# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	11	# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	12	# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
	13	# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	14	# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	15	# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
	16	# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
	17
	18	use strict;
	19	use warnings;
	20
	21	use File::Temp qw/ :seekable /;
	22	if (! eval {require Date::Parse;1;}) {
	23	print STDERR "Date::Parse not available - install p5-Time-TimeDate to check cert dates.\n";
	24	} else {
	25	use Date::Parse;
	26	}
	27
	28	my $tmp = File::Temp->new(TEMPLATE => '/tmp/splitcert.XXXXXXXX');
	29	my $t = $tmp->filename;
	30
	31	my $certs = 0;
	32	my $incert = 0;
	33	my %ca;
	34	my $rcsid = '# $'.'OpenBSD$';
	35
	36	while(<>) {
	37	$rcsid = $_ if ($_ =~ m/^# \$[O]penBSD/);
	38	$incert++ if ($_ =~ m/^-----BEGIN CERTIFICATE-----/);
	39	print $tmp $_ if ($incert);
	40
	41	if ($_ =~ m/^-----END CERTIFICATE-----/) {
	42	$certs++;
	43
	44	my $issuer = `openssl x509 -in $t -noout -issuer`;
	45	$issuer =~ s/^issuer= (.*)\n/$1/;
	46	my $subj = `openssl x509 -in $t -noout -subject`;
	47	$subj =~ s/^subject= (.*)\n/$1/;
	48
	49	print STDERR "'$subj' not self-signed"
	50	if ($issuer ne $subj);
	51
	52	my $o = `openssl x509 -in $t -noout -nameopt sep_multiline,use_quote,esc_msb -subject`;
	53	$o =~ s/.O=([^\n]).*/$1/sm;
	54
	55	if (eval {require Date::Parse;1;}) {
	56	my $startdate = `openssl x509 -in $t -startdate -noout`;
	57	my $enddate = `openssl x509 -in $t -enddate -noout`;
	58	$startdate =~ s/notBefore=(.*)\n/$1/;
	59	$enddate =~ s/notAfter=(.*)\n/$1/;
	60	my $starttime = str2time($startdate);
	61	my $endtime = str2time($enddate);
	62
	63	if ($starttime > time) {
	64	print STDERR "'$subj' not valid yet\n"
	65	}
	66	if ($endtime < time) {
	67	print STDERR "'$subj' expired on $startdate\n"
	68	} elsif ($endtime < time + 86400 * 365 * 2) {
	69	print STDERR "'$subj' expires on $enddate\n"
	70	}
	71	}
	72
	73	my $info = qx/openssl x509 -in $t -text -fingerprint -sha1 -certopt no_pubkey,no_sigdump,no_issuer -noout/;
	74	$info .= qx/openssl x509 -in $t -fingerprint -sha256 -noout/;
	75	my $cert = qx/openssl x509 -in $t/;
	76
	77	if (defined $ca{$o}{$subj}) {
	78	print STDERR "'$subj': duplicate\n";
	79	}
	80
	81	$ca{$o}{$subj}{'subj'} = $subj;
	82	$ca{$o}{$subj}{'info'} = $info;
	83	$ca{$o}{$subj}{'cert'} = $cert;
	84
	85	$tmp->seek(0, SEEK_SET);
	86	$incert = 0;
	87	}
	88	}
	89
	90	close $tmp;
	91	print $rcsid;
	92	foreach my $o (sort{lc($a) cmp lc($b)} keys %ca) {
	93	print "\n### $o\n\n";
	94	foreach my $subj (sort{lc($a) cmp lc($b)} keys %{ $ca{$o} }) {
	95	print "=== $subj\n";
	96	print $ca{$o}{$subj}{'info'};
	97	print $ca{$o}{$subj}{'cert'};
	98	}
	99	}
	100
	101	# print a visual summary at the end
	102	foreach my $o (sort{lc($a) cmp lc($b)} keys %ca) {
	103	print STDERR "\n$o\n";
	104	foreach my $subj (sort{lc($a) cmp lc($b)} keys %{ $ca{$o} }) {
	105	print STDERR " $subj\n";
	106	}
	107	}