From 99a2787111cf2f2a725480bd3b4570a045b9ed2a Mon Sep 17 00:00:00 2001
From: Linus Nordberg
Date: Tue, 12 May 2015 17:21:10 +0200
Subject: Add check-sth.py.

---
 tools/check-sth.py | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)
 create mode 100755 tools/check-sth.py

diff --git a/tools/check-sth.py b/tools/check-sth.py
new file mode 100755
index 0000000..323d1a8
--- /dev/null
+++ b/tools/check-sth.py
@@ -0,0 +1,67 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+#
+# Copyright (c) 2015, NORDUnet A/S.
+# See LICENSE for licensing information.
+
+import sys
+import argparse
+import json
+from datetime import datetime, timedelta
+from certtools import get_sth
+
+NAGIOS_OK = 0
+NAGIOS_WARN = 1
+NAGIOS_CRIT = 2
+NAGIOS_UNKNOWN = 3
+
+parser = argparse.ArgumentParser(description="")
+parser.add_argument('--sth-file', help="File with previous STH to verify against")
+parser.add_argument('baseurl', help="Base URL for CT server")
+args = parser.parse_args()
+
+def print_sth(sth):
+    print sth['timestamp']
+    print sth['sha256_root_hash']
+    print sth['tree_size']
+    print sth['tree_head_signature']
+
+def get_cur_sth(baseurl):
+    try:
+        sth = get_sth(args.baseurl)
+    except Exception, e:
+        print e
+        sys.exit(NAGIOS_UNKNOWN)
+    return sth
+
+def read_prev_sth(filename):
+    if args.sth_file is not None:
+        prev_sth = json.loads(open(args.sth_file).read())
+        return prev_sth
+    return None
+
+def check_age(sth):
+    now = datetime.now()
+    sth_time = datetime.fromtimestamp(sth['timestamp'] / 1000)
+    if now > sth_time + timedelta(0, 6 * 3600):
+        print "CRITICAL: STH older than 6h: ", sth_time
+        sys.exit(NAGIOS_CRIT)
+    if now > sth_time + timedelta(0, 2 * 3600):
+        print "WARNING: STH older than 2h: ", sth_time
+        sys.exit(NAGIOS_WARN)
+
+def check_treesize(cur, prev):
+    if prev is not None:
+        if cur['tree_size'] < prev['tree_size']:
+            print "CRITICAL: new tree smaller than previous tree (%d < %d)" % \
+                (cur['tree_size'], prev['tree_size'])
+            sys.exit(NAGIOS_CRIT)
+
+cur_sth = get_cur_sth(args.baseurl)
+prev_sth = read_prev_sth(args.sth_file)
+check_age(cur_sth)
+check_treesize(cur_sth, prev_sth)
+# TODO: verify signature
+# TODO: get and verify consistency proof
+
+sys.exit(NAGIOS_OK)
-- cgit v1.1
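Review bot: check_treesize only rejects a shrinking tree, so a current STH with the same tree_size as the saved one but a different sha256_root_hash — the split-view signal a CT monitor exists to catch — exits NAGIOS_OK; add after the size comparison `if cur['tree_size'] == prev['tree_size'] and cur['sha256_root_hash'] != prev['sha256_root_hash']:` / `print "CRITICAL: same tree size but different root hash"` / `sys.exit(NAGIOS_CRIT)`, and consider the same CRITICAL when `cur['timestamp'] < prev['timestamp']`, since a log must never move backwards in time. Until the "verify signature" TODO lands, every comparison here is over unauthenticated JSON from the server, so a comment above check_treesize should say that OK means "nothing inconsistent was observed", not "the log is honest". Separately, get_cur_sth and read_prev_sth ignore their baseurl/filename parameters and read args directly, which will silently surprise anyone who later calls them with a different value. A malformed or unreadable --sth-file raises an uncaught exception, and the interpreter's exit status of 1 would be reported as WARNING rather than UNKNOWN; wrapping the json.loads in the same try/except-and-exit(NAGIOS_UNKNOWN) pattern used in get_cur_sth keeps the exit codes meaningful.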