Works now
* open: generation of intermediate certificate files. We do that in several places, but for reasons I currently do not understand, we remove those files afterwards. * we don't name the offending certificate
This commit is contained in:
parent
eb7b0c9644
commit
d07d1f102e
28
testssl.sh
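--- a/testssl.sh
+++ b/testssl.sh
@@ -8314,13 +8314,14 @@ certificate_info() {
 local certificate_list_ordering_problem="${12}"
 local cert_sig_algo cert_sig_hash_algo cert_key_algo cert_spki_info
 local common_primes_file="$TESTSSL_INSTALL_DIR/etc/common-primes.txt"
+local badocspcerts="${TESTSSL_INSTALL_DIR}/etc/bad_ocsp_certs.txt"
 local -i lineno_matched=0
 local cert_keyusage cert_ext_keyusage short_keyAlgo
 local outok=true
 local expire days2expire secs2warn ocsp_uri crl
 local startdate enddate issuer_CN issuer_C issuer_O issuer sans san all_san="" cn
 local issuer_DC issuerfinding cn_nosni=""
-local cert_fingerprint_sha1 cert_fingerprint_sha2 cert_serial
+local cert_fingerprint_sha1 cert_fingerprint_sha2 cert_serial cert
 local policy_oid
 local spaces=""
 local -i trust_sni=0 trust_nosni=0 diffseconds=0
@@ -8342,6 +8343,7 @@ certificate_info() {
 local response=""
 local yearstart yearend clockstart clockend y m d
 local gt_825=false gt_825warn=false
+local badocsp=1
 
 if [[ $number_of_certificates -gt 1 ]]; then
 [[ $certificate_number -eq 1 ]] && outln
@@ -8969,15 +8971,22 @@ certificate_info() {
 out "$indent"; pr_bold " Bad OCSP intermediate"
 out " (exp.) "
 jsonID="cert_bad_ocsp"
-badocspcerts="${TESTSSL_INSTALL_DIR}/etc/bad_ocsp_certs.txt"
 
-#FIXME: there might be >1 certificate. We parse the file intermediatecerts.pem
-# but just raise the flag saying the chain is bad w/o naming the intermediate
-# cert to blame. We should have split intermediatecerts.pem e.g. into
-# intermediatecert1.pem, intermediatecert2.pem before
-badocsp=1
-for pem in "$TEMPDIR/intermediatecerts.pem"; do
-hash=$($OPENSSL x509 -in "$pem" -outform der 2>/dev/null | $OPENSSL dgst -sha256 -binary | $OPENSSL base64)
+# There might be >1 certificate, so we split intermediatecerts.pem e.g. into
+# intermediatecert1.crt, intermediatecert2.cert.
+#FIXME: This is redundant code. We do that elsewhere, e.g. before in extract_certificates()
+# and run_hpkp() at least but didn't keep the result
+#
+#FIXME: We just raise the flag saying the chain is bad w/o naming the intermediate
+# cert to blame.
+
+awk -v n=-1 "{start=1}
+/-----BEGIN CERTIFICATE-----/{ if (start) {inc=1; n++} }
+inc { print > (\"$TEMPDIR/intermediatecert\" n \".crt\") }
+/---END CERTIFICATE-----/{ inc=0 }" "$TEMPDIR/intermediatecerts.pem"
+
+for cert in $TEMPDIR/intermediatecert?.crt; do
+hash=$($OPENSSL x509 -in "$cert" -outform der 2>/dev/null | $OPENSSL dgst -sha256 -binary | $OPENSSL base64)
 grep -q "$hash" "$badocspcerts"
 badocsp=$?
 [[ $badocsp -eq 0 ]] && break
@@ -8986,6 +8995,7 @@ certificate_info() {
 prln_svrty_medium "NOT ok"
 fileout "${jsonID}${json_postfix}" "MEDIUM" "NOT ok is/are intermediate certificate(s)"
 else
+prln_svrty_good "Ok"
 fileout "${jsonID}${json_postfix}" "OK" "intermediate certificate(s) is/are ok"
 fi
 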
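Review bot: In the third hunk the new loop `for cert in $TEMPDIR/intermediatecert?.crt; do` leaves `$TEMPDIR` unquoted (the removed line had it quoted) and the `?` wildcard matches a single character only, so a chain with more than ten intermediates would leave `intermediatecert10.crt` and up unchecked; `for cert in "$TEMPDIR"/intermediatecert*.crt; do` covers both. Without `nullglob` an unmatched pattern is handed literally to `$OPENSSL x509`, whose failure is hidden by `2>/dev/null`, so the grep would then run on the digest of empty input; a guard `[[ -e "$cert" ]] || break` at the top of the loop body avoids that. The awk program also interpolates `$TEMPDIR` straight into its source text, where a double quote or backslash in the path would break the script; passing the directory with `awk -v dir="$TEMPDIR"` keeps path and program apart, and the `start` flag it sets on every line is always true, so the `if (start)` test can go. The base64 digest is a fixed string rather than a pattern, so `grep -qF -- "$hash" "$badocspcerts"` is the more robust form. The loop's `done` and the rest of certificate_info() lie outside the hunk.
```shell
# … unchanged: jsonID assignment and explanatory comments …
awk -v dir="$TEMPDIR" -v n=-1 '
     /-----BEGIN CERTIFICATE-----/ { inc=1; n++ }
     inc { print > (dir "/intermediatecert" n ".crt") }
     /-----END CERTIFICATE-----/ { inc=0 }' "$TEMPDIR/intermediatecerts.pem"

for cert in "$TEMPDIR"/intermediatecert*.crt; do
     [[ -e "$cert" ]] || break        # glob did not match: no split files to check
     hash=$($OPENSSL x509 -in "$cert" -outform der 2>/dev/null | $OPENSSL dgst -sha256 -binary | $OPENSSL base64)
     grep -qF -- "$hash" "$badocspcerts"
     badocsp=$?
     [[ $badocsp -eq 0 ]] && break
# … loop closes outside the hunk …
```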