diff options
| author | Michael Boelen <michael.boelen@cisofy.com> | 2018-03-05 13:32:23 +0300 |
|---|---|---|
| committer | Michael Boelen <michael.boelen@cisofy.com> | 2018-03-05 13:32:23 +0300 |
| commit | 211fb9117ce379cea5d040cb4dd9a392acaf5831 (patch) | |
| tree | ef5d37ae6a075e5f5a9891933d9d4074db15c34f /include/tests_crypto | |
| parent | 8b0cdb7ac469e2e9f1549a664da9e80760356045 (diff) | |
[CRYP-7902] - Do prevalidation for certificates before testing them
Diffstat (limited to 'include/tests_crypto')
| -rw-r--r-- | include/tests_crypto | 35 |
1 files changed, 21 insertions, 14 deletions
diff --git a/include/tests_crypto b/include/tests_crypto index 3d9d8a3a..3d564a5d 100644 --- a/include/tests_crypto +++ b/include/tests_crypto @@ -53,24 +53,31 @@ if [ ${CANREAD} -eq 1 ]; then # Only check the files that are not installed by a package if ! FileInstalledByPackage "${FILE}"; then - LogText "Test: checking file and determining if it is certificate ${FILE}" - FIND=$(${OPENSSLBINARY} x509 -noout -in "${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter") + LogText "Test: test if file is a certificate" + OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' "${FILE}") if [ $? -eq 0 ]; then - # Check certificate where 'end date' has been expired - FIND=$(${OPENSSLBINARY} x509 -noout -checkend 0 -in "${FILE}" -enddate 2> /dev/null) - EXIT_CODE=$? - CERT_CN=$(${OPENSSLBINARY} x509 -noout -subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/') - CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}') - Report "certificate[]=${FILE}|${EXIT_CODE}|cn:${CERT_CN};notafter:${CERT_NOTAFTER};|" - if [ ${EXIT_CODE} -eq 0 ]; then - LogText "Result: certificate ${FILE} seems to be correct and still valid" + LogText "Result: file is a certificate" + LogText "Test: checking certificate details" + FIND=$(${OPENSSLBINARY} x509 -noout -in "${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter") + if [ $? -eq 0 ]; then + # Check certificate where 'end date' has been expired + FIND=$(${OPENSSLBINARY} x509 -noout -checkend 0 -in "${FILE}" -enddate 2> /dev/null) + EXIT_CODE=$? + CERT_CN=$(${OPENSSLBINARY} x509 -noout -subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/') + CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}') + Report "certificate[]=${FILE}|${EXIT_CODE}|cn:${CERT_CN};notafter:${CERT_NOTAFTER};|" + if [ ${EXIT_CODE} -eq 0 ]; then + LogText "Result: certificate ${FILE} seems to be correct and still valid" + else + FOUNDPROBLEM=1 + COUNT_EXPIRED=$((COUNT_EXPIRED + 1)) + LogText "Result: certificate ${FILE} has been expired" + fi else - FOUNDPROBLEM=1 - COUNT_EXPIRED=$((COUNT_EXPIRED + 1)) - LogText "Result: certificate ${FILE} has been expired" + LogText "Result: skipping tests for this file (${FILE}) as it is most likely not a certificate (a key file?)" fi else - LogText "Result: skipping tests for this file (${FILE}) as it is most likely not a certificate (a key file?)" + LogText "Result: skipping test for this file (${FILE}) as we could not find 'BEGIN CERT'" fi fi else |