tests/scripts/checkremotecerts.sh

#!/bin/sh
set -e
set -u

BASEDIR="$(dirname $0)/../../"
cd "$BASEDIR"
RESEEDHOSTS=$(sed -e '/^\s\+"https:\/\/[-a-z0-9.]/!d' -e 's/.*"https:\/\/\([-a-z0-9.:]\+\).*/\1/' router/java/src/net/i2p/router/networkdb/reseed/Reseeder.java)
CERTHOME="installer/resources/certificates"
CACERTS=$(mktemp)
WORK=$(mktemp -d)
FAIL=0
MAX=5
OPENSSL=0
CERTTOOL=0

check_for_prog() {
    if which $1 > /dev/null 2>&1 ; then
        return 0
    else
        return 1
    fi
}

if pidof /usr/bin/tor > /dev/null 2>&1 && check_for_prog torsocks; then
    echo "-- Detected Tor, will try using it --"
    GNUTLS_BIN="torsocks gnutls-cli"
    OPENSSL_BIN="torsocks openssl"
else
    GNUTLS_BIN="gnutls-cli"
    OPENSSL_BIN="openssl"
fi

if check_for_prog certtool; then
    CERTTOOL=1
    echo "-- Checking certificates with GnuTLS --"
elif check_for_prog openssl; then
    OPENSSL=1
    echo "-- Checking certificates with OpenSSL --"
fi

if [ $CERTTOOL -ne 1 ] && [ $OPENSSL -ne 1 ]; then
    echo "ERROR: This script requires either gnutls or openssl" >&2
    exit
fi

assemble_ca() {
    # Combine system certificates with the certificates shipped with I2P into
    # a large CA file for use with gnutls-cli later
    cat /etc/ssl/certs/ca-certificates.crt "$CERTHOME"/*/*.crt > "$CACERTS"
}

retry ()
# retry function borrowed from zzz's sync-mtn script
{
    if [ $# -eq 0 ]
    then
        echo 'usage: $0 command args...'
        exit 1
    fi

    i=1
    while ! "$@"
    do
        echo "try $i of $MAX failed for command $@" >&2
        if [ $i -ge $MAX ]
        then
            break
        fi
        i=$(expr $i + 1)
        sleep 15
    done
    if [ $i = $MAX ]; then
        return 1
    fi
}

normalize(){
    # Convert fingerprint to the format output by GnuTLS
    sed -e 's/^.*=//;s/://g;y/ABCDEF/abcdef/'
}

connect() {
    if [ $OPENSSL -eq 1 ]; then
        $OPENSSL_BIN s_client -connect "$1:$2" -CAfile $CACERTS -servername $1 < /dev/null 2> /dev/null
    else
        $GNUTLS_BIN --insecure --print-cert --x509cafile "$CACERTS" "$1" -p "$2"  < /dev/null 2>/dev/null
    fi
}

extract_finger() {
    if [ $CERTTOOL -eq 1 ]; then
        # Roughly equivalent to "grep -A1 "SHA-1 fingerprint" | head -n 2 | grep -o '[a-f0-9]{40}'"
        certtool -i < $1 | sed -n '/SHA-1 fingerprint/{n;p;q}' | sed 's/\s\+\([a-f0-9]\{40\}\)/\1/'
    else
        openssl x509 -in $1 -fingerprint -noout | normalize
    fi
}

verify_fingerprint() {
    if [ -e "$CERTHOME/ssl/$1.crt" ]; then
        EXPECTED=$(extract_finger "$CERTHOME/ssl/$1.crt")
        FOUND=$(extract_finger "$WORK/$1")
        if [ "$EXPECTED" != "$FOUND" ]; then
            echo -n "invalid certificate. Expected $EXPECTED, got $FOUND"
            FAIL=1
            echo $HOST >> $WORK/bad
        fi
    else
        echo "Untrusted certficate and certificate not found at $CERTHOME/ssl" >&2
        FAIL=1
        echo $HOST >> $WORK/bad
    fi
}

cleanup() {
    rm -rf $CACERTS $WORK
    exit $FAIL
}

check_hosts() {
    for HOST in $RESEEDHOSTS; do
        if $(echo $HOST | grep -q ':'); then
            OLDIFS=$IFS
            IFS=":"
            set -- $HOST
            HOSTNAM=$1
            PORT=$2
            IFS=$OLDIFS
        else
            HOSTNAM=$HOST
            PORT=443
        fi

        echo -n "Checking $HOSTNAM:$PORT..."
        if retry connect "$HOSTNAM" "$PORT"  < /dev/null 1> "$WORK/$HOST"; then

            # OpenSSL returns "return code: 0 (ok)"
            # GnuTLS returns "certificate is trusted"
            # GnuTLS v2 has the word "Peer" before certificate, v3 has the word "The" before it
            if ! grep -q 'Verify return code: 0 (ok)\|certificate is trusted' "$WORK/$HOST"; then
                # If we end up here, it's possible that the certificate is valid, but CA: false is set in the certificate.
                # The OpenSSL binary is "picky" about this. GnuTLS doesn't seem to be.
                verify_fingerprint $HOST
            fi
            echo
        else
            echo "failed to connect to $HOST" >&2
            FAIL=1
        fi
    done
}

assemble_ca
check_hosts
cleanup