Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-03 23:39:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Check keyUsage and extended key usage extensions

Browse Source 
This commit prints the contents of the keyUsage and extended key usage extensions in certificates and checks the public keys in the certificates are not being used in a manner that is inconsistent with these extensions.
This commit is contained in:
David Cooper 2018-01-19 11:31:45 -05:00 committed by David Cooper
parent 7a10e5514f
commit f0c9875696
1 changed files with 47 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
testssl.sh
View File

@ -6346,11 +6346,12 @@ certificate_info() {
local -i number_of_certificates=$2 local -i number_of_certificates=$2
local cipher=$3 local cipher=$3
local cert_keysize=$4 local cert_keysize=$4
local ocsp_response=$5 local cert_type="$5"
local ocsp_response_status=$6 local ocsp_response=$6
local sni_used=$7 local ocsp_response_status=$7
local ct="$8" local sni_used=$8
local cert_sig_algo cert_sig_hash_algo cert_key_algo local ct="$9"
local cert_sig_algo cert_sig_hash_algo cert_key_algo cert_keyusage cert_ext_keyusage
local expire days2expire secs2warn ocsp_uri crl local expire days2expire secs2warn ocsp_uri crl
local startdate enddate issuer_CN issuer_C issuer_O issuer sans san all_san="" cn local startdate enddate issuer_CN issuer_C issuer_O issuer sans san all_san="" cn
local issuer_DC issuerfinding cn_nosni="" local issuer_DC issuerfinding cn_nosni=""
@ -6568,6 +6569,36 @@ certificate_info() {
fi fi
fi fi
out "$indent"; pr_bold " Server key usage ";
cert_keyusage=$($OPENSSL x509 -text -noout -in $HOSTCERT 2>>$ERRFILE | grep -A 1 "X509v3 Key Usage:" | tail -n +2 | sed 's/^[ \t]*//')
if [[ -n "$cert_keyusage" ]]; then
outln "$cert_keyusage"
if ( [[ " $cert_type " =~ " RSASig " ]] || [[ " $cert_type " =~ " DSA " ]] || [[ " $cert_type " =~ " ECDSA " ]] ) && \
[[ ! "$cert_keyusage" =~ "Digital Signature" ]]; then
prln_svrty_high "$indent -- certificate incorrectly used for digital signatures"
fi
if [[ " $cert_type " =~ " RSAKMK " ]] && [[ ! "$cert_keyusage" =~ "Key Encipherment" ]]; then
prln_svrty_high "$indent -- certificate incorrectly used for key encipherment"
fi
if ( [[ " $cert_type " =~ " DH " ]] || [[ " $cert_type " =~ " ECDH " ]] ) && \
[[ ! "$cert_keyusage" =~ "Key Agreement" ]]; then
prln_svrty_high "$indent -- certificate incorrectly used for key agreement"
fi
else
outln "(absent)"
fi
out "$indent"; pr_bold " Server extended key usage ";
cert_ext_keyusage="$($OPENSSL x509 -noout -text -in $HOSTCERT 2>>$ERRFILE | grep -A 1 "X509v3 Extended Key Usage: " | tail -1 | sed 's/^[ \t]*//')"
if [[ -n "$cert_ext_keyusage" ]]; then
outln "$cert_ext_keyusage"
if [[ ! "$cert_ext_keyusage" =~ "TLS Web Server Authentication" ]] && [[ ! "$cert_ext_keyusage" =~ "Any Extended Key Usage" ]]; then
prln_svrty_high "$indent -- certificate incorrectly used for TLS Web Server Authentication"
fi
else
outln "(absent)"
fi
out "$indent"; pr_bold " Fingerprint / Serial " out "$indent"; pr_bold " Fingerprint / Serial "
cert_fingerprint_sha1="$($OPENSSL x509 -noout -in $HOSTCERT -fingerprint -sha1 2>>$ERRFILE | sed 's/Fingerprint=//' | sed 's/://g')" cert_fingerprint_sha1="$($OPENSSL x509 -noout -in $HOSTCERT -fingerprint -sha1 2>>$ERRFILE | sed 's/Fingerprint=//' | sed 's/://g')"
cert_fingerprint_serial="$($OPENSSL x509 -noout -in $HOSTCERT -serial 2>>$ERRFILE | sed 's/serial=//')" cert_fingerprint_serial="$($OPENSSL x509 -noout -in $HOSTCERT -serial 2>>$ERRFILE | sed 's/serial=//')"
@ -7005,9 +7036,9 @@ run_server_defaults() {
local sessticket_lifetime_hint="" lifetime unit local sessticket_lifetime_hint="" lifetime unit
local -i i n local -i i n
local -i certs_found=0 local -i certs_found=0
local -a previous_hostcert previous_intermediates keysize cipher local -a previous_hostcert previous_hostcert_type previous_intermediates keysize cipher
local -a ocsp_response ocsp_response_status sni_used tls_version ct local -a ocsp_response ocsp_response_status sni_used tls_version ct
local -a ciphers_to_test local -a ciphers_to_test certificate_type
local -a -i success local -a -i success
local cn_nosni cn_sni sans_nosni sans_sni san tls_extensions local cn_nosni cn_sni sans_nosni sans_sni san tls_extensions
@ -7035,6 +7066,10 @@ run_server_defaults() {
ciphers_to_test[5]="aECDH" ciphers_to_test[5]="aECDH"
ciphers_to_test[6]="aECDSA" ciphers_to_test[6]="aECDSA"
ciphers_to_test[7]="aGOST" ciphers_to_test[7]="aGOST"
certificate_type[1]="RSASig" ; certificate_type[2]="RSAKMK"
certificate_type[3]="DSA"; certificate_type[4]="DH"
certificate_type[5]="ECDH" ; certificate_type[6]="ECDSA"
certificate_type[7]="GOST"
for (( n=1; n <= 14 ; n++ )); do for (( n=1; n <= 14 ; n++ )); do
# Some servers use a different certificate if the ClientHello # Some servers use a different certificate if the ClientHello
@ -7043,7 +7078,7 @@ run_server_defaults() {
# try again, but only with TLSv1.1 and without SNI. # try again, but only with TLSv1.1 and without SNI.
if [[ $n -ge 8 ]]; then if [[ $n -ge 8 ]]; then
ciphers_to_test[n]="" ciphers_to_test[n]=""
[[ ${success[n-7]} -eq 0 ]] && ciphers_to_test[n]="${ciphers_to_test[n-7]}" [[ ${success[n-7]} -eq 0 ]] && ciphers_to_test[n]="${ciphers_to_test[n-7]}" && certificate_type[n]="${certificate_type[n-7]}"
fi fi
if [[ -n "${ciphers_to_test[n]}" ]] && [[ $(count_ciphers $($OPENSSL ciphers "${ciphers_to_test[n]}" 2>>$ERRFILE)) -ge 1 ]]; then if [[ -n "${ciphers_to_test[n]}" ]] && [[ $(count_ciphers $($OPENSSL ciphers "${ciphers_to_test[n]}" 2>>$ERRFILE)) -ge 1 ]]; then
@ -7129,6 +7164,9 @@ run_server_defaults() {
previous_intermediates[certs_found]=$(cat $TEMPDIR/intermediatecerts.pem) previous_intermediates[certs_found]=$(cat $TEMPDIR/intermediatecerts.pem)
[[ $n -ge 8 ]] && sni_used[certs_found]="" || sni_used[certs_found]="$SNI" [[ $n -ge 8 ]] && sni_used[certs_found]="" || sni_used[certs_found]="$SNI"
tls_version[certs_found]="$DETECTED_TLS_VERSION" tls_version[certs_found]="$DETECTED_TLS_VERSION"
previous_hostcert_type[certs_found]=" ${certificate_type[n]}"
else
previous_hostcert_type[i]+=" ${certificate_type[n]}"
fi fi
fi fi
fi fi
@ -7260,7 +7298,7 @@ run_server_defaults() {
for (( i=1; i <= certs_found; i++ )); do for (( i=1; i <= certs_found; i++ )); do
echo "${previous_hostcert[i]}" > $HOSTCERT echo "${previous_hostcert[i]}" > $HOSTCERT
echo "${previous_intermediates[i]}" > $TEMPDIR/intermediatecerts.pem echo "${previous_intermediates[i]}" > $TEMPDIR/intermediatecerts.pem
certificate_info "$i" "$certs_found" "${cipher[i]}" "${keysize[i]}" "${ocsp_response[i]}" "${ocsp_response_status[i]}" "${sni_used[i]}" "${ct[i]}" certificate_info "$i" "$certs_found" "${cipher[i]}" "${keysize[i]}" "${previous_hostcert_type[i]}" "${ocsp_response[i]}" "${ocsp_response_status[i]}" "${sni_used[i]}" "${ct[i]}"
done done
} }