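#!/usr/bin/sh
#----------------------------------------------------------------------------------
# /var/install/bin/certs-cert-key-matcher - check if a key matches a certificate
#
# Copyright (c) 2001-2025 The Eisfair Team, team(at)eisfair(dot)org
#
# Creation:    2013-01-06  jed
# Last Update: $Id$
#
# Usage:
#   certs-cert-key-matcher --help                - show this help
#
#   certs-cert-key-matcher [--quiet] [--show-modulus] [-ssldir dir]
#                          --match-cert-key -cert cert-filename -key key-filename
#                                                - check if cert file matches key file.
#   certs-cert-key-matcher [--quiet] [--show-modulus] [-ssldir dir]
#                          --match-cert-csr -cert cert-filename -csr csr-filename
#                                                - check if cert file matches csr file.
#
#   certs-cert-key-matcher [--quiet] [--show-modulus] [-ssldir dir]
#                          --find-match -cert cert-filename
#                                                - search for matching key and csr files.
#   certs-cert-key-matcher [--quiet] [--show-modulus] [-ssldir dir]
#                          --find-match -key key-filename
#                                                - search for matching cert and csr files.
#   certs-cert-key-matcher [--quiet] [--show-modulus] [-ssldir dir]
#                          --find-match -csr csr-filename
#                                                - search for matching cert and key files.
#
# Notes:
#   - File names given to -cert/-csr/-key are reduced to their base name and
#     looked up below the ssl directory only (certs/, csr/ resp. private/);
#     a missing extension (.pem/.csr/.key) is appended.
#   - '-ssldir' has to precede -cert/-csr/-key, because the file check is done
#     while the command line is parsed.
#   - Only RSA material is compared: the decision is made on the full RSA
#     modulus; files openssl cannot parse or that carry no RSA modulus are
#     reported as an error (--match-*) resp. skipped (--find-match) instead of
#     being compared as empty strings.
#
# Exit codes:
#   0 - files match (--match-*) or the search finished (--find-match)
#   1 - files do not match, or a usage error (unknown option, missing file)
#   2 - a given file could not be read by openssl or has no RSA modulus
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#----------------------------------------------------------------------------------

# include eislib
. /var/install/include/eislib

#exec 2>/tmp/certs-cert-key-matcher-trace-$$.log
#set -x

openssl_bin=/usr/bin/openssl

mflag=0             # 1: append the md5 digest of the modulus to every file name shown
force_quiet_run=0   # 1: suppress informational output (error messages are still printed)
modulus_str=''      # text appended by set_modulus, '' unless --show-modulus was given
cmd=''
certfile=''
csrfile=''
keyfile=''

#------------------------------------------------------------------------------
# set the ssl base directory and everything derived from it
#
# input: $1 - ssl base directory
#------------------------------------------------------------------------------
set_ssldir () {
    ssldir="$1"
    certdir="${ssldir}/certs"
    csrdir="${ssldir}/csr"
    privdir="${ssldir}/private"
    # the sub directories and OPENSSL_CONF must always follow the base directory,
    # otherwise '-ssldir' would only change the value printed in the header
    export OPENSSL_CONF="${ssldir}/openssl.cnf"
}

set_ssldir /usr/local/ssl

#------------------------------------------------------------------------------
# my own echo - mecho wrapper which keeps quiet if --quiet was given
#
# input: [-std|-info|-warn|-error] message...
#------------------------------------------------------------------------------
myecho () {
    EXEC_FUNCTION='===begin:myecho==='
    _me_switch=''
    case $1 in
        -std|--std|-info|--info|-warn|--warn|-error|--error)
            _me_switch=$1
            shift
            ;;
    esac
    if [ "${force_quiet_run}" -eq 0 ]
    then
        # ${_me_switch} is deliberately unquoted: an empty switch has to vanish
        mecho ${_me_switch} "$*"
    fi
    EXEC_FUNCTION='===end:myecho==='
}

#------------------------------------------------------------------------------
# print the RSA modulus of a certificate, key or csr file
#
# input:  $1 - openssl sub command: x509 (cert), rsa (key) or req (csr)
#         $2 - file name
# output: the 'Modulus=<hex>' line on stdout
# return: 0 - ok
#         1 - openssl failed or the file carries no RSA modulus; nothing is
#             printed, so a caller can never end up comparing two empty values
#------------------------------------------------------------------------------
get_modulus () {
    _gm_out=`${openssl_bin} "$1" -noout -modulus -in "$2"`
    case ${_gm_out} in
        Modulus=*) ;;
        *) return 1 ;;
    esac
    # non-RSA material does not yield a hex number after 'Modulus=' (openssl
    # prints an explanatory text instead) - accept hex digits only
    _gm_hex=${_gm_out#Modulus=}
    case ${_gm_hex} in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    printf '%s\n' "${_gm_out}"
    return 0
}

#------------------------------------------------------------------------------
# set modulus
#
# input: $1 - modulus (as printed by get_modulus)
# sets modulus_str to ' (<md5>)' if --show-modulus was given, '' otherwise.
# The md5 digest is for display only, the match is decided on the full modulus.
#------------------------------------------------------------------------------
set_modulus () {
    modulus_str=''
    if [ "${mflag}" -eq 1 ]
    then
        # strip the '(stdin)= ' resp. 'MD5(stdin)= ' prefix (wording differs
        # between openssl versions)
        _sm_digest=`printf '%s\n' "$1" | ${openssl_bin} md5 | sed 's/^.*= //'`
        modulus_str=" (${_sm_digest})"
    fi
}

#------------------------------------------------------------------------------
# list all files of a directory whose modulus equals the given one
#
# input: $1 - label printed in front of the first hit, e.g. 'cert file:'
#        $2 - directory to scan (not recursive)
#        $3 - file name pattern, e.g. '*.pem'
#        $4 - openssl sub command used to read the files (x509, rsa, req)
#        $5 - modulus to compare against
#        $6 - optional base name to skip, e.g. 'ca.key'
#------------------------------------------------------------------------------
find_matching () {
    fm_label="$1"
    fm_dir="$2"
    fm_pattern="$3"
    fm_subcmd="$4"
    fm_modulus="$5"
    fm_skip="$6"
    # further hits are indented to the width of the label
    fm_indent=`printf '%s' "${fm_label}" | sed 's/./ /g'`
    hflag=0
    # one path per line keeps file names with blanks intact without touching IFS
    # ($'\n' is not available in every /bin/sh); the loop runs in a subshell,
    # which is fine because nothing set inside it is needed afterwards
    find "${fm_dir}" -maxdepth 1 -type f -name "${fm_pattern}" -print | sort |
    while IFS= read -r fm_path
    do
        fm_name="${fm_path#"${fm_dir}"/}"
        if [ -n "${fm_skip}" ] && [ "${fm_name}" = "${fm_skip}" ]
        then
            continue
        fi
        # unreadable / non-RSA files are skipped instead of being compared
        fm_this=`get_modulus "${fm_subcmd}" "${fm_path}"` || continue
        if [ "${fm_this}" = "${fm_modulus}" ]
        then
            set_modulus "${fm_this}"
            if [ "${hflag}" -eq 0 ]
            then
                myecho "${fm_label} ${fm_name}${modulus_str}"
                hflag=1
            else
                myecho "${fm_indent} ${fm_name}${modulus_str}"
            fi
        fi
    done
}

#------------------------------------------------------------------------------
# find matching cert files
#
# input: $1 - modulus
#------------------------------------------------------------------------------
find_cert_files () {
    find_matching 'cert file:' "${certdir}" '*.pem' x509 "$1"
}

#------------------------------------------------------------------------------
# find matching key files (the CA key itself is skipped)
#
# input: $1 - modulus
#------------------------------------------------------------------------------
find_key_files () {
    find_matching 'key file :' "${privdir}" '*.key' rsa "$1" ca.key
}

#------------------------------------------------------------------------------
# find matching csr files
#
# input: $1 - modulus
#------------------------------------------------------------------------------
find_csr_files () {
    find_matching 'csr file :' "${csrdir}" '*.csr' req "$1"
}

#------------------------------------------------------------------------------
# normalise a -cert/-csr/-key argument to a base name with extension
#
# input:  $1 - directory the file has to live in
#         $2 - extension (without dot), appended if missing
#         $3 - name given on the command line
# output: the base name including extension (always printed)
# return: 0 - file exists below $1
#         1 - file does not exist
#------------------------------------------------------------------------------
resolve_file () {
    # only the base name is used: files outside the ssl directory are never read
    rf_name=${3##*/}
    case ${rf_name} in
        *."$2") ;;
        *) rf_name="${rf_name}.$2" ;;
    esac
    printf '%s\n' "${rf_name}"
    [ -f "$1/${rf_name}" ]
}

#------------------------------------------------------------------------------
# make sure an option has its argument, exit 1 otherwise
#
# input: "$@" of the parser loop ($1 - option, $2 - its argument)
#------------------------------------------------------------------------------
need_arg () {
    if [ $# -lt 2 ]
    then
        mecho --error "option '$1' requires an argument!"
        exit 1
    fi
}

#------------------------------------------------------------------------------
# report a file openssl could not read and exit 2
#
# input: $1 - kind of file, e.g. 'certificate file'
#        $2 - file name
#------------------------------------------------------------------------------
parse_error () {
    mecho --error "$1 '$2' could not be read by openssl or has no RSA modulus!"
    exit 2
}

#------------------------------------------------------------------------------
# print the verdict of a comparison
#
# input:  $1 - first modulus
#         $2 - second modulus
# return: 0 - matching
#         1 - not matching
#------------------------------------------------------------------------------
report_match () {
    myecho -n "result   : "
    if [ "$1" = "$2" ]
    then
        myecho --info "both files are matching!"
        return 0
    fi
    myecho --warn "both files are not matching!"
    return 1
}

#------------------------------------------------------------------------------
# print help
#------------------------------------------------------------------------------
show_help () {
    echo "Usage:"
    echo "  certs-cert-key-matcher --help                - show this help"
    echo
    echo "  certs-cert-key-matcher [--quiet] [--show-modulus] [-ssldir dir]"
    echo "                         --match-cert-key -cert cert-filename -key key-filename"
    echo "                                               - check if cert file matches key file."
    echo "  certs-cert-key-matcher [--quiet] [--show-modulus] [-ssldir dir]"
    echo "                         --match-cert-csr -cert cert-filename -csr csr-filename"
    echo "                                               - check if cert file matches csr file."
    echo
    echo "  certs-cert-key-matcher [--quiet] [--show-modulus] [-ssldir dir]"
    echo "                         --find-match -cert cert-filename"
    echo "                                               - search for matching key and csr files."
    echo "  certs-cert-key-matcher [--quiet] [--show-modulus] [-ssldir dir]"
    echo "                         --find-match -key key-filename"
    echo "                                               - search for matching cert and csr files."
    echo "  certs-cert-key-matcher [--quiet] [--show-modulus] [-ssldir dir]"
    echo "                         --find-match -csr csr-filename"
    echo "                                               - search for matching cert and key files."
    echo
    echo "  -ssldir has to be given before -cert/-csr/-key (default: /usr/local/ssl)."
    echo "  Exit codes: 0 - match / search done, 1 - no match or usage error,"
    echo "              2 - file not readable by openssl or no RSA modulus."
    echo
}

#==============================================================================
# main
#==============================================================================
if [ $# -eq 0 ]
then
    # show command line parameters
    echo
    show_help
    exit 1
fi

# read command line parameters
while [ $# -gt 0 ]
do
    case "$1" in
        --quiet)
            force_quiet_run=1
            shift
            ;;
        --help|-help|-?|/?)
            # show command line parameters
            echo
            show_help
            exit 1
            ;;
        --show-modulus)
            mflag=1
            shift
            ;;
        -ssldir)
            need_arg "$@"
            if [ -d "$2" ]
            then
                set_ssldir "$2"
                shift 2
            else
                # exit here, an unconsumed option would otherwise loop forever
                mecho --error "ssl directory '$2' doesn't exist!"
                exit 1
            fi
            ;;
        -cert)
            need_arg "$@"
            fname=`resolve_file "${certdir}" pem "$2"`
            if [ $? -ne 0 ]
            then
                mecho --error "certificate file '${fname}' doesn't exist!"
                exit 1
            fi
            certfile="${fname}"
            shift 2
            ;;
        -csr)
            need_arg "$@"
            fname=`resolve_file "${csrdir}" csr "$2"`
            if [ $? -ne 0 ]
            then
                mecho --error "csr file '${fname}' doesn't exist!"
                exit 1
            fi
            csrfile="${fname}"
            shift 2
            ;;
        -key)
            need_arg "$@"
            fname=`resolve_file "${privdir}" key "$2"`
            if [ $? -ne 0 ]
            then
                mecho --error "key file '${fname}' doesn't exist!"
                exit 1
            fi
            keyfile="${fname}"
            shift 2
            ;;
        --find-match)
            # which key/csr files are matching a certificate?
            cmd='find-match'
            shift
            ;;
        --match-cert-key)
            # does key file match certificate?
            cmd='match-cert-key'
            shift
            ;;
        --match-cert-csr)
            # does csr file match certificate?
            cmd='match-cert-csr'
            shift
            ;;
        *)
            break
            ;;
    esac
done

case "${cmd}" in
    find-match)
        # find matching key and csr files
        # print header
        myecho
        myecho "cert dir: ${certdir}"
        myecho "csr dir : ${csrdir}"
        myecho "key dir : ${privdir}"
        myecho
        if [ -n "${certfile}" ]
        then
            modulus=`get_modulus x509 "${certdir}/${certfile}"` || parse_error "certificate file" "${certfile}"
            set_modulus "${modulus}"
            myecho "cert file: ${certfile}${modulus_str}"
            find_key_files "${modulus}"
            find_csr_files "${modulus}"
        elif [ -n "${keyfile}" ]
        then
            modulus=`get_modulus rsa "${privdir}/${keyfile}"` || parse_error "key file" "${keyfile}"
            set_modulus "${modulus}"
            myecho "key file : ${keyfile}${modulus_str}"
            find_cert_files "${modulus}"
            find_csr_files "${modulus}"
        elif [ -n "${csrfile}" ]
        then
            modulus=`get_modulus req "${csrdir}/${csrfile}"` || parse_error "csr file" "${csrfile}"
            set_modulus "${modulus}"
            myecho "csr file : ${csrfile}${modulus_str}"
            find_cert_files "${modulus}"
            find_key_files "${modulus}"
        else
            mecho --error "--find-match requires one of -cert, -key or -csr!"
            exit 1
        fi
        myecho
        ;;
    match-cert-key)
        # check if a key file matches a certificate
        # exit: 0 - matching
        #       1 - not matching
        #       2 - a file could not be read
        if [ -z "${certfile}" ] || [ -z "${keyfile}" ]
        then
            mecho --error "--match-cert-key requires -cert and -key!"
            exit 1
        fi
        cert_modulus=`get_modulus x509 "${certdir}/${certfile}"` || parse_error "certificate file" "${certfile}"
        key_modulus=`get_modulus rsa "${privdir}/${keyfile}"` || parse_error "key file" "${keyfile}"
        myecho
        myecho "cert dir: ${certdir}"
        myecho "key dir : ${privdir}"
        myecho
        set_modulus "${cert_modulus}"
        myecho "cert file: ${certfile}${modulus_str}"
        set_modulus "${key_modulus}"
        myecho "key file : ${keyfile}${modulus_str}"
        myecho
        report_match "${cert_modulus}" "${key_modulus}"
        ret=$?
        myecho
        exit ${ret}
        ;;
    match-cert-csr)
        # check if a csr file matches a certificate
        # exit: 0 - matching
        #       1 - not matching
        #       2 - a file could not be read
        if [ -z "${certfile}" ] || [ -z "${csrfile}" ]
        then
            mecho --error "--match-cert-csr requires -cert and -csr!"
            exit 1
        fi
        cert_modulus=`get_modulus x509 "${certdir}/${certfile}"` || parse_error "certificate file" "${certfile}"
        csr_modulus=`get_modulus req "${csrdir}/${csrfile}"` || parse_error "csr file" "${csrfile}"
        myecho
        myecho "cert dir: ${certdir}"
        myecho "csr dir : ${csrdir}"
        myecho
        set_modulus "${cert_modulus}"
        myecho "cert file: ${certfile}${modulus_str}"
        set_modulus "${csr_modulus}"
        myecho "csr file : ${csrfile}${modulus_str}"
        myecho
        report_match "${cert_modulus}" "${csr_modulus}"
        ret=$?
        myecho
        exit ${ret}
        ;;
    *)
        # no (or an unknown) command given
        echo
        show_help
        exit 1
        ;;
esac

exit 0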