Merge pull request #2014 from drwetter/fix_len_certserialnum
Check cert serial len + fix output when too big
This commit is contained in:
commit
79df758023
34
testssl.sh
34
testssl.sh
|
@ -8429,8 +8429,10 @@ certificate_transparency() {
|
|||
return 0
|
||||
}
|
||||
|
||||
# replacement for inline $OPENSSL x509 -noout -in $HOSTCERT -serial
|
||||
# and $OPENSSL x509 -noout -in $HOSTCERT -fingerprint -sha256/-sha1
|
||||
# Shortcut for $OPENSSL x509 -noout -in $cert $ossl_command
|
||||
# arg1 is the certificate
|
||||
# arg2 is -serial | -fingerprint -sha1 | -fingerprint -sha256
|
||||
# returns the serial or fingerprint as ASCII
|
||||
#
|
||||
determine_cert_fingerprint_serial() {
|
||||
local cert="$1"
|
||||
|
@ -8444,6 +8446,10 @@ determine_cert_fingerprint_serial() {
|
|||
result="${result//:/}"
|
||||
result="${result//SHA1 /}"
|
||||
result="${result//SHA256 /}"
|
||||
# When the serial number is too large we'll get a 0x0a LF after 70 ASCII chars (see #2010).
|
||||
# Thus we clean them here so that it is displayed correctly.
|
||||
result="${result/[$'\n\r']/}"
|
||||
result="${result//[\\]/}"
|
||||
safe_echo "$result"
|
||||
}
|
||||
|
||||
|
@ -8549,6 +8555,7 @@ certificate_info() {
|
|||
local -i secsaday=86400
|
||||
local first=true
|
||||
local badocsp=1
|
||||
local len_cert_serial=0
|
||||
|
||||
if [[ $number_of_certificates -gt 1 ]]; then
|
||||
[[ $certificate_number -eq 1 ]] && outln
|
||||
|
@ -8885,12 +8892,31 @@ certificate_info() {
|
|||
|
||||
hostcert="$(<$HOSTCERT)"
|
||||
|
||||
out "$indent"; pr_bold " Serial / Fingerprints "
|
||||
out "$indent"; pr_bold " Serial "
|
||||
cert_serial="$(determine_cert_fingerprint_serial "$hostcert" "-serial")"
|
||||
fileout "cert_serialNumber${json_postfix}" "INFO" "$cert_serial"
|
||||
out "$cert_serial"
|
||||
|
||||
len_cert_serial=${#cert_serial}
|
||||
len_cert_serial=$(( len_cert_serial / 2 ))
|
||||
|
||||
if [[ $len_cert_serial -gt 20 ]]; then
|
||||
# https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.2
|
||||
outln
|
||||
prln_svrty_low "${spaces}NOT ok: length must not exceed 20 bytes (is: $len_cert_serial bytes)"
|
||||
fileout "cert_serialNumberLen${json_postfix}" "LOW" "$len_cert_serial is too long"
|
||||
elif [[ $len_cert_serial -lt 8 ]]; then
|
||||
# Wording is from https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.8.0.pdf
|
||||
prln_svrty_low " NOT ok: length should be >= 64 bits entropy (is: $len_cert_serial bytes)"
|
||||
fileout "cert_serialNumberLen${json_postfix}" "LOW" "$len_cert_serial is not enough entropy"
|
||||
else
|
||||
outln " (OK: length $len_cert_serial)"
|
||||
fileout "cert_serialNumberLen${json_postfix}" "INFO" "$len_cert_serial"
|
||||
fi
|
||||
|
||||
out "$indent"; pr_bold " Fingerprints "
|
||||
cert_fingerprint_sha1="$(determine_cert_fingerprint_serial "$hostcert" "-fingerprint -sha1")"
|
||||
outln "$cert_serial / SHA1 $cert_fingerprint_sha1"
|
||||
outln "SHA1 $cert_fingerprint_sha1"
|
||||
fileout "cert_fingerprintSHA1${json_postfix}" "INFO" "${cert_fingerprint_sha1}"
|
||||
|
||||
cert_fingerprint_sha2="$(determine_cert_fingerprint_serial "$hostcert" "-fingerprint -sha256")"
|
||||
|
|
Loading…
Reference in New Issue