From 6e6b8731c9fc4c486f583a8629eacbc0fe556d24 Mon Sep 17 00:00:00 2001
From: David Cooper
Date: Thu, 14 Apr 2022 08:31:57 -0400
Subject: [PATCH] Fix getting CRL

OpenSSL 3.X pretty prints certificates in a slightly different way than previous versions, and this breaks the code for getting the URIs from the CRLDP extension. This commit fixes the issue by having awk search for additional possible strings to start the CRL Distribution Points output. Unless the CRLDP extension is malformed, it will begin with "Full Name", "Relative Name", "Reasons", or "CRL Issuer".
---
 testssl.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/testssl.sh b/testssl.sh
index f0b25df..8012d11 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -8947,7 +8947,7 @@ certificate_info() {
 out "$indent"; pr_bold " Certificate Revocation List "
 jsonID="cert_crlDistributionPoints"
 # ~ get next 50 lines after pattern , strip until Signature Algorithm and retrieve URIs
- crl="$(awk '/X509v3 CRL Distribution/{i=50} i&&i--' <<< "$cert_txt" | awk '/^$/,/^ [a-zA-Z0-9]+|^ Signature Algorithm:/' | awk -F'URI:' '/URI/ { print $2 }')"
+ crl="$(awk '/X509v3 CRL Distribution/{i=50} i&&i--' <<< "$cert_txt" | awk '/^$|^.*Name.*$|^.*Reasons.*$|^.*CRL Issuer.*$/,/^ [a-zA-Z0-9]+|^ Signature Algorithm:/' | awk -F'URI:' '/URI/ { print $2 }')"
 if [[ -z "$crl" ]] ; then
 fileout "${jsonID}${json_postfix}" "INFO" "--"
 outln "--"
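Review bot: The new range-start pattern in the second awk is unanchored: `^.*Name.*$` is equivalent to `/Name/`, so any line containing "Name", "Reasons" or "CRL Issuer" within the 50 lines after the CRLDP header reopens the range, not only the four CRLDP field labels named in the commit message. `$cert_txt` is presumably the text dump of the scanned host's certificate, so a later extension value that has such a word and a `URI:` on the same line (a `DirName:` entry, for instance) could end up reported as a CRL URI; this is inferred from the pattern and not tested here. Matching the labels themselves would be tighter, for example a start pattern of `/^$|^ +(Full Name|Relative Name|Reasons|CRL Issuer):/` with the end pattern left as it is, assuming OpenSSL prints each label indented and followed by a colon. certificate_info() begins and ends outside this hunk, so how `$crl` is consumed afterwards should be checked with this in mind.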