From f9fdd62a59b5968650b916175a08811d1d9e24e6 Mon Sep 17 00:00:00 2001
From: Hubert Kario <hkario@redhat.com>
Date: Sat, 5 Apr 2014 19:09:05 +0200
Subject: [PATCH] report key size used in server's certificate

Extend the report to show also server certificate key size:
prio  ciphersuite              protocols                    pubkey_size  pfs_keysize
1     ECDHE-RSA-AES128-SHA256  TLSv1.2                      2048         ECDH,P-256,256bits
2     ECDHE-ECDSA-AES128-SHA   SSLv3,TLSv1,TLSv1.1,TLSv1.2  256          ECDH,P-256,256bits
3     AES128-SHA               SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048
4     RC4-MD5                  SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048
5     EXP-RC4-MD5              SSLv3,TLSv1,TLSv1.1,TLSv1.2  2048         RSA,512bits
---
 cipherscan | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/cipherscan b/cipherscan
index 4bb7b75..2eca621 100755
--- a/cipherscan
+++ b/cipherscan
@@ -72,6 +72,10 @@ test_cipher_on_target() {
         current_cipher=$(grep "New, " <<<"$tmp"|awk '{print $5}')
         current_pfs=$(grep 'Server Temp Key' <<<"$tmp"|awk '{print $4$5$6$7}')
         current_protocol=$(egrep "^\s+Protocol\s+:" <<<"$tmp"|awk '{print $3}')
+        current_pubkey=$(grep 'Server public key is ' <<<"$tmp"|awk '{print $5}')
+        if [ -z $current_pubkey ]; then
+            current_pubkey=0
+        fi
         if [[ -z "$current_protocol" || "$current_cipher" == '(NONE)' ]]; then
             # connection failed, try again with next TLS version
             continue
@@ -92,6 +96,7 @@ test_cipher_on_target() {
         fi
         cipher=$current_cipher
         pfs=$current_pfs
+        pubkey=$current_pubkey
         # grab the cipher and PFS key size
     done
     # if cipher is empty, that means none of the TLS version worked with
@@ -103,13 +108,13 @@ test_cipher_on_target() {
 
     # if cipher contains NONE, the cipher wasn't accepted
     elif [ "$cipher" == '(NONE)  ' ]; then
-        result="$cipher $protocols $pfs"
+        result="$cipher $protocols $pubkey $pfs"
         verbose "handshake failed, server returned ciphersuite '$result'"
         return 1
 
     # the connection succeeded
     else
-        result="$cipher $protocols $pfs"
+        result="$cipher $protocols $pubkey $pfs"
         verbose "handshake succeeded, server returned ciphersuite '$result'"
         return 0
     fi
@@ -173,9 +178,9 @@ display_results_in_terminal() {
     done
 
     if [ $DOBENCHMARK -eq 1 ]; then
-        header="prio ciphersuite protocols pfs_keysize avg_handshake_microsec"
+        header="prio ciphersuite protocols pubkey_size pfs_keysize avg_handshake_microsec"
     else
-        header="prio ciphersuite protocols pfs_keysize"
+        header="prio ciphersuite protocols pubkey_size pfs_keysize"
     fi
     ctr=0
     for result in "${results[@]}"; do
@@ -196,7 +201,8 @@ display_results_in_json() {
         [ $ctr -gt 0 ] && echo -n ','
         echo -n "{\"cipher\":\"$(echo $cipher|awk '{print $1}')\","
         echo -n "\"protocols\":[\"$(echo $cipher|awk '{print $2}'|sed 's/,/","/g')\"],"
-        pfs=$(echo $cipher|awk '{print $3}')
+        echo -n "\"pubkey\":[\"$(echo $cipher|awk '{print $3}'|sed 's/,/","/g')\"],"
+        pfs=$(echo $cipher|awk '{print $4}')
         [ "$pfs" == "" ] && pfs="None"
         echo -n "\"pfs\":\"$pfs\"}"
         ctr=$((ctr+1))