add ability to also save leaf certificates and untrusted ones

2014-07-04 18:51:21 +02:00 · 2014-07-04 18:51:21 +02:00 · 431b453e43
parent 56893f7b2f
commit 431b453e43
1 changed files with 14 additions and 1 deletions
--- a/15
+++ b/15
@ -32,9 +32,10 @@ TIMEOUT=10
 # place where to put the found intermediate CA certificates and where
 # trust anchors are stored
 CAPATH=""
+SAVECRT=""

 usage() {
-    echo -e "usage: $0 [-a|--allciphers] [-b|--benchmark] [--capath directory] [-d|--delay seconds] [-D|--debug] [-j|--json] [-v|--verbose] [-o|--openssl file] [openssl s_client args] <target:port>
+    echo -e "usage: $0 [-a|--allciphers] [-b|--benchmark] [--capath directory] [-d|--delay seconds] [-D|--debug] [-j|--json] [--savecrt directory] [-v|--verbose] [-o|--openssl file] [openssl s_client args] <target:port>
    usage: $0 -h|--help

 $0 attempts to connect to a target site using all the ciphersuites it knows.
@ -54,6 +55,7 @@ Use one of the options below:
 -h | --help         Shows this help text.
 -j | --json         Output results in JSON format.
 -o | --openssl      path/to/your/openssl binary you want to use.
+--savecrt           path where to save untrusted and leaf certificates
 -v | --verbose      Increase verbosity.

 The rest of the arguments will be interpreted as openssl s_client argument.
@ -184,6 +186,7 @@ test_cipher_on_target() {
            # check if the certificate is actually trusted (server may present
            # unrelated certificates that are not trusted (including self
            # signed ones)
+            local saved="False"
            if ${OPENSSLBIN} verify "${trust_source[@]}" \
                -untrusted <(echo "$tmp") <(echo "$cert") 2>/dev/null | \
                grep 'OK$' >/dev/null; then
@ -195,6 +198,12 @@ test_cipher_on_target() {
                        echo "$cert" > "$CAPATH/${sha256sum}.pem"
                        c_hash "$CAPATH" "${sha256sum}.pem"
                    fi
+                    saved="True"
+                fi
+            fi
+            if [[ -n $SAVECRT ]] && [[ $saved == "False" ]]; then
+                if [[ ! -e $SAVECRT/${sha256sum}.pem ]]; then
+                    echo "$cert" > "$SAVECRT/${sha256sum}.pem"
                fi
            fi
            # save the sha sum for reporting
@ -518,6 +527,10 @@ do
            CAPATH="$2"
            shift 2
            ;;
+        --savecrt)
+            SAVECRT="$2"
+            shift 2
+            ;;
        --) # End of all options
            shift
            break