- prework for checking hpkp fingerprints
This commit is contained in:
parent
7d43dd7c8a
commit
bdd0602c1f
20
testssl.sh
20
testssl.sh
@ -90,8 +90,6 @@ NODEIP=""
|
|||||||
IPS=""
|
IPS=""
|
||||||
SERVICE="" # is the server running an HTTP server, SMTP, POP or IMAP?
|
SERVICE="" # is the server running an HTTP server, SMTP, POP or IMAP?
|
||||||
|
|
||||||
BLA=""
|
|
||||||
|
|
||||||
|
|
||||||
# make sure that temporary files are cleaned up after use
|
# make sure that temporary files are cleaned up after use
|
||||||
trap "cleanup" QUIT EXIT
|
trap "cleanup" QUIT EXIT
|
||||||
@ -459,6 +457,8 @@ hsts() {
|
|||||||
hpkp() {
|
hpkp() {
|
||||||
local hpkp_age_sec
|
local hpkp_age_sec
|
||||||
local hpkp_age_days
|
local hpkp_age_days
|
||||||
|
local hpkp_nr_keys
|
||||||
|
local hpkp_key
|
||||||
|
|
||||||
if [ ! -s $HEADERFILE ] ; then
|
if [ ! -s $HEADERFILE ] ; then
|
||||||
http_header "$1" || return 3
|
http_header "$1" || return 3
|
||||||
@ -468,7 +468,8 @@ hpkp() {
|
|||||||
if [ $? -eq 0 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
egrep -aciw '^Public-Key-Pins|Public-Key-Pins-Report-Only' $HEADERFILE | egrep -wq "1" || out "(two HPKP header, using 1st one) "
|
egrep -aciw '^Public-Key-Pins|Public-Key-Pins-Report-Only' $HEADERFILE | egrep -wq "1" || out "(two HPKP header, using 1st one) "
|
||||||
# dirty trick so that grep -c really counts occurances and not lines w/ occurances:
|
# dirty trick so that grep -c really counts occurances and not lines w/ occurances:
|
||||||
if [ $(sed 's/pin-sha/pin-sha\n/g' < $TMPFILE | grep -c pin-sha) -eq 1 ]; then
|
hpkp_nr_keys=$(sed 's/pin-sha/pin-sha\n/g' < $TMPFILE | grep -c pin-sha)
|
||||||
|
if [ $hpkp_nr_keys -eq 1 ]; then
|
||||||
pr_brown "One key is not sufficent, "
|
pr_brown "One key is not sufficent, "
|
||||||
fi
|
fi
|
||||||
hpkp_age_sec=$(sed -e 's/\r//g' -e 's/^.*max-age=//' -e 's/;.*//' $TMPFILE)
|
hpkp_age_sec=$(sed -e 's/\r//g' -e 's/^.*max-age=//' -e 's/;.*//' $TMPFILE)
|
||||||
@ -481,6 +482,15 @@ hpkp() {
|
|||||||
|
|
||||||
includeSubDomains "$TMPFILE"
|
includeSubDomains "$TMPFILE"
|
||||||
preload "$TMPFILE"
|
preload "$TMPFILE"
|
||||||
|
|
||||||
|
# get the key fingerprints:
|
||||||
|
sed -i -e 's/Public-Key-Pins://g' -e s'/Public-Key-Pins-Report-Only://' $TMPFILE
|
||||||
|
while read hpkp_key; do
|
||||||
|
#FIXME: to be checked against level0.crt
|
||||||
|
# like openssl x509 -in level0.crt -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl base64 -d
|
||||||
|
debugme echo "$hpkp_key="
|
||||||
|
done < <(sed -e 's/;/\n/g' -e 's/ //g' $TMPFILE | awk -F'=' '/pin.*=/ { print $2 }')
|
||||||
|
|
||||||
out " (fingerprints not checked)"
|
out " (fingerprints not checked)"
|
||||||
else
|
else
|
||||||
out "--"
|
out "--"
|
||||||
@ -2336,7 +2346,7 @@ old_fart() {
|
|||||||
find_openssl_binary() {
|
find_openssl_binary() {
|
||||||
# 0. check environment variable whether it's executable
|
# 0. check environment variable whether it's executable
|
||||||
if [ ! -z "$OPENSSL" ] && [ ! -x "$OPENSSL" ]; then
|
if [ ! -z "$OPENSSL" ] && [ ! -x "$OPENSSL" ]; then
|
||||||
pr_redln "\ncannot execute specified ($OPENSSL) openssl binary."
|
pr_redln "\ncannot find (\$OPENSSL=$OPENSSL) binary."
|
||||||
outln "continuing ..."
|
outln "continuing ..."
|
||||||
fi
|
fi
|
||||||
if [ -x "$OPENSSL" ]; then
|
if [ -x "$OPENSSL" ]; then
|
||||||
@ -2997,6 +3007,6 @@ case "$1" in
|
|||||||
exit $ret ;;
|
exit $ret ;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.203 2015/03/13 11:20:18 dirkw Exp $
|
# $Id: testssl.sh,v 1.205 2015/03/15 09:18:36 dirkw Exp $
|
||||||
# vim:ts=5:sw=5
|
# vim:ts=5:sw=5
|
||||||
|
|
||||||
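Review bot: The fingerprint extraction on the last line of the hpkp() hunk splits on `=` and prints field 2, so each `hpkp_key` keeps the opening `"` of the quoted pin and loses the base64 `=` padding; the `=` appended in `debugme echo "$hpkp_key="` restores the padding but the stray quote will make any later comparison against a computed pin fail. Splitting on the quote instead, `awk -F'"' '/pin-sha256=/ { print $2 }'`, yields the bare base64 value with its padding intact, and the debug line can then print `"$hpkp_key"` unchanged. The reference pipeline in the comment ends in `openssl base64 -d`, which decodes; producing a pin needs encoding (`openssl base64` without `-d`), and `openssl pkey -pubin -outform der` rather than `openssl rsa -pubin` so an ECDSA leaf key is handled as well. The loop should also use `read -r` so a backslash in a hostile header is not interpreted. hpkp() continues outside the hunk.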
|