# Checklist for submitter If some of the following don't apply, delete the relevant line. - [ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [ ] Documented any permissions changes (docs/Using Fleet/manage-access.md) - [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features. - [ ] Added/updated tests - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). Signed-off-by: guoguangwu <guoguangwu@magic-shield.com>
package main
import (
|
|
"context"
|
|
"crypto/x509"
|
|
"encoding/pem"
|
|
"flag"
|
|
"fmt"
|
|
"log"
|
|
"os"
|
|
"time"
|
|
|
|
"github.com/davecgh/go-spew/spew"
|
|
"github.com/fleetdm/fleet/v4/pkg/certificate"
|
|
"github.com/fleetdm/fleet/v4/server/config"
|
|
)
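// main parses the command-line flags and dispatches to inspect or validate.
//
// Flags:
//
//	-cert      path to the PEM certificate to inspect (required)
//	-key       path to the private key (required together with -validate)
//	-validate  also validate the cert/key pair by performing a client-authenticated
//	           TLS handshake against the Apple sandbox push API
//
// Missing required flags are fatal. The usage text is written to the same
// destination as flag.PrintDefaults (stderr unless flag.CommandLine.SetOutput
// was called) so the help output is not split between stdout and stderr.
func main() {
	flagCert := flag.String("cert", "", "The certificate to inspect (and optionally validate)")
	flagKey := flag.String("key", "", "The private key associated with the certificate (required for validation)")
	flagValidate := flag.Bool("validate", false, "Validate the certificate, including client authentication to the Apple sandbox")

	flag.Usage = func() {
		// PrintDefaults writes to flag.CommandLine.Output(); write the usage
		// banner there too so both halves of the help text land on one stream.
		fmt.Fprintln(flag.CommandLine.Output(), `usage: <cmd> -cert CERTFILE
Inspects the certificate by printing its parsed value.

usage: <cmd> -cert CERTFILE -key KEYFILE -validate
Validates the certificate and private key, including connecting to the Apple
sandbox using client authentication.`)
		flag.PrintDefaults()
	}
	flag.Parse()

	if *flagCert == "" {
		log.Fatal("certificate file must be specified")
	}
	if *flagValidate && *flagKey == "" {
		log.Fatal("validation requires a private key")
	}

	if *flagValidate {
		validate(*flagCert, *flagKey)
		return
	}
	inspect(*flagCert)
}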
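// validate loads the APNs certificate and private key from certFile and
// keyFile through the same configuration path Fleet itself uses
// (config.MDMConfig.AppleAPNs) and then performs a client-authenticated TLS
// handshake against the Apple sandbox push API.
//
// Any failure is fatal: the error is logged and the process exits. On success
// nothing is printed.
func validate(certFile, keyFile string) {
	mdmCfg := config.MDMConfig{
		AppleAPNsCert: certFile,
		AppleAPNsKey:  keyFile,
	}

	cert, _, _, err := mdmCfg.AppleAPNs()
	if err != nil {
		log.Fatalf("loading APNs certificate and key: %v", err)
	}

	// Bound the handshake so a hung connection cannot stall the tool, and
	// defer cancel so the context is released on every non-fatal exit path.
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	defer cancel()
	if err := certificate.ValidateClientAuthTLSConnection(ctx, cert, "https://api.sandbox.push.apple.com"); err != nil {
		log.Fatalf("validating client-auth TLS connection to Apple sandbox: %v", err)
	}
}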
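// inspect reads certFile, extracts the first PEM block of type CERTIFICATE,
// parses it as X.509 and dumps the parsed structure to stdout with spew.
// Any failure (unreadable file, no certificate block, malformed DER) is
// fatal.
//
// PEM blocks of other types that precede the certificate (for example a
// private key stored in the same file) are skipped rather than rejected.
func inspect(certFile string) {
	b, err := os.ReadFile(certFile)
	if err != nil {
		log.Fatal(err)
	}

	cert, err := parseFirstCertificate(b)
	if err != nil {
		log.Fatalf("%s: %v", certFile, err)
	}
	spew.Dump(cert)
}

// parseFirstCertificate scans PEM-encoded data for the first block of type
// CERTIFICATE and parses it. It returns an error when no such block is
// present or when the block does not hold a valid DER-encoded certificate.
func parseFirstCertificate(data []byte) (*x509.Certificate, error) {
	for len(data) > 0 {
		var block *pem.Block
		block, data = pem.Decode(data)
		if block == nil {
			// No further PEM blocks in the remaining bytes.
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parsing certificate: %w", err)
		}
		return cert, nil
	}
	return nil, fmt.Errorf("failed to decode PEM block containing certificate")
}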