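#!/bin/bash
#
# Fetch a server's certificate chain over TLS, take the OCSP responder URL
# from the leaf certificate's AIA extension and ask it for the leaf's
# revocation status.
#
# Usage: $0 [--debug] [--port port] domain.tld
#
# Exit status:
#   0  a verified OCSP response reports the leaf certificate as "good"
#   1  usage error, or any step (TLS connect, chain parsing, issuer
#      verification, the OCSP request itself) failed
#   2  a verified OCSP response did NOT report "good" (revoked/unknown)
#   3  openssl ocsp exited 0 but never printed "Response verify OK"
#
# Only bash, coreutils, sed, grep and openssl are needed.

debug=false
port=443
servername=
tempdir=

# dbg: print each argument as a line on stdout, only when --debug is set.
dbg() {
  if [[ $debug == true ]]; then
    printf '%s\n' "$@"
  fi
}

# die: print a diagnostic on stderr and exit 1 (cleanup runs via the EXIT trap).
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# err_report: ERR-trap handler for commands whose failure is not handled
# explicitly below; reports the line number of the failing command.
err_report() {
  printf 'failed on line %s\n' "$1" >&2
  exit 1
}
trap 'err_report $LINENO' ERR

# cleanup: EXIT-trap handler. Runs on every exit path, including the ERR trap
# and die, so the temp dir is never leaked; in debug mode it is kept for
# inspection (the response is in ocspresp.der there).
cleanup() {
  [[ -n $tempdir ]] || return 0
  if [[ $debug == true ]]; then
    printf '\nDebug: Keeping %s\n' "$tempdir"
  else
    rm -rf -- "$tempdir"
  fi
}
trap cleanup EXIT

# usage: print the help text on stderr and exit 1.
usage() {
  cat >&2 <<EOF
Usage: $0 [--debug] [--port port] domain.tld
Example: $0 google.com

Options:
 -d [--debug] : Turn on debug on (off)
 -p [--port] port : TCP port (443)
EOF
  exit 1
}

# split_chain: write the k-th PEM certificate block found in file $1 to
# "$2/chain-k.pem" (k counting from 0) and print the number of blocks.
# Text outside BEGIN/END markers (s_client's handshake report) is dropped so
# the per-certificate files contain nothing but the PEM block.
split_chain() {
  local src=$1 dir=$2 line n=0 in_cert=false
  while IFS= read -r line || [[ -n $line ]]; do
    if [[ $line == '-----BEGIN CERTIFICATE-----' ]]; then
      in_cert=true
    fi
    if [[ $in_cert == true ]]; then
      printf '%s\n' "$line" >>"$dir/chain-$n.pem"
    fi
    if [[ $line == '-----END CERTIFICATE-----' ]]; then
      in_cert=false
      n=$((n + 1))
    fi
  done <"$src"
  printf '%s\n' "$n"
}

# --- argument parsing -------------------------------------------------------
while (( $# > 0 )); do
  case $1 in
    --debug|-d) debug=true ;;
    --port|-p)
      (( $# >= 2 )) || die "option $1 requires an argument"
      shift
      port=$1
      ;;
    *) servername=$1 ;;
  esac
  shift
done

[[ -n $servername ]] || usage
# The port is handed to openssl unchecked otherwise; insist on digits.
[[ $port =~ ^[0-9]+$ ]] || die "invalid port: $port"

# --- workspace --------------------------------------------------------------
tempdir="$(mktemp -d)" || die "mktemp failed"
dbg "Using tempdir $tempdir"
chain="$tempdir/chain.pem"
cert="$tempdir/cert.pem"
issuer="$tempdir/issuer.pem"
s_client_err="$tempdir/err"

# --- get cert chain ---------------------------------------------------------
# stdin is /dev/null so s_client closes the connection right after the
# handshake; -showcerts puts every certificate the server sent into chain.pem
# (interleaved with the human-readable handshake report).
dbg "" "Get certificate chain..."
openssl s_client \
  -servername "$servername" \
  -host "$servername" \
  -port "$port" \
  -showcerts </dev/null >"$chain" 2>"$s_client_err" || {
    cat "$s_client_err" >&2
    die "TLS connection to $servername:$port failed"
  }
if [[ $debug == true ]]; then
  cat "$s_client_err"
fi

# --- parse cert chain -------------------------------------------------------
dbg "" "Parsing certificate chain..."
n_certs="$(split_chain "$chain" "$tempdir")"
dbg "Done ($n_certs certificates)"
if (( n_certs < 2 )); then
  # A server that sends only its leaf cannot be checked this way: the OCSP
  # request needs the issuer certificate to build the CertID.
  die "server sent $n_certs certificate(s); need the leaf and its issuer"
fi

mv -- "$tempdir/chain-0.pem" "$cert"
# Assumes the chain is sent in order (leaf first, then its issuer), as the
# TLS RFCs require. A misordered chain is likely to make the OCSP query fail
# or return "unknown" rather than produce a wrong "good".
mv -- "$tempdir/chain-1.pem" "$issuer"

# --- get ocsp url -----------------------------------------------------------
ocsp_url="$(openssl x509 -noout -ocsp_uri -in "$cert")"
[[ -n $ocsp_url ]] || die "Unable to find ocsp url from certificate"
# Some responders reject requests without a Host header; derive it from the URL.
ocsp_host="$(printf '%s\n' "$ocsp_url" | sed 's,https*://\([^/]\+\)/*.*,\1,g')"
dbg "OCSP url: $ocsp_url" "Done"

# --- verify the issuer cert -------------------------------------------------
# The issuer is checked against the system trust store before it is trusted
# to sign the OCSP response (-VAfile below). The rest of the served chain is
# passed as -untrusted so an issuer that is itself an intermediate can still
# build a path to a root. A failure here aborts through the ERR trap.
dbg "" "Verify issuer"
openssl verify -untrusted "$chain" "$issuer"

# --- request OCSP info ------------------------------------------------------
dbg "" "Request OCSP info from $ocsp_url"
# Built as an array so the URL/host are passed as single arguments whatever
# characters they contain.
# -no_nonce: many responders serve pre-generated responses and ignore or
# reject nonces; the trade-off is that a replayed but still time-valid
# response is accepted. -VAfile trusts a response signed by the issuer.
ocsp_cmd=(openssl ocsp
  -url "$ocsp_url"
  -header "Host=$ocsp_host"
  -no_nonce
  -VAfile "$issuer"
  -issuer "$issuer"
  -cert "$cert"
  -respout "$tempdir/ocspresp.der")
if [[ $debug == true ]]; then
  ocsp_cmd+=(-resp_text)
  dbg "Running this command: " "${ocsp_cmd[*]}"
fi

# Capture both streams: the "<cert>: good" summary goes to stdout and
# "Response verify OK" to stderr. Echo everything back so the output looks
# the same as running openssl directly.
ocsp_out="$("${ocsp_cmd[@]}" 2>&1)" && retval=0 || retval=$?
printf '%s\n' "$ocsp_out"

if (( retval == 0 )); then
  # openssl ocsp exits 0 once a response was obtained and parsed; that exit
  # status does not reflect the revocation status ("revoked" and "unknown"
  # are still 0) and, depending on the OpenSSL version, not always the
  # signature check either. Surface both in this script's exit status so a
  # caller can rely on it.
  if ! grep -qF -- 'Response verify OK' <<<"$ocsp_out"; then
    retval=3
  elif ! grep -qF -- "$cert: good" <<<"$ocsp_out"; then
    retval=2
  fi
fi

exit "$retval"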