don't calculate sha sums for the certificates over and over
we can use cksum to calculate a simple checksum much faster than with openssl, so we need to compute the sha sums only once
This commit is contained in:
parent
ef4786f1d7
commit
bcfe0dbae1
30
cipherscan
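--- a/cipherscan
+++ b/cipherscan
@@ -35,6 +35,10 @@ CAPATH=""
 SAVECRT=""
 unset ok_protocols
 declare -A ok_protocols
+unset known_certs
+declare -A known_certs
+unset cert_checksums
+declare -A cert_checksums
 
 usage() {
 echo -e "usage: $0 [-a|--allciphers] [-b|--benchmark] [--capath directory] [-d|--delay seconds] [-D|--debug] [-j|--json] [--savecrt directory] [-v|--verbose] [-o|--openssl file] [openssl s_client args] <target:port>
@@ -165,15 +169,25 @@ test_cipher_on_target() {
 for ((i=0; i<$certificate_count; i=i+1 )); do
 
 # extract i'th certificate
-local cert=$(awk -v i=$i 'split_after == 1 {n++;split_after=0}
-/-----END CERTIFICATE-----/ {split_after=1}
-{if (n == i) print }
-' <<<"$tmp")
-# clean up the cert from junk before BEGIN CERTIFICATE
-cert=$(${OPENSSLBIN} x509 <<<"$cert" 2>/dev/null)
+local cert=$(awk -v i=$i 'BEGIN { output=0;n=0 }
+/-----BEGIN CERTIFICATE-----/ { output=1 }
+output==1 { if (n==i) print }
+/-----END CERTIFICATE-----/ { output=0; n++ }' <<<"$tmp")
+# put the output to an array instead awk '{print $1}'
+local cksum=($(cksum <<<"$cert"))
+# compare the values not just checksums so that eventual collision
+# doesn't mess up results
+if [[ ${known_certs[$cksum]} == $cert ]]; then
+if [ -n "${current_certificates}" ]; then
+current_certificates+=","
+fi
+current_certificates+="\"${cert_checksums[$cksum]}\""
+continue
+fi
 
 # compute sha256 fingerprint of the certificate
-local sha256sum=$(${OPENSSLBIN} x509 -outform DER <<<"$cert" 2>/dev/null |\
+local sha256sum=$(${OPENSSLBIN} x509 -outform DER\
+<<<"$cert" 2>/dev/null |\
 ${OPENSSLBIN} dgst -sha256 -r 2>/dev/null| awk '{print $1}')
 
 # check if it is a CA certificate
@@ -219,6 +233,8 @@ test_cipher_on_target() {
 current_certificates+=","
 fi
 current_certificates+="\"${sha256sum}\""
+known_certs[$cksum]="$cert"
+cert_checksums[$cksum]="$sha256sum"
 done
 debug "current_certificates: $current_certificates"
 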
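Review bot: The dedup test `if [[ ${known_certs[$cksum]} == $cert ]]; then` in the second hunk leaves `$cert` unquoted on the right-hand side of `==`, so inside `[[ ]]` the PEM text is treated as a glob pattern rather than compared literally; base64 PEM has no `*`, `?` or `[` so it works by accident, but the stated intent is a byte-for-byte collision check and it should read `if [[ ${known_certs[$cksum]} == "$cert" ]]; then`. A related edge case: if awk yields an empty `$cert`, `${known_certs[$cksum]}` is also empty for a fresh key, the comparison succeeds, and an empty `""` fingerprint from `cert_checksums` is appended — presumably unreachable while `certificate_count` is accurate, but a cheap `[[ -n $cert ]]` guard on the same line would make that explicit. The same comparison is what the third hunk later relies on when it stores `known_certs[$cksum]="$cert"`, so the quoting fix applies to the lookup only. The enclosing `test_cipher_on_target` loop starts and ends outside these hunks.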