mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-03 23:39:45 +01:00
Handle critical subjectAltName extension
For XMPP servers, when extracting the SRV-ID and XmppAddr names from the subjectAltName extension, need to take into account that the subjectAltName extension may be marked as critical, in which case there will be the DER encoding of TRUE (0101FF) between the DER encoding of the subjectAltName extension's OID (0603551D11) and the tag for OCTET STRING (04).
This commit is contained in:
parent
e0f5c7513a
commit
c4db88526f
@ -7005,7 +7005,16 @@ compare_server_name_to_cert() {
|
||||
# For XMPP hosts, in addition to checking for a matching DNS name,
|
||||
# should also check for a matching SRV-ID or XmppAddr identifier.
|
||||
dercert="$($OPENSSL x509 -in "$cert" -outform DER 2>>$ERRFILE | hexdump -v -e '16/1 "%02X"')"
|
||||
# Look for the beginning of the subjectAltName extension. It
|
||||
# will begin with the OID (2.5.29.17 = 0603551D11). After the OID
|
||||
# there may be an indication that the extension is critical (0101FF).
|
||||
# Finally will be the tag indicating that the value of the extension is
|
||||
# encoded as an OCTET STRING (04).
|
||||
if [[ "$dercert" =~ 0603551D110101FF04 ]]; then
|
||||
dercert="${dercert##*0603551D110101FF04}"
|
||||
else
|
||||
dercert="${dercert##*0603551D1104}"
|
||||
fi
|
||||
# Skip over the encoding of the length of the OCTET STRING.
|
||||
if [[ "${dercert:0:1}" == "8" ]]; then
|
||||
i="${dercert:1:1}"
|
||||
|
Loading…
Reference in New Issue
Block a user