mirror of https://github.com/CISOfy/lynis.git
[CRYP-7902] - Do prevalidation for certificates before testing them
This commit is contained in:
Michael Boelen
parent
8b0cdb7ac4
commit
211fb9117c
|
|
@ -53,24 +53,31 @@
|
|||
if [ ${CANREAD} -eq 1 ]; then
|
||||
# Only check the files that are not installed by a package
|
||||
if ! FileInstalledByPackage "${FILE}"; then
|
||||
LogText "Test: checking file and determining if it is certificate ${FILE}"
|
||||
FIND=$(${OPENSSLBINARY} x509 -noout -in "${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter")
|
||||
LogText "Test: test if file is a certificate"
|
||||
OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' "${FILE}")
|
||||
if [ $? -eq 0 ]; then
|
||||
# Check certificate where 'end date' has been expired
|
||||
FIND=$(${OPENSSLBINARY} x509 -noout -checkend 0 -in "${FILE}" -enddate 2> /dev/null)
|
||||
EXIT_CODE=$?
|
||||
CERT_CN=$(${OPENSSLBINARY} x509 -noout -subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/')
|
||||
CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}')
|
||||
Report "certificate[]=${FILE}|${EXIT_CODE}|cn:${CERT_CN};notafter:${CERT_NOTAFTER};|"
|
||||
if [ ${EXIT_CODE} -eq 0 ]; then
|
||||
LogText "Result: certificate ${FILE} seems to be correct and still valid"
|
||||
LogText "Result: file is a certificate"
|
||||
LogText "Test: checking certificate details"
|
||||
FIND=$(${OPENSSLBINARY} x509 -noout -in "${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter")
|
||||
if [ $? -eq 0 ]; then
|
||||
# Check certificate where 'end date' has been expired
|
||||
FIND=$(${OPENSSLBINARY} x509 -noout -checkend 0 -in "${FILE}" -enddate 2> /dev/null)
|
||||
EXIT_CODE=$?
|
||||
CERT_CN=$(${OPENSSLBINARY} x509 -noout -subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/')
|
||||
CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}')
|
||||
Report "certificate[]=${FILE}|${EXIT_CODE}|cn:${CERT_CN};notafter:${CERT_NOTAFTER};|"
|
||||
if [ ${EXIT_CODE} -eq 0 ]; then
|
||||
LogText "Result: certificate ${FILE} seems to be correct and still valid"
|
||||
else
|
||||
FOUNDPROBLEM=1
|
||||
COUNT_EXPIRED=$((COUNT_EXPIRED + 1))
|
||||
LogText "Result: certificate ${FILE} has been expired"
|
||||
fi
|
||||
else
|
||||
FOUNDPROBLEM=1
|
||||
COUNT_EXPIRED=$((COUNT_EXPIRED + 1))
|
||||
LogText "Result: certificate ${FILE} has been expired"
|
||||
LogText "Result: skipping tests for this file (${FILE}) as it is most likely not a certificate (a key file?)"
|
||||
fi
|
||||
else
|
||||
LogText "Result: skipping tests for this file (${FILE}) as it is most likely not a certificate (a key file?)"
|
||||
LogText "Result: skipping test for this file (${FILE}) as we could not find 'BEGIN CERT'"
|
||||
fi
|
||||
fi
|
||||
else
|
||||
|
|
|
|||
Loading…
Reference in New Issue