Save intermediate certificates for more use

As there as suggestions to check intermediate certificates for things such as expiration date, this commit saves the text versions of each of the intermediate certificates so that they are available to extract additional information.
This commit is contained in:
David Cooper 2020-07-16 07:57:27 -04:00
parent 17ee0245b5
commit bd856e2ada

View File

@ -8303,7 +8303,7 @@ certificate_info() {
local -i certificate_number=$1 local -i certificate_number=$1
local -i number_of_certificates=$2 local -i number_of_certificates=$2
local cert_txt="$3" local cert_txt="$3"
local intermediate_certs="$4" local intermediates="$4"
local cipher=$5 local cipher=$5
local cert_keysize=$6 local cert_keysize=$6
local cert_type="$7" local cert_type="$7"
@ -8321,13 +8321,14 @@ certificate_info() {
local expire days2expire secs2warn ocsp_uri crl local expire days2expire secs2warn ocsp_uri crl
local startdate enddate issuer_CN issuer_C issuer_O issuer sans san all_san="" cn local startdate enddate issuer_CN issuer_C issuer_O issuer sans san all_san="" cn
local issuer_DC issuerfinding cn_nosni="" local issuer_DC issuerfinding cn_nosni=""
local cert_fingerprint_sha1 cert_fingerprint_sha2 cert_serial intermediates cert local cert_fingerprint_sha1 cert_fingerprint_sha2 cert_serial cert
local -a intermediate_certs=()
local policy_oid local policy_oid
local spaces="" local spaces=""
local -i trust_sni=0 trust_nosni=0 diffseconds=0 local -i trust_sni=0 trust_nosni=0 diffseconds=0
local has_dns_sans has_dns_sans_nosni local has_dns_sans has_dns_sans_nosni
local trust_sni_finding local trust_sni_finding
local -i certificates_provided local -i i certificates_provided=0
local cnfinding trustfinding trustfinding_nosni local cnfinding trustfinding trustfinding_nosni
local cnok="OK" local cnok="OK"
local expfinding expok="OK" local expfinding expok="OK"
@ -8980,14 +8981,20 @@ certificate_info() {
#FIXME: We just raise the flag saying the chain is bad w/o naming the intermediate #FIXME: We just raise the flag saying the chain is bad w/o naming the intermediate
# cert to blame. # cert to blame.
intermediates="$intermediate_certs" # Store all of the intermediate certificates in an array so that they can
# be used later (e.g., to check their expiration dates).
while true; do while true; do
[[ "$intermediates" =~ \-\-\-\-\-\BEGIN\ CERTIFICATE\-\-\-\-\- ]] || break [[ "$intermediates" =~ \-\-\-\-\-\BEGIN\ CERTIFICATE\-\-\-\-\- ]] || break
intermediates="${intermediates#*-----BEGIN CERTIFICATE-----}" intermediates="${intermediates#*-----BEGIN CERTIFICATE-----}"
cert="${intermediates%%-----END CERTIFICATE-----*}" cert="${intermediates%%-----END CERTIFICATE-----*}"
intermediates="${intermediates#${cert}-----END CERTIFICATE-----}" intermediates="${intermediates#${cert}-----END CERTIFICATE-----}"
cert="-----BEGIN CERTIFICATE-----${cert}-----END CERTIFICATE-----" cert="-----BEGIN CERTIFICATE-----${cert}-----END CERTIFICATE-----"
cert_ext_keyusage="$($OPENSSL x509 -text -noout 2>/dev/null <<< "$cert" | awk '/X509v3 Extended Key Usage:/ { getline; print $0 }')" intermediate_certs[certificates_provided]="$($OPENSSL x509 -text -noout 2>/dev/null <<< "$cert")"
certificates_provided+=1
done
certificates_provided+=1
for (( i=0; i < certificates_provided-1; i++ )); do
cert_ext_keyusage="$(awk '/X509v3 Extended Key Usage:/ { getline; print $0 }' <<< "${intermediate_certs[i]}")"
[[ "$cert_ext_keyusage" =~ OCSP\ Signing ]] && badocsp=0 && break [[ "$cert_ext_keyusage" =~ OCSP\ Signing ]] && badocsp=0 && break
done done
if [[ $badocsp -eq 0 ]]; then if [[ $badocsp -eq 0 ]]; then
@ -9121,7 +9128,6 @@ certificate_info() {
fileout "cert_validityPeriod${json_postfix}" "INFO" "No finding" fileout "cert_validityPeriod${json_postfix}" "INFO" "No finding"
fi fi
certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem)
out "$indent"; pr_bold " # of certificates provided"; out " $certificates_provided" out "$indent"; pr_bold " # of certificates provided"; out " $certificates_provided"
fileout "certs_countServer${json_postfix}" "INFO" "${certificates_provided}" fileout "certs_countServer${json_postfix}" "INFO" "${certificates_provided}"
if "$certificate_list_ordering_problem"; then if "$certificate_list_ordering_problem"; then