Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-10-31 13:55:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Accept stapled OCSP responses that use SHA-256 in CertID

Browse Source 
This commit modifies check_revocation_ocsp() to check the revocation status of a certificate in a stapled OCSP response whether the response uses SHA-1 or SHA-256 in CertID.
This commit is contained in:
David Cooper
2024-10-08 12:49:39 -07:00
parent b2e6f990b9
commit 1f37a8406f
1 changed files with 17 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
testssl.sh
View File

@@ -2035,7 +2035,7 @@ check_revocation_ocsp() {
local stapled_response="$2" local stapled_response="$2"
local jsonID="$3" local jsonID="$3"
local tmpfile="" local tmpfile=""
local -i success local -i success=1
local response="" local response=""
local host_header="" local host_header=""
@@ -2052,9 +2052,20 @@ check_revocation_ocsp() {
tmpfile=$TEMPDIR/${NODE}-${NODEIP}.${uri##*\/} || exit $ERR_FCREATE tmpfile=$TEMPDIR/${NODE}-${NODEIP}.${uri##*\/} || exit $ERR_FCREATE
if [[ -n "$stapled_response" ]]; then if [[ -n "$stapled_response" ]]; then
hex2binary "$stapled_response" > "$TEMPDIR/stapled_ocsp_response.dd" hex2binary "$stapled_response" > "$TEMPDIR/stapled_ocsp_response.dd"
$OPENSSL ocsp -no_nonce -respin "$TEMPDIR/stapled_ocsp_response.dd" \ if [[ "$stapled_response" =~ 06052[bB]0[eE]03021[aA] ]]; then
-issuer $TEMPDIR/hostcert_issuer.pem -verify_other $TEMPDIR/intermediatecerts.pem \ # Response appears to use SHA-1 in CertID
-CAfile <(cat $ADDTL_CA_FILES "$GOOD_CA_BUNDLE") -cert $HOSTCERT -text &> "$tmpfile" $OPENSSL ocsp -no_nonce -respin "$TEMPDIR/stapled_ocsp_response.dd" \
-issuer $TEMPDIR/hostcert_issuer.pem -verify_other $TEMPDIR/intermediatecerts.pem \
-CAfile <(cat $ADDTL_CA_FILES "$GOOD_CA_BUNDLE") -cert $HOSTCERT -text &> "$tmpfile"
success=$?
fi
if [[ $success -ne 0 ]] && [[ "$stapled_response" =~ 0609608648016503040201 ]]; then
# Response appears to use SHA-256 in CertID
$OPENSSL ocsp -sha256 -no_nonce -respin "$TEMPDIR/stapled_ocsp_response.dd" \
-issuer $TEMPDIR/hostcert_issuer.pem -verify_other $TEMPDIR/intermediatecerts.pem \
-CAfile <(cat $ADDTL_CA_FILES "$GOOD_CA_BUNDLE") -cert $HOSTCERT -text &> "$tmpfile"
success=$?
fi
else else
host_header=${uri##http://} host_header=${uri##http://}
host_header=${host_header%%/*} host_header=${host_header%%/*}
@@ -2069,8 +2080,9 @@ check_revocation_ocsp() {
$OPENSSL ocsp -no_nonce ${host_header} -url "$uri" \ $OPENSSL ocsp -no_nonce ${host_header} -url "$uri" \
-issuer $TEMPDIR/hostcert_issuer.pem -verify_other $TEMPDIR/intermediatecerts.pem \ -issuer $TEMPDIR/hostcert_issuer.pem -verify_other $TEMPDIR/intermediatecerts.pem \
-CAfile <(cat $ADDTL_CA_FILES "$GOOD_CA_BUNDLE") -cert $HOSTCERT -text &> "$tmpfile" -CAfile <(cat $ADDTL_CA_FILES "$GOOD_CA_BUNDLE") -cert $HOSTCERT -text &> "$tmpfile"
success=$?
fi fi
if [[ $? -eq 0 ]] && grep -Fq "Response verify OK" "$tmpfile"; then if [[ $success -eq 0 ]] && grep -Fq "Response verify OK" "$tmpfile"; then
response="$(grep -F "$HOSTCERT: " "$tmpfile")" response="$(grep -F "$HOSTCERT: " "$tmpfile")"
response="${response#$HOSTCERT: }" response="${response#$HOSTCERT: }"
response="${response%\.}" response="${response%\.}"