mdw@git.distorted.org.uk Git - ca/blob - bin/check

   1 #! /usr/bin/tclsh
   2 ### -*-tcl-*-
   3 ###
   4 ### Check that the certificate authority database and files are consistent.
   5 ###
   6 ### (c) 2011 Mark Wooding
   7 ###
   8
   9 ###----- Licensing notice ---------------------------------------------------
  10 ###
  11 ### This program is free software; you can redistribute it and/or modify
  12 ### it under the terms of the GNU General Public License as published by
  13 ### the Free Software Foundation; either version 2 of the License, or
  14 ### (at your option) any later version.
  15 ###
  16 ### This program is distributed in the hope that it will be useful,
  17 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
  18 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  19 ### GNU General Public License for more details.
  20 ###
  21 ### You should have received a copy of the GNU General Public License
  22 ### along with this program; if not, write to the Free Software Foundation,
  23 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  24
  25 ## Find the common utilities.
  26 source [file join [file dirname $argv0] "../lib/func.tcl"]
  27
  28 ## Open the database
  29 sqlite3 db "$CERTROOT/state/ca.db"
  30 db nullvalue nil
  31
  32 ## Build a map of the active requests.  Verify that active requests have
  33 ## distinct tags.
  34 array unset actreq
  35 array unset complain
  36 foreach {tag id} [db eval {
  37   SELECT tag, id FROM request WHERE st = 'active';
  38 }] {
  39   if {[info exists actreq($tag)] && ![info exists complain(dup-req-$tag)]} {
  40     bad 4 "multiple active requests with tag `$tag' ($id and $actreq($tag))"
  41     set complain(dup-req-$tag) 1
  42   } else {
  43     set actreq($tag) $id
  44   }
  45 }
  46
  47 ## Go through the active certificates.  Each one should tie up to an active
  48 ## request.  We don't check here that the request exists at all: that gets
  49 ## done later.
  50 array unset actcert
  51 foreach {seq tag st} [db eval {
  52   SELECT c.seq, r.tag, r.st
  53   FROM certificate AS c JOIN request AS r ON c.req = r.id
  54   WHERE c.st = 'active';
  55 }] {
  56   if {[info exists actcert($tag)] &&
  57       ![info exists complain(dup-cert-$tag)]} {
  58     bad 4 [join {
  59       "multiple active certificates with "
  60       "tag `$tag' ($seq and $actcert($tag))"} ""]
  61     continue
  62   }
  63   set actcert($tag) $seq
  64   if {![string equal $st active]} {
  65     bad 2 [join {
  66       "active cert $seq associated with "
  67       "request $id (`$tag') which is $st not active"} ""]
  68   }
  69 }
  70
  71 ## Check that the certificates for a revoked request are revoked or
  72 ## expired.
  73 foreach {seq id tag st} [db eval {
  74   SELECT c.seq, r.id, r.tag, c.st
  75   FROM certificate AS c JOIN request AS r ON c.req = r.id
  76   WHERE r.st = 'revoked' AND c.st != 'revoked' AND c.st != 'expired';
  77 }] {
  78   bad 4 "cert $seq for revoked request $id (`$tag') is $st not revoked"
  79 }
  80
  81 ## Similarly, check that revoked certificates match up with revoked
  82 ## requests.
  83 foreach {seq id tag st} [db eval {
  84   SELECT c.seq, r.id, r.tag, c.st
  85   FROM certificate AS c JOIN request AS r ON c.req = r.id
  86   WHERE c.st = 'revoked' AND r.st != 'revoked';
  87 }] {
  88   bad 2 [join {
  89     "revoked cert $seq associated with "
  90     "request $id (`$tag') which is $st not revoked"} ""]
  91 }
  92
  93 ## Check that the active symlinks are correct.
  94 foreach {what key dir actvar} {
  95   "request" "id" "req" actreq
  96   "certificate" "seq" "cert" actcert
  97 } {
  98   upvar 0 $actvar act
  99
 100   ## Check that there's a symlink DIR/active/TAG for each active item, and
 101   ## that it points to the correct item.
 102   foreach tag [array names act] {
 103     set link "$CERTROOT/$dir/active/$tag"
 104     set id $act($tag)
 105     if {![file exists $link]} {
 106       bad 1 "missing symlink for active $what `$tag' ($key = $id)"
 107     } elseif {![string equal [file type $link] link]} {
 108       bad 1 "entry for active $what `$tag' ($key = $id) isn't a link"
 109     } elseif {![string equal [file readlink $link] "../by-$key/$id"]} {
 110       bad 1 "link for active $what `$tag' ($key = $id) is wrong"
 111       moan "\t(actually `[file readlink $link]'; should be `../by-$key/$id')"
 112     }
 113   }
 114
 115   ## Check that there aren't any other stray things.
 116   foreach tag \
 117       [glob -tails -directory "$CERTROOT/$dir/active" -nocomplain *] {
 118     if {![info exists act($tag)]} {
 119       bad 1 "bogus file `$dir/active/$tag'"
 120     }
 121   }
 122 }
 123
 124 ## Now run through all of the requests and check that they match the
 125 ## corresponding request files.
 126 array unset reqmap
 127 foreach {id tag st dn hash} [db eval {
 128   SELECT id, tag, st, dn, hash FROM request;
 129 }] {
 130   if {[info exists reqmap($id)]} {
 131     bad 4 "duplicate request id $id"
 132     continue
 133   }
 134   set reqmap($id) 1
 135
 136   switch -exact -- $st {
 137     active - withdrawn - revoked { }
 138     default {
 139       bad 2 "request $id (`$tag') has unknown state `$st'"
 140     }
 141   }
 142
 143   set reqfile "$CERTROOT/req/by-id/$id"
 144   if {![file exists $reqfile]} {
 145     bad 4 "missing file for request $id (`$tag')"
 146     continue
 147   }
 148
 149   set req_dn [req-dn $reqfile]
 150   if {![string equal $req_dn $dn]} {
 151     bad 2 "request $id (`$tag') has DN mismatch"
 152     moan "\t(db has dn = $dn)"
 153     moan "\t(file has dn = $req_dn)"
 154   }
 155
 156   set req_hash [req-key-hash $reqfile]
 157   if {![string equal $req_hash $hash]} {
 158     bad 2 "request $id (`$tag') has key hash mismatch"
 159     moan "\t(db has hash = $hash)"
 160     moan "\t(file has hash = $req_hash)"
 161   }
 162 }
 163
 164 ## Run through all of the certificates and check that they match the
 165 ## correspoding certificate files.  This is a good opportunity to verify that
 166 ## the certificates match up with requests.
 167 array unset certmap
 168 foreach {seq req tag st dn hash} [db eval {
 169   SELECT c.seq, r.id, r.tag, c.st, r.cert_dn, r.hash
 170   FROM certificate AS c LEFT OUTER JOIN request AS r ON c.req = r.id;
 171 }] {
 172   if {[info exists certmap($seq)]} {
 173     bad 4 "duplicate certificate serial number $seq"
 174     continue
 175   }
 176   set certmap($seq) 1
 177
 178   if {[string equal $req nil]} {
 179     bad 2 "certificate $seq has no certificate request"
 180   }
 181
 182   switch -exact -- $st {
 183     active - withdrawn - superceded - revoked - expired { }
 184     default {
 185       bad 2 "certificate $id (`$tag') has unknown state `$st'"
 186     }
 187   }
 188
 189   set certfile "$CERTROOT/cert/by-seq/$seq"
 190   if {![file exists $certfile]} {
 191     bad 4 "missing file for certficate $seq (`$tag')"
 192     continue
 193   }
 194   if {[string equal $req nil]} { continue }
 195
 196   set cert_dn [cert-dn $certfile]
 197   if {![string equal $dn $cert_dn]} {
 198     bad 2 "certificate $seq (`$tag') has DN mismatch"
 199     moan "\t(db has dn = $dn)"
 200     moan "\t(file has dn = $cert_dn)"
 201   }
 202
 203   set cert_hash [cert-key-hash $certfile]
 204   if {![string equal $cert_hash $hash]} {
 205     bad 2 "certificate $seq (`$tag') has key hash mismatch"
 206     moan "\t(db has hash = $hash)"
 207     moan "\t(file has hash = $cert_hash)"
 208   }
 209 }
 210
 211 ## Finally, make sure that there aren't any stray files in those directories.
 212 foreach {dir mapvar} {
 213   "req/by-id" reqmap
 214   "cert/by-seq" certmap
 215 } {
 216   upvar 0 $mapvar map
 217   foreach file [glob -tails -directory "$CERTROOT/$dir" -nocomplain *] {
 218     if {![info exists map($file)]} {
 219       bad 1 "bogus file `$dir/$file'"
 220     }
 221   }
 222 }
 223
 224 ## Done!
 225 quit
 226
 227 ###----- That's all, folks --------------------------------------------------