Commit | Line | Data |
---|---|---|
69ab55f7 MW |
1 | #! /usr/bin/tclsh8.5 |
2 | ### -*-tcl-*- | |
3 | ### | |
4 | ### Check that the certificate authority database and files are consistent. | |
5 | ### | |
6 | ### (c) 2011 Mark Wooding | |
7 | ### | |
8 | ||
9 | ###----- Licensing notice --------------------------------------------------- | |
10 | ### | |
11 | ### This program is free software; you can redistribute it and/or modify | |
12 | ### it under the terms of the GNU General Public License as published by | |
13 | ### the Free Software Foundation; either version 2 of the License, or | |
14 | ### (at your option) any later version. | |
15 | ### | |
16 | ### This program is distributed in the hope that it will be useful, | |
17 | ### but WITHOUT ANY WARRANTY; without even the implied warranty of | |
18 | ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
19 | ### GNU General Public License for more details. | |
20 | ### | |
21 | ### You should have received a copy of the GNU General Public License | |
22 | ### along with this program; if not, write to the Free Software Foundation, | |
23 | ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. | |
24 | ||
25 | ## Find the common utilities. | |
26 | source [file join [file dirname $argv0] "../lib/func.tcl"] | |
27 | ||
28 | ## Open the database | |
29 | sqlite3 db "$CERTROOT/state/ca.db" | |
30 | db nullvalue nil | |
31 | ||
32 | ## Build a map of the active requests. Verify that active requests have | |
33 | ## distinct tags. | |
34 | array unset actreq | |
35 | array unset complain | |
36 | foreach {tag id} [db eval { | |
37 | SELECT tag, id FROM request WHERE st = 'active'; | |
38 | }] { | |
39 | if {[info exists actreq($tag)] && ![info exists complain(dup-req-$tag)]} { | |
40 | bad 4 "multiple active requests with tag `$tag' ($id and $actreq($tag))" | |
41 | set complain(dup-req-$tag) 1 | |
42 | } else { | |
43 | set actreq($tag) $id | |
44 | } | |
45 | } | |
46 | ||
47 | ## Go through the active certificates. Each one should tie up to an active | |
48 | ## request. We don't check here that the request exists at all: that gets | |
49 | ## done later. | |
50 | array unset actcert | |
51 | foreach {seq tag st} [db eval { | |
52 | SELECT c.seq, r.tag, r.st | |
53 | FROM certificate AS c JOIN request AS r ON c.req = r.id | |
54 | WHERE c.st = 'active'; | |
55 | }] { | |
56 | if {[info exists actcert($tag)] && | |
57 | ![info exists complain(dup-cert-$tag)]} { | |
58 | bad 4 [join { | |
59 | "multiple active certificates with " | |
60 | "tag `$tag' ($seq and $actcert($tag))"} ""] | |
61 | continue | |
62 | } | |
63 | set actcert($tag) $seq | |
64 | if {![string equal $st active]} { | |
65 | bad 2 [join { | |
66 | "active cert $seq associated with " | |
67 | "request $id (`$tag') which is $st not active"} ""] | |
68 | } | |
69 | } | |
70 | ||
71 | ## Check that the certificates for a revoked request are revoked or | |
72 | ## expired. | |
73 | foreach {seq id tag st} [db eval { | |
74 | SELECT c.seq, r.id, r.tag, c.st | |
75 | FROM certificate AS c JOIN request AS r ON c.req = r.id | |
76 | WHERE r.st = 'revoked' AND c.st != 'revoked' AND c.st != 'expired'; | |
77 | }] { | |
78 | bad 4 "cert $seq for revoked request $id (`$tag') is $st not revoked" | |
79 | } | |
80 | ||
81 | ## Similarly, check that revoked certificates match up with revoked | |
82 | ## requests. | |
83 | foreach {seq id tag st} [db eval { | |
84 | SELECT c.seq, r.id, r.tag, c.st | |
85 | FROM certificate AS c JOIN request AS r ON c.req = r.id | |
86 | WHERE c.st = 'revoked' AND r.st != 'revoked'; | |
87 | }] { | |
88 | bad 2 [join { | |
89 | "revoked cert $seq associated with " | |
90 | "request $id (`$tag') which is $st not revoked"} ""] | |
91 | } | |
92 | ||
93 | ## Check that the active symlinks are correct. | |
94 | foreach {what key dir actvar} { | |
95 | "request" "id" "req" actreq | |
96 | "certificate" "seq" "cert" actcert | |
97 | } { | |
98 | upvar 0 $actvar act | |
99 | ||
100 | ## Check that there's a symlink DIR/active/TAG for each active item, and | |
101 | ## that it points to the correct item. | |
102 | foreach tag [array names act] { | |
103 | set link "$CERTROOT/$dir/active/$tag" | |
104 | set id $act($tag) | |
105 | if {![file exists $link]} { | |
106 | bad 1 "missing symlink for active $what `$tag' ($key = $id)" | |
107 | } elseif {![string equal [file type $link] link]} { | |
108 | bad 1 "entry for active $what `$tag' ($key = $id) isn't a link" | |
109 | } elseif {![string equal [file readlink $link] "../by-$key/$id"]} { | |
110 | bad 1 "link for active $what `$tag' ($key = $id) is wrong" | |
111 | moan "\t(actually `[file readlink $link]'; should be `../by-$key/$id')" | |
112 | } | |
113 | } | |
114 | ||
115 | ## Check that there aren't any other stray things. | |
116 | foreach tag \ | |
117 | [glob -tails -directory "$CERTROOT/$dir/active" -nocomplain *] { | |
118 | if {![info exists act($tag)]} { | |
119 | bad 1 "bogus file `$dir/active/$tag'" | |
120 | } | |
121 | } | |
122 | } | |
123 | ||
124 | ## Now run through all of the requests and check that they match the | |
125 | ## corresponding request files. | |
126 | array unset reqmap | |
127 | foreach {id tag st dn hash} [db eval { | |
128 | SELECT id, tag, st, dn, hash FROM request; | |
129 | }] { | |
130 | if {[info exists reqmap($id)]} { | |
131 | bad 4 "duplicate request id $id" | |
132 | continue | |
133 | } | |
134 | set reqmap($id) 1 | |
135 | ||
136 | switch -exact -- $st { | |
137 | active - withdrawn - revoked { } | |
138 | default { | |
139 | bad 2 "request $id (`$tag') has unknown state `$st'" | |
140 | } | |
141 | } | |
142 | ||
143 | set reqfile "$CERTROOT/req/by-id/$id" | |
144 | if {![file exists $reqfile]} { | |
145 | bad 4 "missing file for request $id (`$tag')" | |
146 | continue | |
147 | } | |
148 | ||
149 | set req_dn [req-dn $reqfile] | |
150 | if {![string equal $req_dn $dn]} { | |
151 | bad 2 "request $id (`$tag') has DN mismatch" | |
152 | moan "\t(db has dn = $dn)" | |
153 | moan "\t(file has dn = $req_dn)" | |
154 | } | |
155 | ||
156 | set req_hash [req-key-hash $reqfile] | |
157 | if {![string equal $req_hash $hash]} { | |
158 | bad 2 "request $id (`$tag') has key hash mismatch" | |
159 | moan "\t(db has hash = $hash)" | |
160 | moan "\t(file has hash = $req_hash)" | |
161 | } | |
162 | } | |
163 | ||
164 | ## Run through all of the certificates and check that they match the | |
165 | ## correspoding certificate files. This is a good opportunity to verify that | |
166 | ## the certificates match up with requests. | |
167 | array unset certmap | |
168 | foreach {seq req tag st dn hash} [db eval { | |
169 | SELECT c.seq, r.id, r.tag, c.st, r.cert_dn, r.hash | |
170 | FROM certificate AS c LEFT OUTER JOIN request AS r ON c.req = r.id; | |
171 | }] { | |
172 | if {[info exists certmap($seq)]} { | |
173 | bad 4 "duplicate certificate serial number $seq" | |
174 | continue | |
175 | } | |
176 | set certmap($seq) 1 | |
177 | ||
178 | if {[string equal $req nil]} { | |
179 | bad 2 "certificate $seq has no certificate request" | |
180 | } | |
181 | ||
182 | switch -exact -- $st { | |
183 | active - withdrawn - superceded - revoked - expired { } | |
184 | default { | |
185 | bad 2 "certificate $id (`$tag') has unknown state `$st'" | |
186 | } | |
187 | } | |
188 | ||
189 | set certfile "$CERTROOT/cert/by-seq/$seq" | |
190 | if {![file exists $certfile]} { | |
191 | bad 4 "missing file for certficate $seq (`$tag')" | |
192 | continue | |
193 | } | |
194 | if {[string equal $req nil]} { continue } | |
195 | ||
196 | set cert_dn [cert-dn $certfile] | |
197 | if {![string equal $dn $cert_dn]} { | |
198 | bad 2 "certificate $seq (`$tag') has DN mismatch" | |
199 | moan "\t(db has dn = $dn)" | |
200 | moan "\t(file has dn = $cert_dn)" | |
201 | } | |
202 | ||
203 | set cert_hash [cert-key-hash $certfile] | |
204 | if {![string equal $cert_hash $hash]} { | |
205 | bad 2 "certificate $seq (`$tag') has key hash mismatch" | |
206 | moan "\t(db has hash = $hash)" | |
207 | moan "\t(file has hash = $cert_hash)" | |
208 | } | |
209 | } | |
210 | ||
211 | ## Finally, make sure that there aren't any stray files in those directories. | |
212 | foreach {dir mapvar} { | |
213 | "req/by-id" reqmap | |
214 | "cert/by-seq" certmap | |
215 | } { | |
216 | upvar 0 $mapvar map | |
217 | foreach file [glob -tails -directory "$CERTROOT/$dir" -nocomplain *] { | |
218 | if {![info exists map($file)]} { | |
219 | bad 1 "bogus file `$dir/$file'" | |
220 | } | |
221 | } | |
222 | } | |
223 | ||
224 | ## Done! | |
225 | quit | |
226 | ||
227 | ###----- That's all, folks -------------------------------------------------- |