This commit adds additional information to the "Server key size" line for a certificate if the subject public key is RSA, ECDSA, or DH.

For RSA it show the public exponent. For ECDSA, it shows the curve. For DH, it shows the group used, if it is a common prime.
This commit is contained in:
David Cooper 2020-05-06 12:16:15 -04:00
parent f492cf0336
commit 9dba2a8c9c

View File

@ -8290,7 +8290,10 @@ certificate_info() {
local sni_used="${10}" local sni_used="${10}"
local ct="${11}" local ct="${11}"
local certificate_list_ordering_problem="${12}" local certificate_list_ordering_problem="${12}"
local cert_sig_algo cert_sig_hash_algo cert_key_algo cert_keyusage cert_ext_keyusage short_keyAlgo local cert_sig_algo cert_sig_hash_algo cert_key_algo cert_spki_info
local common_primes_file="$TESTSSL_INSTALL_DIR/etc/common-primes.txt"
local -i lineno_matched=0
local cert_keyusage cert_ext_keyusage short_keyAlgo
local outok=true local outok=true
local expire days2expire secs2warn ocsp_uri crl local expire days2expire secs2warn ocsp_uri crl
local startdate enddate issuer_CN issuer_C issuer_O issuer sans san all_san="" cn local startdate enddate issuer_CN issuer_C issuer_O issuer sans san all_san="" cn
@ -8308,6 +8311,7 @@ certificate_info() {
local -i ret=0 local -i ret=0
local json_postfix="" # string to place at the end of JSON IDs when there is more than one certificate local json_postfix="" # string to place at the end of JSON IDs when there is more than one certificate
local jsonID="" # string to place at beginning of JSON IDs local jsonID="" # string to place at beginning of JSON IDs
local json_rating json_msg
local indent="" local indent=""
local days2warn2=$DAYS2WARN2 local days2warn2=$DAYS2WARN2
local days2warn1=$DAYS2WARN1 local days2warn1=$DAYS2WARN1
@ -8476,51 +8480,51 @@ certificate_info() {
if [[ $cert_key_algo =~ ecdsa ]] || [[ $cert_key_algo =~ ecPublicKey ]]; then if [[ $cert_key_algo =~ ecdsa ]] || [[ $cert_key_algo =~ ecPublicKey ]]; then
if [[ "$cert_keysize" -le 110 ]]; then # a guess if [[ "$cert_keysize" -le 110 ]]; then # a guess
pr_svrty_critical "$cert_keysize" pr_svrty_critical "$cert_keysize"
fileout "${jsonID}${json_postfix}" "CRITICAL" "$short_keyAlgo $cert_keysize bits" json_rating="CRITICAL"; json_msg="$short_keyAlgo $cert_keysize bits"
elif [[ "$cert_keysize" -le 123 ]]; then # a guess elif [[ "$cert_keysize" -le 123 ]]; then # a guess
pr_svrty_high "$cert_keysize" pr_svrty_high "$cert_keysize"
fileout "${jsonID}${json_postfix}" "HIGH" "$short_keyAlgo $cert_keysize bits" json_rating="HIGH"; json_msg="$short_keyAlgo $cert_keysize bits"
elif [[ "$cert_keysize" -le 163 ]]; then elif [[ "$cert_keysize" -le 163 ]]; then
pr_svrty_medium "$cert_keysize" pr_svrty_medium "$cert_keysize"
fileout "${jsonID}${json_postfix}" "MEDIUM" "$short_keyAlgo $cert_keysize bits" json_rating="MEDIUM"; json_msg="$short_keyAlgo $cert_keysize bits"
elif [[ "$cert_keysize" -le 224 ]]; then elif [[ "$cert_keysize" -le 224 ]]; then
out "$cert_keysize" out "$cert_keysize"
fileout "${jsonID}${json_postfix}" "INFO" "$short_keyAlgo $cert_keysize bits" json_rating="INFO"; json_msg="$short_keyAlgo $cert_keysize bits"
elif [[ "$cert_keysize" -le 533 ]]; then elif [[ "$cert_keysize" -le 533 ]]; then
pr_svrty_good "$cert_keysize" pr_svrty_good "$cert_keysize"
fileout "${jsonID}${json_postfix}" "OK" "$short_keyAlgo $cert_keysize bits" json_rating="OK"; json_msg="$short_keyAlgo $cert_keysize bits"
else else
out "keysize: $cert_keysize (not expected, FIXME)" out "keysize: $cert_keysize (not expected, FIXME)"
fileout "${jsonID}${json_postfix}" "DEBUG" " $cert_keysize bits (not expected)" json_rating="DEBUG"; json_msg=" $cert_keysize bits (not expected)"
((ret++)) ((ret++))
fi fi
outln " bits" out " bits"
set_key_str_score "$short_keyAlgo" "$cert_keysize" # TODO: should be $dh_param_size set_key_str_score "$short_keyAlgo" "$cert_keysize" # TODO: should be $dh_param_size
elif [[ $cert_key_algo =~ RSA ]] || [[ $cert_key_algo =~ rsa ]] || [[ $cert_key_algo =~ dsa ]] || \ elif [[ $cert_key_algo =~ RSA ]] || [[ $cert_key_algo =~ rsa ]] || [[ $cert_key_algo =~ dsa ]] || \
[[ $cert_key_algo =~ dhKeyAgreement ]] || [[ $cert_key_algo == X9.42\ DH ]]; then [[ $cert_key_algo =~ dhKeyAgreement ]] || [[ $cert_key_algo == X9.42\ DH ]]; then
if [[ "$cert_keysize" -le 512 ]]; then if [[ "$cert_keysize" -le 512 ]]; then
pr_svrty_critical "$cert_keysize" pr_svrty_critical "$cert_keysize"
outln " bits" out " bits"
fileout "${jsonID}${json_postfix}" "CRITICAL" "$short_keyAlgo $cert_keysize bits" json_rating="CRITICAL"; json_msg="$short_keyAlgo $cert_keysize bits"
elif [[ "$cert_keysize" -le 768 ]]; then elif [[ "$cert_keysize" -le 768 ]]; then
pr_svrty_high "$cert_keysize" pr_svrty_high "$cert_keysize"
outln " bits" out " bits"
fileout "${jsonID}${json_postfix}" "HIGH" "$short_keyAlgo $cert_keysize bits" json_rating="HIGH"; json_msg="$short_keyAlgo $cert_keysize bits"
elif [[ "$cert_keysize" -le 1024 ]]; then elif [[ "$cert_keysize" -le 1024 ]]; then
pr_svrty_medium "$cert_keysize" pr_svrty_medium "$cert_keysize"
outln " bits" out " bits"
fileout "${jsonID}${json_postfix}" "MEDIUM" "$short_keyAlgo $cert_keysize bits" json_rating="MEDIUM"; json_msg="$short_keyAlgo $cert_keysize bits"
elif [[ "$cert_keysize" -le 2048 ]]; then elif [[ "$cert_keysize" -le 2048 ]]; then
outln "$cert_keysize bits" out "$cert_keysize bits"
fileout "${jsonID}${json_postfix}" "INFO" "$short_keyAlgo $cert_keysize bits" json_rating="INFO"; json_msg="$short_keyAlgo $cert_keysize bits"
elif [[ "$cert_keysize" -le 4096 ]]; then elif [[ "$cert_keysize" -le 4096 ]]; then
pr_svrty_good "$cert_keysize" pr_svrty_good "$cert_keysize"
fileout "${jsonID}${json_postfix}" "OK" "$short_keyAlgo $cert_keysize bits" json_rating="OK"; json_msg="$short_keyAlgo $cert_keysize bits"
outln " bits" out " bits"
else else
pr_warning "weird key size: $cert_keysize bits"; outln " (could cause compatibility problems)" pr_warning "weird key size: $cert_keysize bits"; out " (could cause compatibility problems)"
fileout "${jsonID}${json_postfix}" "WARN" "$cert_keysize bits (Odd)" json_rating="WARN"; json_msg="$cert_keysize bits (Odd)"
((ret++)) ((ret++))
fi fi
@ -8528,12 +8532,53 @@ certificate_info() {
else else
out "$cert_key_algo + $cert_keysize bits (" out "$cert_key_algo + $cert_keysize bits ("
pr_warning "FIXME: can't tell whether this is good or not" pr_warning "FIXME: can't tell whether this is good or not"
outln ")" out ")"
fileout "${jsonID}${json_postfix}" "WARN" "Server keys $cert_keysize bits, unknown public key algorithm $cert_key_algo" json_rating="WARN"; json_msg="Server keys $cert_keysize bits, unknown public key algorithm $cert_key_algo"
((ret++)) ((ret++))
fi fi
fi fi
case "$short_keyAlgo" in
"RSA") cert_spki_info="${cert_txt##*Subject Public Key Info:}"
cert_spki_info="${cert_spki_info##*Public Key Algorithm:}"
cert_spki_info="${cert_spki_info#*Exponent:}"
cert_spki_info="$(strip_leading_space "$cert_spki_info")"
cert_spki_info="${cert_spki_info%%[[:space:]]*}"
if [[ -n "$cert_spki_info" ]]; then
out " (exponent is $cert_spki_info)"
json_msg+=" (exponent is $cert_spki_info)"
fi
;;
"EC") cert_spki_info="${cert_txt##*Subject Public Key Info:}"
cert_spki_info="${cert_spki_info##*Public Key Algorithm:}"
cert_spki_info="${cert_spki_info##*ASN1 OID: }"
[[ "$cert_spki_info" =~ NIST\ CURVE:\ ]] && cert_spki_info="${cert_spki_info##*NIST CURVE: }"
cert_spki_info="${cert_spki_info%%[[:space:]]*}"
cert_spki_info="$(strip_lf "$(strip_spaces "$cert_spki_info")")"
if [[ -n "$cert_spki_info" ]]; then
out " (curve $cert_spki_info)"
json_msg+=" (curve $cert_spki_info)"
fi
;;
"DH") if [[ -s "$common_primes_file" ]]; then
cert_spki_info="${cert_txt##*Subject Public Key Info:}"
cert_spki_info="${cert_spki_info##*Public Key Algorithm:}"
cert_spki_info="$(awk '/prime:|prime P:/,/generator:|generator G:/' <<< "$cert_spki_info" | grep -Ev "prime|generator")"
cert_spki_info="$(strip_spaces "$(colon_to_spaces "$(newline_to_spaces "$cert_spki_info")")")"
[[ "${cert_spki_info:0:2}" == 00 ]] && cert_spki_info="${cert_spki_info:2}"
cert_spki_info="$(toupper "$cert_spki_info")"
lineno_matched=$(grep -n "$cert_spki_info" "$common_primes_file" 2>/dev/null | awk -F':' '{ print $1 }')
if [[ "$lineno_matched" -ne 0 ]]; then
cert_spki_info="$(awk "NR == $lineno_matched-1" "$common_primes_file" | awk -F'"' '{ print $2 }')"
out " ($cert_spki_info)"
json_msg+=" ($cert_spki_info)"
fi
fi
;;
esac
outln
fileout "${jsonID}${json_postfix}" "$json_rating" "$json_msg"
out "$indent"; pr_bold " Server key usage "; out "$indent"; pr_bold " Server key usage ";
outok=true outok=true
jsonID="cert_keyUsage" jsonID="cert_keyUsage"