Fix Travis + mv issuer line down

Travis failure was due to debug output in a function which returns a string.
The debug statement was removed (stderr would have been choice #2).

Issuer now heads the intermediate certificate section; not
sure whether this is redundant info.
This commit is contained in:
Dirk 2020-10-02 13:00:21 +02:00
parent d5a64ff4b6
commit c3f8207d93


@ -2011,8 +2011,9 @@ else
} }
fi fi
# arg1: An ASCII-HEX string
# Print $arg1 in binary format # Print $arg1 in binary format. arg1: An ASCII-HEX string
#
asciihex_to_binary() { asciihex_to_binary() {
local string="$1" local string="$1"
local -i len local -i len
@ -8348,7 +8349,6 @@ determine_dates_certificate() {
startdate="${startdate%%GMT*}GMT" startdate="${startdate%%GMT*}GMT"
enddate="${cert_txt#*Validity*Not Before: *Not After : }" enddate="${cert_txt#*Validity*Not Before: *Not After : }"
enddate="${enddate%%GMT*}GMT" enddate="${enddate%%GMT*}GMT"
debugme echo "$enddate - $startdate"
# Now we have a normalized enddate and startdate like "Feb 27 10:03:20 2017 GMT" -- also for OpenBSD # Now we have a normalized enddate and startdate like "Feb 27 10:03:20 2017 GMT" -- also for OpenBSD
if "$HAS_OPENBSDDATE"; then if "$HAS_OPENBSDDATE"; then
# Best we want to do under old versions of OpenBSD, first just remove the GMT and keep start/endate for later output # Best we want to do under old versions of OpenBSD, first just remove the GMT and keep start/endate for later output
@ -8866,49 +8866,13 @@ certificate_info() {
fi fi
fi fi
out "$indent"; pr_bold " Issuer " # Determine the issuer now as we need them for host certificate warning
jsonID="cert_caIssuers"
#FIXME: oid would be better maybe (see above). And the line by line input could be done w/o awk
issuer="$($OPENSSL x509 -noout -issuer -nameopt multiline,-align,sname,-esc_msb,utf8,-space_eq 2>>$ERRFILE <<< "$hostcert")" issuer="$($OPENSSL x509 -noout -issuer -nameopt multiline,-align,sname,-esc_msb,utf8,-space_eq 2>>$ERRFILE <<< "$hostcert")"
issuer_CN="$(awk -F'=' '/CN=/ { print $2 }' <<< "$issuer")" issuer_CN="$(awk -F'=' '/CN=/ { print $2 }' <<< "$issuer")"
issuer_O="$(awk -F'=' '/O=/ { print $2 }' <<< "$issuer")" issuer_O="$(awk -F'=' '/O=/ { print $2 }' <<< "$issuer")"
issuer_C="$(awk -F'=' '/ C=/ { print $2 }' <<< "$issuer")" issuer_C="$(awk -F'=' '/ C=/ { print $2 }' <<< "$issuer")"
issuer_DC="$(awk -F'=' '/DC=/ { print $2 }' <<< "$issuer")" issuer_DC="$(awk -F'=' '/DC=/ { print $2 }' <<< "$issuer")"
if [[ "$issuer_O" == issuer= ]] || [[ "$issuer_O" == issuer=\ ]] || [[ "$issuer_CN" == "$cn" ]]; then
prln_svrty_critical "self-signed (NOT ok)"
fileout "${jsonID}${json_postfix}" "CRITICAL" "selfsigned"
set_grade_cap "T" "Self-signed certificate"
else
issuerfinding="$issuer_CN"
pr_italic "$issuer_CN"
if [[ -z "$issuer_O" ]] && [[ -n "$issuer_DC" ]]; then
for san in $issuer_DC; do
if [[ -z "$issuer_O" ]]; then
issuer_O="${san}"
else
issuer_O="${san}.${issuer_O}"
fi
done
fi
if [[ -n "$issuer_O" ]]; then
issuerfinding+=" ("
out " ("
issuerfinding+="$issuer_O"
pr_italic "$issuer_O"
if [[ -n "$issuer_C" ]]; then
issuerfinding+=" from "
out " from "
issuerfinding+="$issuer_C"
pr_italic "$issuer_C"
fi
issuerfinding+=")"
out ")"
fi
outln
fileout "${jsonID}${json_postfix}" "INFO" "$issuerfinding"
fi
out "$indent"; pr_bold " Trust (hostname) " out "$indent"; pr_bold " Trust (hostname) "
compare_server_name_to_cert "$HOSTCERT" compare_server_name_to_cert "$HOSTCERT"
trust_sni=$? trust_sni=$?
@ -9054,7 +9018,7 @@ certificate_info() {
out "no " out "no "
fileout "${jsonID}${json_postfix}" "INFO" "no" fileout "${jsonID}${json_postfix}" "INFO" "no"
fi fi
debugme echo "($(newline_to_spaces "$policy_oid"))" debugme1 echo -n "($(newline_to_spaces "$policy_oid"))"
outln outln
#TODO: check browser OIDs: #TODO: check browser OIDs:
# https://dxr.mozilla.org/mozilla-central/source/security/certverifier/ExtendedValidation.cpp # https://dxr.mozilla.org/mozilla-central/source/security/certverifier/ExtendedValidation.cpp
@ -9072,7 +9036,7 @@ certificate_info() {
days2warn1=$((days2warn1 / 2)) days2warn1=$((days2warn1 / 2))
fi fi
debugme echo -n "diffseconds: $diffseconds" debugme echo -n "(diffseconds: $diffseconds)"
if ! [[ "$($OPENSSL x509 -checkend 1 2>>$ERRFILE <<< "$hostcert")" =~ \ not\ ]]; then if ! [[ "$($OPENSSL x509 -checkend 1 2>>$ERRFILE <<< "$hostcert")" =~ \ not\ ]]; then
pr_svrty_critical "expired" pr_svrty_critical "expired"
expfinding="expired" expfinding="expired"
@ -9154,7 +9118,7 @@ certificate_info() {
else else
# All is fine with validity period # All is fine with validity period
# We ignore for now certificates < 2018/03/01. On the screen we only show debug info # We ignore for now certificates < 2018/03/01. On the screen we only show debug info
debugme1 outln "${spaces}DEBUG: all is fine with total certificate life time" debugme1 echo "${spaces}DEBUG: all is fine with total certificate life time"
fileout "cert_extlifeSpan${json_postfix}" "OK" "certificate has no extended life time according to browser forum" fileout "cert_extlifeSpan${json_postfix}" "OK" "certificate has no extended life time according to browser forum"
fi fi
@ -9298,7 +9262,7 @@ certificate_info() {
caa_node=${caa_node#*.} caa_node=${caa_node#*.}
done done
if [[ -n "$caa" ]]; then if [[ -n "$caa" ]]; then
pr_svrty_good "available"; out " - please check for match with \"Issuer\" above" pr_svrty_good "available"; out " - please check for match with \"Issuer\" below"
if [[ $(count_lines "$caa") -eq 1 ]]; then if [[ $(count_lines "$caa") -eq 1 ]]; then
out ": " out ": "
else else
@ -9344,6 +9308,44 @@ certificate_info() {
outln outln
fi fi
out "$indent"; pr_bold " Issuer "
jsonID="cert_caIssuers"
if [[ "$issuer_O" == issuer= ]] || [[ "$issuer_O" == issuer=\ ]] || [[ "$issuer_CN" == "$cn" ]]; then
prln_svrty_critical "self-signed (NOT ok)"
fileout "${jsonID}${json_postfix}" "CRITICAL" "selfsigned"
set_grade_cap "T" "Self-signed certificate"
else
issuerfinding="$issuer_CN"
pr_italic "$issuer_CN"
if [[ -z "$issuer_O" ]] && [[ -n "$issuer_DC" ]]; then
for san in $issuer_DC; do
if [[ -z "$issuer_O" ]]; then
issuer_O="${san}"
else
issuer_O="${san}.${issuer_O}"
fi
done
fi
if [[ -n "$issuer_O" ]]; then
issuerfinding+=" ("
out " ("
issuerfinding+="$issuer_O"
pr_italic "$issuer_O"
if [[ -n "$issuer_C" ]]; then
issuerfinding+=" from "
out " from "
issuerfinding+="$issuer_C"
pr_italic "$issuer_C"
fi
issuerfinding+=")"
out ")"
fi
outln
fileout "${jsonID}${json_postfix}" "INFO" "$issuerfinding"
fi
# Now we take care of the intermediate certificates. We basically (should) have them on disk # Now we take care of the intermediate certificates. We basically (should) have them on disk
# as "intermediatecerts.pem" (which could be split into intermediatecert1.crt, intermediatecert2.crt, ..) # as "intermediatecerts.pem" (which could be split into intermediatecert1.crt, intermediatecert2.crt, ..)
# However we do this in RAM which is better as it was passed to this function. # However we do this in RAM which is better as it was passed to this function.
@ -9388,7 +9390,7 @@ certificate_info() {
pr_svrty_medium "$cn_finding" pr_svrty_medium "$cn_finding"
expok="MEDIUM" expok="MEDIUM"
else else
cn_finding="valid > 40 days" cn_finding="ok > 40 days"
pr_svrty_good "$cn_finding" pr_svrty_good "$cn_finding"
expok="OK" expok="OK"
fi fi
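Review bot: In the hunk at @ -9344, the relocated Issuer block evaluates `issuer_CN`, `issuer_O`, `issuer_C`, `issuer_DC` and `cn` but nothing there re-derives them; they are now filled in the hunk at @ -8866, several hundred lines earlier in certificate_info, so any intervening assignment to one of those names would silently change the self-signed verdict and the `cert_caIssuers` finding (I cannot see the intervening code, so this is a risk to confirm rather than an observed bug). A short comment above `out "$indent"; pr_bold " Issuer "` such as `# issuer_CN/O/C/DC and cn were derived earlier (see "Determine the issuer now"); keep these names untouched in between` would make the dependency visible to the next editor. While moving the block, the DC-join loop could also drop the misleading loop name: `for dc in $issuer_DC; do` with a `# word-splitting on purpose: one label per line` remark, since the unquoted expansion is deliberate here. The edit at @ -9388 changes the user-visible `cn_finding` text from "valid > 40 days" to "ok > 40 days"; if that string also lands in the JSON/CSV output via fileout, downstream consumers matching on it should be mentioned in the commit message. certificate_info begins and ends outside these hunks.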