Merge pull request #131 from synedraIT/master

added revocation check to certificate monitoring
2023-02-26 16:25:28 +01:00 · 2023-02-26 16:25:28 +01:00 · 85717b73d5
parent a19082212f 58069dc19c
commit 85717b73d5
1 changed files with 29 additions and 17 deletions
--- a/pfsense_zbx.php
+++ b/pfsense_zbx.php
@ -1113,24 +1113,36 @@ function pfz_get_smart_status(){
 function pfz_get_cert_date($valuekey){
    global $config;
    
+    // Contains a list of refs that were revoked and should not be considered
+    $revoked_cert_refs;
+    foreach ($config["crl"] as $crl) {
+        foreach ($crl["cert"] as $revoked_cert) {
+            $revoked_cert_refs[] = $revoked_cert["refid"];
+        }
+    }
+    
    $value = 0;
-	foreach (array("cert", "ca") as $cert_type) {
-		switch ($valuekey){
-		case "validFrom.max":
-			foreach ($config[$cert_type] as $cert) {
-				$certinfo = openssl_x509_parse(base64_decode($cert[crt]));
-				if ($value == 0 or $value < $certinfo['validFrom_time_t']) $value = $certinfo['validFrom_time_t'];
-            }
-			break;
-		case "validTo.min":
-			foreach ($config[$cert_type] as $cert) {
-				$certinfo = openssl_x509_parse(base64_decode($cert[crt]));
-				if ($value == 0 or $value > $certinfo['validTo_time_t']) $value = $certinfo['validTo_time_t'];
-			}
-			break;
-		}
-	}
-	echo $value;
+        foreach (array("cert", "ca") as $cert_type) {
+                switch ($valuekey){
+                case "validFrom.max":
+                        foreach ($config[$cert_type] as $cert) {
+                                if ( ! in_array($cert['refid'], $revoked_cert_refs) ) {
+                                        $certinfo = openssl_x509_parse(base64_decode($cert[crt]));
+                                        if ($value == 0 or $value < $certinfo['validFrom_time_t']) $value = $certinfo['validFrom_time_t'];
+                                }
+            		}
+                        break;
+                case "validTo.min":
+                        foreach ($config[$cert_type] as $cert) {
+                                if ( ! in_array($cert['refid'], $revoked_cert_refs) ) {
+                                        $certinfo = openssl_x509_parse(base64_decode($cert[crt]));
+                                        if ($value == 0 or $value > $certinfo['validTo_time_t']) $value = $certinfo['validTo_time_t'];
+                                }
+                        }
+                        break;
+                }
+        }
+        echo $value;
 }

 // File is present