Merge pull request #1652 from dcooper16/fix_wildcard

Fix and enhance CN matching
2025-01-03 23:39:45 +01:00 · 2020-06-09 10:48:59 +02:00 · 2020-06-09 10:48:59 +02:00 · d19aed2345
commit d19aed2345
parent 4f13298938 a6c2168cd9
1 changed files with 17 additions and 13 deletions
--- a/testssl.sh
+++ b/testssl.sh
@ -7804,9 +7804,9 @@ wildcard_match()

 compare_server_name_to_cert() {
     local cert="$1"
-     local servername cn dns_sans ip_sans san dercert tag
+     local servername cns cn dns_sans ip_sans san dercert tag
     local srv_id="" xmppaddr=""
-     local -i i len len1
+     local -i i len len1 cn_match=0
     local -i subret=0             # no error condition, passing results

     HAS_DNS_SANS=false
@ -7960,19 +7960,23 @@ compare_server_name_to_cert() {
          done <<< "$dns_sans"
     fi

-     cn="$(get_cn_from_cert "$cert")"
+     # Get every CN from the subject field and compare against the server name.
+     cns="$($OPENSSL x509 -in $1 -noout -subject -nameopt multiline,-align,sname,-esc_msb,utf8,-space_eq 2>>$ERRFILE | awk -F'=' '/CN=/ { print $2 }')"
+     while read cn; do
+          # If the CN contains any characters that are not valid for a DNS name,
+          # then assume it does not contain a DNS name.
+          [[ -n $(sed 's/^[_\.a-zA-Z0-9*\-]*//' <<< "$cn") ]] && continue

-     # If the CN contains any characters that are not valid for a DNS name,
-     # then assume it does not contain a DNS name.
-     [[ -n $(sed 's/^[_\.a-zA-Z0-9*\-]*//' <<< "$cn") ]] && return $subret
+          # Check whether the CN matches the servername
+          [[ $(toupper "$cn") == "$servername" ]] && cn_match=4 && break

-     # Check whether the CN in the certificate matches the servername
-     [[ $(toupper "$cn") == "$servername" ]] && subret+=4 && return $subret
-
-     # Check whether the CN in the certificate is a wildcard name that matches
-     # the servername
-     wildcard_match "$servername" "$cn"
-     [[ $? -eq 0 ]] && subret+=8
+          # Check whether the CN is a wildcard name that matches the servername
+          # NOTE: Don't stop loop on a wildcard match in case there is another CN
+          # that is an exact match.
+          wildcard_match "$servername" "$cn"
+          [[ $? -eq 0 ]] && cn_match=8
+     done <<< "$cns"
+     subret+=$cn_match
     return $subret
 }