From b4f76845ce3840f5e9fd7cf6351aac2374631f19 Mon Sep 17 00:00:00 2001
From: David Cooper
Date: Thu, 26 Apr 2018 15:20:53 -0400
Subject: [PATCH] Support LDAP crLDistrubutionPoints
This PR adds support for retrieving CRLs from an LDAP URL in the cRLDistributionPoints extension if curl if available.
---
testssl.sh | 23 +++++++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index 0c44932..9d83426 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -1429,14 +1429,29 @@ check_revocation_crl() {
 local crl="$1"
 local jsonID="$2"
 local tmpfile=""
+ local scheme
+ local ldif
+ local -i success
 "$PHONE_OUT" || return 0
- # The code for obtaining CRLs only supports HTTP and HTTPS URLs.
- [[ "$(tolower "${crl:0:4}")" == "http" ]] || return 0
+ scheme="$(tolower "${crl%%://*}")"
+ # The code for obtaining CRLs only supports LDAP, HTTP, and HTTPS URLs.
+ [[ "$scheme" == "http" ]] || [[ "$scheme" == "https" ]] || [[ "$scheme" == "ldap" ]] || return 0
 tmpfile=$TEMPDIR/${NODE}-${NODEIP}.${crl##*\/} || exit $ERR_FCREATE
- http_get "$crl" "$tmpfile"
- if [[ $? -ne 0 ]]; then
+ if [[ "$scheme" == "ldap" ]]; then
+ which curl &>/dev/null || return 0
+ ldif="$(curl -s "$crl")"
+ success=$?
+ if [[ $success -eq 0 ]]; then
+ awk '/certificateRevocationList/ { print $2 }' <<< "$ldif" | $OPENSSL base64 -d -A -out "$tmpfile" 2>/dev/null
+ [[ -s "$tmpfile" ]] || success=1
+ fi
+ else
+ http_get "$crl" "$tmpfile"
+ success=$?
+ fi
+ if [[ $success -ne 0 ]]; then
 pr_warning "retrieval of \"$1\" failed"
 fileout "$jsonID" "WARN" "CRL retrieval from $1 failed"
 return 1
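Review bot: `ldif="$(curl -s "$crl")"` in the new ldap branch runs with no time bound against an LDAP host and port taken straight from the scanned server's certificate, so one unreachable or stalling distribution point can hold up the whole scan; bound it with something like `ldif="$(curl -s --max-time 10 "$crl")"` (10 is an example value, align it with the timeouts the script already applies to http_get). A curl built without LDAP support exits with status 1 (unsupported protocol) and `-s` hides its message, so the scan then prints "retrieval of ... failed" and a WARN for what is really a local tooling gap; treating that status like the missing-curl case, e.g. `[[ $success -eq 1 ]] && return 0` right after `success=$?`, keeps the WARN meaningful for genuine fetch failures. The probe `which curl &>/dev/null || return 0` is better written `command -v curl >/dev/null 2>&1 || return 0`. check_revocation_crl's body continues past the end of the hunk.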