Changes to outputs: certificate start+end time, CRL+OCSP

For certificate start+end time it now displays the
time in UTC, without mentioning the timezone twice.

Also, if neither a CRL nor an OCSP URI is provided, this
now appears on screen below those two checks. JSON/CSV then
contain an additional finding.
Dirk 2018-01-31 17:23:50 +01:00
parent 02b5497864
commit 656016eae4


@ -6976,13 +6976,15 @@ certificate_info() {
# see #967
out "$indent"; pr_bold " Certificate Expiration "
# FreeBSD + OSX can't swallow the leading blank:
enddate="$(strip_leading_space "$(awk -F':' '/Not After/ { print $2":"$3":"$4 }' $HOSTCERT_TXT)")" # in GMT
startdate="$(strip_leading_space "$(awk -F':' '/Not Before/ { print $2":"$3":"$4 }' $HOSTCERT_TXT)")"
days2expire=$(( $(parse_date "$enddate" "+%s" $'%b %d %T %Y %Z') - $(LC_ALL=C date "+%s") )) # first in seconds
days2expire=$((days2expire / 3600 / 24 ))
enddate="$(parse_date "$enddate" +"%F %H:%M" "%b %d %T %Y %Z")"
startdate="$(parse_date "$startdate" +"%F %H:%M" "%b %d %T %Y %Z")"
enddate="$(strip_trailing_space "${enddate//GMT/}")"
startdate="$(strip_trailing_space "${startdate//GMT/}")"
days2expire=$(( $(parse_date "$enddate" "+%s" $'%F %H:%M') - $(LC_ALL=C date "+%s") )) # first in seconds
days2expire=$((days2expire / 3600 / 24 ))
# we adjust the thresholds by %50 for LE certificates, relaxing those warnings
if grep -q "^Let's Encrypt Authority" <<< "$issuer_CN"; then
@ -7015,14 +7017,14 @@ certificate_info() {
expok="HIGH"
fi
fi
outln " ($startdate --> $enddate)"
outln " (UTC: $startdate --> $enddate)"
fileout "cert_expiration_status${json_postfix}" "$expok" "$expfinding"
fileout "cert_expiration_start${json_postfix}" "$expok" "$startdate"
fileout "cert_expiration_end${json_postfix}" "$expok" "$enddate"
fileout "cert_expirationUTC_start${json_postfix}" "INFO" "$startdate" # we assume that the certificate has no start time in the future
fileout "cert_expirationUTC_end${json_postfix}" "$expok" "$enddate"
certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem)
out "$indent"; pr_bold " # of certificates provided"; outln " $certificates_provided"
fileout "certchain_count${json_postfix}" "INFO" "${certificates_provided} certificates"
fileout "certchain_count${json_postfix}" "INFO" "${certificates_provided}"
# Get both CRL and OCSP URI upfront. If there's none, this is not good. And we need to penalize this in the output
crl="$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | \
@ -7032,14 +7034,8 @@ certificate_info() {
out "$indent"; pr_bold " Certificate Revocation List "
jsonID="cert_CRL"
if [[ -z "$crl" ]] ; then
if [[ -n "$ocsp_uri" ]]; then
outln "--"
fileout "${jsonID}${json_postfix}" "INFO" "none"
else
pr_svrty_high "NOT ok --"
outln " neither CRL nor OCSP URI provided"
fileout "${jsonID}${json_postfix}" "HIGH" "Neither CRL nor OCSP URI provided"
fi
fileout "${jsonID}${json_postfix}" "INFO" "--"
outln "--"
else
if [[ $(count_lines "$crl") -eq 1 ]]; then
outln "$crl"
@ -7062,6 +7058,12 @@ certificate_info() {
fi
fileout "${jsonID}${json_postfix}" "INFO" "$ocsp_uri"
fi
if [[ -z "$ocsp_uri" ]] && [[ -z "$crl" ]]; then
out "$spaces"
pr_svrty_high "NOT ok --"
outln " neither CRL nor OCSP URI provided"
fileout "cert_revocation${json_postfix}" "HIGH" "Neither CRL nor OCSP URI provided"
fi
out "$indent"; pr_bold " OCSP stapling "
jsonID="OCSP_stapling"