From 4d77c8749451f256a29e0cefb9147648a8b48fbd Mon Sep 17 00:00:00 2001
From: Hubert Kario
Date: Tue, 17 Nov 2015 15:31:46 +0100
Subject: [PATCH] properly detect ECDSA certs for keysize compare

since ECDSA certificates during the transition are likely to be signed using RSA keys, we need to check the cipher rather than the signature in the certificate to tell if the cert is ECDSA and as such can have small key sizes
---
 cipherscan | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/cipherscan b/cipherscan
index c5b9714..236b34f 100755
--- cipherscan
+++ cipherscan
@@ -762,6 +762,7 @@ display_results_in_terminal() {
 fi
 local cipher_data=($cipher)
 if [[ $ctr -eq 1 ]]; then
+ cipher="${cipher_data[1]}"
 pubkey="${cipher_data[2]}"
 sigalg="${cipher_data[3]}"
 trusted="${cipher_data[4]}"
@@ -826,7 +827,7 @@ display_results_in_terminal() {
 done|column -t
 echo
 
- if [[ ($sigalg =~ RSA && $pubkey -ge 2047) || ($sigalg =~ ECDSA && $pubkey -gt 255) ]]; then
+ if [[ ($sigalg =~ RSA && $pubkey -ge 2047) || ($cipher =~ ECDSA && $pubkey -gt 255) ]]; then
 pubkey="${c_green}${pubkey}${c_reset}"
 else
 pubkey="${c_red}${pubkey}${c_reset}"
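Review bot: `cipher` in the first hunk looks like the loop's own variable, since `cipher_data=($cipher)` is split from it two lines earlier. If the loop is `for cipher in …`, the assignment is overwritten on the next iteration, and the `$cipher =~ ECDSA` test in the second hunk then reads the last record rather than the first cipher's name. With an RSA certificate first and an ECDSA suite last, a short RSA key could satisfy `-gt 255` and be coloured green. A separate name would avoid this: `first_cipher="${cipher_data[1]}"` in the first hunk and `$first_cipher =~ ECDSA` in the second. The loop header is outside both hunks, so this needs checking against the full function.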
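Review bot: The RSA branch of the condition in the second hunk still keys on `$sigalg`, which per the commit message reflects the issuer's signature rather than the certificate's own key. An RSA certificate issued by an ECDSA CA would presumably match neither branch and be shown red despite an adequate key size. Consider choosing the threshold from the key type alone, and document the intent above the test, for example `# thresholds: RSA >= 2047 bits, ECDSA > 255 bits; key type comes from the negotiated cipher, not the signature`.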