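#!/bin/sh
#
# Author: Jason Haar
# Date: 09-Nov-2004
# Version: 1.0
# Copyright: GPL
#
# Nightly sanity check of the certificates used by Qmail with Frederik
# Vermeulen's TLS patch.  servercert.pem and clientcert.pem in the qmail
# control directory must
#   1. parse as X.509 certificates,
#   2. not have expired, and
#   3. be usable for their role (SSL server / SSL client) according to
#      `openssl x509 -purpose`, i.e. carry suitable KeyUsage/ExtendedKeyUsage.
# Only the first PEM certificate block in each file is examined (the leaf);
# any private key or chain stored after it is ignored.
#
# A certificate that fails a check is renamed out of the way with a
# BROKEN- / EXPIRED- / NOT-A-SERVER-CERT- / NOT-A-CLIENT-CERT- prefix
# (in place, so the file mode protecting an embedded private key is kept),
# a syslog event is generated, and Qmail will most likely STOP WORKING FOR
# NEW TLS SESSIONS.  That may sound bad, but without a usable certificate
# Qmail would stop working for new TLS sessions *anyway* - this way the
# syslog tells you why.
#
# Environment:
#   WARN_DAYS   warn (stdout + syslog, nothing is renamed) when a certificate
#               expires within this many days.  Default 30; 0 disables it.
#
# Exit status:
#   0  every certificate passed
#   1  could not run (no control directory, no openssl in PATH)
#   2  at least one certificate was missing or has been disabled

# Left unquoted on purpose where it is used: it is a command plus options.
LOGGER="logger -i -t qmail-tls-check_certs"
WARN_DAYS=${WARN_DAYS:-30}
dirlist="/etc/qmail/control /var/qmail/control"

# Print a message on stdout and send it to syslog.
# $1 = message
report() {
  printf '%s\n' "$1"
  $LOGGER "$1"
}

# Rename a failed certificate to PREFIX-<name> in the same directory and
# report it.  If the rename itself fails the cert is still live, so say so
# instead of claiming it was disabled.
# $1 = control directory, $2 = file name, $3 = prefix, $4 = message
disable_cert() {
  if mv -f -- "$1/$2" "$1/$3-$2"; then
    report "$4"
  else
    report "$4 -- BUT RENAMING FAILED, $1/$2 is still in place"
  fi
}

# Check one certificate file.  Returns 0 if it is usable, 1 if it was
# missing or has been disabled.
# $1 = control directory, $2 = file name (servercert.pem / clientcert.pem)
check_cert() {
  _dir=$1
  _name=$2
  _path=$1/$2

  if ! test -f "$_path"; then
    report "Certificate missing: $_path"
    return 1
  fi

  # 1. Does it parse at all?  -purpose both validates the certificate and
  #    yields the purpose table used in step 3.
  if ! _purpose=$(openssl x509 -in "$_path" -noout -purpose 2>/dev/null); then
    disable_cert "$_dir" "$_name" BROKEN "$_path is a broken cert. Disabled"
    return 1
  fi

  # 2. Expiry.  `-checkend N` exits non-zero when notAfter is less than N
  #    seconds away, so N=0 means "already expired".  Letting openssl do the
  #    comparison avoids re-parsing the textual notAfter field with GNU
  #    `date --date`, which is non-portable and, when the field is not
  #    quoted, silently fails and skips the check.
  if ! openssl x509 -in "$_path" -noout -checkend 0 >/dev/null 2>&1; then
    disable_cert "$_dir" "$_name" EXPIRED "$_path has EXPIRED. Disabling"
    return 1
  fi
  if [ "$WARN_DAYS" -gt 0 ] 2>/dev/null &&
     ! openssl x509 -in "$_path" -noout -checkend $((WARN_DAYS * 86400)) >/dev/null 2>&1; then
    report "WARNING: $_path expires within $WARN_DAYS days"
  fi

  # 3. Purpose.  `openssl x509 -purpose` prints one "<purpose> : Yes|No"
  #    line per purpose.  Match line by line and anchor the purpose name so
  #    that "SSL server CA : Yes", or a "Yes" further down the table, cannot
  #    satisfy the test.  "Any Purpose" is deliberately NOT accepted: OpenSSL
  #    reports it as Yes for every certificate, so allowing it would make
  #    this check pass for anything that parses.
  case $_name in
    *server*)
      if ! printf '%s\n' "$_purpose" | grep -iqE '^SSL server *: *Yes'; then
        disable_cert "$_dir" "$_name" NOT-A-SERVER-CERT \
          "$_path is NOT a server cert. Disabled"
        return 1
      fi ;;
  esac
  case $_name in
    *client*)
      if ! printf '%s\n' "$_purpose" | grep -iqE '^SSL client *: *Yes'; then
        disable_cert "$_dir" "$_name" NOT-A-CLIENT-CERT \
          "$_path is NOT a client cert. Disabled"
        return 1
      fi ;;
  esac
  return 0
}

main() {
  if ! command -v openssl >/dev/null 2>&1; then
    printf '%s\n' "openssl not found in PATH" >&2
    exit 1
  fi

  # Locate the qmail control directory (first hit in $dirlist wins).
  dir=''
  for trydir in $dirlist; do
    if test -d "$trydir"; then
      dir=$trydir
      break
    fi
  done
  if test -z "$dir"; then
    printf '%s\n' "Cannot find any control directory ($dirlist)" >&2
    exit 1
  fi

  # Check every certificate even after one fails, so a single run reports
  # the full picture; exit non-zero if anything was missing or disabled so a
  # cron wrapper or monitor can notice.
  status=0
  for cert in servercert.pem clientcert.pem; do
    check_cert "$dir" "$cert" || status=2
  done
  exit "$status"
}

main "$@"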