From 346c52dc7c65b87cce9881b5e045756ee1c26f7e Mon Sep 17 00:00:00 2001 From: David Cooper Date: Wed, 20 Jul 2016 11:37:51 -0400 Subject: [PATCH] CA names with domain component attributes `certificate_info()` does not correctly display the Issuer name for CAs that use domain component attributes. There is a server on the NIST intra-net that I test against that has a certificate issued by a NIST CA, and the issuer name in the certificate is of the form: `/DC=net/DC=example/DC=internal/CN=CAname` Since there is no organizational name, testssl.sh displays the name as: ``` Issuer "CAname" ("") ``` In this PR, if the Issuer name has 'DC=' attributes, but does not have an 'O=' attribute, the "DC=" attributes are combined into a DNS name that is used as if it were the organizational name: ``` Issuer "CAname" ("internal.example.net") ``` I should note, however, that I have not been able to find any other examples of TLS server certificates that have been issued by CAs that have domain components ("DC=") in their names. So, it may not be worthwhile to change the code to try to accommodate such CAs.
---
 testssl.sh | 33 ++++++++++++++++++++++----------
 1 file changed, 22 insertions(+), 11 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index e513d20..194b8df 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -3839,7 +3839,7 @@ certificate_info() {
 local ocsp_response=$5
 local ocsp_response_status=$6
 local cert_sig_algo cert_sig_hash_algo cert_key_algo
- local expire days2expire secs2warn ocsp_uri crl startdate enddate issuer_CN issuer_C issuer_O issuer sans san cn cn_nosni
+ local expire days2expire secs2warn ocsp_uri crl startdate enddate issuer_CN issuer_C issuer_O issuer_DC issuer issuerfinding sans san cn cn_nosni
 local cert_fingerprint_sha1 cert_fingerprint_sha2 cert_fingerprint_serial
 local policy_oid
 local spaces=""
@@ -4146,22 +4146,33 @@ certificate_info() {
 issuer_CN="$(awk -F'=' '/CN=/ { print $2 }' <<< "$issuer")"
 issuer_O="$(awk -F'=' '/O=/ { print $2 }' <<< "$issuer")"
 issuer_C="$(awk -F'=' '/ C=/ { print $2 }' <<< "$issuer")"
+ issuer_DC="$(awk -F'=' '/DC=/ { print $2 }' <<< "$issuer")"
 if [[ "$issuer_O" == "issuer=" ]] || [[ "$issuer_O" == "issuer= " ]] || [[ "$issuer_CN" == "$CN" ]]; then
 pr_svrty_criticalln "self-signed (NOT ok)"
 fileout "${json_prefix}issuer" "NOT ok" "Issuer: selfsigned (NOT ok)"
 else
- pr_dquoted "$issuer_CN"
- out " ("
- pr_dquoted "$issuer_O"
- if [[ -n "$issuer_C" ]]; then
- out " from "
- pr_dquoted "$issuer_C"
- fileout "${json_prefix}issuer" "INFO" "Issuer: \"$issuer_CN\" ( \"$issuer_O\" from \"$issuer_C\")"
- else
- fileout "${json_prefix}issuer" "INFO" "Issuer: \"$issuer_CN\" ( \"$issuer_O\" )"
+ issuerfinding="$(pr_dquoted "$issuer_CN")"
+ if [[ -z "$issuer_O" ]] && [[ -n "$issuer_DC" ]]; then
+ for san in $issuer_DC; do
+ if [[ -z "$issuer_O" ]]; then
+ issuer_O="${san}"
+ else
+ issuer_O="${san}.${issuer_O}"
+ fi
+ done
 fi
- outln ")"
+ if [[ -n "$issuer_O" ]]; then
+ issuerfinding+=" ("
+ issuerfinding+="$(pr_dquoted "$issuer_O")"
+ if [[ -n "$issuer_C" ]]; then
+ issuerfinding+=" from "
+ issuerfinding+="$(pr_dquoted "$issuer_C")"
+ fi
+ issuerfinding+=")"
+ fi
+ outln "$issuerfinding"
+ fileout "${json_prefix}issuer" "INFO" "Issuer: $issuerfinding"
 fi
 # http://events.ccc.de/congress/2010/Fahrplan/attachments/1777_is-the-SSLiverse-a-safe-place.pdf, see page 40pp
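Review bot: The new `fileout "${json_prefix}issuer" "INFO" "Issuer: $issuerfinding"` logs the very string that was assembled from `pr_dquoted` output, so whatever that helper adds for the terminal (presumably colour escapes, given the other `pr_*` helpers in this function) now ends up in the machine-readable record, whereas the removed `fileout` lines wrote plain `\"$issuer_CN\"` quoting; keep a separate plain string for `fileout` and use `issuerfinding` only for `outln`. `for san in $issuer_DC` depends on unquoted word splitting of text taken from the server's certificate and also lets a DC value containing `*` or `?` glob against the working directory, and it recycles the `san` loop variable declared for subject alternative names, so a `while IFS= read -r dc … done <<< "$issuer_DC"` loop is safer and clearer. Note also that when `issuer_O` is empty and no DC is present, `issuer_C` is now silently dropped, where the old code still printed `("" from "C")`; if that is intended it deserves a comment. The two new locals below (`issuer_plain`, `dc`) would need adding to the `local` line in the first hunk. `certificate_info()` starts and ends outside this hunk.
```shell
          # … unchanged: issuer_CN / issuer_O / issuer_C / issuer_DC assignments and the self-signed branch …
          issuerfinding="$(pr_dquoted "$issuer_CN")"
          issuer_plain="\"$issuer_CN\""
          if [[ -z "$issuer_O" ]] && [[ -n "$issuer_DC" ]]; then
               # quoted here-string + read -r: no globbing or word-splitting of certificate-supplied text
               while IFS= read -r dc; do
                    [[ -n "$dc" ]] || continue
                    if [[ -z "$issuer_O" ]]; then
                         issuer_O="$dc"
                    else
                         issuer_O="${dc}.${issuer_O}"
                    fi
               done <<< "$issuer_DC"
          fi
          if [[ -n "$issuer_O" ]]; then
               issuerfinding+=" ($(pr_dquoted "$issuer_O")"
               issuer_plain+=" (\"$issuer_O\""
               if [[ -n "$issuer_C" ]]; then
                    issuerfinding+=" from $(pr_dquoted "$issuer_C")"
                    issuer_plain+=" from \"$issuer_C\""
               fi
               issuerfinding+=")"
               issuer_plain+=")"
          fi
          outln "$issuerfinding"
          fileout "${json_prefix}issuer" "INFO" "Issuer: $issuer_plain"
```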