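#!/bin/bash
#
# Download the CAcert root certificates published via DNS and verify them.
#
# The root names, the download URL of each root and its SHA-256 fingerprint
# are served as TXT records under g1._fp.cacert.org:
#   _certs.g1._fp.cacert.org           -> space separated root names
#   _url.<name>.g1._fp.cacert.org      -> download URL of that root
#   _sha256.<name>.g1._fp.cacert.org   -> SHA-256 fingerprint of that root
# Each root is written to ./___CRT___<name>.crt and the fingerprint of the
# downloaded file is compared with the DNS value; a mismatch aborts the run.
#
# Exit codes (layout kept from the original script):
#   1-5    list query: dig failed / not NOERROR / rd (or ad) flag missing /
#          EDNS do bit missing / empty answer section
#   11-15  same checks for the _url query, 21-25 for the _sha256 query
#   31     download failed          32 fingerprint mismatch or malformed
#   33     root name from DNS is not a safe DNS label / file name
#
# SECURITY NOTE: every value used here comes from DNS. The "rd" flag and the
# EDNS "do" bit only show that DNSSEC was *requested*; only the "ad" flag,
# set by a validating resolver, shows the answer was actually verified. The
# "ad" check was commented out in the original script, so it is opt-in here:
# run with REQUIRE_AD=1 against a validating resolver for real assurance.
# Without it the fingerprint is only as trustworthy as the resolver path.

set -u

# Set REQUIRE_AD=1 to insist on the DNSSEC "ad" flag in every answer.
REQUIRE_AD=${REQUIRE_AD:-0}

# Unpredictable scratch directory, removed on every exit path. The original
# reused one predictable ___root___$$.tmp name in the cwd for all three
# queries, so the _sha256 answer overwrote the _url answer.
WORK_DIR=$(mktemp -d "${TMPDIR:-/tmp}/cacert-roots.XXXXXX") || exit 1
trap 'rm -rf -- "$WORK_DIR"' EXIT

#######################################
# Query NAME for a TXT record with DNSSEC and sanity-check dig's output.
# Arguments: $1 - owner name to query
#            $2 - file receiving dig's output
#            $3 - exit-code base (0, 10 or 20); failures exit with base+1..5
#######################################
query_txt() {
  local name=$1 out=$2 base=$3 flags
  dig +nocmd +comments +nostats +norrcomments +dnssec IN TXT "$name" > "$out" \
    || exit $((base + 1))
  grep -q '^;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: ' "$out" \
    || exit $((base + 2))
  # ";; flags: qr rd ra ad; QUERY: 1, ..." -> " qr rd ra ad"
  flags=$(grep '^;; flags:' "$out" | cut '-d;' -f3 | cut -d: -f2)
  grep -qw rd <<<"$flags" || exit $((base + 3))
  if [[ "$REQUIRE_AD" == 1 ]]; then
    # "ad" = answer was DNSSEC-validated by the resolver we asked.
    grep -qw ad <<<"$flags" || exit $((base + 3))
  fi
  # "; EDNS: version: 0, flags: do; udp: 4096" -> the DO bit must be echoed
  grep '^; EDNS:' "$out" | tr ';,' '\n\n' | grep flags | cut -d: -f2 | grep -qw do \
    || exit $((base + 4))
  # NOTE(review): RRSIG presence is not checked (it was disabled in the
  # original); the answer section only has to be non-empty.
  grep -qv '^;' "$out" || exit $((base + 5))
}

#######################################
# Print the first quoted string of the first TXT record in a dig output file
# (RRSIG lines are skipped). Prints nothing when there is no TXT record.
# NOTE: only the first "..." chunk is used; TXT RDATA split into several
# strings would be truncated here, exactly as in the original.
# Arguments: $1 - file holding dig's output
#######################################
first_txt() {
  grep -v '^;' "$1" | grep -v ' RRSIG ' | grep TXT | cut '-d"' -f2 | head -1
}

#######################################
# Canonicalise a SHA-256 fingerprint: drop colons and whitespace, uppercase.
# Prints the 64 hex digits, or nothing when the input is not a well-formed
# SHA-256 fingerprint, so an empty DNS answer or a failed openssl call can
# never "match" (the original compared raw strings, where "" == "" passed).
# Arguments: $1 - fingerprint text, e.g. "AB:CD:..." or "abcd..."
#######################################
canonical_fp() {
  local fp
  fp=$(printf '%s' "$1" | tr -d ': \t\n' | tr 'a-f' 'A-F')
  [[ "$fp" =~ ^[0-9A-F]{64}$ ]] && printf '%s' "$fp"
}

# 1. List of available root names (space separated inside one TXT string).
LIST_FILE=$WORK_DIR/list.txt
query_txt _certs.g1._fp.cacert.org. "$LIST_FILE" 0
ROOTS=$(first_txt "$LIST_FILE")
printf "Nalezeny koreny: %s\n\n" "$ROOTS"
# An empty list ends the run with status 0 and nothing fetched, as before.

# shellcheck disable=SC2086 -- splitting the space separated list is intended
for a in $ROOTS; do
  printf "Stahuji %s ...\n" "$a"

  # The name becomes a DNS label and part of an output file name, so reject
  # anything (slashes, dots, spaces) that could escape the cwd or alter the
  # query owner name.
  if ! [[ "$a" =~ ^[A-Za-z0-9_-]+$ ]]; then
    printf 'Unsafe root name from DNS: %s\n' "$a" >&2
    exit 33
  fi

  # 2. Download URL of this root.
  URL_FILE=$WORK_DIR/url.$a.txt
  query_txt "_url.$a.g1._fp.cacert.org." "$URL_FILE" 10
  CRT_URL=$(first_txt "$URL_FILE")

  # 3. Expected SHA-256 fingerprint of this root (its own file this time).
  FP_FILE=$WORK_DIR/sha256.$a.txt
  query_txt "_sha256.$a.g1._fp.cacert.org." "$FP_FILE" 20
  CRT_FP=$(canonical_fp "$(first_txt "$FP_FILE")")

  # 4. Fetch the certificate; a partial file is not left behind on failure.
  CRT_FILE="___CRT___$a.crt"
  if [[ -z "$CRT_URL" ]]; then
    printf 'No download URL in DNS for "%s"\n' "$a" >&2
    exit 31
  fi
  if ! wget --quiet -O "$CRT_FILE" "$CRT_URL"; then
    rm -f -- "$CRT_FILE"
    exit 31
  fi

  # 5. Fingerprint of what was actually downloaded ("SHA256 Fingerprint=..").
  DL_FP=$(canonical_fp "$(openssl x509 -in "$CRT_FILE" -noout -fingerprint -sha256 | cut -d= -f2)")

  printf "Nalezen certifikat pro koren \"%s\":\n- CRT URL:\t%s\n- CRT FP:\t%s\n- DL FP:\t%s\n\n" "$a" "$CRT_URL" "$CRT_FP" "$DL_FP"

  # 6. Both values must be well-formed and identical; an unverified file is
  #    removed so it cannot be picked up by a later step.
  if [[ -z "$CRT_FP" || -z "$DL_FP" || "$CRT_FP" != "$DL_FP" ]]; then
    printf 'Verification Failed! (%s)\n' "$a" >&2
    rm -f -- "$CRT_FILE"
    exit 32
  fi
done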

