Fix some problems with CRL revocation checking

There are some circumstances in which check_revocation_crl() will incorrectly indicate that a CRL lists the server's certificate as revoked. #1046 is one of them. Another is any case in which the server's certificate cannot be validated using any of the certificates in the trust store that OpenSSL uses (e.g., the server's certificate was issued by a local CA). In both of these cases, "openssl verify" fails, for some reason other than "certificate revoked", and check_revocation_crl() assumes that any failure of "openssl verify" is the result of certificate revocation.

This PR addresses the problem in two ways. First, it adds the "-partial_chain" option to the "openssl verify" command line whenever $OPENSSL supports that option (it is not supported by LibreSSL or by versions of OpenSSL earlier than 1.0.2). This will fix most of the problems when a version of OpenSSL that supports "-partial_chain" is used.

Even if the "-partial_chain" option is provided, OpenSSL needs to have at least one CA certificate so that it can get the public key needed to verify the signatures on the server's certificate and on the CRL. So, if the server doesn't send any CA certificates and the server's certificate was not issued by a CA in the trust store, then the verify command will fail even if the "-partial_chain" option is provided.

So, as a fail-safe, this PR changes check_revocation_crl() to check the error message that the verify command provides when it fails so that testssl.sh only reports a certificate a revoked if the verify command fails with a reason of "certificate revoked".

Note that this PR also fixes two other minor issues. It incorporates #1047, which corrects a typo, and it redirects $OPENSSL's output on line 1479 in order to suppress any error messages that $OPENSSL might print (e.g., "WARNING: can't open config file").
This commit is contained in:
David Cooper 2018-05-02 15:42:59 -04:00 committed by David Cooper
parent 626e0fc65a
commit 89f8ddcf30

View File

@ -318,6 +318,7 @@ HAS_NOSERVERNAME=false
HAS_CIPHERSUITES=false HAS_CIPHERSUITES=false
HAS_COMP=false HAS_COMP=false
HAS_NO_COMP=false HAS_NO_COMP=false
HAS_PARTIAL_CHAIN=false
HAS_ALPN=false HAS_ALPN=false
HAS_NPN=false HAS_NPN=false
HAS_FALLBACK_SCSV=false HAS_FALLBACK_SCSV=false
@ -1451,7 +1452,7 @@ check_revocation_crl() {
local crl="$1" local crl="$1"
local jsonID="$2" local jsonID="$2"
local tmpfile="" local tmpfile=""
local scheme local scheme retcode partial_chain=""
local -i success local -i success
"$PHONE_OUT" || return 0 "$PHONE_OUT" || return 0
@ -1474,22 +1475,30 @@ check_revocation_crl() {
return 1 return 1
fi fi
# -crl_download could be more elegant but is supported from 1.0.2 onwards only # -crl_download could be more elegant but is supported from 1.0.2 onwards only
$OPENSSL crl -inform DER -in "$tmpfile" -outform PEM -out "${tmpfile%%.crl}.pem" $OPENSSL crl -inform DER -in "$tmpfile" -outform PEM -out "${tmpfile%%.crl}.pem" &> $ERRFILE
if [[ $? -ne 0 ]]; then if [[ $? -ne 0 ]]; then
pr_warning "conversion of "$tmpfile" failed" pr_warning "conversion of "$tmpfile" failed"
fileout "$jsonID" "WARN" "conversion of CRL to PEM format failed" fileout "$jsonID" "WARN" "conversion of CRL to PEM format failed"
return 1 return 1
fi fi
cat $TEMPDIR/intermediatecerts.pem "${tmpfile%%.crl}.pem" >$TEMPDIR/${NODE}-${NODEIP}-CRL-chain.pem cat $TEMPDIR/intermediatecerts.pem "${tmpfile%%.crl}.pem" >$TEMPDIR/${NODE}-${NODEIP}-CRL-chain.pem
$OPENSSL verify -crl_check -CAfile $TEMPDIR/${NODE}-${NODEIP}-CRL-chain.pem $TEMPDIR/host_certificate.pem &>$ERRFILE # See https://github.com/drwetter/testssl.sh/pull/1051
"$HAS_PARTIAL_CHAIN" && partial_chain="-partial_chain"
$OPENSSL verify -crl_check $partial_chain -CAfile $TEMPDIR/${NODE}-${NODEIP}-CRL-chain.pem $TEMPDIR/host_certificate.pem &> "${tmpfile%%.crl}.err"
if [[ $? -eq 0 ]]; then if [[ $? -eq 0 ]]; then
out ", " out ", "
pr_svrty_good "not revoked" pr_svrty_good "not revoked"
fileout "$jsonID" "OK" "not revoked" fileout "$jsonID" "OK" "not revoked"
else else
out ", " retcode=$(awk '/error [1-9][0-9]? at [0-9]+ depth lookup:/ { if (!found) {print $2; found=1} }' "${tmpfile%%.crl}.err")
pr_svrty_critical "revoked" if [[ "$retcode" == "23" ]]; then # see verify_retcode_helper() and https://github.com/drwetter/testssl.sh/pull/1051
fileout "$jsonID" "CRITICAL" "revoked" out ", "
pr_svrty_critical "revoked"
fileout "$jsonID" "CRITICAL" "revoked"
elif [[ $DEBUG -ge 2 ]]; then
out " "
verify_retcode_helper "$retcode"
fi
fi fi
return 0 return 0
} }
@ -6218,6 +6227,7 @@ verify_retcode_helper() {
case $retcode in case $retcode in
# codes from ./doc/apps/verify.pod | verify(1ssl) # codes from ./doc/apps/verify.pod | verify(1ssl)
44) tm_out "(different CRL scope)" ;; # X509_V_ERR_DIFFERENT_CRL_SCOPE
26) tm_out "(unsupported certificate purpose)" ;; # X509_V_ERR_INVALID_PURPOSE 26) tm_out "(unsupported certificate purpose)" ;; # X509_V_ERR_INVALID_PURPOSE
24) tm_out "(certificate unreadable)" ;; # X509_V_ERR_INVALID_CA 24) tm_out "(certificate unreadable)" ;; # X509_V_ERR_INVALID_CA
23) tm_out "(certificate revoked)" ;; # X509_V_ERR_CERT_REVOKED 23) tm_out "(certificate revoked)" ;; # X509_V_ERR_CERT_REVOKED
@ -15111,6 +15121,13 @@ find_openssl_binary() {
$OPENSSL enc -aes-256-gcm -K 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef -iv 0123456789abcdef01234567 > /dev/null 2> /dev/null <<< "test" $OPENSSL enc -aes-256-gcm -K 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef -iv 0123456789abcdef01234567 > /dev/null 2> /dev/null <<< "test"
[[ $? -eq 0 ]] && HAS_AES256_GCM=true [[ $? -eq 0 ]] && HAS_AES256_GCM=true
$OPENSSL verify -partial_chain <<< "-----BEGIN CERTIFICATE-----
MIGYMGYCAQEwCQYHKoZIzj0EATAAMB4XDTE4MDUwMjE5NDk1NVoXDTE4MDYwMTE5
NDk1NVowADAyMBAGByqGSM49AgEGBSuBBAAGAx4ABIqtRNoHWKXwhKqS065E2p+0
bGW4kYxYp8ON+FMwCQYHKoZIzj0EAQMjADAgAg4qMOUGcBYIn9OouAC6EwIODVw+
r5TrwCZfR3CoB+k=
-----END CERTIFICATE-----" 2>&1 | grep -aq "recognized usages" || HAS_PARTIAL_CHAIN=true
if [[ "$OPENSSL_TIMEOUT" != "" ]]; then if [[ "$OPENSSL_TIMEOUT" != "" ]]; then
if type -p timeout >/dev/null 2>&1; then if type -p timeout >/dev/null 2>&1; then
if ! "$do_mass_testing"; then if ! "$do_mass_testing"; then