LittleNellie/cipherscan
2
0
Fork 0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-23 06:33:41 +01:00
Code Issues Releases Wiki Activity

don't calculate sha sums for the certificates over and over

Browse Source 
we can use cksum to calculate simple checksum much faster than
with using openssl, so we can compute sums only once
This commit is contained in:
Hubert Kario 2014-07-12 14:17:52 +02:00 committed by Hubert Kario
parent c2b3b6d7aa
commit 9f9af9c71d
1 changed files with 23 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
cipherscan
View File

@ -48,6 +48,10 @@ TIMEOUT=10
# trust anchors are stored # trust anchors are stored
CAPATH="" CAPATH=""
SAVECRT="" SAVECRT=""
unset known_certs
declare -A known_certs
unset cert_checksums
declare -A cert_checksums
usage() { usage() {
echo -e "usage: $0 [-a|--allciphers] [-b|--benchmark] [--capath directory] [--saveca] [--savecrt directory] [-d|--delay seconds] [-D|--debug] [-j|--json] [-v|--verbose] [-o|--openssl file] [openssl s_client args] <target:port> echo -e "usage: $0 [-a|--allciphers] [-b|--benchmark] [--capath directory] [--saveca] [--savecrt directory] [-d|--delay seconds] [-D|--debug] [-j|--json] [-v|--verbose] [-o|--openssl file] [openssl s_client args] <target:port>
@ -175,15 +179,25 @@ test_cipher_on_target() {
for ((i=0; i<$certificate_count; i=i+1 )); do for ((i=0; i<$certificate_count; i=i+1 )); do
# extract i'th certificate # extract i'th certificate
local cert=$(awk -v i=$i 'split_after == 1 {n++;split_after=0} local cert=$(awk -v i=$i 'BEGIN { output=0;n=0 }
/-----END CERTIFICATE-----/ {split_after=1} /-----BEGIN CERTIFICATE-----/ { output=1 }
{if (n == i) print } output==1 { if (n==i) print }
' <<<"$tmp") /-----END CERTIFICATE-----/ { output=0; n++ }' <<<"$tmp")
# clean up the cert from junk before BEGIN CERTIFICATE # put the output to an array instead awk '{print $1}'
cert=$(${OPENSSLBIN} x509 <<<"$cert" 2>/dev/null) local cksum=($(cksum <<<"$cert"))
# compare the values not just checksums so that eventual collision
# doesn't mess up results
if [[ ${known_certs[$cksum]} == $cert ]]; then
if [ -n "${current_certificates}" ]; then
current_certificates+=","
fi
current_certificates+="\"${cert_checksums[$cksum]}\""
continue
fi
# compute sha256 fingerprint of the certificate # compute sha256 fingerprint of the certificate
local sha256sum=$(${OPENSSLBIN} x509 -outform DER <<<"$cert" 2>/dev/null |\ local sha256sum=$(${OPENSSLBIN} x509 -outform DER\
<<<"$cert" 2>/dev/null |\
${OPENSSLBIN} dgst -sha256 -r 2>/dev/null| awk '{print $1}') ${OPENSSLBIN} dgst -sha256 -r 2>/dev/null| awk '{print $1}')
# check if it is a CA certificate # check if it is a CA certificate
@ -229,6 +243,8 @@ test_cipher_on_target() {
current_certificates+="," current_certificates+=","
fi fi
current_certificates+="\"${sha256sum}\"" current_certificates+="\"${sha256sum}\""
known_certs[$cksum]="$cert"
cert_checksums[$cksum]="$sha256sum"
done done
debug "current_certificates: $current_certificates" debug "current_certificates: $current_certificates"