From 9fc8c337043338b2aa508e026317df3106b7fac8 Mon Sep 17 00:00:00 2001
From: Sole
Date: Thu, 2 Feb 2023 00:42:15 +0000
Subject: [PATCH 1/2] Change exception for removed root certificates into easy edit multi-value regular expression for Organization name and making it clear that CA's are actively removed from 1+ root stores.
---
 testssl.sh | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index 77d7bd6..1bbc7c0 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -9416,10 +9416,11 @@ certificate_info() {
 out "$indent"; pr_bold " Chain of trust"; out " "
 jsonID="cert_chain_of_trust"
- if [[ "$issuer_O" =~ StartCom ]] || [[ "$issuer_O" =~ WoSign ]] || [[ "$issuer_CN" =~ StartCom ]] || [[ "$issuer_CN" =~ WoSign ]]; then
- # Shortcut for this special case here.
- pr_italic "WoSign/StartCom"; out " are " ; prln_svrty_critical "not trusted anymore (NOT ok)"
- fileout "${jsonID}${json_postfix}" "CRITICAL" "Issuer not trusted anymore (WoSign/StartCom)"
+ # Looks for CA's that have their trust removed by the first part of their Organization Name as they can only used verified names
+ if [[ "$issuer_O" =~ ^(TrustCor Systems|WoSign|StartCom) ]]; then
+ # Shortcut for this special case here. There is a difference between not being in a root store and being removed from a root store.
+ pr_italic "$issuer_O"; out " is " ; prln_svrty_critical "actively removed from one or more root stores (NOT ok)"
+ fileout "${jsonID}${json_postfix}" "CRITICAL" "Issuer removed from one or more root stores ($issuer_O)"
 set_grade_cap "T" "Untrusted certificate chain"
 else
 # Also handles fileout, keep error if happened
From 3670c1e4ad8479e32e44d6e76c9ff6039e643b4d Mon Sep 17 00:00:00 2001
From: Sole
Date: Thu, 2 Feb 2023 01:13:00 +0000
Subject: [PATCH 2/2] Removed non-relevant CA's that no longer have active certificates.
---
 testssl.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index 1bbc7c0..16374ae 100755
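Review bot: The rewritten condition drops the two `$issuer_CN` tests the removed line had, so a chain whose issuer Organization reads differently but whose CN still names one of the listed CAs no longer takes this shortcut; if that narrowing is intended it deserves a sentence in the commit message, otherwise keep `|| [[ "$issuer_CN" =~ ^(TrustCor Systems|WoSign|StartCom) ]]` on the same line. The new `pr_italic` and `fileout` lines also print the raw `$issuer_O`, a value taken from the certificate, into the terminal and into the JSON/CSV output where the old code printed a fixed literal, and because the pattern is anchored only with `^` anything after the matched prefix (quotes, control characters) reaches the output unchanged unless `fileout` escapes it, which this hunk does not show. Printing the matched group instead, `pr_italic "${BASH_REMATCH[1]}"` and `"Issuer removed from one or more root stores (${BASH_REMATCH[1]})"`, keeps the output to a known string while still naming the CA. The hunk of PATCH 2/2 carries the same two lines as context and inherits this. certificate_info() starts and ends outside the hunk.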
--- a/testssl.sh
+++ b/testssl.sh
@@ -9416,8 +9416,8 @@ certificate_info() {
 out "$indent"; pr_bold " Chain of trust"; out " "
 jsonID="cert_chain_of_trust"
- # Looks for CA's that have their trust removed by the first part of their Organization Name as they can only used verified names
- if [[ "$issuer_O" =~ ^(TrustCor Systems|WoSign|StartCom) ]]; then
+ # Looks for CA's that have their trust removed by the first part of their Organization Name, add multiple with ^(TrustCor Systems|WoSign) etc.
+ if [[ "$issuer_O" =~ ^(TrustCor Systems) ]]; then
 # Shortcut for this special case here. There is a difference between not being in a root store and being removed from a root store.
 pr_italic "$issuer_O"; out " is " ; prln_svrty_critical "actively removed from one or more root stores (NOT ok)"
 fileout "${jsonID}${json_postfix}" "CRITICAL" "Issuer removed from one or more root stores ($issuer_O)"
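Review bot: The regex on the new `if` line depends on bash treating the space inside the unquoted `( )` group as part of the pattern rather than as a word break, which current bash does but which is exactly the construct the bash manual and ShellCheck advise keeping in a variable so quoting and extension stay predictable. Assigning it first, `removed_ca_re='^(TrustCor Systems)'` and then `if [[ "$issuer_O" =~ $removed_ca_re ]]; then`, also makes the "add multiple with ..." hint in the comment above point at one obvious place to edit. The matched text is then available as `${BASH_REMATCH[1]}` for the output lines below, which currently echo the whole `$issuer_O`. The enclosing certificate_info() begins and ends outside the hunk, so where the variable is declared local is not visible here.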