Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-03 23:39:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

jsonID changed (server defaults), host certificate in JSON, HOSTCERT_TXT

Browse Source 
In ``must_staple()`` and ``certificate_info()``  were the jsonIDs
changed to OpenSSLi / IETF names so that testssl.sh is more compliant
to the rest of the world. There might be still space for improvements
are far as common naming scheme is concerned.

The host certificate is now being delivered in JSON and CSV. For
further usage " " needs to be converted back to linefeeds.

Certificate Expiration was renamed to Certificate Validity.

The order of outputting the certificate serial and SHA1 fingerprint
has been swapped.

Also ``certificate_info()`` makes more use of HOSTCERT_TXT.
This commit is contained in:
Dirk 2018-01-31 20:01:12 +01:00
parent 656016eae4
commit d2d62a9c55
1 changed files with 39 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

78
testssl.sh
View File

@ -6279,7 +6279,7 @@ compare_server_name_to_cert()
} }
must_staple() { must_staple() {
local jsonID="OCSP_must_staple" local jsonID="cert_mustStapleExtension"
local json_postfix="$1" local json_postfix="$1"
local provides_stapling="$2" local provides_stapling="$2"
local cert extn local cert extn
@ -6451,13 +6451,13 @@ certificate_info() {
[[ ! -s $HOSTCERT_TXT ]] && $OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE >$HOSTCERT_TXT [[ ! -s $HOSTCERT_TXT ]] && $OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE >$HOSTCERT_TXT
cert_sig_algo="$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE| awk -F':' '/Signature Algorithm/ { print $2; if (++Match >= 1) exit; }')" cert_sig_algo="$(awk -F':' '/Signature Algorithm/ { print $2; if (++Match >= 1) exit; }' $HOSTCERT_TXT)"
cert_sig_algo="${cert_sig_algo// /}" cert_sig_algo="${cert_sig_algo// /}"
cert_key_algo="$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | awk -F':' '/Public Key Algorithm:/ { print $2; if (++Match >= 1) exit; }')" cert_key_algo="$(awk -F':' '/Public Key Algorithm:/ { print $2; if (++Match >= 1) exit; }' $HOSTCERT_TXT)"
cert_key_algo="${cert_key_algo// /}" cert_key_algo="${cert_key_algo// /}"
out "$indent" ; pr_bold " Signature Algorithm " out "$indent" ; pr_bold " Signature Algorithm "
jsonID="cert_sig_algorithm" jsonID="cert_signatureAlgorithm"
case $cert_sig_algo in case $cert_sig_algo in
sha1WithRSAEncryption) sha1WithRSAEncryption)
pr_svrty_medium "SHA1 with RSA" pr_svrty_medium "SHA1 with RSA"
@ -6516,7 +6516,7 @@ certificate_info() {
fileout "${jsonID}${json_postfix}" "OK" "DSA with SHA256" fileout "${jsonID}${json_postfix}" "OK" "DSA with SHA256"
;; ;;
rsassaPss) rsassaPss)
cert_sig_hash_algo="$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A 1 "Signature Algorithm" | head -2 | tail -1 | sed 's/^.*Hash Algorithm: //')" cert_sig_hash_algo="$(grep -A 1 "Signature Algorithm" $HOSTCERT_TXT | head -2 | tail -1 | sed 's/^.*Hash Algorithm: //')"
case $cert_sig_hash_algo in case $cert_sig_hash_algo in
sha1) sha1)
prln_svrty_medium "RSASSA-PSS with SHA1" prln_svrty_medium "RSASSA-PSS with SHA1"
@ -6566,7 +6566,7 @@ certificate_info() {
# old, but interesting: https://blog.hboeck.de/archives/754-Playing-with-the-EFF-SSL-Observatory.html # old, but interesting: https://blog.hboeck.de/archives/754-Playing-with-the-EFF-SSL-Observatory.html
out "$indent"; pr_bold " Server key size " out "$indent"; pr_bold " Server key size "
jsonID="cert_key_size" jsonID="cert_keySize"
if [[ -z "$cert_keysize" ]]; then if [[ -z "$cert_keysize" ]]; then
outln "(couldn't determine)" outln "(couldn't determine)"
fileout "${jsonID}${json_postfix}" "cannot be determined" fileout "${jsonID}${json_postfix}" "cannot be determined"
@ -6639,8 +6639,8 @@ certificate_info() {
out "$indent"; pr_bold " Server key usage "; out "$indent"; pr_bold " Server key usage ";
outok=true outok=true
jsonID="cert_key_usage" jsonID="cert_keyUsage"
cert_keyusage="$(strip_leading_space "$($OPENSSL x509 -noout -text -in $HOSTCERT 2>>$ERRFILE | awk '/X509v3 Key Usage:/ { getline; print $0 }')")" cert_keyusage="$(strip_leading_space "$(awk '/X509v3 Key Usage:/ { getline; print $0 }' $HOSTCERT_TXT)")"
if [[ -n "$cert_keyusage" ]]; then if [[ -n "$cert_keyusage" ]]; then
outln "$cert_keyusage" outln "$cert_keyusage"
if ( [[ " $cert_type " =~ " RSASig " ]] || [[ " $cert_type " =~ " DSA " ]] || [[ " $cert_type " =~ " ECDSA " ]] ) && \ if ( [[ " $cert_type " =~ " RSASig " ]] || [[ " $cert_type " =~ " DSA " ]] || [[ " $cert_type " =~ " ECDSA " ]] ) && \
@ -6670,10 +6670,9 @@ certificate_info() {
fi fi
out "$indent"; pr_bold " Server extended key usage "; out "$indent"; pr_bold " Server extended key usage ";
jsonID="cert_extended_key_usage" jsonID="cert_extKeyUsage"
outok=true outok=true
cert_ext_keyusage="$(strip_leading_space "$($OPENSSL x509 -noout -text -in $HOSTCERT 2>>$ERRFILE | awk '/X509v3 Extended Key Usage:/ { getline; print $0 }')")" cert_ext_keyusage="$(strip_leading_space "$(awk '/X509v3 Extended Key Usage:/ { getline; print $0 }' $HOSTCERT_TXT)")"
$OPENSSL x509 -noout -text -in $HOSTCERT 2>>$ERRFILE | awk '/X509v3 Extended Key Usage:/ { getline; print $0 }' | read cert_ext_keyusage
if [[ -n "$cert_ext_keyusage" ]]; then if [[ -n "$cert_ext_keyusage" ]]; then
outln "$cert_ext_keyusage" outln "$cert_ext_keyusage"
if [[ ! "$cert_ext_keyusage" =~ "TLS Web Server Authentication" ]] && [[ ! "$cert_ext_keyusage" =~ "Any Extended Key Usage" ]]; then if [[ ! "$cert_ext_keyusage" =~ "TLS Web Server Authentication" ]] && [[ ! "$cert_ext_keyusage" =~ "Any Extended Key Usage" ]]; then
@ -6690,18 +6689,21 @@ certificate_info() {
fileout "${jsonID}${json_postfix}" "INFO" "cert_ext_keyusage" fileout "${jsonID}${json_postfix}" "INFO" "cert_ext_keyusage"
fi fi
out "$indent"; pr_bold " Fingerprint / Serial " out "$indent"; pr_bold " Serial / Fingerprints "
cert_serial="$($OPENSSL x509 -noout -in $HOSTCERT -serial 2>>$ERRFILE | sed 's/serial=//')"
fileout "cert_serialNumber${json_postfix}" "INFO" "$cert_serial"
cert_fingerprint_sha1="$($OPENSSL x509 -noout -in $HOSTCERT -fingerprint -sha1 2>>$ERRFILE | sed 's/Fingerprint=//' | sed 's/://g')" cert_fingerprint_sha1="$($OPENSSL x509 -noout -in $HOSTCERT -fingerprint -sha1 2>>$ERRFILE | sed 's/Fingerprint=//' | sed 's/://g')"
fileout "cert_fingerprint_SHA1${json_postfix}" "INFO" "${cert_fingerprint_sha1//SHA1 /}" fileout "cert_fingerprintSHA1${json_postfix}" "INFO" "${cert_fingerprint_sha1//SHA1 /}"
outln "$cert_serial / $cert_fingerprint_sha1"
cert_fingerprint_sha2="$($OPENSSL x509 -noout -in $HOSTCERT -fingerprint -sha256 2>>$ERRFILE | sed 's/Fingerprint=//' | sed 's/://g' )" cert_fingerprint_sha2="$($OPENSSL x509 -noout -in $HOSTCERT -fingerprint -sha256 2>>$ERRFILE | sed 's/Fingerprint=//' | sed 's/://g' )"
fileout "cert_fingerprint_SHA256${json_postfix}" "INFO" "${cert_fingerprint_sha2//SHA256 /}" fileout "cert_fingerprintSHA256${json_postfix}" "INFO" "${cert_fingerprint_sha2//SHA256 /}"
cert_serial="$($OPENSSL x509 -noout -in $HOSTCERT -serial 2>>$ERRFILE | sed 's/serial=//')"
outln "$cert_fingerprint_sha1 / $cert_serial"
outln "$spaces$cert_fingerprint_sha2" outln "$spaces$cert_fingerprint_sha2"
fileout "cert_serial${json_postfix}" "INFO" "$cert_serial" # " " needs to be converted back to lf
fileout "cert" "INFO" "$(< $HOSTCERT)"
[[ -z $CERT_FINGERPRINT_SHA2 ]] && \ [[ -z $CERT_FINGERPRINT_SHA2 ]] && \
CERT_FINGERPRINT_SHA2="$cert_fingerprint_sha2" || CERT_FINGERPRINT_SHA2="$cert_fingerprint_sha2" ||
CERT_FINGERPRINT_SHA2="$cert_fingerprint_sha2 $CERT_FINGERPRINT_SHA2" CERT_FINGERPRINT_SHA2="$cert_fingerprint_sha2 $CERT_FINGERPRINT_SHA2"
@ -6721,7 +6723,7 @@ certificate_info() {
cnfinding="$cn" cnfinding="$cn"
cnok="INFO" cnok="INFO"
fi fi
fileout "cert_CN${json_postfix}" "$cnok" "$cnfinding" fileout "cert_commonName${json_postfix}" "$cnok" "$cnfinding"
cnfinding="" cnfinding=""
if [[ -n "$sni_used" ]]; then if [[ -n "$sni_used" ]]; then
@ -6753,9 +6755,9 @@ certificate_info() {
out " (CN in response to request w/o SNI: "; pr_italic "$cn_nosni"; outln ")" out " (CN in response to request w/o SNI: "; pr_italic "$cn_nosni"; outln ")"
cnfinding="$cn_nosni" cnfinding="$cn_nosni"
fi fi
fileout "cert_CN_without_SNI${json_postfix}" "INFO" "$cnfinding" fileout "cert_commonName_wo_SNI${json_postfix}" "INFO" "$cnfinding"
sans=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | \ sans=$(grep -A2 "Subject Alternative Name" $HOSTCERT_TXT | \
egrep "DNS:|IP Address:|email:|URI:|DirName:|Registered ID:" | tr ',' '\n' | \ egrep "DNS:|IP Address:|email:|URI:|DirName:|Registered ID:" | tr ',' '\n' | \
sed -e 's/ *DNS://g' -e 's/ *IP Address://g' -e 's/ *email://g' -e 's/ *URI://g' -e 's/ *DirName://g' \ sed -e 's/ *DNS://g' -e 's/ *IP Address://g' -e 's/ *email://g' -e 's/ *URI://g' -e 's/ *DirName://g' \
-e 's/ *Registered ID://g' \ -e 's/ *Registered ID://g' \
@ -6763,7 +6765,7 @@ certificate_info() {
# ^^^ CACert # ^^^ CACert
out "$indent"; pr_bold " subjectAltName (SAN) " out "$indent"; pr_bold " subjectAltName (SAN) "
jsonID="cert_SAN" jsonID="cert_subjectAltName"
if [[ -n "$sans" ]]; then if [[ -n "$sans" ]]; then
while read san; do while read san; do
[[ -n "$san" ]] && all_san+="$san " [[ -n "$san" ]] && all_san+="$san "
@ -6781,7 +6783,7 @@ certificate_info() {
fi fi
out "$indent"; pr_bold " Issuer " out "$indent"; pr_bold " Issuer "
jsonID="cert_issuer" jsonID="cert_caIssuers"
#FIXME: oid would be better maybe (see above) #FIXME: oid would be better maybe (see above)
issuer="$($OPENSSL x509 -in $HOSTCERT -noout -issuer -nameopt multiline,-align,sname,-esc_msb,utf8,-space_eq 2>>$ERRFILE)" issuer="$($OPENSSL x509 -in $HOSTCERT -noout -issuer -nameopt multiline,-align,sname,-esc_msb,utf8,-space_eq 2>>$ERRFILE)"
issuer_CN="$(awk -F'=' '/CN=/ { print $2 }' <<< "$issuer")" issuer_CN="$(awk -F'=' '/CN=/ { print $2 }' <<< "$issuer")"
@ -6832,8 +6834,7 @@ certificate_info() {
# identifier of CN-ID if the presented identifiers include a DNS-ID, # identifier of CN-ID if the presented identifiers include a DNS-ID,
# SRV-ID, URI-ID, or any application-specific identifier types # SRV-ID, URI-ID, or any application-specific identifier types
# supported by the client. # supported by the client.
$OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | \ grep -A2 "Subject Alternative Name" $HOSTCERT_TXT | grep -q "DNS:" && \
grep -A2 "Subject Alternative Name" | grep -q "DNS:" && \
has_dns_sans=true || has_dns_sans=false has_dns_sans=true || has_dns_sans=false
case $trust_sni in case $trust_sni in
@ -6950,9 +6951,9 @@ certificate_info() {
# http://events.ccc.de/congress/2010/Fahrplan/attachments/1777_is-the-SSLiverse-a-safe-place.pdf, see page 40pp # http://events.ccc.de/congress/2010/Fahrplan/attachments/1777_is-the-SSLiverse-a-safe-place.pdf, see page 40pp
out "$indent"; pr_bold " EV cert"; out " (experimental) " out "$indent"; pr_bold " EV cert"; out " (experimental) "
jsonID="cert_EV" jsonID="cert_certificatePolicies_EV"
# only the first one, seldom we have two # only the first one, seldom we have two
policy_oid=$($OPENSSL x509 -in $HOSTCERT -text 2>>$ERRFILE | awk '/ .Policy: / { print $2 }' | awk 'NR < 2') policy_oid=$(awk '/ .Policy: / { print $2 }' $HOSTCERT_TXT | awk 'NR < 2')
if echo "$issuer" | egrep -q 'Extended Validation|Extended Validated|EV SSL|EV CA' || \ if echo "$issuer" | egrep -q 'Extended Validation|Extended Validated|EV SSL|EV CA' || \
[[ 2.16.840.1.114028.10.1.2 == "$policy_oid" ]] || \ [[ 2.16.840.1.114028.10.1.2 == "$policy_oid" ]] || \
[[ 2.16.840.1.114412.1.3.0.2 == "$policy_oid" ]] || \ [[ 2.16.840.1.114412.1.3.0.2 == "$policy_oid" ]] || \
@ -6975,7 +6976,7 @@ certificate_info() {
# https://certs.opera.com/03/ev-oids.xml # https://certs.opera.com/03/ev-oids.xml
# see #967 # see #967
out "$indent"; pr_bold " Certificate Expiration " out "$indent"; pr_bold " Certificate Validity (UTC) "
# FreeBSD + OSX can't swallow the leading blank: # FreeBSD + OSX can't swallow the leading blank:
enddate="$(strip_leading_space "$(awk -F':' '/Not After/ { print $2":"$3":"$4 }' $HOSTCERT_TXT)")" # in GMT enddate="$(strip_leading_space "$(awk -F':' '/Not After/ { print $2":"$3":"$4 }' $HOSTCERT_TXT)")" # in GMT
@ -7017,22 +7018,20 @@ certificate_info() {
expok="HIGH" expok="HIGH"
fi fi
fi fi
outln " (UTC: $startdate --> $enddate)" outln " ($startdate --> $enddate)"
fileout "cert_expiration_status${json_postfix}" "$expok" "$expfinding" fileout "cert_expiration_status${json_postfix}" "$expok" "$expfinding"
fileout "cert_expirationUTC_start${json_postfix}" "INFO" "$startdate" # we assume that the certificate has no start time in the future fileout "cert_notBefore${json_postfix}" "INFO" "$startdate" # we assume that the certificate has no start time in the future
fileout "cert_expirationUTC_end${json_postfix}" "$expok" "$enddate" fileout "cert_notAfter${json_postfix}" "$expok" "$enddate" # They are in UTC
certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem) certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem)
out "$indent"; pr_bold " # of certificates provided"; outln " $certificates_provided" out "$indent"; pr_bold " # of certificates provided"; outln " $certificates_provided"
fileout "certchain_count${json_postfix}" "INFO" "${certificates_provided}" fileout "certs_countServer${json_postfix}" "INFO" "${certificates_provided}"
# Get both CRL and OCSP URI upfront. If there's none, this is not good. And we need to penalize this in the output
crl="$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | \
awk '/X509v3 CRL Distribution/{i=50} i&&i--' | awk '/^$/,/^ [a-zA-Z0-9]+|^ Signature Algorithm:/' | awk -F'URI:' '/URI/ { print $2 }')"
ocsp_uri=$($OPENSSL x509 -in $HOSTCERT -noout -ocsp_uri 2>>$ERRFILE)
out "$indent"; pr_bold " Certificate Revocation List " out "$indent"; pr_bold " Certificate Revocation List "
jsonID="cert_CRL" jsonID="cert_cRLDistributionPoints"
# ~ get next 50 lines after pattern , strip until Signature Algorithm and retrieve URIs
crl="$(awk '/X509v3 CRL Distribution/{i=50} i&&i--' $HOSTCERT_TXT | awk '/^$/,/^ [a-zA-Z0-9]+|^ Signature Algorithm:/' | awk -F'URI:' '/URI/ { print $2 }')"
if [[ -z "$crl" ]] ; then if [[ -z "$crl" ]] ; then
fileout "${jsonID}${json_postfix}" "INFO" "--" fileout "${jsonID}${json_postfix}" "INFO" "--"
outln "--" outln "--"
@ -7046,7 +7045,8 @@ certificate_info() {
fi fi
out "$indent"; pr_bold " OCSP URI " out "$indent"; pr_bold " OCSP URI "
jsonID="cert_OCSP_URI" jsonID="cert_ocspURL"
ocsp_uri=$($OPENSSL x509 -in $HOSTCERT -noout -ocsp_uri 2>>$ERRFILE)
if [[ -z "$ocsp_uri" ]]; then if [[ -z "$ocsp_uri" ]]; then
outln "--" outln "--"
fileout "${jsonID}${json_postfix}" "INFO" "--" fileout "${jsonID}${json_postfix}" "INFO" "--"
@ -7099,7 +7099,7 @@ certificate_info() {
must_staple "$json_postfix" "$provides_stapling" must_staple "$json_postfix" "$provides_stapling"
out "$indent"; pr_bold " DNS CAA RR"; out " (experimental) " out "$indent"; pr_bold " DNS CAA RR"; out " (experimental) "
jsonID="CAA_record" jsonID="dns_CAArecord"
caa_node="$NODE" caa_node="$NODE"
caa="" caa=""
while ( [[ -z "$caa" ]] && [[ ! -z "$caa_node" ]] ); do while ( [[ -z "$caa" ]] && [[ ! -z "$caa_node" ]] ); do