
Commit 02239be

committed
Detect multiple certificates cleanup
This corrects the indentation within determine_trust() when there are multiple certificates and the output for "Chain of trust (experim.)" takes up more than one line. In addition, it fixes the ID field of the JSON output for entries related to the certificate. At the moment, each ID string begins with a blank space. This changes it to remove the space if there is one certificate and to add "Server Certificate #X" at the beginning of each ID if there is more than one certificate. Perhaps there's a better way than just using, for example, "Server Certificate #1 key_size" as a way to distinguish multiple "key_size" entries in the JSON file. This is just one idea, and it can certainly be changed if those who intend to use the JSON output prefer something else.
1 parent 70cd658 commit 02239be


1 file changed

+56
-50
lines changed


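--- a/testssl.sh
+++ b/testssl.sh
@@ -2658,7 +2658,7 @@ verify_retcode_helper() {
 }
 
 determine_trust() {
-local heading=$1
+local json_prefix=$1
 local -i i=1
 local -i num_ca_bundles=0
 local bundle_fname
@@ -2669,16 +2669,20 @@ determine_trust() {
 local some_ok=false
 local code
 local ca_bundles="$INSTALL_DIR/etc/*.pem"
-local spaces=" "
+local spaces=" "
 local -i certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem)
 local addtl_warning
+
+# If $json_prefix is not empty, then there is more than one certificate
+# and the output should should be indented by two more spaces.
+[[ -n $json_prefix ]] && spaces=" "
 
 if [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR == "1.1.0" ]]; then
 addtl_warning="(Your openssl 1.1.0 might be too new for a reliable check)"
-fileout "$heading trust" "WARN" "Your $OPENSSL is too new, need version 1.0.2 to determine trust"
+fileout "${json_prefix}trust" "WARN" "Your $OPENSSL is too new, need version 1.0.2 to determine trust"
 elif [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.0.2" ]]; then
 addtl_warning="(Your openssl <= 1.0.2 might be too unreliable to determine trust)"
-fileout "$heading trust_warn" "WARN" "$addtl_warning"
+fileout "${json_prefix}trust_warn" "WARN" "$addtl_warning"
 fi
 debugme outln
 for bundle_fname in $ca_bundles; do
@@ -2715,15 +2719,15 @@ determine_trust() {
 if $all_ok; then
 # all stores ok
 pr_litegreen "Ok "; pr_litemagenta "$addtl_warning"
-fileout "$heading trust" "OK" "All certificate trust checks passed. $addtl_warning"
+fileout "${json_prefix}trust" "OK" "All certificate trust checks passed. $addtl_warning"
 else
 # at least one failed
 pr_red "NOT ok"
 if ! $some_ok; then
 # all failed (we assume with the same issue), we're displaying the reason
 out " "
 verify_retcode_helper "${verify_retcode[2]}"
-fileout "$heading trust" "NOT OK" "All certificate trust checks failed: $(verify_retcode_helper "${verify_retcode[2]}"). $addtl_warning"
+fileout "${json_prefix}trust" "NOT OK" "All certificate trust checks failed: $(verify_retcode_helper "${verify_retcode[2]}"). $addtl_warning"
 else
 # is one ok and the others not ==> display the culprit store
 if $some_ok ; then
@@ -2746,7 +2750,7 @@ determine_trust() {
 [[ "$DEBUG" -eq 0 ]] && out "$spaces"
 pr_litegreen "OK: $ok_was"
 fi
-fileout "$heading trust" "NOT OK" "Some certificate trust checks failed : OK : $ok_was NOT ok: $notok_was $addtl_warning"
+fileout "${json_prefix}trust" "NOT OK" "Some certificate trust checks failed : OK : $ok_was NOT ok: $notok_was $addtl_warning"
 fi
 [[ -n "$addtl_warning" ]] && out "\n$spaces" && pr_litemagenta "$addtl_warning"
 fi
@@ -2895,13 +2899,15 @@ certificate_info() {
 local cnfinding
 local cnok="OK"
 local expfinding expok="OK"
+local json_prefix="" # string to place at begging of JSON IDs when there is more than one certificate
 local indent=""
 
 if [[ $number_of_certificates -gt 1 ]]; then
 [[ $certificate_number -eq 1 ]] && outln
 indent=" "
 out "$indent"
 pr_headlineln "Server Certificate #$certificate_number"
+json_prefix="Server Certificate #$certificate_number "
 spaces=" "
 else
 spaces=" "
@@ -2914,41 +2920,41 @@ certificate_info() {
 case $sig_algo in
 sha1WithRSAEncryption)
 pr_brownln "SHA1 with RSA"
-fileout "$heading algorithm" "WARN" "Signature Algorithm: SHA1 with RSA (warning)"
+fileout "${json_prefix}algorithm" "WARN" "Signature Algorithm: SHA1 with RSA (warning)"
 ;;
 sha256WithRSAEncryption)
 pr_litegreenln "SHA256 with RSA"
-fileout "$heading algorithm" "OK" "Signature Algorithm: SHA256 with RSA (OK)"
+fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: SHA256 with RSA (OK)"
 ;;
 sha384WithRSAEncryption)
 pr_litegreenln "SHA384 with RSA"
-fileout "$heading algorithm" "OK" "Signature Algorithm: SHA384 with RSA (OK)"
+fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: SHA384 with RSA (OK)"
 ;;
 sha512WithRSAEncryption)
 pr_litegreenln "SHA512 with RSA"
-fileout "$heading algorithm" "OK" "Signature Algorithm: SHA512 with RSA (OK)"
+fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: SHA512 with RSA (OK)"
 ;;
 ecdsa-with-SHA256)
 pr_litegreenln "ECDSA with SHA256"
-fileout "$heading algorithm" "OK" "Signature Algorithm: ECDSA with SHA256 (OK)"
+fileout "${json_prefix}algorithm" "OK" "Signature Algorithm: ECDSA with SHA256 (OK)"
 ;;
 md5*)
 pr_redln "MD5"
-fileout "$heading algorithm" "NOT OK" "Signature Algorithm: MD5 (NOT ok)"
+fileout "${json_prefix}algorithm" "NOT OK" "Signature Algorithm: MD5 (NOT ok)"
 ;;
 *)
 out "$sig_algo ("
 pr_litemagenta "Unknown"
 outln ")"
-fileout "$heading algorithm" "INFO" "Signature Algorithm: $sign_algo"
+fileout "${json_prefix}algorithm" "INFO" "Signature Algorithm: $sign_algo"
 ;;
 esac
 # old, but interesting: https://blog.hboeck.de/archives/754-Playing-with-the-EFF-SSL-Observatory.html
 
 out "$indent"; pr_bold " Server key size "
 if [[ -z "$keysize" ]]; then
 outln "(couldn't determine)"
-fileout "$heading key_size" "WARN" "Server keys size cannot be determined"
+fileout "${json_prefix}key_size" "WARN" "Server keys size cannot be determined"
 else
 # https://tools.ietf.org/html/rfc4492, http://www.keylength.com/en/compare/
 # http://infoscience.epfl.ch/record/164526/files/NPDF-22.pdf
@@ -2957,53 +2963,53 @@ certificate_info() {
 if [[ $sig_algo =~ ecdsa ]] || [[ $key_algo =~ ecPublicKey ]]; then
 if [[ "$keysize" -le 110 ]]; then # a guess
 pr_red "$keysize"
-fileout "$heading key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)"
+fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)"
 elif [[ "$keysize" -le 123 ]]; then # a guess
 pr_litered "$keysize"
-fileout "$heading key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)"
+fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)"
 elif [[ "$keysize" -le 163 ]]; then
 pr_brown "$keysize"
-fileout "$heading key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)"
+fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize EC bits (NOT ok)"
 elif [[ "$keysize" -le 224 ]]; then
 out "$keysize"
-fileout "$heading key_size" "INFO" "Server keys $keysize EC bits"
+fileout "${json_prefix}key_size" "INFO" "Server keys $keysize EC bits"
 elif [[ "$keysize" -le 533 ]]; then
 pr_litegreen "$keysize"
-fileout "$heading key_size" "OK" "Server keys $keysize EC bits (OK)"
+fileout "${json_prefix}key_size" "OK" "Server keys $keysize EC bits (OK)"
 else
 out "keysize: $keysize (not expected, FIXME)"
-fileout "$heading key_size" "WARN" "Server keys $keysize bits (not expected)"
+fileout "${json_prefix}key_size" "WARN" "Server keys $keysize bits (not expected)"
 fi
 outln " bit"
 elif [[ $sig_algo = *RSA* ]]; then
 if [[ "$keysize" -le 512 ]]; then
 pr_red "$keysize"
 outln " bits"
-fileout "$heading key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
+fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
 elif [[ "$keysize" -le 768 ]]; then
 pr_litered "$keysize"
 outln " bits"
-fileout "$heading key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
+fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
 elif [[ "$keysize" -le 1024 ]]; then
 pr_brown "$keysize"
 outln " bits"
-fileout "$heading key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
+fileout "${json_prefix}key_size" "NOT OK" "Server keys $keysize bits (NOT ok)"
 elif [[ "$keysize" -le 2048 ]]; then
 outln "$keysize bits"
-fileout "$heading key_size" "INFO" "Server keys $keysize bits"
+fileout "${json_prefix}key_size" "INFO" "Server keys $keysize bits"
 elif [[ "$keysize" -le 4096 ]]; then
 pr_litegreen "$keysize"
-fileout "$heading key_size" "OK" "Server keys $keysize bits (OK)"
+fileout "${json_prefix}key_size" "OK" "Server keys $keysize bits (OK)"
 outln " bits"
 else
 pr_magenta "weird keysize: $keysize bits"; outln " (could cause compatibility problems)"
-fileout "$heading key_size" "WARN" "Server keys $keysize bits (Odd)"
+fileout "${json_prefix}key_size" "WARN" "Server keys $keysize bits (Odd)"
 fi
 else
 out "$keysize bits ("
 pr_litemagenta "can't tell whether $keysize bits is good or not"
 outln ")"
-fileout "$heading key_size" "WARN" "Server keys $keysize bits (unknown signature algorithm)"
+fileout "${json_prefix}key_size" "WARN" "Server keys $keysize bits (unknown signature algorithm)"
 fi
 fi
 
@@ -3013,7 +3019,7 @@ certificate_info() {
 cert_fingerprint_sha2="$($OPENSSL x509 -noout -in $HOSTCERT -fingerprint -sha256 2>>$ERRFILE | sed 's/Fingerprint=//' | sed 's/://g' )"
 outln "$cert_fingerprint_sha1 / $cert_fingerprint_serial"
 outln "$spaces$cert_fingerprint_sha2"
-fileout "$heading fingerprint" "INFO" "Fingerprints / Serial: $cert_fingerprint_sha1 / $cert_fingerprint_serial, $cert_fingerprint_sha2"
+fileout "${json_prefix}fingerprint" "INFO" "Fingerprints / Serial: $cert_fingerprint_sha1 / $cert_fingerprint_serial, $cert_fingerprint_sha2"
 
 out "$indent"; pr_bold " Common Name (CN) "
 cnfinding="Common Name (CN) : "
@@ -3084,7 +3090,7 @@ certificate_info() {
 cnfinding+=" (CN in response to request w/o SNI: \"$cn_nosni\")"
 fi
 fi
-fileout "$heading cn" "$cnok" "$cnfinding"
+fileout "${json_prefix}cn" "$cnok" "$cnfinding"
 
 sans=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A3 "Subject Alternative Name" | grep "DNS:" | \
 sed -e 's/DNS://g' -e 's/ //g' -e 's/,/ /g' -e 's/othername:<unsupported>//g')
@@ -3095,10 +3101,10 @@ certificate_info() {
 pr_dquoted "$san"
 out " "
 done
-fileout "$heading san" "INFO" "subjectAltName (SAN) : $sans"
+fileout "${json_prefix}san" "INFO" "subjectAltName (SAN) : $sans"
 else
 out "-- "
-fileout "$heading san" "INFO" "subjectAltName (SAN) : --"
+fileout "${json_prefix}san" "INFO" "subjectAltName (SAN) : --"
 fi
 outln
 out "$indent"; pr_bold " Issuer "
@@ -3110,17 +3116,17 @@ certificate_info() {
 
 if [[ "$issuer_O" == "issuer=" ]] || [[ "$issuer_O" == "issuer= " ]] || [[ "$issuer_CN" == "$CN" ]]; then
 pr_redln "self-signed (NOT ok)"
-fileout "$heading issuer" "NOT OK" "Issuer: selfsigned (NOT ok)"
+fileout "${json_prefix}issuer" "NOT OK" "Issuer: selfsigned (NOT ok)"
 else
 pr_dquoted "$issuer_CN"
 out " ("
 pr_dquoted "$issuer_O"
 if [[ -n "$issuer_C" ]]; then
 out " from "
 pr_dquoted "$issuer_C"
-fileout "$heading issuer" "INFO" "Issuer: \"$issuer\" ( \"$issuer_O\" from \"$issuer_C\")"
+fileout "${json_prefix}issuer" "INFO" "Issuer: \"$issuer\" ( \"$issuer_O\" from \"$issuer_C\")"
 else
-fileout "$heading issuer" "INFO" "Issuer: \"$issuer\" ( \"$issuer_O\" )"
+fileout "${json_prefix}issuer" "INFO" "Issuer: \"$issuer\" ( \"$issuer_O\" )"
 fi
 outln ")"
 fi
@@ -3137,10 +3143,10 @@ certificate_info() {
 [[ 1.3.6.1.4.1.17326.10.8.12.1.2 == "$policy_oid" ]] || \
 [[ 1.3.6.1.4.1.13177.10.1.3.10 == "$policy_oid" ]] ; then
 out "yes "
-fileout "$heading ev" "OK" "Extended Validation (EV) (experimental) : yes"
+fileout "${json_prefix}ev" "OK" "Extended Validation (EV) (experimental) : yes"
 else
 out "no "
-fileout "$heading ev" "INFO" "Extended Validation (EV) (experimental) : no"
+fileout "${json_prefix}ev" "INFO" "Extended Validation (EV) (experimental) : no"
 fi
 debugme echo "($(newline_to_spaces "$policy_oid"))"
 outln
@@ -3188,60 +3194,60 @@ certificate_info() {
 fi
 fi
 outln " ($startdate --> $enddate)"
-fileout "$heading expiration" "$expok" "Certificate Expiration : $expfinding ($startdate --> $enddate)"
+fileout "${json_prefix}expiration" "$expok" "Certificate Expiration : $expfinding ($startdate --> $enddate)"
 
 certificates_provided=1+$(grep -c "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem)
 out "$indent"; pr_bold " # of certificates provided"; outln " $certificates_provided"
-fileout "$heading certcount" "INFO" "# of certificates provided : $certificates_provided"
+fileout "${json_prefix}certcount" "INFO" "# of certificates provided : $certificates_provided"
 
 
 out "$indent"; pr_bold " Chain of trust"; out " (experim.) "
-determine_trust "$heading" # Also handles fileout
+determine_trust "$json_prefix" # Also handles fileout
 
 out "$indent"; pr_bold " Certificate Revocation List "
 crl="$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A 4 "CRL Distribution" | grep URI | sed 's/^.*URI://')"
 if [[ -z "$crl" ]]; then
 pr_literedln "--"
-fileout "$heading crl" "NOT OK" "No CRL provided (NOT ok)"
+fileout "${json_prefix}crl" "NOT OK" "No CRL provided (NOT ok)"
 elif grep -q http <<< "$crl"; then
 if [[ $(count_lines "$crl") -eq 1 ]]; then
 outln "$crl"
-fileout "$heading crl" "INFO" "Certificate Revocation List : $crl"
+fileout "${json_prefix}crl" "INFO" "Certificate Revocation List : $crl"
 else # more than one CRL
 out_row_aligned "$crl" "$spaces"
-fileout "$heading crl" "INFO" "Certificate Revocation List : $crl"
+fileout "${json_prefix}crl" "INFO" "Certificate Revocation List : $crl"
 fi
 else
 pr_litemagentaln "no parsable output \"$crl\", pls report"
-fileout "$heading crl" "WARN" "Certificate Revocation List : no parsable output \"$crl\", pls report"
+fileout "${json_prefix}crl" "WARN" "Certificate Revocation List : no parsable output \"$crl\", pls report"
 fi
 
 out "$indent"; pr_bold " OCSP URI "
 ocsp_uri=$($OPENSSL x509 -in $HOSTCERT -noout -ocsp_uri 2>>$ERRFILE)
 if [[ -z "$ocsp_uri" ]]; then
 pr_literedln "--"
-fileout "$heading ocsp_uri" "NOT OK" "OCSP URI : -- (NOT ok)"
+fileout "${json_prefix}ocsp_uri" "NOT OK" "OCSP URI : -- (NOT ok)"
 else
 outln "$ocsp_uri"
-fileout "$heading ocsp_uri" "INFO" "OCSP URI : $ocsp_uri"
+fileout "${json_prefix}ocsp_uri" "INFO" "OCSP URI : $ocsp_uri"
 fi
 
 out "$indent"; pr_bold " OCSP stapling "
 if grep -a "OCSP response" <<<"$ocsp_response" | grep -q "no response sent" ; then
 pr_yellow "--"
-fileout "$heading ocsp_stapling" "INFO" "OCSP stapling : not offered"
+fileout "${json_prefix}ocsp_stapling" "INFO" "OCSP stapling : not offered"
 else
 if grep -a "OCSP Response Status" <<<"$ocsp_response_status" | grep -q successful; then
 pr_litegreen "offered"
-fileout "$heading ocsp_stapling" "OK" "OCSP stapling : offered"
+fileout "${json_prefix}ocsp_stapling" "OK" "OCSP stapling : offered"
 else
 if $GOST_STATUS_PROBLEM; then
 outln "(GOST servers make problems here, sorry)"
-fileout "$heading ocsp_stapling" "OK" "OCSP stapling : (GOST servers make problems here, sorry)"
+fileout "${json_prefix}ocsp_stapling" "OK" "OCSP stapling : (GOST servers make problems here, sorry)"
 ret=0
 else
 out "(response status unknown)"
-fileout "$heading ocsp_stapling" "OK" "OCSP stapling : not sure what's going on here, debug: grep -aA 20 "OCSP response" <<<"$ocsp_response""
+fileout "${json_prefix}ocsp_stapling" "OK" "OCSP stapling : not sure what's going on here, debug: grep -aA 20 "OCSP response" <<<"$ocsp_response""
 debugme grep -a -A20 -B2 "OCSP response" <<<"$ocsp_response"
 ret=2
 fi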
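Review bot: The JSON ID shape now depends on how many certificates the host serves — a single-certificate scan emits `key_size` while a multi-certificate scan emits `Server Certificate #1 key_size` — so any consumer of the JSON has to handle both forms, and the embedded space and `#` make the ID awkward to use as a key. A separator-free prefix applied in both branches of the `number_of_certificates -gt 1` test, e.g. `json_prefix="cert${certificate_number}_"`, would give one stable schema; determine_trust() would then need its indentation passed separately rather than inferred from `[[ -n $json_prefix ]]`, since that test is what currently selects the wider `spaces`. Two typos were also introduced in this commit's comments: `begging` should read `beginning` on the `local json_prefix=""` line, and `should should` should read `should` in the new determine_trust() comment. Both certificate_info() and determine_trust() extend beyond the hunks shown.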
