Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-03 23:39:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Define extract_certificates() function

Browse Source 
This PR defines an extract_certificates() function in order to remove some redundant code from get_server_certificate(). Currently, nearly identical code appears in two places in get_server_certificate() to extract certificates from the output of `$OPENSSL sclient`, in one place for SSLv2 responses and in another for SSLv3 through TLSv1.2. The code to get the certificates used with TLSv1.3 (see https://github.com/dcooper16/testssl.sh/tree/extended_tls_sockets) would have added a third place where this same code would be needed. This PR allows the code to be written once and used in all three places.
This commit is contained in:
David Cooper 2017-12-22 11:42:24 -05:00 committed by David Cooper
parent c4e4720133
commit 288175a61f
1 changed files with 41 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

88
testssl.sh
View File

@ -5976,14 +5976,49 @@ determine_tls_extensions() {
return $success return $success
} }
extract_certificates() {
local version="$1"
local savedir
local -i success nrsaved=0
# Place the server's certificate in $HOSTCERT and any intermediate
# certificates that were provided in $TEMPDIR/intermediatecerts.pem
savedir=$(pwd); cd $TEMPDIR
# http://backreference.org/2010/05/09/ocsp-verification-with-openssl/
if [[ "$version" == "ssl2" ]]; then
awk -v n=-1 '/Server certificate/ {start=1}
/-----BEGIN CERTIFICATE-----/{ if (start) {inc=1; n++} }
inc { print > ("level" n ".crt") }
/---END CERTIFICATE-----/{ inc=0 }' $TMPFILE
else
awk -v n=-1 '/Certificate chain/ {start=1}
/-----BEGIN CERTIFICATE-----/{ if (start) {inc=1; n++} }
inc { print > ("level" n ".crt") }
/---END CERTIFICATE-----/{ inc=0 }' $TMPFILE
fi
[[ -s level0.crt ]] && nrsaved=$(count_words "$(echo level?.crt 2>/dev/null)")
if [[ $nrsaved -eq 0 ]]; then
success=1
else
success=0
mv level0.crt $HOSTCERT
if [[ $nrsaved -eq 1 ]]; then
echo "" > $TEMPDIR/intermediatecerts.pem
else
cat level?.crt > $TEMPDIR/intermediatecerts.pem
rm level?.crt
fi
fi
cd "$savedir"
return $success
}
# arg1 is "-cipher <OpenSSL cipher>" or empty # arg1 is "-cipher <OpenSSL cipher>" or empty
# arg2 is a list of protocols to try (tls1_2, tls1_1, tls1, ssl3) or empty (if all should be tried) # arg2 is a list of protocols to try (tls1_2, tls1_1, tls1, ssl3) or empty (if all should be tried)
get_server_certificate() { get_server_certificate() {
local protocols_to_try proto local protocols_to_try proto
local success local success
local npn_params="" line local npn_params="" line
local savedir
local nrsaved=0
"$HAS_SPDY" && [[ -z "$STARTTLS" ]] && npn_params="-nextprotoneg \"$NPN_PROTOs\"" "$HAS_SPDY" && [[ -z "$STARTTLS" ]] && npn_params="-nextprotoneg \"$NPN_PROTOs\""
@ -6000,28 +6035,8 @@ get_server_certificate() {
$OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY -ssl2 </dev/null 2>$ERRFILE >$TMPFILE $OPENSSL s_client $STARTTLS $BUGS $1 -showcerts -connect $NODEIP:$PORT $PROXY -ssl2 </dev/null 2>$ERRFILE >$TMPFILE
sclient_connect_successful $? $TMPFILE && success=0 sclient_connect_successful $? $TMPFILE && success=0
if [[ $success -eq 0 ]]; then if [[ $success -eq 0 ]]; then
# Place the server's certificate in $HOSTCERT and any intermediate extract_certificates "ssl2"
# certificates that were provided in $TEMPDIR/intermediatecerts.pem success=$?
savedir=$(pwd); cd $TEMPDIR
# http://backreference.org/2010/05/09/ocsp-verification-with-openssl/
awk -v n=-1 '/Server certificate/ {start=1}
/-----BEGIN CERTIFICATE-----/{ if (start) {inc=1; n++} }
inc { print > ("level" n ".crt") }
/---END CERTIFICATE-----/{ inc=0 }' $TMPFILE
[[ -s level0.crt ]] && nrsaved=$(count_words "$(echo level?.crt 2>/dev/null)")
if [[ $nrsaved -eq 0 ]]; then
success=1
else
success=0
mv level0.crt $HOSTCERT
if [[ $nrsaved -eq 1 ]]; then
echo "" > $TEMPDIR/intermediatecerts.pem
else
cat level?.crt > $TEMPDIR/intermediatecerts.pem
rm level?.crt
fi
fi
cd "$savedir"
fi fi
tmpfile_handle $FUNCNAME.txt tmpfile_handle $FUNCNAME.txt
return $success return $success
@ -6063,29 +6078,8 @@ get_server_certificate() {
"ssl3") DETECTED_TLS_VERSION="0300" ;; "ssl3") DETECTED_TLS_VERSION="0300" ;;
esac esac
extract_new_tls_extensions $TMPFILE extract_new_tls_extensions $TMPFILE
extract_certificates "$proto"
# Place the server's certificate in $HOSTCERT and any intermediate success=$?
# certificates that were provided in $TEMPDIR/intermediatecerts.pem
savedir=$(pwd); cd $TEMPDIR
# http://backreference.org/2010/05/09/ocsp-verification-with-openssl/
awk -v n=-1 '/Certificate chain/ {start=1}
/-----BEGIN CERTIFICATE-----/{ if (start) {inc=1; n++} }
inc { print > ("level" n ".crt") }
/---END CERTIFICATE-----/{ inc=0 }' $TMPFILE
[[ -s level0.crt ]] && nrsaved=$(count_words "$(echo level?.crt 2>/dev/null)")
if [[ $nrsaved -eq 0 ]]; then
success=1
else
success=0
mv level0.crt $HOSTCERT
if [[ $nrsaved -eq 1 ]]; then
echo "" > $TEMPDIR/intermediatecerts.pem
else
cat level?.crt > $TEMPDIR/intermediatecerts.pem
rm level?.crt
fi
fi
cd "$savedir"
tmpfile_handle $FUNCNAME.txt tmpfile_handle $FUNCNAME.txt
return $success return $success