From 0851599a4e66c6bc0ad6b85b161dfaeab6d7572f Mon Sep 17 00:00:00 2001
From: Dirk
Date: Sat, 28 Apr 2018 22:25:43 +0200
Subject: [PATCH] Polish existing CRL revocation check code

* Extra function for ldap_get()
* Hint when curl is not installed and LDAP URI is encountered
* Rename jsonID cert_cRLDistributionPoints to cert_crlDistributionPoints
* Fix trailing _ in jsonID
Open/to be clarified:
* Proxy for curl / proxy needs to come from testssl.sh
* Proxy support for HTTP bash socket GET
* cert_CRLrevoked comes before cert_cRLDistributionPoints
* Unit tests
Still open: OCSP
---
 testssl.sh | 48 ++++++++++++++++++++++++++++++++----------------
 1 file changed, 32 insertions(+), 16 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index 9d83426..9c8b3d8 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -1401,7 +1401,7 @@ http_get() {
 "$SNEAKY" && useragent="$UA_SNEAKY"
- # auomatically handles proxy vars via ENV
+ # automatically handles proxy vars via ENV
 if which curl &>/dev/null; then
 curl -s -A $''"$useragent"'' -o $dl "$1"
 return $?
@@ -1413,7 +1413,7 @@ http_get() {
 IFS=/ read -r proto z node query <<< "$1"
 exec 33<>/dev/tcp/$node/80
 printf -- "%b" "GET /$query HTTP/1.0\r\nUser-Agent: $useragent\r\nHost: $node\r\nAccept: */*\r\n\r\n" >&33
- # strip HTTP header
+ # strip HTTP header
 ( if [[ $DEBUG -ge 1 ]]; then
 cat <&33 >${dl}.raw
 cat ${dl}.raw | sed '1,/^[[:space:]]*$/d' >${dl}
@@ -1425,12 +1425,32 @@ http_get() {
 fi
 }
+ldap_get() {
+ local ldif
+ local -i success
+ local crl="$1"
+ local tmpfile="$2"
+ local jsonID="$3"
+
+ if which curl &>/dev/null; then
+ ldif="$(curl -s "$crl")"
+ if [[ $? -eq 0 ]]; then
+ awk '/certificateRevocationList/ { print $2 }' <<< "$ldif" | $OPENSSL base64 -d -A -out "$tmpfile" 2>/dev/null
+ [[ -s "$tmpfile" ]] || return 1
+ fi
+ return 0
+ else
+ pr_litecyan " (for LDAP CRL check install \"curl\")"
+ fileout "$jsonID" "INFO" "LDAP CRL revocation check needs \"curl\""
+ return 2
+ fi
+}
+
 check_revocation_crl() {
 local crl="$1"
 local jsonID="$2"
 local tmpfile=""
 local scheme
- local ldif
 local -i success
 "$PHONE_OUT" || return 0
@@ -1438,22 +1458,18 @@ check_revocation_crl() {
 # The code for obtaining CRLs only supports LDAP, HTTP, and HTTPS URLs.
 [[ "$scheme" == "http" ]] || [[ "$scheme" == "https" ]] || [[ "$scheme" == "ldap" ]] || return 0
 tmpfile=$TEMPDIR/${NODE}-${NODEIP}.${crl##*\/} || exit $ERR_FCREATE
- if [[ "$scheme" == "ldap" ]]; then
- which curl &>/dev/null || return 0
- ldif="$(curl -s "$crl")"
+ ldap_get "$crl" "$tmpfile" "$jsonID"
 success=$?
- if [[ $success -eq 0 ]]; then
- awk '/certificateRevocationList/ { print $2 }' <<< "$ldif" | $OPENSSL base64 -d -A -out "$tmpfile" 2>/dev/null
- [[ -s "$tmpfile" ]] || success=1
- fi
 else
 http_get "$crl" "$tmpfile"
 success=$?
 fi
- if [[ $success -ne 0 ]]; then
- pr_warning "retrieval of \"$1\" failed"
- fileout "$jsonID" "WARN" "CRL retrieval from $1 failed"
+ if [[ $success -eq 2 ]]; then
+ return 0
+ elif [[ $success -ne 0 ]]; then
+ pr_warning "retrieval of \"$crl\" failed"
+ fileout "$jsonID" "WARN" "CRL retrieval from $crl failed"
 return 1
 fi
 # -crl_download could be more elegant but is supported from 1.0.2 onwards only
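Review bot: In the new ldap_get a failing `curl` is reported as success: when `ldif="$(curl -s "$crl")"` exits non-zero, the `if [[ $? -eq 0 ]]` block is skipped and control falls through to `return 0`, so check_revocation_crl never emits its "retrieval failed" warning and proceeds to verify against a missing `$tmpfile`, whereas the inline code this replaces mapped that case to `success=1`. Change the first line of the curl branch to `ldif="$(curl -s "$crl")" || return 1` and drop the inner `if`/`fi`, so the awk/base64 decode and the `[[ -s "$tmpfile" ]] || return 1` check always run. `local -i success` inside ldap_get is never assigned or read and can be removed. Because the caller keys on the numeric status, a header comment above the function would help, e.g. `# Fetches the CRL at $1 (LDAP URI) into $2; returns 0 on success, 1 when retrieval or decoding fails, 2 when curl is not installed ($3 is the jsonID used for fileout)`.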
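Review bot: The new `[[ $success -eq 2 ]]` → `return 0` shortcut applies to both branches, but on the http/https path `success` is curl's own exit status as passed through by http_get (`return $?` in the hunk at line 1401), and curl exits 2 for "failed to initialize", which would then be silently treated as a successful CRL retrieval; restrict the check to the LDAP branch, e.g. `if [[ "$scheme" == "ldap" && $success -eq 2 ]]; then`, or have ldap_get signal "no curl" in a way curl cannot. Separately, as printed the line `if [[ "$scheme" == "ldap" ]]; then` carries a `-` marker while its `else`/`fi` remain as context, which would leave the function without an opening `if`; if that is not a rendering artifact the line must be kept on the new side. check_revocation_crl continues past the end of this hunk.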
@@ -7453,7 +7469,7 @@ certificate_info() {
 out "$indent"; pr_bold " Certificate Revocation List "
- jsonID="cert_cRLDistributionPoints"
+ jsonID="cert_crlDistributionPoints"
 # ~ get next 50 lines after pattern , strip until Signature Algorithm and retrieve URIs
 crl="$(awk '/X509v3 CRL Distribution/{i=50} i&&i--' <<< "$cert_txt" | awk '/^$/,/^ [a-zA-Z0-9]+|^ Signature Algorithm:/' | awk -F'URI:' '/URI/ { print $2 }')"
 if [[ -z "$crl" ]] ; then
@@ -7463,7 +7479,7 @@ certificate_info() {
 if [[ $(count_lines "$crl") -eq 1 ]]; then
 out "$crl"
 if [[ "$expfinding" != "expired" ]]; then
- check_revocation_crl "$crl" "cert_CRLrevoked_${json_postfix}"
+ check_revocation_crl "$crl" "cert_crlRevoked${json_postfix}"
 ret=$((ret +$?))
 fi
 outln
@@ -7477,7 +7493,7 @@ certificate_info() {
 fi
 out "$line"
 if [[ "$expfinding" != "expired" ]]; then
- check_revocation_crl "$line" "cert_CRLrevoked_${json_postfix}"
+ check_revocation_crl "$line" "cert_crlRevoked${json_postfix}"
 ret=$((ret +$?))
 fi
 outln