Save intermediate certificates for more use
As there are suggestions to check intermediate certificates for things such as expiration date, this commit saves the text version of each intermediate certificate so that it is available for extracting additional information.
This commit is contained in:
parent
17ee0245b5
commit
bd856e2ada
18
testssl.sh
18
testssl.sh
@ -8303,7 +8303,7 @@ certificate_info() {
|
|||||||
local -i certificate_number=$1
|
local -i certificate_number=$1
|
||||||
local -i number_of_certificates=$2
|
local -i number_of_certificates=$2
|
||||||
local cert_txt="$3"
|
local cert_txt="$3"
|
||||||
local intermediate_certs="$4"
|
local intermediates="$4"
|
||||||
local cipher=$5
|
local cipher=$5
|
||||||
local cert_keysize=$6
|
local cert_keysize=$6
|
||||||
local cert_type="$7"
|
local cert_type="$7"
|
||||||
@ -8321,13 +8321,14 @@ certificate_info() {
|
|||||||
local expire days2expire secs2warn ocsp_uri crl
|
local expire days2expire secs2warn ocsp_uri crl
|
||||||
local startdate enddate issuer_CN issuer_C issuer_O issuer sans san all_san="" cn
|
local startdate enddate issuer_CN issuer_C issuer_O issuer sans san all_san="" cn
|
||||||
local issuer_DC issuerfinding cn_nosni=""
|
local issuer_DC issuerfinding cn_nosni=""
|
||||||
local cert_fingerprint_sha1 cert_fingerprint_sha2 cert_serial intermediates cert
|
local cert_fingerprint_sha1 cert_fingerprint_sha2 cert_serial cert
|
||||||
|
local -a intermediate_certs=()
|
||||||
local policy_oid
|
local policy_oid
|
||||||
local spaces=""
|
local spaces=""
|
||||||
local -i trust_sni=0 trust_nosni=0 diffseconds=0
|
local -i trust_sni=0 trust_nosni=0 diffseconds=0
|
||||||
local has_dns_sans has_dns_sans_nosni
|
local has_dns_sans has_dns_sans_nosni
|
||||||
local trust_sni_finding
|
local trust_sni_finding
|
||||||
local -i certificates_provided
|
local -i i certificates_provided=0
|
||||||
local cnfinding trustfinding trustfinding_nosni
|
local cnfinding trustfinding trustfinding_nosni
|
||||||
local cnok="OK"
|
local cnok="OK"
|
||||||
local expfinding expok="OK"
|
local expfinding expok="OK"
|
||||||
@ -8980,14 +8981,20 @@ certificate_info() {
|
|||||||
#FIXME: We just raise the flag saying the chain is bad w/o naming the intermediate
|
#FIXME: We just raise the flag saying the chain is bad w/o naming the intermediate
|
||||||
# cert to blame.
|
# cert to blame.
|
||||||
|
|
||||||
intermediates="$intermediate_certs"
|
# Store all of the intermediate certificates in an array so that they can
|
||||||
|
# be used later (e.g., to check their expiration dates).
|
||||||
while true; do
|
while true; do
|
||||||
[[ "$intermediates" =~ \-\-\-\-\-\BEGIN\ CERTIFICATE\-\-\-\-\- ]] || break
|
[[ "$intermediates" =~ \-\-\-\-\-\BEGIN\ CERTIFICATE\-\-\-\-\- ]] || break
|
||||||
intermediates="${intermediates#*-----BEGIN CERTIFICATE-----}"
|
intermediates="${intermediates#*-----BEGIN CERTIFICATE-----}"
|
||||||
cert="${intermediates%%-----END CERTIFICATE-----*}"
|
cert="${intermediates%%-----END CERTIFICATE-----*}"
|
||||||
intermediates="${intermediates#${cert}-----END CERTIFICATE-----}"
|
intermediates="${intermediates#${cert}-----END CERTIFICATE-----}"
|
||||||
cert="-----BEGIN CERTIFICATE-----${cert}-----END CERTIFICATE-----"
|
cert="-----BEGIN CERTIFICATE-----${cert}-----END CERTIFICATE-----"
|
||||||
cert_ext_keyusage="$($OPENSSL x509 -text -noout 2>/dev/null <<< "$cert" | awk '/X509v3 Extended Key Usage:/ { getline; print $0 }')"
|
intermediate_certs[certificates_provided]="$($OPENSSL x509 -text -noout 2>/dev/null <<< "$cert")"
|
||||||
|
certificates_provided+=1
|
||||||
|
done
|
||||||
|
certificates_provided+=1
|
||||||
|
for (( i=0; i < certificates_provided-1; i++ )); do
|
||||||
|
cert_ext_keyusage="$(awk '/X509v3 Extended Key Usage:/ { getline; print $0 }' <<< "${intermediate_certs[i]}")"
|
||||||
[[ "$cert_ext_keyusage" =~ OCSP\ Signing ]] && badocsp=0 && break
|
[[ "$cert_ext_keyusage" =~ OCSP\ Signing ]] && badocsp=0 && break
|
||||||
done
|
done
|
||||||
if [[ $badocsp -eq 0 ]]; then
|
if [[ $badocsp -eq 0 ]]; then
|
||||||
@ -9121,7 +9128,6 @@ certificate_info() {
|
|||||||
fileout "cert_validityPeriod${json_postfix}" "INFO" "No finding"
|
fileout "cert_validityPeriod${json_postfix}" "INFO" "No finding"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem)
|
|
||||||
out "$indent"; pr_bold " # of certificates provided"; out " $certificates_provided"
|
out "$indent"; pr_bold " # of certificates provided"; out " $certificates_provided"
|
||||||
fileout "certs_countServer${json_postfix}" "INFO" "${certificates_provided}"
|
fileout "certs_countServer${json_postfix}" "INFO" "${certificates_provided}"
|
||||||
if "$certificate_list_ordering_problem"; then
|
if "$certificate_list_ordering_problem"; then
|
||||||
|
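Review bot: `certificates_provided` and the `intermediate_certs` array are now filled by the while loop that replaces the old `intermediates="$intermediate_certs"` line, but the count is consumed by the `# of certificates provided` output in the fourth hunk, where the old `certificates_provided=1+$(grep -c ...)` computation was deleted. The `if` enclosing this loop is outside the hunk; if the loop only runs on the OCSP-signer branch that `badocsp` belongs to, every other run reports the value initialised at `local -i i certificates_provided=0`, i.e. 0, and the array is empty for the later expiration checks the commit message mentions. Moving the loop to the start of certificate_info, directly after the local declarations, would keep it unconditional and the count independent of the OCSP path. Separately, a PEM block that `$OPENSSL x509 -text` cannot parse leaves an empty string in `intermediate_certs[certificates_provided]` because stderr is discarded, yet `certificates_provided+=1` still runs, so later consumers should treat an empty entry as "unparsed" rather than as a certificate.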