Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-03 23:39:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1710 from tosticated/3.1dev

Browse Source 
Added check for certificate validity longer than 398 days
This commit is contained in:
Dirk Wetter 2020-09-08 15:37:07 +02:00 committed by GitHub
commit 794bbe30af
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 25 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@ -21,6 +21,7 @@
* Don't penalize missing trust in rating when CA not in Java store * Don't penalize missing trust in rating when CA not in Java store
* Added support for certificates with EdDSA signatures and pubilc keys * Added support for certificates with EdDSA signatures and pubilc keys
* --add-ca can also now be a directory with \*.pem files * --add-ca can also now be a directory with \*.pem files
* Warning of 398 day limit for certificates issued after 2020/9/1
### Features implemented / improvements in 3.0 ### Features implemented / improvements in 3.0

3
CREDITS.md
View File

@ -39,6 +39,9 @@ Full contribution, see git log.
* Christoph Badura * Christoph Badura
- NetBSD fixes - NetBSD fixes
* Jim Blankendaal
- maximum certificate lifespan of 398 days
* Frank Breedijk * Frank Breedijk
- Detection of insecure redirects - Detection of insecure redirects
- JSON and CSV output - JSON and CSV output

21
testssl.sh
View File

@ -8353,6 +8353,7 @@ certificate_info() {
local caa_node="" all_caa="" caa_property_name="" caa_property_value="" local caa_node="" all_caa="" caa_property_name="" caa_property_value=""
local response="" local response=""
local yearstart yearend clockstart clockend y m d local yearstart yearend clockstart clockend y m d
local gt_398=false gt_398warn=false
local gt_825=false gt_825warn=false local gt_825=false gt_825warn=false
local badocsp=1 local badocsp=1
@ -9111,6 +9112,26 @@ certificate_info() {
out "$spaces" out "$spaces"
prln_svrty_medium ">= 5 years is too long" prln_svrty_medium ">= 5 years is too long"
fileout "cert_validityPeriod${json_postfix}" "MEDIUM" "$((diffseconds / (3600 * 24) )) days" fileout "cert_validityPeriod${json_postfix}" "MEDIUM" "$((diffseconds / (3600 * 24) )) days"
elif [[ $diffseconds -ge $((3600 * 24 * 398 + 1)) ]]; then
# Also "official" certificates issued from september 1st 2020 (1598918400) aren't supposed
# to be valid longer than 398 days which is 34387200 in epoch seconds
gt_398=true
if "$HAS_OPENBSDDATE"; then
if [[ 20200901 -le ${yearstart//-/} ]]; then
gt_398warn=true
fi
elif [[ $(parse_date "$startdate" "+%s" $'%F %H:%M') -ge 1598918400 ]]; then
gt_398warn=true
fi
# Now, the verdict, depending on the issuing date
out "$spaces"
if "$gt_398warn" && "$gt_398"; then
prln_svrty_medium "> 398 days issued after 2020/09/01 is too long"
fileout "cert_validityPeriod${json_postfix}" "MEDIUM" "$((diffseconds / (3600 * 24) )) > 398 days"
elif "$gt_398"; then
outln ">= 398 days certificate life time but issued before 2020/09/01"
fileout "cert_validityPeriod${json_postfix}" "INFO" "$((diffseconds / (3600 * 24) )) =< 398 days"
fi
elif [[ $diffseconds -ge $((3600 * 24 * 825 + 1)) ]]; then elif [[ $diffseconds -ge $((3600 * 24 * 825 + 1)) ]]; then
# Also "official" certificates issued from March 1st, 2018 (1517353200) aren't supposed # Also "official" certificates issued from March 1st, 2018 (1517353200) aren't supposed
# to be valid longer than 825 days which is 1517353200 in epoch seconds # to be valid longer than 825 days which is 1517353200 in epoch seconds