CA names with domain component attributes
`certificate_info()` does not correctly display the Issuer name for CAs that use domain component attributes. There is a server on the NIST intranet that I test against that has a certificate issued by a NIST CA, and the issuer name in the certificate is of the form:

```
/DC=net/DC=example/DC=internal/CN=CAname
```

Since there is no organizational name, testssl.sh displays the name as:

```
Issuer "CAname" ("")
```

In this PR, if the Issuer name has 'DC=' attributes, but does not have an 'O=' attribute, the "DC=" attributes are combined into a DNS name that is used as if it were the organizational name:

```
Issuer "CAname" ("internal.example.net")
```

I should note, however, that I have not been able to find any other examples of TLS server certificates that have been issued by CAs that have domain components ("DC=") in their names. So, it may not be worthwhile to change the code to try to accommodate such CAs.
Parent: b342db6b38
Commit: 346c52dc7c
Changed file: testssl.sh (31 lines)
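As an added, stand-alone example (not testssl.sh code and not the author's patch), the following POSIX shell functions implement the rule the description gives: parse the one-line `/A=v/B=w` issuer form, join the `DC` values most-specific first, and use the result in place of `O` only when no `O` attribute is present. The names `issuer_attr`, `dc_to_dnsname` and `issuer_display` are this example's own; it assumes the slash-separated OpenSSL one-line name format shown in the description, with no escaped `\/` inside attribute values, and the sample DNs at the bottom are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not testssl.sh code. Derives an O-like name from the
# domainComponent (DC) attributes of an issuer DN given in OpenSSL's
# one-line "/C=US/O=Org/CN=Name" form (assumption: values contain no '/').

# issuer_attr DN ATTR: print every value of attribute type ATTR, one per
# line, in the order they appear. Matches whole attribute types, so
# asking for "O" does not pick up "OU", and "C" does not pick up "DC".
issuer_attr() {
    local rest="${1#/}" rdn
    while [ -n "$rest" ]; do
        rdn="${rest%%/*}"                # RDN up to the next '/'
        case "$rest" in
            */*) rest="${rest#*/}" ;;    # drop the RDN just taken
            *)   rest="" ;;              # that was the last one
        esac
        case "$rdn" in
            "$2="*) printf '%s\n' "${rdn#*=}" ;;
        esac
    done
}

# dc_to_dnsname DN: join the DC values into a DNS name. In a DN the DCs
# run from least to most specific (net, example, internal), so each new
# value is prepended. Returns 1 and prints nothing when there is no DC.
dc_to_dnsname() {
    local value dnsname=""
    while read -r value; do
        [ -n "$value" ] || continue
        if [ -z "$dnsname" ]; then
            dnsname="$value"
        else
            dnsname="$value.$dnsname"
        fi
    done <<EOF
$(issuer_attr "$1" DC)
EOF
    [ -n "$dnsname" ] || return 1
    printf '%s\n' "$dnsname"
}

# issuer_display DN: render the issuer as testssl.sh does, CN first, then
# O in parentheses (with " from C" when a country is present). The DC
# name is used only as a fallback when the DN has no O attribute.
issuer_display() {
    local dn="$1" cn o c
    cn="$(issuer_attr "$dn" CN | head -n 1)"
    o="$(issuer_attr "$dn" O | head -n 1)"
    c="$(issuer_attr "$dn" C | head -n 1)"
    [ -n "$o" ] || o="$(dc_to_dnsname "$dn")" || true
    if [ -n "$o" ] && [ -n "$c" ]; then
        printf 'Issuer "%s" ("%s" from "%s")\n' "$cn" "$o" "$c"
    elif [ -n "$o" ]; then
        printf 'Issuer "%s" ("%s")\n' "$cn" "$o"
    else
        printf 'Issuer "%s"\n' "$cn"
    fi
}

# Constructed sample DNs: the shape from the commit message, a classic
# public-CA style name, and one that carries both DC and O attributes.
issuer_display "/DC=net/DC=example/DC=internal/CN=CAname"
issuer_display "/C=US/O=Example Inc/CN=Example Intermediate CA"
issuer_display "/DC=net/DC=example/O=Example Inc/CN=CAname"
```

Matching whole attribute types (`"$2="*` against each RDN) rather than searching for a substring is what keeps `O` from matching `OU=` and `C` from matching `DC=`; the third sample shows that an `O` attribute, when present, wins over the DC-derived name, which is the precedence the description specifies.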
@ -3839,7 +3839,7 @@ certificate_info() {
local ocsp_response=$5
local ocsp_response_status=$6
local cert_sig_algo cert_sig_hash_algo cert_key_algo
local expire days2expire secs2warn ocsp_uri crl startdate enddate issuer_CN issuer_C issuer_O issuer sans san cn cn_nosni
local expire days2expire secs2warn ocsp_uri crl startdate enddate issuer_CN issuer_C issuer_O issuer_DC issuer issuerfinding sans san cn cn_nosni
local cert_fingerprint_sha1 cert_fingerprint_sha2 cert_fingerprint_serial
local policy_oid
local spaces=""
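Review bot: style point on the `local expire days2expire ...` declaration: appending `issuer_DC issuerfinding` to it pushes an already long line further past any reasonable width, and any later addition will produce the same one-line diff noise. Consider declaring the two new names on their own line, e.g. `local issuer_DC issuerfinding`, directly below it.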
@ -4146,22 +4146,33 @@ certificate_info() {
issuer_CN="$(awk -F'=' '/CN=/ { print $2 }' <<< "$issuer")"
issuer_O="$(awk -F'=' '/O=/ { print $2 }' <<< "$issuer")"
issuer_C="$(awk -F'=' '/ C=/ { print $2 }' <<< "$issuer")"
issuer_DC="$(awk -F'=' '/DC=/ { print $2 }' <<< "$issuer")"
if [[ "$issuer_O" == "issuer=" ]] || [[ "$issuer_O" == "issuer= " ]] || [[ "$issuer_CN" == "$CN" ]]; then
pr_svrty_criticalln "self-signed (NOT ok)"
fileout "${json_prefix}issuer" "NOT ok" "Issuer: selfsigned (NOT ok)"
else
pr_dquoted "$issuer_CN"
out " ("
pr_dquoted "$issuer_O"
if [[ -n "$issuer_C" ]]; then
out " from "
pr_dquoted "$issuer_C"
fileout "${json_prefix}issuer" "INFO" "Issuer: \"$issuer_CN\" ( \"$issuer_O\" from \"$issuer_C\")"
issuerfinding="$(pr_dquoted "$issuer_CN")"
if [[ -z "$issuer_O" ]] && [[ -n "$issuer_DC" ]]; then
for san in $issuer_DC; do
if [[ -z "$issuer_O" ]]; then
issuer_O="${san}"
else
fileout "${json_prefix}issuer" "INFO" "Issuer: \"$issuer_CN\" ( \"$issuer_O\" )"
issuer_O="${san}.${issuer_O}"
fi
outln ")"
done
fi
if [[ -n "$issuer_O" ]]; then
issuerfinding+=" ("
issuerfinding+="$(pr_dquoted "$issuer_O")"
if [[ -n "$issuer_C" ]]; then
issuerfinding+=" from "
issuerfinding+="$(pr_dquoted "$issuer_C")"
fi
issuerfinding+=")"
fi
outln "$issuerfinding"
fileout "${json_prefix}issuer" "INFO" "Issuer: $issuerfinding"
fi
# http://events.ccc.de/congress/2010/Fahrplan/attachments/1777_is-the-SSLiverse-a-safe-place.pdf, see page 40pp
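Review bot: the new `fileout "${json_prefix}issuer" "INFO" "Issuer: $issuerfinding"` writes whatever `pr_dquoted` emitted into the machine-readable finding, since `issuerfinding` is assembled from `$(pr_dquoted ...)` command substitutions, whereas the two `fileout` calls being removed built their string from literal `\"$issuer_CN\"` quoting; please confirm `pr_dquoted` produces plain text with no terminal colour escapes, or build the file finding from `$issuer_CN`, `$issuer_O` and `$issuer_C` directly as before and keep `issuerfinding` for the screen only. Two smaller points in the same hunk: `for san in $issuer_DC` reuses the `san` variable for domain components, where a name such as `dc` would read better, and the unquoted expansion relies on word splitting, which is fine only because DC values are DNS labels without whitespace; it is worth a comment that prepending each value (`issuer_O="${san}.${issuer_O}"`) deliberately reverses the DN order so that `/DC=net/DC=example/DC=internal` becomes `internal.example.net`.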