ALPHA version of cert checker. TO BE INTGRATED INTO testssl.sh
This commit is contained in:
parent
3dee100ac2
commit
e117fd9612
|
@ -0,0 +1,341 @@
|
|||
#!/bin/bash
|
||||
|
||||
|
||||
# on the command line:
|
||||
# STARTTLS="-starttls $protocol"; export STARTTLS
|
||||
# protocol=smtp,impa,pop,xmpp,jabber
|
||||
|
||||
##### THIS WILL BE INTEGRATED INTO testssl.sh
|
||||
##### it has no production qualiity yet and I'll likely disregard
|
||||
##### any issues/patches until this will be done
|
||||
|
||||
|
||||
DAYS2WARN=60
|
||||
|
||||
ECHO="/bin/echo -e"
|
||||
COLOR=0
|
||||
|
||||
CA_BUNDLE="/etc/ssl/ca-bundle.pem"
|
||||
CA_BUNDLE_CMD="-CApath /etc/ssl/certs/"
|
||||
#CA_BUNDLE_CMD="-CAfile $CA_BUNDLE"
|
||||
#`openssl version -d` /certs/
|
||||
|
||||
off() {
|
||||
if [ $COLOR = 0 ]; then $ECHO "\033[m\c"; fi
|
||||
}
|
||||
|
||||
bold() {
|
||||
$ECHO "\033[1m$1"; off
|
||||
}
|
||||
|
||||
underscore() {
|
||||
$ECHO "\033[4m$1\c"; off
|
||||
}
|
||||
|
||||
|
||||
blue() {
|
||||
if [ $COLOR = 0 ]; then $ECHO "\033[1;34m$1 "; else $ECHO "**$1** "; fi
|
||||
off
|
||||
}
|
||||
|
||||
brown() {
|
||||
[ $COLOR = 0 ] && $ECHO "\033[0;33m$1 " || out "**$1** "
|
||||
off
|
||||
}
|
||||
|
||||
|
||||
green() {
|
||||
if [ $COLOR = 0 ]; then $ECHO "\033[1;32m$1 "; else $ECHO "**$1** "; fi
|
||||
off
|
||||
}
|
||||
lgreen() {
|
||||
if [ $COLOR = 0 ]; then $ECHO "\033[0;32m$1 "; else $ECHO "**$1** "; fi
|
||||
off
|
||||
}
|
||||
|
||||
red() {
|
||||
if [ $COLOR = 0 ]; then $ECHO "\033[1;31m$1 "; else $ECHO "**$1** "; fi
|
||||
off
|
||||
}
|
||||
lred() {
|
||||
if [ $COLOR = 0 ]; then $ECHO "\033[0;31m$1 "; else $ECHO "**$1** "; fi
|
||||
off
|
||||
}
|
||||
|
||||
|
||||
datebanner() {
|
||||
tojour=`date +%F`" "`date +%R`
|
||||
echo
|
||||
bold "$1 now ($tojour) ---> $NODEIP:$PORT ($NODE) <---"
|
||||
}
|
||||
|
||||
|
||||
dns() {
|
||||
ip4=`host -t a $1 | grep -v alias | sed 's/^.*address //'`
|
||||
which getent 2>&1 >/dev/null && getent ahostsv4 $1 2>&1 >/dev/null && ip4=`getent ahostsv4 $1 | awk '{ print $1}' | uniq`
|
||||
NODEIP=`echo "$ip4" | head -1`
|
||||
rDNS=`host -t PTR $NODEIP | sed -e 's/^.*pointer //' -e 's/\.$//'`
|
||||
echo $rDNS | grep -q NXDOMAIN && rDNS=""
|
||||
}
|
||||
|
||||
|
||||
display_dns() {
|
||||
$ECHO
|
||||
[ -n "$rDNS" ] && $ECHO "rDNS: $rDNS"
|
||||
if [ `echo "$ip4" | wc -l` -gt 1 ]; then
|
||||
$ECHO "$1 other IPv4 adresses:\c"
|
||||
for i in $ip4; do
|
||||
[ "$i" == "$NODEIP" ] && continue
|
||||
$ECHO " $i\c"
|
||||
done
|
||||
fi
|
||||
echo
|
||||
}
|
||||
|
||||
|
||||
############## main
|
||||
|
||||
NODE="$1"
|
||||
[ -z "$NODE" ] && echo "arg1 (=node) missing" && exit 1
|
||||
PORT=${2:-443}
|
||||
|
||||
# strip "https" and trailing urlpath supposed it was supplied additionally
|
||||
echo $NODE | grep -q 'https://' && NODE=`echo $NODE | sed -e 's/https\:\/\///' -e 's/\/.*$//'`
|
||||
|
||||
# determine port, supposed it was supplied additionally
|
||||
echo $NODE | grep -q ':' && PORT=`echo $NODE | sed 's/^.*\://'` && NODE=`echo $NODE | sed 's/\:.*$//'`
|
||||
|
||||
dns $NODE
|
||||
datebanner "Testing" $NODE
|
||||
display_dns $NODE
|
||||
|
||||
TMPDIR=`mktemp -d /tmp/checkcert.$NODE.$PORT.XXXXXX` || exit 6
|
||||
HOSTCERT_SNI="$TMPDIR/hostcert_sni.txt"
|
||||
HOSTCERT="$TMPDIR/hostcert.txt"
|
||||
|
||||
FD2_HOST_SNI="$TMPDIR/fd2_host_sni.txt"
|
||||
FD2_HOST="$TMPDIR/fd2_host.txt"
|
||||
|
||||
# test whether I can ssl to it:
|
||||
#echo | openssl s_client -connect $NODE:$PORT 2>&1 >/dev/null || exit 7
|
||||
|
||||
SNI="-servername $NODE"
|
||||
# dl pub key
|
||||
openssl s_client $STARTTLS -connect $NODEIP:$PORT $SNI 2>$FD2_HOST_SNI </dev/null | awk '/-----BEGIN/,/-----END/ { print $0 }' >$HOSTCERT_SNI
|
||||
openssl s_client $STARTTLS -connect $NODEIP:$PORT 2>$FD2_HOST </dev/null | awk '/-----BEGIN/,/-----END/ { print $0 }' >$HOSTCERT
|
||||
|
||||
#bold "\nTrust\n"
|
||||
#openssl verify -verbose $HOSTCERT
|
||||
#http://www.madboa.com/geek/openssl/#verify-standardA
|
||||
#http://www.madboa.com/geek/openssl/#verify-system
|
||||
#echo $?
|
||||
|
||||
bold "\nPubkey"
|
||||
openssl x509 -noout -in $HOSTCERT_SNI -pubkey
|
||||
|
||||
bold "\nFingerprint/Serial"
|
||||
openssl x509 -noout -in $HOSTCERT_SNI -fingerprint
|
||||
openssl x509 -noout -in $HOSTCERT_SNI -serial
|
||||
|
||||
bold "\nSignature Algorithm"
|
||||
algo=`openssl x509 -noout -in $HOSTCERT_SNI -text | grep "Signature Algorithm" | sed 's/^.*Signature Algorithm: //' | sort -u `
|
||||
case $algo in
|
||||
sha1WithRSAEncryption) brown "SHA1withRSA" ;;
|
||||
sha256WithRSAEncryption) lgreen "SHA256withRSA" ;;
|
||||
sha512WithRSAEncryption) lgreen "SHA512withRSA" ;;
|
||||
md5*) red "MD5" ;;
|
||||
*) echo $algo ;;
|
||||
#https://blog.hboeck.de/archives/754-Playing-with-the-EFF-SSL-Observatory.html
|
||||
esac
|
||||
|
||||
# Secs of a day:
|
||||
SECS2WARN=`echo "24 * 60 * 60 * $DAYS2WARN" | bc`
|
||||
|
||||
bold "\nExpiration"
|
||||
openssl x509 -noout -in $HOSTCERT_SNI -startdate -enddate
|
||||
|
||||
expire=`openssl x509 -in $HOSTCERT_SNI -checkend 0`
|
||||
if ! echo $expire | grep -qw not; then
|
||||
red "Certificate has expired!!"
|
||||
else
|
||||
expire=`openssl x509 -in $HOSTCERT_SNI -checkend $SECS2WARN`
|
||||
echo "$expire" | grep -qw not && green "Certificate is ok for the next $DAYS2WARN days" || \
|
||||
lred "Certificate will expire within the next $DAYS2WARN days!"
|
||||
fi
|
||||
|
||||
|
||||
#######
|
||||
bold "\nSubject / CN issues"
|
||||
|
||||
SAN=""
|
||||
SAN=`openssl x509 -noout -in $HOSTCERT -text | grep -A3 "Subject Alternative Name" | grep "DNS:" | sed -e 's/DNS://g' -e 's/ //g' -e 's/,/\n/g'`
|
||||
SAN_SNI=`openssl x509 -noout -in $HOSTCERT_SNI -text | grep -A3 "Subject Alternative Name" | grep "DNS:" | sed -e 's/DNS://g' -e 's/ //g' -e 's/,/\n/g'`
|
||||
|
||||
subject_sni=`openssl x509 -noout -in $HOSTCERT_SNI -subject | sed 's/subject= //'`
|
||||
subject_str=`openssl x509 -noout -in $HOSTCERT -subject | sed 's/subject= //'`
|
||||
CN_SNI=`echo $subject_sni | sed -e 's/^.*CN=//' -e 's/\/emailAdd.*//'`
|
||||
CN=`echo $subject_str | sed -e 's/^.*CN=//' -e 's/\/emailAdd.*//'`
|
||||
$ECHO -n "Common Name: "; underscore "$CN_SNI"
|
||||
|
||||
test "$DEBUG" && $ECHO " ($subject_sni" # complete certificate subject
|
||||
test "$DEBUG" && $ECHO " ($subject_str)" # complete certificate subject
|
||||
#openssl x509 -noout -in $HOSTCERT_SNI -serial -startdate -enddate -dates -subject -issuer -email -ocsp_uri -ocspid -purpose >$TMPDIR/textout_sni.txt
|
||||
openssl x509 -noout -in $HOSTCERT_SNI -text >$TMPDIR/textout_level0.cert_sni.txt
|
||||
|
||||
MATCHOK=0
|
||||
REASON_MATCH=""
|
||||
|
||||
if [ "$CN_SNI" != "$CN" ]; then
|
||||
$ECHO "\nSNI mandatory, otherwise \c"; underscore "$CN\c"; $ECHO " matches\c"
|
||||
#FIXME: e.g. google.de hast google.com as $CN, and google.com includes SAN *.google.de
|
||||
else
|
||||
$ECHO " no SNI needed \c"
|
||||
# haken? siehe lists.appsec.eu vs pm.appsec.eu --> beide haben wildcard
|
||||
fi
|
||||
|
||||
if [ "$NODE" == "$CN" ]; then
|
||||
# $ECHO " matches hostname directly, "
|
||||
REASON_MATCH="direct match,"
|
||||
MATCHOK=1
|
||||
elif [ "$CN_SNI" == "$NODE" ]; then ###?????
|
||||
# $ECHO " matches hostname via SNI, "
|
||||
REASON_MATCH="SNI,"
|
||||
MATCHOK=1
|
||||
fi
|
||||
|
||||
if [ x"$SAN_SNI" != x"$CN_SNI" ]; then
|
||||
$ECHO "\nSAN exist:\c"
|
||||
for subjectAltName in `$ECHO $SAN_SNI`; do
|
||||
if [ "$NODE" == "$subjectAltName" ] ; then
|
||||
underscore "$subjectAltName, \c"
|
||||
REASON_MATCH="$REASON_MATCH SAN,"
|
||||
MATCHOK=1
|
||||
else
|
||||
$ECHO " $subjectAltName, \c"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
if echo "$CN_SNI" | grep -q '^\*'; then
|
||||
# *.domain.tld = *.domain.tld
|
||||
[ "*.$NODE" == "$CN_SNI" ] && REASON_MATCH="$REASON_MATCH Wildcard (all subdomains)" && MATCHOK=1
|
||||
# expr: können mehrere Gründe sein!
|
||||
|
||||
# prefix.domain.tld = *.domain.tld
|
||||
domaintld=`echo $NODE | sed 's/^[0-9a-zA-Z]*\.//1'`
|
||||
[ "*.$domaintld" == "$CN_SNI" ] && REASON_MATCH="$REASON_MATCH Wildcard (from TLD)" && MATCHOK=1
|
||||
fi
|
||||
|
||||
if [ $MATCHOK -eq 1 ] ; then
|
||||
green "\nMatch OK\c"
|
||||
$ECHO ": $REASON_MATCH"
|
||||
else
|
||||
red "\nMatch failed"
|
||||
fi
|
||||
|
||||
|
||||
bold "\n\nCertificate chain\c"
|
||||
#openssl x509 -text -in $HOSTCERT | awk '/Certificate chain/,/--/ { print $0 }' | sed -e 's/---//' -e 's/Certificate chain//'
|
||||
openssl s_client $STARTTLS -connect $NODEIP:$PORT $SNI 2>/dev/null </dev/null | awk '/Certificate chain/,/--/ { print $0 }' | sed -e 's/---//' -e 's/Certificate chain//' | tee $TMPDIR/all-chain.txt
|
||||
|
||||
# so alle einsacken:
|
||||
#openssl s_client -showcerts -connect $NODEIP:$PORT $SNI 2>/dev/null </dev/null | awk '/-----BEGIN/,/-----END/ { print $0 }'
|
||||
savedir=`pwd`; cd $TMPDIR
|
||||
openssl s_client -showcerts $STARTTLS -connect $NODEIP:$PORT $SNI 2>/dev/null </dev/null | \
|
||||
awk -v c=-1 '/-----BEGIN CERTIFICATE-----/{inc=1;c++} inc {print > ("level" c ".crt")} /---END CERTIFICATE-----/{inc=0}'
|
||||
nrsaved=`ls level?.crt | wc -w`
|
||||
$ECHO "retrieved $nrsaved pub certs"
|
||||
# die CA Kette hochgehen
|
||||
for i in level?.crt; do openssl x509 -noout -serial -subject -issuer -in "$i"; echo; done > all.serial-subject-issuer.txt
|
||||
NR_RETRIEVED=`ls -1 level* | wc -l`
|
||||
cd $savedir
|
||||
|
||||
bold "\nChecking issuer chain against local certs"
|
||||
issuerok=`echo | openssl s_client $CA_BUNDLE_CMD -connect $NODEIP:$PORT 2>/dev/null | grep "Verify return code" | sed 's/^.*Verify return code: //'`
|
||||
if echo $issuerok | grep -qw ok ; then
|
||||
green "$issuerok"
|
||||
else
|
||||
red "$issuerok"
|
||||
fi
|
||||
|
||||
bold "\nE-mail"
|
||||
email=`openssl x509 -noout -in $HOSTCERT_SNI -email`
|
||||
[ x"$email" == "x" ] && underscore "<none>" || echo "$email"
|
||||
echo
|
||||
|
||||
|
||||
|
||||
bold "\nOCSP"
|
||||
echo -en "URL: "
|
||||
ocsp_uri=`openssl x509 -noout -in $HOSTCERT_SNI -ocsp_uri`
|
||||
[ x"$ocsp_uri" == "x" ] && lred "<none>" || echo "$ocsp_uri"
|
||||
|
||||
|
||||
# ARG1: level2check
|
||||
# ARG2: issuer of level2check cert
|
||||
check_revocation() {
|
||||
#FIXME: check ocsp/ocsp stapling with CA
|
||||
# * CRLs/OCSP abfragen (http://backreference.org/2010/05/09/ocsp-verification-with-openssl/)
|
||||
|
||||
#FIXME:
|
||||
#ocsp_uri=`openssl x509 -noout -in level$1.crt -ocsp_uri`
|
||||
|
||||
[ -z "$ocsp_uri" ] && lred ".. doesn't have a OCSP URL" && return 1
|
||||
addissuer=""
|
||||
if [ -s $TMPDIR/level$2.crt ]; then
|
||||
addissuer="-issuer $TMPDIR/level$2.crt"
|
||||
NO_ISSUER_PROVIDED=0
|
||||
else
|
||||
addissuer="-issuer $CA_BUNDLE"
|
||||
NO_ISSUER_PROVIDED=1
|
||||
fi
|
||||
|
||||
ocsp_hostheader=`echo $ocsp_uri | sed -e 's/http\:\/\///' -e 's/\/.*$//'` #sometimes needed
|
||||
openssl ocsp $CA_BUNDLE_CMD $addissuer -cert $TMPDIR/level$1.crt -text -url $ocsp_uri -header HOST $ocsp_hostheader &>$TMPDIR/ocsp-longresponse$1.txt
|
||||
openssl ocsp $CA_BUNDLE_CMD $addissuer -cert $TMPDIR/level$1.crt -url $ocsp_uri -header HOST $ocsp_hostheader &>$TMPDIR/ocsp-response$1.txt
|
||||
|
||||
#tmpdir_escaped=`echo $TMPDIR | sed 's/\//\\\//g'`
|
||||
#cat $TMPDIR/ocsp-response.txt | egrep -v "^WARNING: no nonce|^Response Verify Failure|OCSP_basic_verify" | sed 's/'"${tmpdir_escaped}"'//'
|
||||
cat $TMPDIR/ocsp-response$1.txt | egrep -v "^WARNING: no nonce|^Response Verify Failure|OCSP_basic_verify" | sed 's/^.*level/level/'
|
||||
if grep -q "level$1.crt.*good" $TMPDIR/ocsp-response$1.txt ; then
|
||||
green "not revoked (OK)\c"
|
||||
else
|
||||
lred "pls check manually (hint: $TMPDIR/ocsp-longresponse$1.txt). \c"
|
||||
[ $NO_ISSUER_PROVIDED -eq 0 ] && lred " Also the chain might be incomplete\c"
|
||||
fi
|
||||
}
|
||||
|
||||
bold "\nChecking whether server certs have been revoked"
|
||||
#set -x
|
||||
#for level in `seq 1 $NR_RETRIEVED`; do
|
||||
for level in 1; do
|
||||
minus1=`expr $level - 1`
|
||||
$ECHO "##### level$minus1 #####"
|
||||
check_revocation $minus1 $level
|
||||
$ECHO
|
||||
done
|
||||
#set +x
|
||||
|
||||
|
||||
bold "\nPurpose"
|
||||
openssl x509 -noout -in $HOSTCERT_SNI -purpose | grep -v 'Certificate purpose' | grep -i yes
|
||||
|
||||
datebanner "Done" $NODE
|
||||
echo
|
||||
|
||||
printf "logdir is $TMPDIR . Save it? "
|
||||
read a
|
||||
case $a in
|
||||
y|Y|yes|YES) cp -a $TMPDIR $PWD && echo "saved $TMPDIR to $PWD" ;;
|
||||
*) $ECHO "left $TMPDIR"
|
||||
esac
|
||||
|
||||
|
||||
#rm -rf $TMPDIR
|
||||
|
||||
exit 0
|
||||
|
||||
# vim:ts=5:sw=5
|
||||
# $Id: checkcert.sh,v 1.20 2014/09/16 22:38:03 dirkw Exp $
|
||||
|
||||
|
Loading…
Reference in New Issue