This commit adds additional information to the "Server key size" line for a certificate if the subject public key is RSA, ECDSA, or DH.

For RSA it show the public exponent. For ECDSA, it shows the curve. For DH, it shows the group used, if it is a common prime.
This commit is contained in:
David Cooper 2020-05-06 12:16:15 -04:00
parent f492cf0336
commit 9dba2a8c9c
1 changed files with 67 additions and 22 deletions

View File

@ -8290,7 +8290,10 @@ certificate_info() {
local sni_used="${10}"
local ct="${11}"
local certificate_list_ordering_problem="${12}"
local cert_sig_algo cert_sig_hash_algo cert_key_algo cert_keyusage cert_ext_keyusage short_keyAlgo
local cert_sig_algo cert_sig_hash_algo cert_key_algo cert_spki_info
local common_primes_file="$TESTSSL_INSTALL_DIR/etc/common-primes.txt"
local -i lineno_matched=0
local cert_keyusage cert_ext_keyusage short_keyAlgo
local outok=true
local expire days2expire secs2warn ocsp_uri crl
local startdate enddate issuer_CN issuer_C issuer_O issuer sans san all_san="" cn
@ -8308,6 +8311,7 @@ certificate_info() {
local -i ret=0
local json_postfix="" # string to place at the end of JSON IDs when there is more than one certificate
local jsonID="" # string to place at beginning of JSON IDs
local json_rating json_msg
local indent=""
local days2warn2=$DAYS2WARN2
local days2warn1=$DAYS2WARN1
@ -8476,51 +8480,51 @@ certificate_info() {
if [[ $cert_key_algo =~ ecdsa ]] || [[ $cert_key_algo =~ ecPublicKey ]]; then
if [[ "$cert_keysize" -le 110 ]]; then # a guess
pr_svrty_critical "$cert_keysize"
fileout "${jsonID}${json_postfix}" "CRITICAL" "$short_keyAlgo $cert_keysize bits"
json_rating="CRITICAL"; json_msg="$short_keyAlgo $cert_keysize bits"
elif [[ "$cert_keysize" -le 123 ]]; then # a guess
pr_svrty_high "$cert_keysize"
fileout "${jsonID}${json_postfix}" "HIGH" "$short_keyAlgo $cert_keysize bits"
json_rating="HIGH"; json_msg="$short_keyAlgo $cert_keysize bits"
elif [[ "$cert_keysize" -le 163 ]]; then
pr_svrty_medium "$cert_keysize"
fileout "${jsonID}${json_postfix}" "MEDIUM" "$short_keyAlgo $cert_keysize bits"
json_rating="MEDIUM"; json_msg="$short_keyAlgo $cert_keysize bits"
elif [[ "$cert_keysize" -le 224 ]]; then
out "$cert_keysize"
fileout "${jsonID}${json_postfix}" "INFO" "$short_keyAlgo $cert_keysize bits"
json_rating="INFO"; json_msg="$short_keyAlgo $cert_keysize bits"
elif [[ "$cert_keysize" -le 533 ]]; then
pr_svrty_good "$cert_keysize"
fileout "${jsonID}${json_postfix}" "OK" "$short_keyAlgo $cert_keysize bits"
json_rating="OK"; json_msg="$short_keyAlgo $cert_keysize bits"
else
out "keysize: $cert_keysize (not expected, FIXME)"
fileout "${jsonID}${json_postfix}" "DEBUG" " $cert_keysize bits (not expected)"
json_rating="DEBUG"; json_msg=" $cert_keysize bits (not expected)"
((ret++))
fi
outln " bits"
out " bits"
set_key_str_score "$short_keyAlgo" "$cert_keysize" # TODO: should be $dh_param_size
elif [[ $cert_key_algo =~ RSA ]] || [[ $cert_key_algo =~ rsa ]] || [[ $cert_key_algo =~ dsa ]] || \
[[ $cert_key_algo =~ dhKeyAgreement ]] || [[ $cert_key_algo == X9.42\ DH ]]; then
if [[ "$cert_keysize" -le 512 ]]; then
pr_svrty_critical "$cert_keysize"
outln " bits"
fileout "${jsonID}${json_postfix}" "CRITICAL" "$short_keyAlgo $cert_keysize bits"
out " bits"
json_rating="CRITICAL"; json_msg="$short_keyAlgo $cert_keysize bits"
elif [[ "$cert_keysize" -le 768 ]]; then
pr_svrty_high "$cert_keysize"
outln " bits"
fileout "${jsonID}${json_postfix}" "HIGH" "$short_keyAlgo $cert_keysize bits"
out " bits"
json_rating="HIGH"; json_msg="$short_keyAlgo $cert_keysize bits"
elif [[ "$cert_keysize" -le 1024 ]]; then
pr_svrty_medium "$cert_keysize"
outln " bits"
fileout "${jsonID}${json_postfix}" "MEDIUM" "$short_keyAlgo $cert_keysize bits"
out " bits"
json_rating="MEDIUM"; json_msg="$short_keyAlgo $cert_keysize bits"
elif [[ "$cert_keysize" -le 2048 ]]; then
outln "$cert_keysize bits"
fileout "${jsonID}${json_postfix}" "INFO" "$short_keyAlgo $cert_keysize bits"
out "$cert_keysize bits"
json_rating="INFO"; json_msg="$short_keyAlgo $cert_keysize bits"
elif [[ "$cert_keysize" -le 4096 ]]; then
pr_svrty_good "$cert_keysize"
fileout "${jsonID}${json_postfix}" "OK" "$short_keyAlgo $cert_keysize bits"
outln " bits"
json_rating="OK"; json_msg="$short_keyAlgo $cert_keysize bits"
out " bits"
else
pr_warning "weird key size: $cert_keysize bits"; outln " (could cause compatibility problems)"
fileout "${jsonID}${json_postfix}" "WARN" "$cert_keysize bits (Odd)"
pr_warning "weird key size: $cert_keysize bits"; out " (could cause compatibility problems)"
json_rating="WARN"; json_msg="$cert_keysize bits (Odd)"
((ret++))
fi
@ -8528,12 +8532,53 @@ certificate_info() {
else
out "$cert_key_algo + $cert_keysize bits ("
pr_warning "FIXME: can't tell whether this is good or not"
outln ")"
fileout "${jsonID}${json_postfix}" "WARN" "Server keys $cert_keysize bits, unknown public key algorithm $cert_key_algo"
out ")"
json_rating="WARN"; json_msg="Server keys $cert_keysize bits, unknown public key algorithm $cert_key_algo"
((ret++))
fi
fi
case "$short_keyAlgo" in
"RSA") cert_spki_info="${cert_txt##*Subject Public Key Info:}"
cert_spki_info="${cert_spki_info##*Public Key Algorithm:}"
cert_spki_info="${cert_spki_info#*Exponent:}"
cert_spki_info="$(strip_leading_space "$cert_spki_info")"
cert_spki_info="${cert_spki_info%%[[:space:]]*}"
if [[ -n "$cert_spki_info" ]]; then
out " (exponent is $cert_spki_info)"
json_msg+=" (exponent is $cert_spki_info)"
fi
;;
"EC") cert_spki_info="${cert_txt##*Subject Public Key Info:}"
cert_spki_info="${cert_spki_info##*Public Key Algorithm:}"
cert_spki_info="${cert_spki_info##*ASN1 OID: }"
[[ "$cert_spki_info" =~ NIST\ CURVE:\ ]] && cert_spki_info="${cert_spki_info##*NIST CURVE: }"
cert_spki_info="${cert_spki_info%%[[:space:]]*}"
cert_spki_info="$(strip_lf "$(strip_spaces "$cert_spki_info")")"
if [[ -n "$cert_spki_info" ]]; then
out " (curve $cert_spki_info)"
json_msg+=" (curve $cert_spki_info)"
fi
;;
"DH") if [[ -s "$common_primes_file" ]]; then
cert_spki_info="${cert_txt##*Subject Public Key Info:}"
cert_spki_info="${cert_spki_info##*Public Key Algorithm:}"
cert_spki_info="$(awk '/prime:|prime P:/,/generator:|generator G:/' <<< "$cert_spki_info" | grep -Ev "prime|generator")"
cert_spki_info="$(strip_spaces "$(colon_to_spaces "$(newline_to_spaces "$cert_spki_info")")")"
[[ "${cert_spki_info:0:2}" == 00 ]] && cert_spki_info="${cert_spki_info:2}"
cert_spki_info="$(toupper "$cert_spki_info")"
lineno_matched=$(grep -n "$cert_spki_info" "$common_primes_file" 2>/dev/null | awk -F':' '{ print $1 }')
if [[ "$lineno_matched" -ne 0 ]]; then
cert_spki_info="$(awk "NR == $lineno_matched-1" "$common_primes_file" | awk -F'"' '{ print $2 }')"
out " ($cert_spki_info)"
json_msg+=" ($cert_spki_info)"
fi
fi
;;
esac
outln
fileout "${jsonID}${json_postfix}" "$json_rating" "$json_msg"
out "$indent"; pr_bold " Server key usage ";
outok=true
jsonID="cert_keyUsage"