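#!/bin/bash
#
# check_mysql_xtradb_certs - Nagios-style check that the MySQL/XtraDB TLS
# material still matches the expected key/certificate pairs and is not
# about to expire.
#
# Usage:
#   check_mysql_xtradb_certs --ca_md5 <HASH> --server_md5 <HASH>
#
# The expected hashes are the MD5 of the modulus line exactly as openssl
# prints it (this script computes the local value the same way):
#   openssl x509 -noout -modulus -in <cert_file>.pem 2> /dev/null | openssl md5
#
# The certificate directory defaults to /var/lib/mysql and can be overridden
# with the MYSQL_CERT_DIR environment variable.
#
# Exit codes follow the monitoring-plugin convention:
#   0 - OK, 1 - usage error, 2 - CRITICAL (mismatch, unreadable file, expiry).
#
# NOTE: MD5 is used here only as a short fingerprint for comparing a locally
# computed modulus with an operator-supplied value, not as a security boundary.
# `-modulus` is an RSA concept; non-RSA key material will not produce a
# matching fingerprint and is therefore reported as CRITICAL.
#
# `set -e` is deliberately not used: the check functions report through
# return status and the error counter, and every critical command is checked
# explicitly.

set -o pipefail

readonly cert_dir="${MYSQL_CERT_DIR:-/var/lib/mysql}"
readonly expiry_days=7

#######################################
# Print the usage line (stdout, so monitoring frontends display it).
# Arguments: none
# Returns:   1 always
#######################################
usage() {
  printf 'Missing some arguments, usage: %s --ca_md5 <HASH> --server_md5 <HASH>\n' "${0##*/}"
  return 1
}

#######################################
# Lower-case and validate an operator-supplied MD5 fingerprint.
# Arguments: $1 - candidate hash
# Outputs:   the normalised 32-hex-digit hash on stdout
# Returns:   0 if valid, 1 otherwise (nothing printed)
#######################################
normalize_md5() {
  local value
  value=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  [[ "$value" =~ ^[0-9a-f]{32}$ ]] || return 1
  printf '%s\n' "$value"
}

#######################################
# Print the MD5 fingerprint of the modulus of an RSA key or certificate.
# Arguments: $1 - openssl subcommand, "rsa" (key) or "x509" (certificate)
#            $2 - path to the PEM file
# Outputs:   lower-case hex digest on stdout
# Returns:   1 (no output) when the file cannot be read or has no modulus,
#            so a missing or unreadable file is never mistaken for a match
#            (hashing empty input would yield a fixed, comparable digest).
#######################################
modulus_md5() {
  local kind=$1 file=$2 modulus
  # stdin is closed so an encrypted key fails instead of prompting and hanging.
  modulus=$(openssl "$kind" -noout -modulus -in "$file" 2>/dev/null </dev/null) || return 1
  [[ -n "$modulus" ]] || return 1
  # Re-add the trailing newline stripped by $( ) so the digest equals the one
  # an operator gets from `openssl ... -modulus ... | openssl md5`.
  # $NF copes with both "(stdin)= <hex>" and bare "<hex>" output formats.
  printf '%s\n' "$modulus" | openssl md5 | awk '{ print $NF }'
}

#######################################
# Compare a key/certificate pair against an expected modulus fingerprint.
# Both the private key and the certificate must match: a mismatch on either
# side means one half of the pair was replaced, corrupted or is unreadable.
# Globals:   error (incremented), error_msg (appended)
# Arguments: $1 - label used in the error message
#            $2 - private key file
#            $3 - certificate file
#            $4 - expected fingerprint (normalised)
#######################################
check_pair() {
  local label=$1 key_file=$2 cert_file=$3 expected=$4
  local key_md5 cert_md5
  key_md5=$(modulus_md5 rsa "$key_file") || key_md5=
  cert_md5=$(modulus_md5 x509 "$cert_file") || cert_md5=
  if [[ "$key_md5" != "$expected" || "$cert_md5" != "$expected" ]]; then
    error=$((error + 1))
    error_msg+=" - ${label} is not valid"
  fi
}

#######################################
# Flag a certificate that expires within $expiry_days days, or that cannot be
# read at all (an unreadable certificate must not pass silently).
# Globals:   error (incremented), error_msg (appended), expiry_days (read)
# Arguments: $1 - label used in the error message
#            $2 - certificate file
#######################################
check_expiry() {
  local label=$1 cert_file=$2
  # -checkend exits non-zero when the certificate expires within the window,
  # replacing the GNU-only `date -d` parsing of the notAfter string.
  if ! openssl x509 -noout -checkend $((expiry_days * 24 * 3600)) \
      -in "$cert_file" >/dev/null 2>&1 </dev/null; then
    error=$((error + 1))
    error_msg+=" - ${label} will expire within ${expiry_days} days"
  fi
}

#######################################
# Parse command-line options into the globals ca_md5 and server_md5.
# Globals:   ca_md5, server_md5 (written)
# Arguments: the script's positional parameters
# Returns:   0 when both hashes were supplied and valid, 1 otherwise
#######################################
parse_args() {
  ca_md5=
  server_md5=
  while (( $# > 0 )); do
    case "$1" in
      --ca_md5)
        (( $# >= 2 )) || return "$(usage; echo $?)"
        ca_md5=$(normalize_md5 "$2") || { printf 'Invalid MD5 for --ca_md5: %s\n' "$2"; return 1; }
        shift 2
        ;;
      --server_md5)
        (( $# >= 2 )) || return "$(usage; echo $?)"
        server_md5=$(normalize_md5 "$2") || { printf 'Invalid MD5 for --server_md5: %s\n' "$2"; return 1; }
        shift 2
        ;;
      *)
        printf 'Unknown option %s\n' "$1"
        return 1
        ;;
    esac
  done
  if [[ -z "$ca_md5" || -z "$server_md5" ]]; then
    usage
    return 1
  fi
  return 0
}

#######################################
# Entry point: run every check, then print a single status line.
# Globals:   error, error_msg (written), cert_dir (read)
# Returns:   0 OK, 1 usage error, 2 CRITICAL
#######################################
main() {
  error=0
  error_msg="CRITICAL"

  parse_args "$@" || return 1

  check_pair "CA or CA-key" "${cert_dir}/ca-key.pem" "${cert_dir}/ca.pem" "$ca_md5"
  check_pair "Server-cert or Server-key" "${cert_dir}/server-key.pem" "${cert_dir}/server-cert.pem" "$server_md5"
  check_expiry "certificate" "${cert_dir}/server-cert.pem"
  # An expired CA invalidates every certificate it issued, so it is checked too.
  check_expiry "CA certificate" "${cert_dir}/ca.pem"

  if (( error > 0 )); then
    printf '%s\n' "$error_msg"
    return 2
  fi
  printf '%s\n' "OK - certs are valid"
  return 0
}

main "$@"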