Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-10-31 22:05:26 +01:00
Code Issues Packages Projects Releases Wiki Activity

Save work

Browse Source 
* old OpenBSD kinda works
* let's encrypt section moved so that OpenBSD can use it too

* Days are wrong
* Date format is not the same as with e.g. GNUdate (but should be)
* variables y m d not declared
* date warning for openbsd completely missing
This commit is contained in:
Dirk
2020-01-07 13:56:08 +01:00
parent 7ff4ebfc0c
commit a42b98c0ff
1 changed files with 48 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

76
testssl.sh
View File

@@ -150,7 +150,7 @@ declare -r -a CMDLINE_ARRAY=("$@") # When performing mass testing
declare -a MASS_TESTING_CMDLINE # command line in the form of an array (see #702 and http://mywiki.wooledge.org/BashFAQ/050). declare -a MASS_TESTING_CMDLINE # command line in the form of an array (see #702 and http://mywiki.wooledge.org/BashFAQ/050).
########### Some predefinitions: date, sed (we always use test and not try to determine ########### Some predefinitions: date, sed (we always use test and NOT try to determine
# capabilities by querying the OS) # capabilities by querying the OS)
# #
HAS_GNUDATE=false HAS_GNUDATE=false
@@ -158,13 +158,14 @@ HAS_FREEBSDDATE=false
HAS_OPENBSDDATE=false HAS_OPENBSDDATE=false
if date -d @735275209 >/dev/null 2>&1; then if date -d @735275209 >/dev/null 2>&1; then
if date -r @735275209 >/dev/null 2>&1; then if date -r @735275209 >/dev/null 2>&1; then
# it can't do any conversion from a plain date output # It can't do any conversion from a plain date output.
HAS_OPENBSDDATE=true HAS_OPENBSDDATE=true
else else
HAS_GNUDATE=true HAS_GNUDATE=true
fi fi
fi fi
# FreeBSD and OS X date(1) accept "-f inputformat" # FreeBSD and OS X date(1) accept "-f inputformat"
# so newer OpenBSD versions >~ 6.6.
date -j -f '%s' 1234567 >/dev/null 2>&1 && \ date -j -f '%s' 1234567 >/dev/null 2>&1 && \
HAS_FREEBSDDATE=true HAS_FREEBSDDATE=true
@@ -1873,18 +1874,28 @@ wait_kill(){
} }
# parse_date date format input-format # parse_date date format input-format
if "$HAS_GNUDATE"; then # Linux and NetBSD if "$HAS_GNUDATE"; then # Linux and NetBSD
parse_date() { parse_date() {
LC_ALL=C date -d "$1" "$2" LC_ALL=C date -d "$1" "$2"
} }
elif "$HAS_FREEBSDDATE"; then # FreeBSD and OS X elif "$HAS_FREEBSDDATE"; then # FreeBSD, OS X and newer (~6.6) OpenBSD versions
parse_date() { parse_date() {
LC_ALL=C date -j -f "$3" "$2" "$1" LC_ALL=C date -j -f "$3" "$2" "$1"
} }
elif "$HAS_OPENBSDDATE"; then elif "$HAS_OPENBSDDATE"; then
# We bascially echo it as a conversion as we want it is too difficult. Approach for that would be:
# printf '%s\n' "$1" | awk '{ printf "%04d%02d%02d\n", $4, $2, (index("JanFebMarAprMayJunJulAugSepOctNovDec",$1)+2)/3}'
# 4: year, 1: month, 2: day, $3: time (e.g. "Dec 8 10:16:13 2016")
# This way we *could* also convert args to epoch but as newer OpenBSDs "date" behave like FreeBSD
# we leave this like it is --> a legacy crutch
parse_date() { parse_date() {
# we just echo it as a conversion as we want it is not possible local tmp=""
echo "$1" if [[ $2 == +%s* ]]; then
echo "${1// GMT}"
else
tmp="$(printf '%s\n' "$1" | awk '{ printf "%04d%02d%02d %08s\n", $4, (index("JanFebMarAprMayJunJulAugSepOctNovDec",$1)+2)/3, $2, $3 }')"
echo "${tmp//:/}" # remove colons in h:m:s. Result: 20161208 101613
fi
} }
else else
parse_date() { parse_date() {
@@ -8119,7 +8130,7 @@ certificate_info() {
local provides_stapling=false local provides_stapling=false
local caa_node="" all_caa="" caa_property_name="" caa_property_value="" local caa_node="" all_caa="" caa_property_name="" caa_property_value=""
local response="" local response=""
local a b c yearstart yearend local yearstart yearend clockstart clockend
if [[ $number_of_certificates -gt 1 ]]; then if [[ $number_of_certificates -gt 1 ]]; then
[[ $certificate_number -eq 1 ]] && outln [[ $certificate_number -eq 1 ]] && outln
@@ -8674,37 +8685,44 @@ certificate_info() {
# For now we leave this here. We may want to change that later or add infos to other sections (PFS & vulnerability) # For now we leave this here. We may want to change that later or add infos to other sections (PFS & vulnerability)
out "$indent"; pr_bold " Certificate Validity (UTC) " out "$indent"; pr_bold " Certificate Validity (UTC) "
# FreeBSD + OSX can't swallow the leading blank: # FreeBSD + OSX can't swallow the leading blank:
enddate="${cert_txt#*Validity*Not Before: *Not After : }"
enddate="${enddate%%GMT*}GMT"
startdate="${cert_txt#*Validity*Not Before: }" startdate="${cert_txt#*Validity*Not Before: }"
startdate="${startdate%%GMT*}GMT" startdate="${startdate%%GMT*}GMT"
# Now we have a normalized enddate and startdate like "Feb 27 10:03:20 2017 GMT" -- also for OpenBSD enddate="${cert_txt#*Validity*Not Before: *Not After : }"
enddate="${enddate%%GMT*}GMT"
debugme echo "$enddate - $startdate" debugme echo "$enddate - $startdate"
# In all OS except OpenBSD it'll be reduced to "2017-02-27 11:03" # Now we have a normalized enddate and startdate like "Feb 27 10:03:20 2017 GMT" -- also for OpenBSD
enddate="$(parse_date "$enddate" +"%F %H:%M" "%b %d %T %Y %Z")"
startdate="$(parse_date "$startdate" +"%F %H:%M" "%b %d %T %Y %Z")"
if "$HAS_OPENBSDDATE"; then if "$HAS_OPENBSDDATE"; then
# best we are able to do under OpenBSD # Best we want to do under old versions of OpenBSD, first just remove the GMT and keep start/endate for later output
days2expire="" startdate="$(parse_date "$startdate" "+%s")"
read a b c yearstart tz <<< "$startdate" enddate="$(parse_date "$enddate" "+%s")"
read a b c yearend tz <<< "$enddate" # Now we extract a date block and a time block
# we only take the year here as OpenBSD's date is not for conversion read yearstart clockstart <<< "$(parse_date "$startdate" +"%F %H:%M" "%b %d %T %Y %Z")"
diffseconds=$((yearend - yearstart)) read yearend clockend <<< "$(parse_date "$enddate" +"%F %H:%M" "%b %d %T %Y %Z")"
diffseconds=$((diffseconds * 3600 * 24 * 365)) debugme echo "$yearstart, $clockstart"
debugme echo "$yearend, $clockend"
y=$(( ${yearend:0:4} - ${yearstart:0:4} ))
m=$(( ${yearend:4:1} - ${yearstart:4:1} + ${yearend:5:1} - ${yearstart:5:1} ))
d=$(( ${yearend:6:2} - ${yearstart:6:2} ))
# We only take the year here as old OpenBSD's date is too difficult for conversion, see comment in parse_date()
# We estimate the days left, length of month/year:
days2expire=$(( d + ((m*30)) + ((y*365)) ))
diffseconds=$((days2expire * 3600 * 24))
else else
startdate="$(parse_date "$startdate" +"%F %H:%M" "%b %d %T %Y %Z")"
enddate="$(parse_date "$enddate" +"%F %H:%M" "%b %d %T %Y %Z")"
days2expire=$(( $(parse_date "$enddate" "+%s" $'%F %H:%M') - $(LC_ALL=C date "+%s") )) # first in seconds days2expire=$(( $(parse_date "$enddate" "+%s" $'%F %H:%M') - $(LC_ALL=C date "+%s") )) # first in seconds
days2expire=$((days2expire / 3600 / 24 )) days2expire=$((days2expire / 3600 / 24 ))
# we adjust the thresholds by %50 for LE certificates, relaxing those warnings
# . instead of \' because it does not break syntax highlighting in vim
if [[ "$issuer_CN" =~ ^Let.s\ Encrypt\ Authority ]] ; then
days2warn2=$((days2warn2 / 2))
days2warn1=$((days2warn1 / 2))
fi
diffseconds=$(( $(parse_date "$enddate" "+%s" $'%F %H:%M') - $(parse_date "$startdate" "+%s" $'%F %H:%M') )) diffseconds=$(( $(parse_date "$enddate" "+%s" $'%F %H:%M') - $(parse_date "$startdate" "+%s" $'%F %H:%M') ))
fi fi
# We adjust the thresholds by %50 for LE certificates, relaxing those warnings
# . instead of \' because it does not break syntax highlighting in vim
if [[ "$issuer_CN" =~ ^Let.s\ Encrypt\ Authority ]] ; then
days2warn2=$((days2warn2 / 2))
days2warn1=$((days2warn1 / 2))
fi
debugme echo -n "diffseconds: $diffseconds" debugme echo -n "diffseconds: $diffseconds"
expire=$($OPENSSL x509 -in $HOSTCERT -checkend 1 2>>$ERRFILE) expire=$($OPENSSL x509 -in $HOSTCERT -checkend 1 2>>$ERRFILE)
if ! grep -qw not <<< "$expire" ; then if ! grep -qw not <<< "$expire" ; then
@@ -8748,9 +8766,11 @@ certificate_info() {
out "$spaces" out "$spaces"
prln_svrty_medium ">= 5 years is too long" prln_svrty_medium ">= 5 years is too long"
fileout "cert_validityPeriod${json_postfix}" "MEDIUM" "$((diffseconds / (3600 * 24) )) days" fileout "cert_validityPeriod${json_postfix}" "MEDIUM" "$((diffseconds / (3600 * 24) )) days"
elif "$HAS_OPENBSDDATE"; then
:
elif [[ $diffseconds -ge $((3600 * 24 * 825)) ]] && [[ $(parse_date "$startdate" "+%s" $'%F %H:%M') -ge 1517353200 ]]; then elif [[ $diffseconds -ge $((3600 * 24 * 825)) ]] && [[ $(parse_date "$startdate" "+%s" $'%F %H:%M') -ge 1517353200 ]]; then
out "$spaces" out "$spaces"
prln_svrty_medium ">= 825 days and issue >= 2018/03/01 is too long" prln_svrty_medium ">= 825 days issued after 2018/03/01 is too long"
fileout "cert_validityPeriod${json_postfix}" "MEDIUM" "$((diffseconds / (3600 * 24) )) >= 825 days" fileout "cert_validityPeriod${json_postfix}" "MEDIUM" "$((diffseconds / (3600 * 24) )) >= 825 days"
else else
# We ignore for now certificates < 2018/03/01. It's only debug info # We ignore for now certificates < 2018/03/01. It's only debug info