Diffstat (limited to 'tools/check-sth.py')
-rwxr-xr-xtools/check-sth.py67
1 files changed, 67 insertions, 0 deletions
diff --git a/tools/check-sth.py b/tools/check-sth.py
new file mode 100755
index 0000000..323d1a8
--- /dev/null
+++ b/tools/check-sth.py
@@ -0,0 +1,67 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+#
+# Copyright (c) 2015, NORDUnet A/S.
+# See LICENSE for licensing information.
+
+import sys
+import argparse
+import json
+from datetime import datetime, timedelta
+from certtools import get_sth
+
+NAGIOS_OK = 0
+NAGIOS_WARN = 1
+NAGIOS_CRIT = 2
+NAGIOS_UNKNOWN = 3
+
+parser = argparse.ArgumentParser(description="")
+parser.add_argument('--sth-file', help="File with previous STH to verify against")
+parser.add_argument('baseurl', help="Base URL for CT server")
+args = parser.parse_args()
+
+def print_sth(sth):
+ print sth['timestamp']
+ print sth['sha256_root_hash']
+ print sth['tree_size']
+ print sth['tree_head_signature']
+
+def get_cur_sth(baseurl):
+ try:
+ sth = get_sth(args.baseurl)
+ except Exception, e:
+ print e
+ sys.exit(NAGIOS_UNKNOWN)
+ return sth
+
+def read_prev_sth(filename):
+ if args.sth_file is not None:
+ prev_sth = json.loads(open(args.sth_file).read())
+ return prev_sth
+ return None
+
+def check_age(sth):
+ now = datetime.now()
+ sth_time = datetime.fromtimestamp(sth['timestamp'] / 1000)
+ if now > sth_time + timedelta(0, 6 * 3600):
+ print "CRITICAL: STH older than 6h: ", sth_time
+ sys.exit(NAGIOS_CRIT)
+ if now > sth_time + timedelta(0, 2 * 3600):
+ print "WARNING: STH older than 2h: ", sth_time
+ sys.exit(NAGIOS_WARN)
+
+def check_treesize(cur, prev):
+ if prev is not None:
+ if cur['tree_size'] < prev['tree_size']:
+ print "CRITICAL: new tree smaller than previous tree (%d < %d)" % \
+ (cur['tree_size'], prev['tree_size'])
+ sys.exit(NAGIOS_CRIT)
+
+cur_sth = get_cur_sth(args.baseurl)
+prev_sth = read_prev_sth(args.sth_file)
+check_age(cur_sth)
+check_treesize(cur_sth, prev_sth)
+# TODO: verify signature
+# TODO: get and verify consistency proof
+
+sys.exit(NAGIOS_OK)
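Review bot: check_treesize only catches a shrinking tree; a tree of the same size whose root hash differs from the saved STH (two inconsistent views of the log) passes silently, so the size comparison should be paired with `if cur['tree_size'] == prev['tree_size'] and cur['sha256_root_hash'] != prev['sha256_root_hash']:` followed by a CRITICAL message and `sys.exit(NAGIOS_CRIT)` like the existing branch. Until the signature and consistency-proof TODOs at the end of the script land, the tree-size and root-hash comparison is the only thing tying the fetched STH to the previous one, which is worth stating in a comment above check_treesize. Separately, get_cur_sth and read_prev_sth ignore their parameters and read the module-level args instead; `sth = get_sth(baseurl)` and `if filename is not None:` with `open(filename)` would make them honest functions, and a `with open(...)` block would close the file. print_sth is defined but never called.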