testssl.sh/utils/checkcert.sh

344 lines
10 KiB
Bash
Executable File

#!/usr/bin/env bash
# on the command line:
# STARTTLS="-starttls $protocol"; export STARTTLS
# protocol=smtp,impa,pop,xmpp,jabber
##### THIS WILL BE INTEGRATED INTO testssl.sh
##### it has no production qualiity yet and I'll likely disregard
##### any issues/patches until this will be done
#
# license is GPLv2, see file LICENSE
DAYS2WARN=60
ECHO="/bin/echo -e"
COLOR=0
CA_BUNDLE="/etc/ssl/ca-bundle.pem"
CA_BUNDLE_CMD="-CApath /etc/ssl/certs/"
#CA_BUNDLE_CMD="-CAfile $CA_BUNDLE"
#`openssl version -d` /certs/
off() {
if [ $COLOR = 0 ]; then $ECHO "\033[m\c"; fi
}
bold() {
$ECHO "\033[1m$1"; off
}
underscore() {
$ECHO "\033[4m$1\c"; off
}
blue() {
if [ $COLOR = 0 ]; then $ECHO "\033[1;34m$1 "; else $ECHO "**$1** "; fi
off
}
brown() {
[ $COLOR = 0 ] && $ECHO "\033[0;33m$1 " || out "**$1** "
off
}
green() {
if [ $COLOR = 0 ]; then $ECHO "\033[1;32m$1 "; else $ECHO "**$1** "; fi
off
}
lgreen() {
if [ $COLOR = 0 ]; then $ECHO "\033[0;32m$1 "; else $ECHO "**$1** "; fi
off
}
red() {
if [ $COLOR = 0 ]; then $ECHO "\033[1;31m$1 "; else $ECHO "**$1** "; fi
off
}
lred() {
if [ $COLOR = 0 ]; then $ECHO "\033[0;31m$1 "; else $ECHO "**$1** "; fi
off
}
datebanner() {
tojour=`date +%F`" "`date +%R`
echo
bold "$1 now ($tojour) ---> $NODEIP:$PORT ($NODE) <---"
}
dns() {
ip4=`host -t a $1 | grep -v alias | sed 's/^.*address //'`
command -v getent 2>&1 >/dev/null && getent ahostsv4 $1 2>&1 >/dev/null && ip4=`getent ahostsv4 $1 | awk '{ print $1}' | uniq`
NODEIP=`echo "$ip4" | head -1`
rDNS=`host -t PTR $NODEIP | sed -e 's/^.*pointer //' -e 's/\.$//'`
echo $rDNS | grep -q NXDOMAIN && rDNS=""
}
display_dns() {
$ECHO
[ -n "$rDNS" ] && $ECHO "rDNS: $rDNS"
if [ `echo "$ip4" | wc -l` -gt 1 ]; then
$ECHO "$1 other IPv4 addresses:\c"
for i in $ip4; do
[ "$i" == "$NODEIP" ] && continue
$ECHO " $i\c"
done
fi
echo
}
############## main
NODE="$1"
[ -z "$NODE" ] && echo "arg1 (=node) missing" && exit 1
PORT=${2:-443}
# strip "https" and trailing urlpath supposed it was supplied additionally
echo $NODE | grep -q 'https://' && NODE=`echo $NODE | sed -e 's/https\:\/\///' -e 's/\/.*$//'`
# determine port, supposed it was supplied additionally
echo $NODE | grep -q ':' && PORT=`echo $NODE | sed 's/^.*\://'` && NODE=`echo $NODE | sed 's/\:.*$//'`
dns $NODE
datebanner "Testing" $NODE
display_dns $NODE
TMPDIR=`mktemp -d /tmp/checkcert.$NODE.$PORT.XXXXXX` || exit 6
HOSTCERT_SNI="$TMPDIR/hostcert_sni.txt"
HOSTCERT="$TMPDIR/hostcert.txt"
FD2_HOST_SNI="$TMPDIR/fd2_host_sni.txt"
FD2_HOST="$TMPDIR/fd2_host.txt"
# test whether I can ssl to it:
#echo | openssl s_client -connect $NODE:$PORT 2>&1 >/dev/null || exit 7
SNI="-servername $NODE"
# dl pub key
openssl s_client $STARTTLS -connect $NODEIP:$PORT $SNI 2>$FD2_HOST_SNI </dev/null | awk '/-----BEGIN/,/-----END/ { print $0 }' >$HOSTCERT_SNI
openssl s_client $STARTTLS -connect $NODEIP:$PORT 2>$FD2_HOST </dev/null | awk '/-----BEGIN/,/-----END/ { print $0 }' >$HOSTCERT
#bold "\nTrust\n"
#openssl verify -verbose $HOSTCERT
#http://www.madboa.com/geek/openssl/#verify-standardA
#http://www.madboa.com/geek/openssl/#verify-system
#echo $?
bold "\nPubkey"
openssl x509 -noout -in $HOSTCERT_SNI -pubkey
bold "\nFingerprint/Serial"
openssl x509 -noout -in $HOSTCERT_SNI -fingerprint
openssl x509 -noout -in $HOSTCERT_SNI -serial
bold "\nSignature Algorithm"
algo=`openssl x509 -noout -in $HOSTCERT_SNI -text | grep "Signature Algorithm" | sed 's/^.*Signature Algorithm: //' | sort -u `
case $algo in
sha1WithRSAEncryption) brown "SHA1withRSA" ;;
sha256WithRSAEncryption) lgreen "SHA256withRSA" ;;
sha512WithRSAEncryption) lgreen "SHA512withRSA" ;;
md5*) red "MD5" ;;
*) echo $algo ;;
#https://blog.hboeck.de/archives/754-Playing-with-the-EFF-SSL-Observatory.html
esac
# Secs of a day:
SECS2WARN=`echo "24 * 60 * 60 * $DAYS2WARN" | bc`
bold "\nExpiration"
openssl x509 -noout -in $HOSTCERT_SNI -startdate -enddate
expire=`openssl x509 -in $HOSTCERT_SNI -checkend 0`
if ! echo $expire | grep -qw not; then
red "Certificate has expired!!"
else
expire=`openssl x509 -in $HOSTCERT_SNI -checkend $SECS2WARN`
echo "$expire" | grep -qw not && green "Certificate is ok for the next $DAYS2WARN days" || \
lred "Certificate will expire within the next $DAYS2WARN days!"
fi
#######
bold "\nSubject / CN issues"
SAN=""
SAN=`openssl x509 -noout -in $HOSTCERT -text | grep -A3 "Subject Alternative Name" | grep "DNS:" | sed -e 's/DNS://g' -e 's/ //g' -e 's/,/\n/g'`
SAN_SNI=`openssl x509 -noout -in $HOSTCERT_SNI -text | grep -A3 "Subject Alternative Name" | grep "DNS:" | sed -e 's/DNS://g' -e 's/ //g' -e 's/,/\n/g'`
subject_sni=`openssl x509 -noout -in $HOSTCERT_SNI -subject | sed 's/subject= //'`
subject_str=`openssl x509 -noout -in $HOSTCERT -subject | sed 's/subject= //'`
CN_SNI=`echo $subject_sni | sed -e 's/^.*CN=//' -e 's/\/emailAdd.*//'`
CN=`echo $subject_str | sed -e 's/^.*CN=//' -e 's/\/emailAdd.*//'`
$ECHO -n "Common Name: "; underscore "$CN_SNI"
test "$DEBUG" && $ECHO " ($subject_sni" # complete certificate subject
test "$DEBUG" && $ECHO " ($subject_str)" # complete certificate subject
#openssl x509 -noout -in $HOSTCERT_SNI -serial -startdate -enddate -dates -subject -issuer -email -ocsp_uri -ocspid -purpose >$TMPDIR/textout_sni.txt
openssl x509 -noout -in $HOSTCERT_SNI -text >$TMPDIR/textout_level0.cert_sni.txt
MATCHOK=0
REASON_MATCH=""
if [ "$CN_SNI" != "$CN" ]; then
$ECHO "\nSNI mandatory, otherwise \c"; underscore "$CN\c"; $ECHO " matches\c"
#FIXME: e.g. google.de hast google.com as $CN, and google.com includes SAN *.google.de
else
$ECHO " no SNI needed \c"
# haken? siehe lists.appsec.eu vs pm.appsec.eu --> beide haben wildcard
fi
if [ "$NODE" == "$CN" ]; then
# $ECHO " matches hostname directly, "
REASON_MATCH="direct match,"
MATCHOK=1
elif [ "$CN_SNI" == "$NODE" ]; then ###?????
# $ECHO " matches hostname via SNI, "
REASON_MATCH="SNI,"
MATCHOK=1
fi
if [ x"$SAN_SNI" != x"$CN_SNI" ]; then
$ECHO "\nSAN exist:\c"
for subjectAltName in `$ECHO $SAN_SNI`; do
if [ "$NODE" == "$subjectAltName" ] ; then
underscore "$subjectAltName, \c"
REASON_MATCH="$REASON_MATCH SAN,"
MATCHOK=1
else
$ECHO " $subjectAltName, \c"
fi
done
fi
if echo "$CN_SNI" | grep -q '^\*'; then
# *.domain.tld = *.domain.tld
[ "*.$NODE" == "$CN_SNI" ] && REASON_MATCH="$REASON_MATCH Wildcard (all subdomains)" && MATCHOK=1
# expr: können mehrere Gründe sein!
# prefix.domain.tld = *.domain.tld
domaintld=`echo $NODE | sed 's/^[0-9a-zA-Z]*\.//1'`
[ "*.$domaintld" == "$CN_SNI" ] && REASON_MATCH="$REASON_MATCH Wildcard (from TLD)" && MATCHOK=1
fi
if [ $MATCHOK -eq 1 ] ; then
green "\nMatch OK\c"
$ECHO ": $REASON_MATCH"
else
red "\nMatch failed"
fi
bold "\n\nCertificate chain\c"
#openssl x509 -text -in $HOSTCERT | awk '/Certificate chain/,/--/ { print $0 }' | sed -e 's/---//' -e 's/Certificate chain//'
openssl s_client $STARTTLS -connect $NODEIP:$PORT $SNI 2>/dev/null </dev/null | awk '/Certificate chain/,/--/ { print $0 }' | sed -e 's/---//' -e 's/Certificate chain//' | tee $TMPDIR/all-chain.txt
# so alle einsacken:
#openssl s_client -showcerts -connect $NODEIP:$PORT $SNI 2>/dev/null </dev/null | awk '/-----BEGIN/,/-----END/ { print $0 }'
savedir=`pwd`; cd $TMPDIR
openssl s_client -showcerts $STARTTLS -connect $NODEIP:$PORT $SNI 2>/dev/null </dev/null | \
awk -v c=-1 '/-----BEGIN CERTIFICATE-----/{inc=1;c++} inc {print > ("level" c ".crt")} /---END CERTIFICATE-----/{inc=0}'
nrsaved=`ls level?.crt | wc -w`
$ECHO "retrieved $nrsaved pub certs"
# die CA Kette hochgehen
for i in level?.crt; do openssl x509 -noout -serial -subject -issuer -in "$i"; echo; done > all.serial-subject-issuer.txt
NR_RETRIEVED=`ls -1 level* | wc -l`
cd $savedir
bold "\nChecking issuer chain against local certs"
issuerok=`echo | openssl s_client $CA_BUNDLE_CMD -connect $NODEIP:$PORT 2>/dev/null | grep "Verify return code" | sed 's/^.*Verify return code: //'`
if echo $issuerok | grep -qw ok ; then
green "$issuerok"
else
red "$issuerok"
fi
bold "\nE-mail"
email=`openssl x509 -noout -in $HOSTCERT_SNI -email`
[ x"$email" == "x" ] && underscore "<none>" || echo "$email"
echo
bold "\nOCSP"
echo -en "URL: "
ocsp_uri=`openssl x509 -noout -in $HOSTCERT_SNI -ocsp_uri`
[ x"$ocsp_uri" == "x" ] && lred "<none>" || echo "$ocsp_uri"
# ARG1: level2check
# ARG2: issuer of level2check cert
check_revocation() {
#FIXME: check ocsp/ocsp stapling with CA
# * CRLs/OCSP abfragen (http://backreference.org/2010/05/09/ocsp-verification-with-openssl/)
#FIXME:
#ocsp_uri=`openssl x509 -noout -in level$1.crt -ocsp_uri`
[ -z "$ocsp_uri" ] && lred ".. doesn't have a OCSP URL" && return 1
addissuer=""
if [ -s $TMPDIR/level$2.crt ]; then
addissuer="-issuer $TMPDIR/level$2.crt"
NO_ISSUER_PROVIDED=0
else
addissuer="-issuer $CA_BUNDLE"
NO_ISSUER_PROVIDED=1
fi
ocsp_hostheader=`echo $ocsp_uri | sed -e 's/http\:\/\///' -e 's/\/.*$//'` #sometimes needed
openssl ocsp $CA_BUNDLE_CMD $addissuer -cert $TMPDIR/level$1.crt -text -url $ocsp_uri -header HOST $ocsp_hostheader &>$TMPDIR/ocsp-longresponse$1.txt
openssl ocsp $CA_BUNDLE_CMD $addissuer -cert $TMPDIR/level$1.crt -url $ocsp_uri -header HOST $ocsp_hostheader &>$TMPDIR/ocsp-response$1.txt
#tmpdir_escaped=`echo $TMPDIR | sed 's/\//\\\//g'`
#cat $TMPDIR/ocsp-response.txt | grep -Ev "^WARNING: no nonce|^Response Verify Failure|OCSP_basic_verify" | sed 's/'"${tmpdir_escaped}"'//'
cat $TMPDIR/ocsp-response$1.txt | grep -Ev "^WARNING: no nonce|^Response Verify Failure|OCSP_basic_verify" | sed 's/^.*level/level/'
if grep -q "level$1.crt.*good" $TMPDIR/ocsp-response$1.txt ; then
green "not revoked (OK)\c"
else
lred "pls check manually (hint: $TMPDIR/ocsp-longresponse$1.txt). \c"
[ $NO_ISSUER_PROVIDED -eq 0 ] && lred " Also the chain might be incomplete\c"
fi
}
bold "\nChecking whether server certs have been revoked"
#set -x
#for level in `seq 1 $NR_RETRIEVED`; do
for level in 1; do
minus1=`expr $level - 1`
$ECHO "##### level$minus1 #####"
check_revocation $minus1 $level
$ECHO
done
#set +x
bold "\nPurpose"
openssl x509 -noout -in $HOSTCERT_SNI -purpose | grep -v 'Certificate purpose' | grep -i yes
datebanner "Done" $NODE
echo
printf "logdir is $TMPDIR . Save it? "
read a
case $a in
y|Y|yes|YES) cp -a $TMPDIR $PWD && echo "saved $TMPDIR to $PWD" ;;
*) $ECHO "left $TMPDIR"
esac
#rm -rf $TMPDIR
exit 0
# vim:ts=5:sw=5:expandtab
# $Id: checkcert.sh,v 1.20 2014/09/16 22:38:03 dirkw Exp $