diff options
Diffstat (limited to 'branding/scripts/check-ca-crt')
-rwxr-xr-x | branding/scripts/check-ca-crt | 74 |
1 files changed, 74 insertions, 0 deletions
diff --git a/branding/scripts/check-ca-crt b/branding/scripts/check-ca-crt new file mode 100755 index 0000000..7458263 --- /dev/null +++ b/branding/scripts/check-ca-crt @@ -0,0 +1,74 @@ +#!/usr/bin/env python3 +import os +import re +import sys +import configparser +import urllib.request + +SCRIPT_NAME = 'check-ca-crt' +VENDOR_PATH = None + +USAGE = '''Check that the stored provider CA matches the one announced online. +Usage: {name} <provider> + +Example: {name} riseup'''.format(name=SCRIPT_NAME) + + +def getLocalCert(provider): + with open(os.path.join(VENDOR_PATH, provider, + '{provider}-ca.crt'.format(provider=sanitize(provider).lower()))) as crt: + return crt.read().strip() + + +def getRemoteCert(uri): + print("... checking cert from", uri) + fp = urllib.request.urlopen(uri) + remote_cert = fp.read().decode('utf-8').strip() + fp.close() + return remote_cert + +def getUriForProvider(provider, configfile): + c = configparser.ConfigParser() + c.read(configfile) + return c[provider]['caURL'] + +def sanitize(s): + return re.sub(r'[^\w\s-]', '', s).strip() + +if __name__ == '__main__': + VENDOR_PATH = os.environ.get('VENDOR_PATH') + + if not VENDOR_PATH: + print('[!] ERROR: Please set VENDOR_PATH variable first') + sys.exit(1) + if not os.path.isdir(os.path.abspath(VENDOR_PATH)): + print('[!] ERROR: VENDOR_PATH points to non-existent dir') + sys.exit(1) + + if len(sys.argv) != 2: + print('[!] Not enough arguments') + print(USAGE) + sys.exit(1) + + provider = sys.argv[1] + config = os.path.abspath(os.path.join(VENDOR_PATH, 'vendor.conf')) + if not os.path.isfile(config): + print('[!] ERROR: cannot open {config}') + sys.exit(1) + + try: + uri = getUriForProvider(provider, config) + except IndexError: + print('[!] Misconfigured provider') + sys.exit(1) + + local = getLocalCert(provider) + remote = getRemoteCert(uri) + + try: + assert local == remote + except AssertionError: + print('[!] ERROR: remote and local CA certs do not match') + sys.exit(1) + else: + print('OK: local CA matches what provider announces') |