Polish existing CRL revocation check code

* Extra function for ldap_get()
  * Hint when curl is not installed and LDAP URI is encountered
  * Rename jsonID cert_cRLDistributionPoints to cert_crlDistributionPoints
  * Fix trailing _ in jsonID

Open/to be clarified:

   * Proxy for curl / proxy needs to come from testssl.sh
   * Proxy support for HTTP bash socket GET
   * cert_CRLrevoked comes before cert_cRLDistributionPoints
   * Unit tests

Still open: OCSP
Dirk 2018-04-28 22:25:43 +02:00
parent 5ff9fe0f0d
commit 0851599a4e


@ -1401,7 +1401,7 @@ http_get() {
"$SNEAKY" && useragent="$UA_SNEAKY" "$SNEAKY" && useragent="$UA_SNEAKY"
# auomatically handles proxy vars via ENV # automatically handles proxy vars via ENV
if which curl &>/dev/null; then if which curl &>/dev/null; then
curl -s -A $''"$useragent"'' -o $dl "$1" curl -s -A $''"$useragent"'' -o $dl "$1"
return $? return $?
@ -1413,7 +1413,7 @@ http_get() {
IFS=/ read -r proto z node query <<< "$1" IFS=/ read -r proto z node query <<< "$1"
exec 33<>/dev/tcp/$node/80 exec 33<>/dev/tcp/$node/80
printf -- "%b" "GET /$query HTTP/1.0\r\nUser-Agent: $useragent\r\nHost: $node\r\nAccept: */*\r\n\r\n" >&33 printf -- "%b" "GET /$query HTTP/1.0\r\nUser-Agent: $useragent\r\nHost: $node\r\nAccept: */*\r\n\r\n" >&33
# strip HTTP header # strip HTTP header (
if [[ $DEBUG -ge 1 ]]; then if [[ $DEBUG -ge 1 ]]; then
cat <&33 >${dl}.raw cat <&33 >${dl}.raw
cat ${dl}.raw | sed '1,/^[[:space:]]*$/d' >${dl} cat ${dl}.raw | sed '1,/^[[:space:]]*$/d' >${dl}
@ -1425,12 +1425,32 @@ http_get() {
fi fi
} }
ldap_get() {
local ldif
local -i success
local crl="$1"
local tmpfile="$2"
local jsonID="$3"
if which curl &>/dev/null; then
ldif="$(curl -s "$crl")"
if [[ $? -eq 0 ]]; then
awk '/certificateRevocationList/ { print $2 }' <<< "$ldif" | $OPENSSL base64 -d -A -out "$tmpfile" 2>/dev/null
[[ -s "$tmpfile" ]] || return 1
fi
return 0
else
pr_litecyan " (for LDAP CRL check install \"curl\")"
fileout "$jsonID" "INFO" "LDAP CRL revocation check needs \"curl\""
return 2
fi
}
check_revocation_crl() { check_revocation_crl() {
local crl="$1" local crl="$1"
local jsonID="$2" local jsonID="$2"
local tmpfile="" local tmpfile=""
local scheme local scheme
local ldif
local -i success local -i success
"$PHONE_OUT" || return 0 "$PHONE_OUT" || return 0
@ -1438,22 +1458,18 @@ check_revocation_crl() {
# The code for obtaining CRLs only supports LDAP, HTTP, and HTTPS URLs. # The code for obtaining CRLs only supports LDAP, HTTP, and HTTPS URLs.
[[ "$scheme" == "http" ]] || [[ "$scheme" == "https" ]] || [[ "$scheme" == "ldap" ]] || return 0 [[ "$scheme" == "http" ]] || [[ "$scheme" == "https" ]] || [[ "$scheme" == "ldap" ]] || return 0
tmpfile=$TEMPDIR/${NODE}-${NODEIP}.${crl##*\/} || exit $ERR_FCREATE tmpfile=$TEMPDIR/${NODE}-${NODEIP}.${crl##*\/} || exit $ERR_FCREATE
if [[ "$scheme" == "ldap" ]]; then if [[ "$scheme" == "ldap" ]]; then
which curl &>/dev/null || return 0 ldap_get "$crl" "$tmpfile" "$jsonID"
ldif="$(curl -s "$crl")"
success=$? success=$?
if [[ $success -eq 0 ]]; then
awk '/certificateRevocationList/ { print $2 }' <<< "$ldif" | $OPENSSL base64 -d -A -out "$tmpfile" 2>/dev/null
[[ -s "$tmpfile" ]] || success=1
fi
else else
http_get "$crl" "$tmpfile" http_get "$crl" "$tmpfile"
success=$? success=$?
fi fi
if [[ $success -ne 0 ]]; then if [[ $success -eq 2 ]]; then
pr_warning "retrieval of \"$1\" failed" return 0
fileout "$jsonID" "WARN" "CRL retrieval from $1 failed" elif [[ $success -ne 0 ]]; then
pr_warning "retrieval of \"$crl\" failed"
fileout "$jsonID" "WARN" "CRL retrieval from $crl failed"
return 1 return 1
fi fi
# -crl_download could be more elegant but is supported from 1.0.2 onwards only # -crl_download could be more elegant but is supported from 1.0.2 onwards only
@ -7453,7 +7469,7 @@ certificate_info() {
out "$indent"; pr_bold " Certificate Revocation List " out "$indent"; pr_bold " Certificate Revocation List "
jsonID="cert_cRLDistributionPoints" jsonID="cert_crlDistributionPoints"
# ~ get next 50 lines after pattern , strip until Signature Algorithm and retrieve URIs # ~ get next 50 lines after pattern , strip until Signature Algorithm and retrieve URIs
crl="$(awk '/X509v3 CRL Distribution/{i=50} i&&i--' <<< "$cert_txt" | awk '/^$/,/^ [a-zA-Z0-9]+|^ Signature Algorithm:/' | awk -F'URI:' '/URI/ { print $2 }')" crl="$(awk '/X509v3 CRL Distribution/{i=50} i&&i--' <<< "$cert_txt" | awk '/^$/,/^ [a-zA-Z0-9]+|^ Signature Algorithm:/' | awk -F'URI:' '/URI/ { print $2 }')"
if [[ -z "$crl" ]] ; then if [[ -z "$crl" ]] ; then
@ -7463,7 +7479,7 @@ certificate_info() {
if [[ $(count_lines "$crl") -eq 1 ]]; then if [[ $(count_lines "$crl") -eq 1 ]]; then
out "$crl" out "$crl"
if [[ "$expfinding" != "expired" ]]; then if [[ "$expfinding" != "expired" ]]; then
check_revocation_crl "$crl" "cert_CRLrevoked_${json_postfix}" check_revocation_crl "$crl" "cert_crlRevoked${json_postfix}"
ret=$((ret +$?)) ret=$((ret +$?))
fi fi
outln outln
@ -7477,7 +7493,7 @@ certificate_info() {
fi fi
out "$line" out "$line"
if [[ "$expfinding" != "expired" ]]; then if [[ "$expfinding" != "expired" ]]; then
check_revocation_crl "$line" "cert_CRLrevoked_${json_postfix}" check_revocation_crl "$line" "cert_crlRevoked${json_postfix}"
ret=$((ret +$?)) ret=$((ret +$?))
fi fi
outln outln
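Review bot: In the new ldap_get() (third hunk), a failing curl still ends in `return 0`: the `if [[ $? -eq 0 ]]` branch has no else, so when the LDAP fetch fails the function falls through to the unconditional `return 0`, check_revocation_crl() sees success=0 and goes on to verify against an empty or missing "$tmpfile". Replacing the assignment with `ldif="$(curl -s "$crl")" || return 1` and dropping the surrounding if/fi so the awk/base64 line and the `[[ -s "$tmpfile" ]] || return 1` check always run would make a fetch failure surface as the WARN finding the caller already emits. The `local -i success` declared in ldap_get() is never used and can go. Note also that the caller now treats status 2 as "curl not installed, skip silently", while the HTTP path returns curl's own exit status unchanged (`return $?` in the first hunk); curl exits 2 on failed initialization, so such an HTTP retrieval failure would be skipped without any finding — a distinct sentinel, or checking `which curl` in the caller, avoids that overlap.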