From 3e37517c966396103c25fe584bff589364e92cef Mon Sep 17 00:00:00 2001
From: Hubert Kario
Date: Sat, 11 Oct 2014 15:18:48 +0200
Subject: [PATCH] add ability to also save leaf certificates and untrusted ones

---
 cipherscan | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/cipherscan b/cipherscan
index 02831e7..ae2ca2b 100755
--- a/cipherscan
+++ b/cipherscan
@@ -47,6 +47,7 @@ TIMEOUT=30
 # place where to put the found intermediate CA certificates and where
 # trust anchors are stored
 CAPATH=""
+SAVECRT=""
 
 # because running external commands like sleep incurs a fork penalty, we
 # first check if it is necessary
@@ -57,7 +58,7 @@ ratelimit() {
 }
 
 usage() {
-    echo -e "usage: $0 [-a|--allciphers] [-b|--benchmark] [--capath directory] [--saveca] [-d|--delay seconds] [-D|--debug] [-j|--json] [-v|--verbose] [-o|--openssl file] [openssl s_client args]
+    echo -e "usage: $0 [-a|--allciphers] [-b|--benchmark] [--capath directory] [--saveca] [--savecrt directory] [-d|--delay seconds] [-D|--debug] [-j|--json] [-v|--verbose] [-o|--openssl file] [openssl s_client args]
 usage: $0 -h|--help
 
 $0 attempts to connect to a target site using all the ciphersuites it knows.
@@ -78,6 +79,7 @@ Use one of the options below:
 -h | --help          Shows this help text.
 -j | --json          Output results in JSON format.
 -o | --openssl       path/to/your/openssl binary you want to use.
+--savecrt            path where to save untrusted and leaf certificates
 -v | --verbose       Increase verbosity.
 
 The rest of the arguments will be interpreted as openssl s_client argument.
@@ -209,6 +211,7 @@ test_cipher_on_target() {
         # check if the certificate is actually trusted (server may present
         # unrelated certificates that are not trusted (including self
         # signed ones)
+        local saved="False"
         if ${OPENSSLBIN} verify "${trust_source[@]}" \
             -untrusted <(echo "$tmp") <(echo "$cert") 2>/dev/null | \
             grep 'OK$' >/dev/null; then
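Review bot: The new help entry in the third hunk names its argument `path` while the usage line added in the second hunk calls it `directory`, and unlike the surrounding entries it does not say what kind of value is expected on the option itself. `--savecrt directory   directory where to save leaf and untrusted certificates` keeps the two in step and tells the reader that an existing directory, not a file path, is wanted. The help text is part of the usage() heredoc, whose start and end lie outside these hunks.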
@@ -220,6 +223,12 @@ test_cipher_on_target() {
                 echo "$cert" > "$CAPATH/${sha256sum}.pem"
                 c_hash "$CAPATH" "${sha256sum}.pem"
             fi
+            saved="True"
+        fi
+    fi
+    if [[ -n $SAVECRT ]] && [[ $saved == "False" ]]; then
+        if [[ ! -e $SAVECRT/${sha256sum}.pem ]]; then
+            echo "$cert" > "$SAVECRT/${sha256sum}.pem"
         fi
     fi
     # save the sha sum for reporting
@@ -538,6 +547,10 @@ do
         SAVECA="True"
         shift 1
         ;;
+    --savecrt)
+        SAVECRT="$2"
+        shift 2
+        ;;
     --) # End of all options
         shift
         break
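Review bot: The write `echo "$cert" > "$SAVECRT/${sha256sum}.pem"` in the first hunk is unchecked: when the directory does not exist or is not writable the redirect only prints a bash error on stderr for each certificate and the scan carries on with nothing saved. Validating the directory once where `--savecrt` is parsed (the last hunk), e.g. `[[ -d $SAVECRT ]] || { echo "error: $SAVECRT is not a directory" >&2; exit 1; }`, or failing loudly here with `|| echo "could not save certificate to $SAVECRT" >&2`, would make the failure visible. The file name is the certificate's SHA-256 computed outside the hunk, so no server-supplied string reaches the path, which is the right choice for data received from an untrusted peer. Note also that `saved` is only set to True inside the CAPATH branch, so with `--savecrt` given and `--saveca` omitted every certificate, trusted intermediates included, appears to end up in `$SAVECRT`; if that is intended, the help text's "untrusted and leaf certificates" understates it. test_cipher_on_target continues on both sides of this hunk.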
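Review bot: In the last hunk `SAVECRT="$2"` followed by `shift 2` has no guard for `--savecrt` being the final argument: `$2` is then empty, so the option is silently ignored, and `shift 2` fails without shifting, which may leave `$1` as `--savecrt` for the next pass of the enclosing loop (outside the hunk). A check such as `[[ -n $2 ]] || { echo "error: --savecrt requires a directory" >&2; exit 1; }` before the assignment avoids both outcomes. The existing two-argument options outside this hunk presumably share the pattern and are not reviewed here.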