From e33722d4408938848290fc913d1406c20995ed6f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Dubois?=
Date: Thu, 1 Dec 2022 15:35:11 +0100
Subject: [PATCH] Improved cert-expirations.sh for better readability of its ouput
---
 cert-expirations.sh | 66 +++++++++++++++++++++++++++++++++++++--------
 1 file changed, 55 insertions(+), 11 deletions(-)
diff --git a/cert-expirations.sh b/cert-expirations.sh
index f1b5601..b9f294e 100644
--- a/cert-expirations.sh
+++ b/cert-expirations.sh
@@ -1,28 +1,72 @@
 #!/bin/sh
-VERSION="22.04"
+SYSTEM=$(uname | tr '[:upper:]' '[:lower:]')
-carp=$(/sbin/ifconfig carp0 2>/dev/null | grep 'status' | cut -d' ' -f2)
-
-if [ "$carp" = "backup" ]; then
- exit 0
+if [ "${SYSTEM}" = "openbsd" ]; then
+ carp=$(/sbin/ifconfig carp0 2>/dev/null | grep 'status' | cut -d' ' -f2)
+
+ if [ "$carp" = "backup" ]; then
+ exit 0
+ fi
 fi
-echo "Warning : all times are in UTC !\n"
+cacert_path="/etc/openvpn/ssl/ca/cacert.pem"
+index_path="/etc/openvpn/ssl/ca/index.txt"
+somedays="3456000" # 40 days currently
+expired_certs=""
+expiring_soon_certs=""
+still_valid_certs=""
+echo "Warning : all times are in UTC !"
+echo ""
 echo "CA certificate:"
-openssl x509 -enddate -noout -in /etc/shellpki/cacert.pem \
+openssl x509 -enddate -noout -in ${cacert_path} \
 | cut -d '=' -f 2 \
 | sed -e "s/^\(.*\)\ \(20..\).*/- \2 \1/"
 echo ""
-echo "Client certificates:"
-cat /etc/shellpki/index.txt \
- | grep ^V \
+# Syntax "cmd | { while read line; do var="foo"; done echo $var }" needed, otherwise $var is empty at the end of while loop
+grep ^V ${index_path} \
 | awk -F "/" '{print $1,$5}' \
 | awk '{print $2,$5}' \
 | sed 's/CN=//' \
 | sed -E 's/([[:digit:]]{2})([[:digit:]]{2})([[:digit:]]{2})([[:digit:]]{2})([[:digit:]]{2})([[:digit:]]{2})Z (.*)/- 20\1 \2 \3 \4:\5:\6 \7/' \
 | awk '{if ($3 == "01") $3="Jan"; else if ($3 == "02") $3="Feb"; else if ($3 == "03") $3="Mar"; else if ($3 == "04") $3="Apr"; else if ($3 == "05") $3="May"; else if ($3 == "06") $3="Jun"; else if ($3 == "07") $3="Jul"; else if ($3 == "08") $3="Aug"; else if ($3 == "09") $3="Sep"; else if ($3 == "10") $3="Oct"; else if ($3 == "11") $3="Nov"; else if ($3 == "12") $3="Dec"; print $0;}' \
- | sort -n -k 2 -k 3M -k 4
+ | sort -n -k 2 -k 3M -k 4 | {
+ while read -r line; do
+
+ # Predicting expirations - OpenBSD case (date is not the same than in Linux)
+ if [ "${SYSTEM}" = "openbsd" ]; then
+ # Already expired if expiration date is before now
+ if [ "$(TZ=:Zulu date -jf "%Y %b %d %H:%M:%S" "$(echo "$line" | awk '{print $2,$3,$4,$5}')" +%s)" -le "$(date +%s)" ]; then
+ expired_certs="${expired_certs}$line\n"
+ # Expiring soon if expiration date is after now and before now + $somedays days
+ elif [ "$(TZ=:Zulu date -jf "%Y %b %d %H:%M:%S" "$(echo "$line" | awk '{print $2,$3,$4,$5}')" +%s)" -gt "$(date +%s)" ] && [ "$(TZ=:Zulu date -jf "%Y %b %d %H:%M:%S" "$(echo "$line" | awk '{print $2,$3,$4,$5}')" +%s)" -lt "$(($(date +%s) + somedays))" ]; then
+ expiring_soon_certs="${expiring_soon_certs}$line\n"
+ # Still valid for a time if expiration date is after now + $somedays days
+ elif [ "$(TZ=:Zulu date -jf "%Y %b %d %H:%M:%S" "$(echo "$line" | awk '{print $2,$3,$4,$5}')" +%s)" -ge "$(($(date +%s) + somedays))" ]; then
+ still_valid_certs="${still_valid_certs}$line\n"
+ fi
+ # Non OpenBSD cases
+ else
+ # Already expired if expiration date is before now
+ if [ "$(TZ=:Zulu date -d "$(echo "$line" | awk '{print $3,$4,$2,$5}')" +%s)" -le "$(date +%s)" ]; then
+ expired_certs="${expired_certs}$line\n"
+ # Expiring soon if expiration date is after now and before now + $somedays days
+ elif [ "$(TZ=:Zulu date -d "$(echo "$line" | awk '{print $3,$4,$2,$5}')" +%s)" -gt "$(date +%s)" ] && [ "$(TZ=:Zulu date -d "$(echo "$line" | awk '{print $3,$4,$2,$5}')" +%s)" -lt "$(($(date +%s) + somedays))" ]; then
+ expiring_soon_certs="${expiring_soon_certs}$line\n"
+ # Still valid for a time if expiration date is after now + $somedays days
+ elif [ "$(TZ=:Zulu date -d "$(echo "$line" | awk '{print $3,$4,$2,$5}')" +%s)" -ge "$(($(date +%s) + somedays))" ]; then
+ still_valid_certs="${still_valid_certs}$line\n"
+ fi
+ fi
+ done
+
+ echo "Expired client certificates:"
+ echo "${expired_certs}"
+ echo "Valid client certificates expiring soon (in less than $((somedays / 60 / 60 / 24)) days):"
+ echo "${expiring_soon_certs}"
+ echo "Valid client certificates expiring later (in more than $((somedays / 60 / 60 / 24)) days):"
+ echo "${still_valid_certs}"
+}
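Review bot: In the `while read -r line` loop, a certificate whose expiry `date` cannot convert fails all three `if`/`elif` tests and is left out of every list in the report, so the only trace is whatever `date` and `[` print on stderr. The same can in principle happen at a boundary, because `date +%s` is re-evaluated in each test and the clock may tick between them. For an expiry monitor the safer shape is to take `now` once, compute the expiry epoch once per line, classify with a final `else`, and list unreadable entries in their own section, as sketched below. Separately, the lists are joined with a literal `\n` and printed with `echo`, which expands it only under some `/bin/sh` implementations (the same commit drops `\n` from the "Warning" echo).

```shell
    | sort -n -k 2 -k 3M -k 4 | {
    now=$(date +%s)
    unparsed_certs=""
    while read -r line; do
        # Convert the expiry once per line; the date syntax differs on OpenBSD
        if [ "${SYSTEM}" = "openbsd" ]; then
            expiry=$(TZ=:Zulu date -jf "%Y %b %d %H:%M:%S" "$(echo "$line" | awk '{print $2,$3,$4,$5}')" +%s)
        else
            expiry=$(TZ=:Zulu date -d "$(echo "$line" | awk '{print $3,$4,$2,$5}')" +%s)
        fi

        if [ -z "${expiry}" ]; then
            # Keep entries that could not be dated visible in the report
            unparsed_certs="${unparsed_certs}$line\n"
        elif [ "${expiry}" -le "${now}" ]; then
            expired_certs="${expired_certs}$line\n"
        elif [ "${expiry}" -lt "$((now + somedays))" ]; then
            expiring_soon_certs="${expiring_soon_certs}$line\n"
        else
            still_valid_certs="${still_valid_certs}$line\n"
        fi
    done

    echo "Client certificates with an unreadable expiration date:"
    echo "${unparsed_certs}"
    # … unchanged: the three existing report sections …
```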