From 61947405e0183bc1872ccaf5feacb45850d93f9b Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Tue, 10 Jun 2025 22:54:11 +0200 Subject: [PATCH] Fix missing issuer CN This fixes a problem which was introduced @ 8d8f83ace507db6a699acb4901d1329f31731a04. It caused for some hosts not to parse / display the issuer CN correctly. Also it adds some code in testssl.sh and in a unit test to detect this earlier. In general an output string FIXME will now cause a unit test to fail. This can + should be used at other places too! Fixes #2789 --- t/10_baseline_ipv4_http.t | 4 ++-- testssl.sh | 9 ++++++--- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/t/10_baseline_ipv4_http.t b/t/10_baseline_ipv4_http.t index 6df9422..aa52f38 100755 --- a/t/10_baseline_ipv4_http.t +++ b/t/10_baseline_ipv4_http.t @@ -26,8 +26,8 @@ my $openssl_json=""; # @args="$prg $check2run $uri >/dev/null"; # system("@args") == 0 # or die ("FAILED: \"@args\" "); -my $socket_errors='(e|E)rror|\.\/testssl\.sh: line |(f|F)atal|(c|C)ommand not found'; -my $openssl_errors='(e|E)rror|(f|F)atal|\.\/testssl\.sh: line |Oops|s_client connect problem|(c|C)ommand not found'; +my $socket_errors='(e|E)rror|FIXME|\.\/testssl\.sh: line |(f|F)atal|(c|C)ommand not found'; +my $openssl_errors='(e|E)rror|FIXME|(f|F)atal|\.\/testssl\.sh: line |Oops|s_client connect problem|(c|C)ommand not found'; my $json_errors='(id".*:\s"scanProblem"|severity".*:\s"FATAL"|"Scan interrupted")'; diff --git a/testssl.sh b/testssl.sh index 18c6cd5..6ad85ed 100755 --- a/testssl.sh +++ b/testssl.sh 
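Review bot: The `FIXME` sentinel is added to `$socket_errors` and `$openssl_errors` only, while `$json_errors` on the next context line is left unchanged, so a placeholder that reaches only the JSON output would still pass this test. The visible `fileout` calls in the testssl.sh hunk do not write `cn` or `issuer_CN`, so this may be harmless today, but the commit message invites reuse of the sentinel elsewhere. I would also document the convention beside the patterns, e.g. `# FIXME: sentinel printed by testssl.sh when a parser returns an empty value; it must never appear in normal output`. Because the bare token is matched anywhere in the scan output, a comment noting that server-supplied text containing "FIXME" will also fail the test would help whoever has to triage such a failure.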
@@ -10121,9 +10121,12 @@ certificate_info() {
 expok="OK"
 fi
 out " ($enddate). "
- # Match on Subject/Issuer plus next 3 lines
- cn="$(awk '/Subject:/{stop=NR+3}; NR<=stop' <<< "${intermediate_certs_txt[i]}" | awk -F= '/CN/ { print $NF }')"
- issuer_CN="$(awk '/Issuer:/{stop=NR+3}; NR<=stop' <<< "${intermediate_certs_txt[i]}" | awk -F= '/CN/ { print $NF }')"
+ # Match on Subject/Issuer plus next 4 lines, there should be the CN
+ cn="$(awk '/Subject:/{stop=NR+4}; NR<=stop' <<< "${intermediate_certs_txt[i]}" | awk -F= '/CN/ { print $NF }')"
+ issuer_CN="$(awk '/Issuer:/{stop=NR+4}; NR<=stop' <<< "${intermediate_certs_txt[i]}" | awk -F= '/CN/ { print $NF }')"
+ # to catch errors like #2789 during unit test:
+ [[ -z "$cn" ]] && cn="FIXME: cn Error"
+ [[ -z "$issuer_CN" ]] && issuer_CN="FIXME: issuer_CN Error"
 pr_italic "$(strip_leading_space "$cn")"; out " <-- "; prln_italic "$(strip_leading_space "$issuer_CN")"
 fileout "intermediate_cert_notAfter <#${i}>${json_postfix}" "$expok" "$enddate"
 fileout "intermediate_cert_expiration <#${i}>${json_postfix}" "$expok" "$cn_finding"
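Review bot: The two new `[[ -z ... ]]` fallbacks treat every empty CN as a parser bug, but a CA name can legitimately carry no commonName (only O/OU), so `FIXME: issuer_CN Error` can appear in a user's scan output, and fail the unit test, for a certificate that was read correctly. The sentinel also fires only on an empty result, not a wrong one: the `NR+4` window is still a fixed-size guess, and the unanchored `/CN/` in the second awk matches any line in that window that merely contains those letters (presumably including a country value of `CN` if attributes sit on separate lines). I would tighten the match to the attribute name, something like `awk -F= '/CN ?=/ { print $NF }'`. I would also add a comment above the fallbacks such as `# empty means a parse failure or a name without CN; the FIXME text is a unit-test sentinel, not a finding`. The body of `certificate_info()` starts and ends outside the hunk, so the exact layout of `intermediate_certs_txt` is not visible here.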