diff options
author | Michael Boelen <michael.boelen@cisofy.com> | 2019-07-08 16:08:56 +0300 |
---|---|---|
committer | Michael Boelen <michael.boelen@cisofy.com> | 2019-07-08 16:08:56 +0300 |
commit | 2c17c14c3b8235c906e3435369b278e95f09b1ad (patch) | |
tree | 6132af484ac9ee810c39545cc3885eb5b5ac5eaa /include/tests_crypto | |
parent | 1854e51e7e116c2fe3322ed53bf38e6ce27787e0 (diff) |
New profile option to ignore specified certificate directories
Diffstat (limited to 'include/tests_crypto')
-rw-r--r-- | include/tests_crypto | 73 |
1 files changed, 43 insertions, 30 deletions
diff --git a/include/tests_crypto b/include/tests_crypto index 4188dea9..2d064b5f 100644 --- a/include/tests_crypto +++ b/include/tests_crypto @@ -34,10 +34,13 @@ COUNT_EXPIRED=0 COUNT_TOTAL=0 FOUNDPROBLEM=0 - sSSL_PATHS=$(echo ${SSL_CERTIFICATE_PATHS} | ${SEDBINARY} 's/:/ /g') - sSSL_PATHS=$(echo ${sSSL_PATHS} | ${SEDBINARY} 's/^ //' | ${TRBINARY} " " "\n" | ${SORTBINARY} | uniq | ${TRBINARY} "\n" " ") + sSSL_PATHS=$(echo ${SSL_CERTIFICATE_PATHS} | ${SEDBINARY} 's/:space:/__space__/g' | ${SEDBINARY} 's/:/ /g') + sSSL_PATHS=$(echo ${sSSL_PATHS} | ${SEDBINARY} 's/^ //' | ${SORTBINARY} | ${UNIQBINARY}) LogText "Paths to scan: ${sSSL_PATHS}" + IGNORE_PATHS_PRINT=$(echo ${SSL_CERTIFICATE_PATHS_TO_IGNORE} | ${SEDBINARY} 's/:/, /g' | ${SEDBINARY} 's/__space__/ /g' | ${SEDBINARY} 's/^ //' | ${SORTBINARY} | ${UNIQBINARY}) + LogText "Paths to ignore: ${IGNORE_PATHS_PRINT}" + for DIR in ${sSSL_PATHS}; do COUNT_DIR=0 if [ -d ${DIR} ]; then @@ -45,43 +48,53 @@ if [ ${CANREAD} -eq 1 ]; then LogText "Result: found directory ${DIR}" # Search for certificate files - FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${EGREPBINARY} ".crt$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /:space:/g') + FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${EGREPBINARY} ".crt$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /__space__/g') for FILE in ${FILES}; do - FILE=$(echo ${FILE} |${SEDBINARY} 's/:space:/ /g') - COUNT_DIR=$((COUNT_DIR + 1)) - FileIsReadable "${FILE}" - if [ ${CANREAD} -eq 1 ]; then - # Only check the files that are not installed by a package - if ! FileInstalledByPackage "${FILE}"; then - LogText "Test: test if file is a certificate" - OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' "${FILE}") - if [ $? -eq 0 ]; then - LogText "Result: file is a certificate" - LogText "Test: checking certificate details" - FIND=$(${OPENSSLBINARY} x509 -noout -in "${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter") + SKIP=0 + FILE=$(echo ${FILE} | ${SEDBINARY} 's/__space__/ /g') + # See if we need to skip this path + SUBDIR=$(echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}' | ${SEDBINARY} 's/__space__/ /g') + for D in ${SSL_CERTIFICATE_PATHS_TO_IGNORE}; do + if Equals "${D}" "${SUBDIR}"; then + SKIP=1 + fi + done + if [ ${SKIP} -eq 0 ]; then + COUNT_DIR=$((COUNT_DIR + 1)) + FileIsReadable "${FILE}" + if [ ${CANREAD} -eq 1 ]; then + # Only check the files that are not installed by a package + if ! FileInstalledByPackage "${FILE}"; then + OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' "${FILE}") if [ $? -eq 0 ]; then - # Check certificate where 'end date' has been expired - FIND=$(${OPENSSLBINARY} x509 -noout -checkend 0 -in "${FILE}" -enddate 2> /dev/null) - EXIT_CODE=$? - CERT_CN=$(${OPENSSLBINARY} x509 -noout -subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/') - CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}') - Report "certificate[]=${FILE}|${EXIT_CODE}|cn:${CERT_CN};notafter:${CERT_NOTAFTER};|" - if [ ${EXIT_CODE} -eq 0 ]; then - LogText "Result: certificate ${FILE} seems to be correct and still valid" + LogText "Result: file is a certificate file" + FIND=$(${OPENSSLBINARY} x509 -noout -in "${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter") + if [ $? -eq 0 ]; then + # Check certificate where 'end date' has been expired + FIND=$(${OPENSSLBINARY} x509 -noout -checkend 0 -in "${FILE}" -enddate 2> /dev/null) + EXIT_CODE=$? + CERT_CN=$(${OPENSSLBINARY} x509 -noout -subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/') + CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}') + Report "certificate[]=${FILE}|${EXIT_CODE}|cn:${CERT_CN};notafter:${CERT_NOTAFTER};|" + if [ ${EXIT_CODE} -eq 0 ]; then + LogText "Result: certificate ${FILE} seems to be correct and still valid" + else + FOUNDPROBLEM=1 + COUNT_EXPIRED=$((COUNT_EXPIRED + 1)) + LogText "Result: certificate ${FILE} has been expired" + fi else - FOUNDPROBLEM=1 - COUNT_EXPIRED=$((COUNT_EXPIRED + 1)) - LogText "Result: certificate ${FILE} has been expired" + LogText "Result: skipping tests for this file (${FILE}) as it is most likely not a certificate (is it a key file?)" fi else - LogText "Result: skipping tests for this file (${FILE}) as it is most likely not a certificate (a key file?)" + LogText "Result: skipping test for this file (${FILE}) as we could not find 'BEGIN CERT'" fi - else - LogText "Result: skipping test for this file (${FILE}) as we could not find 'BEGIN CERT'" fi + else + LogText "Result: can not read file ${FILE} (no permission)" fi else - LogText "Result: can not read file ${FILE} (no permission)" + LogText "Result: path ${SUBDIR} skipped according to profile" fi done COUNT_TOTAL=$((COUNT_TOTAL + COUNT_DIR)) |