Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-10-31 13:55:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix #1747

Browse Source 
This commit fixes #1747 by converting PEM encoded certificates that are sent to fileout() to a single line. As suggested in #1747, '\n' is added after the '----- BEGIN ... -----' line and before the '------ END ... ------' line.

In order to ensure that '\n' appears in the string in the JSON and CSV files, '\\n' is sent to fileout() so that 'printf -- "%b"' converts '\\n' to '\n' rather than converting '\n' to a newline character.

In order to prevent fileout() from converting '\\n' to '\ ', this commit move the fix for #2049 (see PR #2050) from fileout() to fatal().
This commit is contained in:
David Cooper
2022-11-16 10:25:19 -08:00
parent 827782cd58
commit 3eb8cf6754
1 changed files with 23 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
testssl.sh
View File

@@ -872,6 +872,26 @@ strip_quote() (
)" )"
) )
# Converts a string containing PEM encoded data to one line.
pem_to_one_line() {
local pem="$1"
local header="" footer=""
if [[ "$pem" =~ .*-+BEGIN\ [A-Za-z0-9]+-+ ]]; then
header="$BASH_REMATCH"
pem="${pem/$header/}"
fi
if [[ "$pem" =~ -+END\ [A-Za-z0-9]+-+.* ]]; then
footer="$BASH_REMATCH"
pem="${pem/$footer/}"
fi
pem="$(strip_spaces "$(newline_to_spaces "$pem")")"
[[ -n "$header" ]] && pem="$header\\\n$pem"
[[ -n "$footer" ]] && pem+="\\\n$footer"
printf -- "%s" "$pem"
return 0
}
is_ipv4addr() { is_ipv4addr() {
local octet="(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])" local octet="(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
local ipv4address="$octet\\.$octet\\.$octet\\.$octet" local ipv4address="$octet\\.$octet\\.$octet\\.$octet"
@@ -1355,7 +1375,6 @@ fileout() {
if { "$do_pretty_json" && [[ "$1" == service ]]; } || show_finding "$severity"; then if { "$do_pretty_json" && [[ "$1" == service ]]; } || show_finding "$severity"; then
local finding=$(strip_lf "$(newline_to_spaces "$(strip_quote "$3")")") # additional quotes will mess up screen output local finding=$(strip_lf "$(newline_to_spaces "$(strip_quote "$3")")") # additional quotes will mess up screen output
finding="${finding//\\n/ }"
[[ -e "$JSONFILE" ]] && [[ ! -d "$JSONFILE" ]] && fileout_json_finding "$1" "$severity" "$finding" "$cve" "$cwe" "$hint" [[ -e "$JSONFILE" ]] && [[ ! -d "$JSONFILE" ]] && fileout_json_finding "$1" "$severity" "$finding" "$cve" "$cwe" "$hint"
"$do_csv" && [[ -n "$CSVFILE" ]] && [[ ! -d "$CSVFILE" ]] && \ "$do_csv" && [[ -n "$CSVFILE" ]] && [[ ! -d "$CSVFILE" ]] && \
fileout_csv_finding "$1" "$NODE/$NODEIP" "$PORT" "$severity" "$finding" "$cve" "$cwe" "$hint" fileout_csv_finding "$1" "$NODE/$NODEIP" "$PORT" "$severity" "$finding" "$cve" "$cwe" "$hint"
@@ -9181,8 +9200,7 @@ certificate_info() {
fileout "cert_fingerprintSHA256${json_postfix}" "INFO" "${cert_fingerprint_sha2}" fileout "cert_fingerprintSHA256${json_postfix}" "INFO" "${cert_fingerprint_sha2}"
outln "${spaces}SHA256 ${cert_fingerprint_sha2}" outln "${spaces}SHA256 ${cert_fingerprint_sha2}"
# " " needs to be converted back to lf in JSON/CSV output. watch out leading/ending line containing "CERTIFICATE" fileout "cert${json_postfix}" "INFO" "$(pem_to_one_line "$hostcert")"
fileout "cert${json_postfix}" "INFO" "$hostcert"
[[ -z $CERT_FINGERPRINT_SHA2 ]] && \ [[ -z $CERT_FINGERPRINT_SHA2 ]] && \
CERT_FINGERPRINT_SHA2="$cert_fingerprint_sha2" || CERT_FINGERPRINT_SHA2="$cert_fingerprint_sha2" ||
@@ -9757,7 +9775,7 @@ certificate_info() {
intermediates="${intermediates#${cert}-----END CERTIFICATE-----}" intermediates="${intermediates#${cert}-----END CERTIFICATE-----}"
cert="-----BEGIN CERTIFICATE-----${cert}-----END CERTIFICATE-----" cert="-----BEGIN CERTIFICATE-----${cert}-----END CERTIFICATE-----"
fileout "intermediate_cert <#${i}>${json_postfix}" "INFO" "$cert" fileout "intermediate_cert <#${i}>${json_postfix}" "INFO" "$(pem_to_one_line "$cert")"
fileout "intermediate_cert_fingerprintSHA256 <#${i}>${json_postfix}" "INFO" "$(determine_cert_fingerprint_serial "$cert" "-fingerprint -sha256")" fileout "intermediate_cert_fingerprintSHA256 <#${i}>${json_postfix}" "INFO" "$(determine_cert_fingerprint_serial "$cert" "-fingerprint -sha256")"
intermediate_certs_txt[i]="$($OPENSSL x509 -text -noout 2>/dev/null <<< "$cert")" intermediate_certs_txt[i]="$($OPENSSL x509 -text -noout 2>/dev/null <<< "$cert")"
@@ -20443,7 +20461,7 @@ fatal() {
fi fi
# Make sure we don't try to write into files when not created yet. # Make sure we don't try to write into files when not created yet.
# No shorthand expression to avoid errors when $CMDLINE_PARSED haven't been filled yet. # No shorthand expression to avoid errors when $CMDLINE_PARSED haven't been filled yet.
[[ $CMDLINE_PARSED == true ]] && fileout "scanProblem" "FATAL" "$1" [[ $CMDLINE_PARSED == true ]] && fileout "scanProblem" "FATAL" "${1//\\n/ }" # See issue #2049.
exit $2 exit $2
} }