checks/jar_signature

   1 #!/usr/bin/python
   2 # -*- encoding: utf-8; py-indent-offset: 4 -*-
   3 # +------------------------------------------------------------------+
   4 # |             ____ _               _        __  __ _  __           |
   5 # |            / ___| |__   ___  ___| | __   |  \/  | |/ /           |
   6 # |           | |   | '_ \ / _ \/ __| |/ /   | |\/| | ' /            |
   7 # |           | |___| | | |  __/ (__|   <    | |  | | . \            |
   8 # |            \____|_| |_|\___|\___|_|\_\___|_|  |_|_|\_\           |
   9 # |                                                                  |
  10 # | Copyright Mathias Kettner 2014             mk@mathias-kettner.de |
  11 # +------------------------------------------------------------------+
  12 #
  13 # This file is part of Check_MK.
  14 # The official homepage is at http://mathias-kettner.de/check_mk.
  15 #
  16 # check_mk is free software;  you can redistribute it and/or modify it
  17 # under the  terms of the  GNU General Public License  as published by
  18 # the Free Software Foundation in version 2.  check_mk is  distributed
  19 # in the hope that it will be useful, but WITHOUT ANY WARRANTY;  with-
  20 # out even the implied warranty of  MERCHANTABILITY  or  FITNESS FOR A
  21 # PARTICULAR PURPOSE. See the  GNU General Public License for more de-
  22 # tails. You should have  received  a copy of the  GNU  General Public
  23 # License along with GNU Make; see the file  COPYING.  If  not,  write
  24 # to the Free Software Foundation, Inc., 51 Franklin St,  Fifth Floor,
  25 # Boston, MA 02110-1301 USA.
  26
  27 # Example output from agent
  28 # <<<jar_signature>>>
  29 # [[[bluecove-1.2.3-signed.jar]]]
  30 # sm       308 Fri May 11 01:42:04 CEST 2007 javax/microedition/io/StreamConnectionNotifier.class
  31 #
  32 #       X.509, CN=MicroEmulator Team
  33 #             [certificate expired on 2/10/12 6:19 PM]
  34 #
  35 #
  36 #               s = signature was verified
  37 #                 m = entry is listed in manifest
  38 #                   k = at least one certificate was found in keystore
  39 #                     i = at least one certificate was found in identity scope
  40 #
  41 #                     jar verified.
  42 #
  43 #                     Warning:
  44 #                     This jar contains entries whose signer certificate has expired.
  45
  46
  47 def inventory_jar_signature(info):
  48     inventory = []
  49     for line in info:
  50         if line[0].startswith("[[["):
  51             f = line[0][3:-3]
  52             inventory.append((f, {}))
  53     return inventory
  54
  55
  56 def check_jar_signature(item, _no_params, info):
  57     in_block = False
  58     details = []
  59     in_cert = False
  60     cert = []
  61     for line in info:
  62         line = (" ".join(line)).strip()
  63         if line == "[[[%s]]]" % item:
  64             in_block = True
  65         elif in_block and line.startswith("[[["):
  66             break
  67         elif in_block and line.startswith("X.509"):
  68             in_cert = True
  69             cert = [line]
  70         elif in_block and in_cert and line.startswith(
  71                 "[") and not line.startswith("[entry was signed on"):
  72             in_cert = False
  73             cert.append(line)
  74             details.append(cert)
  75
  76     if not details:
  77         return (2, "No certificate found")
  78
  79     _cert_dn, cert_valid = details[0]
  80
  81     # [certificate is valid from 3/26/12 11:26 AM to 3/26/17 11:36 AM]
  82     # [certificate will expire on 7/4/13 4:13 PM]
  83     # [certificate expired on 2/10/12 6:19 PM]
  84     if "will expire on " in cert_valid:
  85         expiry_date_text = cert_valid.split("will expire on ", 1)[1][:-1]
  86     elif "expired on" in cert_valid:
  87         expiry_date_text = cert_valid.split("expired on ", 1)[1][:-1]
  88     else:
  89         expiry_date_text = cert_valid.split("to ", 1)[1][:-1]
  90     expiry_date = time.mktime(time.strptime(expiry_date_text, '%m/%d/%y %I:%M %p'))
  91     expired_since = time.time() - expiry_date
  92
  93     warn, crit = 60 * 86400, 30 * 86400
  94
  95     state = 0
  96     if expired_since >= 0:
  97         status_text = "Certificate expired on %s (%s ago) " % (
  98             expiry_date_text, get_age_human_readable(expired_since))
  99         state = 2
 100
 101     else:
 102         status_text = "Certificate will expire on %s (in %s)" % (
 103             expiry_date_text, get_age_human_readable(-expired_since))
 104         if -expired_since <= crit:
 105             state = 2
 106         elif -expired_since <= warn:
 107             state = 1
 108         if state:
 109             status_text += " (warn/crit below %s/%s)" % (get_age_human_readable(warn),
 110                                                          get_age_human_readable(crit))
 111
 112     return state, status_text
 113
 114
 115 check_info['jar_signature'] = {
 116     "service_description": "Jar-Signature %s",
 117     "check_function": check_jar_signature,
 118     "inventory_function": inventory_jar_signature,
 119 }