Merge pull request #1652 from dcooper16/fix_wildcard

Fix and enhance CN matching
This commit is contained in:
Dirk Wetter 2020-06-09 10:48:59 +02:00 committed by GitHub
commit d19aed2345
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -7804,9 +7804,9 @@ wildcard_match()
compare_server_name_to_cert() { compare_server_name_to_cert() {
local cert="$1" local cert="$1"
local servername cn dns_sans ip_sans san dercert tag local servername cns cn dns_sans ip_sans san dercert tag
local srv_id="" xmppaddr="" local srv_id="" xmppaddr=""
local -i i len len1 local -i i len len1 cn_match=0
local -i subret=0 # no error condition, passing results local -i subret=0 # no error condition, passing results
HAS_DNS_SANS=false HAS_DNS_SANS=false
@ -7960,19 +7960,23 @@ compare_server_name_to_cert() {
done <<< "$dns_sans" done <<< "$dns_sans"
fi fi
cn="$(get_cn_from_cert "$cert")" # Get every CN from the subject field and compare against the server name.
cns="$($OPENSSL x509 -in $1 -noout -subject -nameopt multiline,-align,sname,-esc_msb,utf8,-space_eq 2>>$ERRFILE | awk -F'=' '/CN=/ { print $2 }')"
while read cn; do
# If the CN contains any characters that are not valid for a DNS name,
# then assume it does not contain a DNS name.
[[ -n $(sed 's/^[_\.a-zA-Z0-9*\-]*//' <<< "$cn") ]] && continue
# If the CN contains any characters that are not valid for a DNS name, # Check whether the CN matches the servername
# then assume it does not contain a DNS name. [[ $(toupper "$cn") == "$servername" ]] && cn_match=4 && break
[[ -n $(sed 's/^[_\.a-zA-Z0-9*\-]*//' <<< "$cn") ]] && return $subret
# Check whether the CN in the certificate matches the servername # Check whether the CN is a wildcard name that matches the servername
[[ $(toupper "$cn") == "$servername" ]] && subret+=4 && return $subret # NOTE: Don't stop loop on a wildcard match in case there is another CN
# that is an exact match.
# Check whether the CN in the certificate is a wildcard name that matches wildcard_match "$servername" "$cn"
# the servername [[ $? -eq 0 ]] && cn_match=8
wildcard_match "$servername" "$cn" done <<< "$cns"
[[ $? -eq 0 ]] && subret+=8 subret+=$cn_match
return $subret return $subret
} }
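Review bot: The new subject-parsing line in the second hunk passes the certificate as an unquoted `-in $1` although the function already copied it into `cert` on the line `local cert="$1"`, so a path with whitespace splits into several arguments and the call is inconsistent with the rest of the function; and `awk -F'=' '/CN=/ { print $2 }'` keeps only the text up to the second `=`, so a CN whose value itself contains `=` is truncated to a prefix that may pass the DNS-character filter below and be compared as if it were the whole CN, while any line merely containing `CN=` (not only the CN attribute) is also selected. Both are fixed by extracting the value by stripping the attribute prefix instead of splitting on `=`: `cns="$($OPENSSL x509 -in "$cert" -noout -subject -nameopt multiline,-align,sname,-esc_msb,utf8,-space_eq 2>>$ERRFILE | awk '/^ *CN=/ { sub(/^ *CN=/, ""); print }')"`. The loop header `while read cn; do` should also become `while IFS= read -r cn; do` so backslashes and surrounding whitespace in a CN reach the validity check unchanged rather than being interpreted by `read`; presumably such values are then skipped by the `continue`, which is the intended outcome. The function body between the two hunks (after `HAS_DNS_SANS=false` up to the SAN loop) is outside this view, so I cannot confirm that `cert` is not reassigned in between.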