Implement -test to check certificates expiration

This commit is contained in:
Frank Denis 2018-02-27 02:48:33 +01:00
parent ff0c612e79
commit 2158674d17
4 changed files with 27 additions and 0 deletions


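--- a/PATH_NOT_ON_PAGE_1
+++ b/PATH_NOT_ON_PAGE_1
@@ -136,6 +136,7 @@ func ConfigLoad(proxy *Proxy, svcFlag *string) error {
 	listAll := flag.Bool("list-all", false, "print the complete list of available resolvers, ignoring filters")
 	jsonOutput := flag.Bool("json", false, "output list as JSON")
 	check := flag.Bool("check", false, "check the configuration file and exit")
+	testGracePeriod := flag.Int("test", 0, "test that certificates of chosen servers are not going to expire before that number of minutes")
 	flag.Parse()
 	if *svcFlag == "stop" || *svcFlag == "uninstall" {
 		return nil
@@ -268,6 +269,10 @@ func ConfigLoad(proxy *Proxy, svcFlag *string) error {
 	}
 	proxy.allWeeklyRanges = allWeeklyRanges
+	if testGracePeriod != nil && *testGracePeriod > 0 {
+		proxy.testGracePeriod = testGracePeriod
+	}
 	if *listAll {
 		config.ServerNames = nil
 		config.SourceRequireDNSSEC = false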
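Review bot: The `testGracePeriod != nil` guard in the new block after `proxy.allWeeklyRanges = allWeeklyRanges` can never be false, because `flag.Int` (the `-test` definition in the first hunk) always returns a non-nil `*int`, so the condition is really just `*testGracePeriod > 0`. As written, `-test 0` is indistinguishable from not passing the flag, so there is no way to ask for "valid right now", and the help text does not say that zero disables the check. I would simplify to `if *testGracePeriod > 0 {` and state the zero case in the flag description, e.g. `"test that certificates of chosen servers are not going to expire before that number of minutes, then exit (0 disables the check)"`. ConfigLoad begins and ends outside both hunks.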


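--- a/PATH_NOT_ON_PAGE_2
+++ b/PATH_NOT_ON_PAGE_2
@@ -95,6 +95,12 @@ func FetchCurrentDNSCryptCert(proxy *Proxy, serverName *string, proto string, pk
 	} else {
 		certInfo.ForwardSecurity = true
 	}
+	if proxy.testGracePeriod != nil {
+		if remaining := (tsEnd - now) / 60; uint32(*proxy.testGracePeriod) > remaining {
+			dlog.Fatalf("Certificate for [%v] is going to expire in %d minutes, before the grace period",
+				providerName, remaining)
+		}
+	}
 	if !proxy.certIgnoreTimestamp {
 		if now > tsEnd || now < tsBegin {
 			dlog.Debugf("[%v] Certificate not valid at the current date", providerName)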
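Review bot: The grace-period check on the new `remaining := (tsEnd - now) / 60` line uses unsigned arithmetic — the `uint32(*proxy.testGracePeriod)` cast on the same line shows `remaining` is a `uint32` — so for a certificate whose `tsEnd` is already behind `now` the subtraction wraps to a huge value and the check passes instead of failing. With `certIgnoreTimestamp` unset the existing `now > tsEnd` test a few lines below presumably still rejects the certificate, but the run then ends in a generic failure rather than naming the expired certificate, and with `certIgnoreTimestamp` set an already-expired certificate survives `-test` entirely. Test the ordering first, `if now > tsEnd || (tsEnd-now)/60 < uint32(*proxy.testGracePeriod) {`, and report "already expired" or `0` remaining minutes in that case. `dlog.Fatalf` also stops at the first offending server, so a run with several expiring certificates reports only one; if that is intended for the CLI check, a one-line comment saying so would help. FetchCurrentDNSCryptCert begins and ends outside the hunk.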


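--- a/PATH_NOT_ON_PAGE_3
+++ b/PATH_NOT_ON_PAGE_3
@@ -6,6 +6,7 @@ import (
 	"math/rand"
 	"net"
 	"net/http"
+	"os"
 	"sync/atomic"
 	"time"
@@ -52,6 +53,7 @@ type Proxy struct {
 	maxClients uint32
 	xTransport *XTransport
 	allWeeklyRanges *map[string]WeeklyRanges
+	testGracePeriod *int
 }
 func (proxy *Proxy) StartProxy() {
@@ -83,6 +85,14 @@ func (proxy *Proxy) StartProxy() {
 		dlog.Fatal(err)
 	}
 	liveServers, err := proxy.serversInfo.refresh(proxy)
+	if proxy.testGracePeriod != nil {
+		if liveServers > 0 {
+			dlog.Noticef("%d certificates successfully checked", liveServers)
+			os.Exit(0)
+		} else {
+			dlog.Fatal("Unable to check servers certificates")
+		}
+	}
 	if liveServers > 0 {
 		dlog.Noticef("dnscrypt-proxy is ready - live servers: %d", liveServers)
 		SystemDNotify()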
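Review bot: The new test branch after `liveServers, err := proxy.serversInfo.refresh(proxy)` declares success on `liveServers > 0` without consulting `err`, and a positive live count only says that at least one server passed: a server that could not be reached, or whose certificate fetch failed for any reason, is simply absent from the count, so `-test` exits 0 and prints "N certificates successfully checked" even when some of the chosen servers were never checked. If `err` is handled anywhere in StartProxy it must be after this block (outside the hunk), so in test mode that handling is skipped whenever `os.Exit(0)` runs. At minimum check the error first, `if err != nil { dlog.Fatal(err) }`, and consider comparing `liveServers` against the number of configured servers rather than against zero so a partial failure is not reported as a clean pass. `os.Exit(0)` also bypasses deferred functions; acceptable for a one-shot check, but worth a comment such as `// -test mode: report and exit without starting the listeners.` StartProxy continues past the hunk.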


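--- a/PATH_NOT_ON_PAGE_4
+++ b/PATH_NOT_ON_PAGE_4
@@ -286,6 +286,7 @@ func (serversInfo *ServersInfo) fetchDoHServerInfo(proxy *Proxy, name string, st
 	showCerts := len(os.Getenv("SHOW_CERTS")) > 0
 	found := false
 	var wantedHash [32]byte
+	now := time.Now()
 	for _, cert := range tls.PeerCertificates {
 		h := sha256.Sum256(cert.RawTBSCertificate)
 		if showCerts {
@@ -293,6 +294,11 @@ func (serversInfo *ServersInfo) fetchDoHServerInfo(proxy *Proxy, name string, st
 		} else {
 			dlog.Debugf("Advertised cert: [%s] [%x]", cert.Subject, h)
 		}
+		if proxy.testGracePeriod != nil {
+			if remaining := int(cert.NotAfter.Sub(now).Minutes()); *proxy.testGracePeriod > remaining {
+				dlog.Fatalf("Certificate [%s] for [%s] is going to expire before the grace period, in %d minutes", cert.Subject, name, remaining)
+			}
+		}
 		for _, hash := range stamp.hashes {
 			if len(hash) == len(wantedHash) {
 				copy(wantedHash[:], hash)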
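Review bot: When a certificate has already expired, `remaining` on the new `remaining := int(cert.NotAfter.Sub(now).Minutes())` line is negative, so the check fails as it should but the message reads "is going to expire before the grace period, in -90 minutes" (constructed example). Branch the message on the sign, e.g. `if remaining < 0 { dlog.Fatalf("Certificate [%s] for [%s] has already expired", cert.Subject, name) }` ahead of the existing Fatalf. The DNSCrypt counterpart in the second file computes `remaining` in unsigned arithmetic and so cannot express this case at all; a shared helper taking a `time.Time` deadline and the grace period would keep the two checks consistent. The check also runs for every certificate in `tls.PeerCertificates`, intermediates included, which is a reasonable stance for a chain that must validate but deserves a comment, e.g. `// Every certificate in the served chain must outlive the grace period, not only the leaf.` fetchDoHServerInfo begins and ends outside the hunk.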