correct signature keysizes, FIX #249

Dirk 2016-02-01 10:19:23 +01:00
parent c62abaf215
commit 0bfe12742e


@ -2875,14 +2875,37 @@ certificate_info() {
outln "(couldn't determine)" outln "(couldn't determine)"
fileout "$heading key_size" "WARN" "Server keys size cannot be determined" fileout "$heading key_size" "WARN" "Server keys size cannot be determined"
else else
if [[ "$keysize" -le 768 ]]; then # https://tools.ietf.org/html/rfc4492, http://www.keylength.com/en/compare/
# http://infoscience.epfl.ch/record/164526/files/NPDF-22.pdf
# see http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf
# Table 2 @ chapter 5.6.1 (~ p64)
if [[ $sig_algo =~ ecdsa ]] || [[ $key_algo =~ ecPublicKey ]]; then if [[ $sig_algo =~ ecdsa ]] || [[ $key_algo =~ ecPublicKey ]]; then
pr_litegreen "EC $keysize" if [[ "$keysize" -le 110 ]]; then # a guess
fileout "$heading key_size" "OK" "Server keys $keysize bits EC (OK)" pr_red "$keysize"
fileout "$heading key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)"
elif [[ "$keysize" -le 123 ]]; then # a guess
pr_litered "$keysize"
fileout "$heading key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)"
elif [[ "$keysize" -le 163 ]]; then
pr_brown "$keysize"
fileout "$heading key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)"
elif [[ "$keysize" -le 224 ]]; then
out "$keysize"
fileout "$heading key_size" "INFO" "Server keys $keysize EC bits"
elif [[ "$keysize" -le 533 ]]; then
pr_litegreen "$keysize"
fileout "$heading key_size" "OK" "Server keys $keysize EC bits (OK)"
else else
out "keysize: $keysize (not expected, FIXME)"
fileout "$heading key_size" "WARN" "Server keys $keysize bits (not expected)"
fi
else
if [[ "$keysize" -le 512 ]]; then
pr_red "$keysize" pr_red "$keysize"
fileout "$heading key_size" "NOT OK" "Server keys $keysize bits (NOT ok)" fileout "$heading key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
fi elif [[ "$keysize" -le 768 ]]; then
pr_litered "$keysize"
fileout "$heading key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
elif [[ "$keysize" -le 1024 ]]; then elif [[ "$keysize" -le 1024 ]]; then
pr_brown "$keysize" pr_brown "$keysize"
fileout "$heading key_size" "NOT OK" "Server keys $keysize bits (NOT ok)" fileout "$heading key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
@ -2893,10 +2916,11 @@ certificate_info() {
pr_litegreen "$keysize" pr_litegreen "$keysize"
fileout "$heading key_size" "OK" "Server keys $keysize bits (OK)" fileout "$heading key_size" "OK" "Server keys $keysize bits (OK)"
else else
out "weird keysize: $keysize" out "weird keysize: $keysize (compatibility problems)"
fileout "$heading key_size" "WARN" "Server keys $keysize bits (Odd)" fileout "$heading key_size" "WARN" "Server keys $keysize bits (Odd)"
fi fi
fi fi
fi
outln " bit" outln " bit"
out "$indent" ; pr_bold " Signature Algorithm " out "$indent" ; pr_bold " Signature Algorithm "
@ -6684,4 +6708,4 @@ fi
exit $? exit $?
# $Id: testssl.sh,v 1.452 2016/01/31 22:53:12 dirkw Exp $ # $Id: testssl.sh,v 1.453 2016/02/01 09:18:25 dirkw Exp $
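Review bot: In the new EC branch of certificate_info(), the `-le 163` bound lets 164–223-bit EC keys fall through to the neutral `INFO` arm, although Table 2 of the SP 800-57 document cited in the added comment puts the whole 160–223-bit EC range at the same 80-bit strength as RSA-1024, which the RSA branch right below reports as `NOT OK`. Raising that bound to `elif [[ "$keysize" -le 223 ]]; then` would rate a 192-bit curve the same way as a 1024-bit RSA key and leave 224 bits as the first size reported neutrally. The two lowest bounds are marked `# a guess`; a short comment naming the security level each one is meant to approximate would make them reviewable. Separately, `-le` inside `[[ ]]` evaluates `$keysize` arithmetically, and the value presumably comes from parsing the scanned server's certificate (not visible here, since the function starts outside the hunk), so a digits-only guard such as `[[ "$keysize" =~ ^[0-9]+$ ]]` ahead of this ladder would be a sensible check.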