From c4db88526f6cee9dc95b7aed6f85787ff22e2aa7 Mon Sep 17 00:00:00 2001 From: David Cooper Date: Wed, 26 Sep 2018 09:59:52 -0400 Subject: [PATCH] Handle critical subjectAltName extension For XMPP servers, when extracting the SRV-ID and XmppAddr names from the subjectAltName extension, need to take into account that the subjectAltName extension may be marked as critical, in which case there will be the DER encoding of TRUE (0101FF) between the DER encoding of the subjectAltName extension's OID (0603551D11) and the tag for OCTET STRING (04). --- testssl.sh | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index 0e51e1d..229d402 100755 --- a/testssl.sh +++ b/testssl.sh @@ -7005,7 +7005,16 @@ compare_server_name_to_cert() { # For XMPP hosts, in addition to checking for a matching DNS name, # should also check for a matching SRV-ID or XmppAddr identifier. dercert="$($OPENSSL x509 -in "$cert" -outform DER 2>>$ERRFILE | hexdump -v -e '16/1 "%02X"')" - dercert="${dercert##*0603551D1104}" + # Look for the beginning of the subjectAltName extension. It + # will begin with the OID (2.5.29.17 = 0603551D11). After the OID + # there may be an indication that the extension is critical (0101FF). + # Finally will be the tag indicating that the value of the extension is + # encoded as an OCTET STRING (04). + if [[ "$dercert" =~ 0603551D110101FF04 ]]; then + dercert="${dercert##*0603551D110101FF04}" + else + dercert="${dercert##*0603551D1104}" + fi # Skip over the encoding of the length of the OCTET STRING. if [[ "${dercert:0:1}" == "8" ]]; then i="${dercert:1:1}"