From aeba340dcbff44489edd9559c53473b5d00d4476 Mon Sep 17 00:00:00 2001
From: David Cooper <dcooper16@gmail.com>
Date: Thu, 25 Aug 2016 11:41:16 -0400
Subject: [PATCH] Output correct error for unsupported certificate purpose

This PR is in response to issue #454. I tried repeating the reported problem by creating a certificate in which the extendedKeyUsage extension was present and only included the anyExtendedKeyUsage OID. In running the test, I discovered two problems.

First, when `determine_trust()` is calling `verify_retcode_helper()` to display the reason that path validation failed, it assumes that there are at least two certificate bundles provided. (I was running the test using just one certificate bundle, containing my local root.) So, I changed `determine_trust()` to use `${verify_retcode[1]}` rather than `${verify_retcode[2]}` in the case that all bundles failed (it seems that 2 vs. 1 was an arbitrary choice).

Once that was fixed, testssl.sh output "NOT ok  (unknown, pls report) 26". So, the second thing this PR fixes is to output "NOT ok (unsupported certificate purpose)" if OpenSSL responds with an unsupported certificate purpose error.
---
 testssl.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index 1d91590..7c09a94 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -3697,6 +3697,7 @@ verify_retcode_helper() {
 
 	case $retcode in
 		# codes from ./doc/apps/verify.pod | verify(1ssl)
+		26) out "(unsupported certificate purpose)" ;; 	# X509_V_ERR_INVALID_PURPOSE
 		24) out "(certificate unreadable)" ;; 	# X509_V_ERR_INVALID_CA
 		23) out "(certificate revoked)" ;; 		# X509_V_ERR_CERT_REVOKED
 		21) out "(chain incomplete, only 1 cert provided)" ;; 	# X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
@@ -3779,8 +3780,8 @@ determine_trust() {
 		if ! $some_ok; then
 		     # all failed (we assume with the same issue), we're displaying the reason
                out " "
-			verify_retcode_helper "${verify_retcode[2]}"
-               fileout "${json_prefix}chain_of_trust" "NOT ok" "All certificate trust checks failed: $(verify_retcode_helper "${verify_retcode[2]}"). $addtl_warning"
+			verify_retcode_helper "${verify_retcode[1]}"
+               fileout "${json_prefix}chain_of_trust" "NOT ok" "All certificate trust checks failed: $(verify_retcode_helper "${verify_retcode[1]}"). $addtl_warning"
 		else
 			# is one ok and the others not ==> display the culprit store
 			if $some_ok ; then