matteocorti / check_ssl_cert

A shell script (that can be used as a Nagios/Icinga plugin) to check an SSL/TLS connection.
GNU General Public License v3.0
368 stars 132 forks

add support for certificate check inside jks-files #423

Closed claudioth closed 1 year ago

claudioth commented 1 year ago

Proposed Changes

After using your wonderful script for a while, I realized that it would be easy to extend it to also validate certificates in a Java KeyStore/Truststore. To do this, the script would have to be extended as follows:

  1. usage() + parse_command_line_options(): A Java KeyStore/Truststore is a collection of certificates, so before checking, it must be determined which one should be checked. For this purpose the alias of the certificate could be specified by parameters like "--jks-alias ".
  2. fetch_certificate(): Before the check, the certificate to be checked would have to be exported from the KeyStore/Truststore and converted to PEM: `"${KEYTOOLBIN}" -exportcert -rfc -keystore "${FILE}" -alias "${JKSALIAS}" -file "${CERT}" -storepass "${PASSWORD_SOURCE}"` (I was not sure where you would like to check the existence of "keytool"; you may want to move it to another part in the code)

After these two steps, all functions of your script can be used.

I already implemented it based on your actual code. To test the code I attached a Java Truststore (default cacerts from a jdk) and a Java KeyStore (keystore.jks containing an actual cert from google). key_and_truststore.zip

Test:

matteocorti commented 1 year ago

Thanks! I will take a look as soon as possible
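
The export step from the proposal above, as an added example that is not code from this pull request or from check_ssl_cert: a shell function that exports one alias from a keystore as PEM and checks the result before any certificate checks run. The function name `export_jks_cert` and the `JKS_STOREPASS` variable are assumptions; it uses keytool's `-storepass:env` form, so the store password is read from the environment and does not appear in the process arguments.

```shell
#!/bin/sh
# Added example (not the project's code): export one certificate from a
# Java KeyStore/Truststore to PEM. Hypothetical names: export_jks_cert,
# JKS_STOREPASS. KEYTOOLBIN follows the naming used in the proposal.
# Return code 3 is UNKNOWN in the Nagios plugin convention.

export_jks_cert() {
    # usage: export_jks_cert <keystore> <alias> <output-pem>
    keystore=$1
    alias_name=$2
    out=$3
    keytool_bin=${KEYTOOLBIN:-keytool}

    if ! command -v "${keytool_bin}" >/dev/null 2>&1; then
        echo "UNKNOWN: keytool not found (${keytool_bin})" >&2
        return 3
    fi
    if [ ! -r "${keystore}" ]; then
        echo "UNKNOWN: cannot read keystore ${keystore}" >&2
        return 3
    fi
    if [ -z "${alias_name}" ] || [ -z "${out}" ]; then
        echo "UNKNOWN: alias and output file are required" >&2
        return 3
    fi
    if [ -z "${JKS_STOREPASS:-}" ]; then
        echo "UNKNOWN: JKS_STOREPASS is not set" >&2
        return 3
    fi
    export JKS_STOREPASS

    # -storepass:env takes the NAME of an environment variable, so the
    # password itself is never visible in the process list.
    if ! "${keytool_bin}" -exportcert -rfc -keystore "${keystore}" \
            -alias "${alias_name}" -file "${out}" \
            -storepass:env JKS_STOREPASS >/dev/null 2>&1; then
        echo "UNKNOWN: could not export alias ${alias_name}" >&2
        return 3
    fi

    # -rfc should have produced PEM; verify before using the file.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "${out}" 2>/dev/null; then
        echo "UNKNOWN: ${out} is not a PEM certificate" >&2
        return 3
    fi
    return 0
}
```

A wrong alias or wrong password both surface as the export failure, because keytool's own message is suppressed here.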