diff options
author | Michael Boelen <michael.boelen@cisofy.com> | 2016-09-08 22:04:02 +0300 |
---|---|---|
committer | Michael Boelen <michael.boelen@cisofy.com> | 2016-09-08 22:04:02 +0300 |
commit | 81d8486cb07d2d68aa71c52df363bb70aa226f4d (patch) | |
tree | 691e6cfff7a2d7b89024e7887167167adaa1b5df /include/tests_crypto | |
parent | a596bdc3493ad611d330188e662d93efa6484497 (diff) |
[CRYP-7902] Gather more certificate details and style improvements
Diffstat (limited to 'include/tests_crypto')
-rw-r--r-- | include/tests_crypto | 72 |
1 files changed, 42 insertions, 30 deletions
diff --git a/include/tests_crypto b/include/tests_crypto index 0fb1d35e..219cabbb 100644 --- a/include/tests_crypto +++ b/include/tests_crypto @@ -31,47 +31,59 @@ if [ ! -z "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no CRYP-7902 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check expire date of SSL certificates" if [ ${SKIPTEST} -eq 0 ]; then + COUNT_TOTAL=0 FOUNDPROBLEM=0 - sSSL_PATHS=$(echo ${SSL_CERTIFICATE_PATHS} | sed 's/:/ /g') - sSSL_PATHS=`echo ${sSSL_PATHS} | sed 's/^ //' | tr " " "\n" | ${SORTBINARY} | uniq | tr "\n" " "` - LogText "Result after sorting: ${sSSL_PATHS}" + sSSL_PATHS=$(echo ${SSL_CERTIFICATE_PATHS} | ${SEDBINARY} 's/:/ /g') + sSSL_PATHS=$(echo ${sSSL_PATHS} | ${SEDBINARY} 's/^ //' | ${TRBINARY} " " "\n" | ${SORTBINARY} | uniq | ${TRBINARY} "\n" " ") + LogText "Paths to scan: ${sSSL_PATHS}" - for I in ${sSSL_PATHS}; do - if [ -d ${I} ]; then - FileIsReadable ${I} + for DIR in ${sSSL_PATHS}; do + COUNT_DIR=0 + if [ -d ${DIR} ]; then + FileIsReadable ${DIR} if [ ${CANREAD} -eq 1 ]; then - LogText "Result: found directory ${I}" + LogText "Result: found directory ${DIR}" # Search for CRT files - sFINDCRTS=`find ${I} -name "*.crt" -type f -print 2> /dev/null` - for J in ${sFINDCRTS}; do - FileIsReadable ${J} - if [ ${CANREAD} -eq 1 ]; then - LogText "Test: checking certificate ${J}" - # Check certificate where 'end date' has been expired - FIND=`${OPENSSLBINARY} x509 -noout -checkend 0 -in ${J} -enddate > /dev/null ; echo $?` - if [ "${FIND}" = "0" ]; then - LogText "Result: certificate ${J} seems to be correct and still valid" - Report "valid_certificate[]=${J}|unknown entity|" - else - FOUNDPROBLEM=1 - LogText "Result: certificate ${J} has been expired" - Report "expired_certificate[]=${J}|unknown entity|" + sFINDCRTS=$(${FINDBINARY} ${DIR} -name "*.crt" -type f -print 2> /dev/null) + if [ ! -z "${sFINDCRTS}" ]; then + for FILE in ${sFINDCRTS}; do + FileIsReadable ${FILE} + if [ ${CANREAD} -eq 1 ]; then + COUNT_DIR=$((COUNT_DIR + 1)) + LogText "Test: checking certificate ${FILE}" + # Check certificate where 'end date' has been expired + EXIT_CODE=$(${OPENSSLBINARY} x509 -noout -checkend 0 -in ${FILE} -enddate > /dev/null ; echo $?) + CERT_CN=$(${OPENSSLBINARY} x509 -noout -subject -in ${FILE} 2> /dev/null | ${SEDBINARY} -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/') + CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout -enddate -in ${FILE} 2> /dev/null | ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}') + Report "certificate[]=${FILE}|${EXIT_CODE}|cn:${CERT_CN};notafter:${CERT_NOTAFTER};|" + if [ "${EXIT_CODE}" = "0" ]; then + LogText "Result: certificate ${FILE} seems to be correct and still valid" + else + FOUNDPROBLEM=1 + LogText "Result: certificate ${FILE} has been expired" + fi + else + LogText "Result: can not read file ${FILE} (no permission)" fi - else - LogText "Result: can not read file ${J} (no permission)" - fi - done - else - LogText "Result: can not read path ${I} (no permission)" + done + else + LogText "Result: no certificates found in directory ${DIR}" + fi + else + LogText "Result: can not read path ${DIR} (no permission)" fi - else - LogText "Result: SSL path ${I} does not exist" + else + LogText "Result: SSL path ${DIR} does not exist" fi + COUNT_TOTAL=$((COUNT_TOTAL + COUNT_DIR)) + LogText "Result: found ${COUNT_DIR} certificates in ${DIR}" done + Report "certificates=${COUNT_TOTAL}" + LogText "Result: found a total of ${COUNT_TOTAL} certificates" if [ ${FOUNDPROBLEM} -eq 0 ]; then Display --indent 2 --text "- Checking for expired SSL certificates" --result "${STATUS_NONE}" --color GREEN - else + else Display --indent 2 --text "- Checking for expired SSL certificates" --result "${STATUS_FOUND}" --color RED ReportSuggestion ${TEST_NO} "Check available certificates for expiration" fi |