Fix JSON output for public key algorithm
For a non-EC public key algorithm of the server certificate the terminal output contained the algorithm but not the file output. This PR fixes that, see also #1187, and puts the public key algorithm first in the cert_keySize -- also for EC certificates. In addition it fixes the recognition of ECDSA certificates, which were detected as DSA certificates (order in case statement). Also, in a few double square brackets there was an assignment operator '=' instead of a test operator '=='.
This commit is contained in:
parent
8fb0b70124
commit
b4bc334bb8
43
testssl.sh
43
testssl.sh
@ -7762,7 +7762,7 @@ certificate_info() {
|
|||||||
local sni_used="${10}"
|
local sni_used="${10}"
|
||||||
local ct="${11}"
|
local ct="${11}"
|
||||||
local certificate_list_ordering_problem="${12}"
|
local certificate_list_ordering_problem="${12}"
|
||||||
local cert_sig_algo cert_sig_hash_algo cert_key_algo cert_keyusage cert_ext_keyusage
|
local cert_sig_algo cert_sig_hash_algo cert_key_algo cert_keyusage cert_ext_keyusage short_keyAlgo
|
||||||
local outok=true
|
local outok=true
|
||||||
local expire days2expire secs2warn ocsp_uri crl
|
local expire days2expire secs2warn ocsp_uri crl
|
||||||
local startdate enddate issuer_CN issuer_C issuer_O issuer sans san all_san="" cn
|
local startdate enddate issuer_CN issuer_C issuer_O issuer sans san all_san="" cn
|
||||||
@ -7923,60 +7923,61 @@ certificate_info() {
|
|||||||
((ret++))
|
((ret++))
|
||||||
else
|
else
|
||||||
case $cert_key_algo in
|
case $cert_key_algo in
|
||||||
*RSA*|*rsa*) out "RSA ";;
|
*RSA*|*rsa*) short_keyAlgo="RSA";;
|
||||||
*DSA*|*dsa*) out "DSA ";;
|
*ecdsa*|*ecPublicKey) short_keyAlgo="EC";;
|
||||||
*ecdsa*|*ecPublicKey) out "EC ";;
|
*DSA*|*dsa*) short_keyAlgo="DSA";;
|
||||||
*GOST*|*gost*) out "GOST ";;
|
*GOST*|*gost*) short_keyAlgo="GOST";;
|
||||||
*dh*|*DH*) out "DH " ;;
|
*dh*|*DH*) short_keyAlgo="DH" ;;
|
||||||
*) pr_fixme "don't know $cert_key_algo "
|
*) pr_fixme "don't know $cert_key_algo "
|
||||||
let ret++ ;;
|
let ret++ ;;
|
||||||
esac
|
esac
|
||||||
|
out "$short_keyAlgo "
|
||||||
# https://tools.ietf.org/html/rfc4492, http://www.keylength.com/en/compare/
|
# https://tools.ietf.org/html/rfc4492, http://www.keylength.com/en/compare/
|
||||||
# http://infoscience.epfl.ch/record/164526/files/NPDF-22.pdf
|
# http://infoscience.epfl.ch/record/164526/files/NPDF-22.pdf
|
||||||
# see http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf
|
# see http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf
|
||||||
# Table 2 @ chapter 5.6.1 (~ p64)
|
# Table 2 @ chapter 5.6.1 (~ p64)
|
||||||
if [[ $cert_key_algo =~ ecdsa ]] || [[ $cert_key_algo =~ ecPublicKey ]]; then
|
if [[ $cert_key_algo =~ ecdsa ]] || [[ $cert_key_algo =~ ecPublicKey ]]; then
|
||||||
if [[ "$cert_keysize" -le 110 ]]; then # a guess
|
if [[ "$cert_keysize" -le 110 ]]; then # a guess
|
||||||
pr_svrty_critical "$cert_keysize"
|
pr_svrty_critical "$cert_keysize"
|
||||||
fileout "${jsonID}${json_postfix}" "CRITICAL" "$cert_keysize EC bits"
|
fileout "${jsonID}${json_postfix}" "CRITICAL" "$short_keyAlgo $cert_keysize bits"
|
||||||
elif [[ "$cert_keysize" -le 123 ]]; then # a guess
|
elif [[ "$cert_keysize" -le 123 ]]; then # a guess
|
||||||
pr_svrty_high "$cert_keysize"
|
pr_svrty_high "$cert_keysize"
|
||||||
fileout "${jsonID}${json_postfix}" "HIGH" "$cert_keysize EC bits"
|
fileout "${jsonID}${json_postfix}" "HIGH" "$short_keyAlgo $cert_keysize bits"
|
||||||
elif [[ "$cert_keysize" -le 163 ]]; then
|
elif [[ "$cert_keysize" -le 163 ]]; then
|
||||||
pr_svrty_medium "$cert_keysize"
|
pr_svrty_medium "$cert_keysize"
|
||||||
fileout "${jsonID}${json_postfix}" "MEDIUM" "$cert_keysize EC bits"
|
fileout "${jsonID}${json_postfix}" "MEDIUM" "$short_keyAlgo $cert_keysize bits"
|
||||||
elif [[ "$cert_keysize" -le 224 ]]; then
|
elif [[ "$cert_keysize" -le 224 ]]; then
|
||||||
out "$cert_keysize"
|
out "$cert_keysize"
|
||||||
fileout "${jsonID}${json_postfix}" "INFO" "$cert_keysize EC bits"
|
fileout "${jsonID}${json_postfix}" "INFO" "$short_keyAlgo $cert_keysize bits"
|
||||||
elif [[ "$cert_keysize" -le 533 ]]; then
|
elif [[ "$cert_keysize" -le 533 ]]; then
|
||||||
pr_svrty_good "$cert_keysize"
|
pr_svrty_good "$cert_keysize"
|
||||||
fileout "${jsonID}${json_postfix}" "OK" "$cert_keysize EC bits"
|
fileout "${jsonID}${json_postfix}" "OK" "$short_keyAlgo $cert_keysize bits"
|
||||||
else
|
else
|
||||||
out "keysize: $cert_keysize (not expected, FIXME)"
|
out "keysize: $cert_keysize (not expected, FIXME)"
|
||||||
fileout "${jsonID}${json_postfix}" "DEBUG" " $cert_keysize bits (not expected)"
|
fileout "${jsonID}${json_postfix}" "DEBUG" " $cert_keysize bits (not expected)"
|
||||||
((ret++))
|
((ret++))
|
||||||
fi
|
fi
|
||||||
outln " bits"
|
outln " bits"
|
||||||
elif [[ $cert_key_algo = *RSA* ]] || [[ $cert_key_algo = *rsa* ]] || [[ $cert_key_algo = *dsa* ]] || \
|
elif [[ $cert_key_algo =~ RSA ]] || [[ $cert_key_algo =~ rsa ]] || [[ $cert_key_algo =~ dsa ]] || \
|
||||||
[[ $cert_key_algo =~ dhKeyAgreement ]] || [[ $cert_key_algo =~ 'X9.42 DH' ]]; then
|
[[ $cert_key_algo =~ dhKeyAgreement ]] || [[ $cert_key_algo == X9.42\ DH ]]; then
|
||||||
if [[ "$cert_keysize" -le 512 ]]; then
|
if [[ "$cert_keysize" -le 512 ]]; then
|
||||||
pr_svrty_critical "$cert_keysize"
|
pr_svrty_critical "$cert_keysize"
|
||||||
outln " bits"
|
outln " bits"
|
||||||
fileout "${jsonID}${json_postfix}" "CRITICAL" "$cert_keysize bits"
|
fileout "${jsonID}${json_postfix}" "CRITICAL" "$short_keyAlgo $cert_keysize bits"
|
||||||
elif [[ "$cert_keysize" -le 768 ]]; then
|
elif [[ "$cert_keysize" -le 768 ]]; then
|
||||||
pr_svrty_high "$cert_keysize"
|
pr_svrty_high "$cert_keysize"
|
||||||
outln " bits"
|
outln " bits"
|
||||||
fileout "${jsonID}${json_postfix}" "HIGH" "$cert_keysize bits"
|
fileout "${jsonID}${json_postfix}" "HIGH" "$short_keyAlgo $cert_keysize bits"
|
||||||
elif [[ "$cert_keysize" -le 1024 ]]; then
|
elif [[ "$cert_keysize" -le 1024 ]]; then
|
||||||
pr_svrty_medium "$cert_keysize"
|
pr_svrty_medium "$cert_keysize"
|
||||||
outln " bits"
|
outln " bits"
|
||||||
fileout "${jsonID}${json_postfix}" "MEDIUM" "$cert_keysize bits"
|
fileout "${jsonID}${json_postfix}" "MEDIUM" "$short_keyAlgo $cert_keysize bits"
|
||||||
elif [[ "$cert_keysize" -le 2048 ]]; then
|
elif [[ "$cert_keysize" -le 2048 ]]; then
|
||||||
outln "$cert_keysize bits"
|
outln "$cert_keysize bits"
|
||||||
fileout "${jsonID}${json_postfix}" "INFO" "$cert_keysize bits"
|
fileout "${jsonID}${json_postfix}" "INFO" "$short_keyAlgo $cert_keysize bits"
|
||||||
elif [[ "$cert_keysize" -le 4096 ]]; then
|
elif [[ "$cert_keysize" -le 4096 ]]; then
|
||||||
pr_svrty_good "$cert_keysize"
|
pr_svrty_good "$cert_keysize"
|
||||||
fileout "${jsonID}${json_postfix}" "OK" "$cert_keysize bits"
|
fileout "${jsonID}${json_postfix}" "OK" "$short_keyAlgo $cert_keysize bits"
|
||||||
outln " bits"
|
outln " bits"
|
||||||
else
|
else
|
||||||
pr_warning "weird key size: $cert_keysize bits"; outln " (could cause compatibility problems)"
|
pr_warning "weird key size: $cert_keysize bits"; outln " (could cause compatibility problems)"
|
||||||
@ -7984,10 +7985,10 @@ certificate_info() {
|
|||||||
((ret++))
|
((ret++))
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
out "$cert_keysize bits ("
|
out "$cert_key_algo + $cert_keysize bits ("
|
||||||
pr_warning "FIXME: can't tell whether this is good or not"
|
pr_warning "FIXME: can't tell whether this is good or not"
|
||||||
outln ")"
|
outln ")"
|
||||||
fileout "${jsonID}${json_postfix}" "WARN" "Server keys $cert_keysize bits (unknown signature algorithm)"
|
fileout "${jsonID}${json_postfix}" "WARN" "Server keys $cert_keysize bits, unknown public key algorithm $cert_key_algo"
|
||||||
((ret++))
|
((ret++))
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
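Review bot: The rewritten DH test in the second hunk, `[[ $cert_key_algo == X9.42\ DH ]]`, narrows the match from a substring search to an exact whole-string comparison, whereas the old `=~ 'X9.42 DH'` matched anywhere in the value; if cert_key_algo carries any surrounding text or whitespace (it is derived outside these hunks, so I cannot confirm its exact shape), such certificates would drop into the final "unknown public key algorithm" WARN branch even though the case statement above has already classified them as DH. Keeping substring semantics with `[[ $cert_key_algo == *"X9.42 DH"* ]]` preserves the previous behavior. Note also that inside `[[ ]]` the `=` operator is a test operator equivalent to `==`, so the `=`-to-`=~` changes on the RSA/rsa/dsa line are cosmetic rather than fixes, which is worth stating in the commit message. In the `*)` arm of the case statement short_keyAlgo stays empty, so the added `out "$short_keyAlgo "` prints a stray leading space for unrecognized algorithms; a `short_keyAlgo=""` initialization with a comment such as `# empty: algorithm not recognized, reported verbatim below` would make that intent explicit. certificate_info() begins and ends outside the visible hunks.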