From 8de6995c4b38f80439f0b70dc19f747f4f58f83d Mon Sep 17 00:00:00 2001
From: Christian Hesse <mail@eworm.de>
Date: Mon, 4 Dec 2023 12:35:13 +0100
Subject: check-certificates: add workaround for broken certificates...

... where the issuer array is borked. Or is this a RouterOS issue?

[eworm@carpo] > $InspectVar [ $ParseKeyValueStore  [ /certificate/get ISRG-Root-X2 issuer ] ]
-type-> array
  -key-> C
    -type-> str
    -value-> US,O=Internet Security Research Group,CN=ISRG Root X2

A good certificate looks like this:

[eworm@carpo] > $InspectVar [ $ParseKeyValueStore  [ /certificate/get [ find where name~"eworm.net" ] issuer ] ]
-type-> array
  -key-> C
    -type-> str
    -value-> US
  -key-> CN
    -type-> str
    -value-> E1
  -key-> O
    -type-> str
    -value-> Let's Encrypt
---
 check-certificates.rsc | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'check-certificates.rsc')

diff --git a/check-certificates.rsc b/check-certificates.rsc
index c501a28..87ad1e5 100644
--- a/check-certificates.rsc
+++ b/check-certificates.rsc
@@ -90,18 +90,20 @@
   :local FormatCertChain do={
     :local Cert $1;
 
+    :global EitherOr;
     :global ParseKeyValueStore;
 
     :local CertVal [ /certificate/get $Cert ];
     :local Return "";
 
     :for I from=0 to=3 do={
-      :set Return ($Return . [ $ParseKeyValueStore ($CertVal->"issuer") ]->"CN");
+      :set Return ($Return . [ $EitherOr ([ $ParseKeyValueStore ($CertVal->"issuer") ]->"CN") \
+        ([ $ParseKeyValueStore (($CertVal->"issuer")->0) ]->"CN") ]);
+      :set CertVal [ /certificate/get [ find where skid=($CertVal->"akid") ] ];
       :if (($CertVal->"akid") = "" || ($CertVal->"akid") = ($CertVal->"skid")) do={
         :return $Return;
       }
       :set Return ($Return . " -> ");
-      :set CertVal [ /certificate/get [ find where skid=($CertVal->"akid") ] ];
     }
     :return ($Return . "...");
   }
-- 
cgit v1.2.3-54-g00ecf