Check cert serial len + fix output when too big #2014
Merged
Conversation
OpenSSL shows certificate serial numbers >35 with a LF (0A). Testssl.sh just output that, which makes JSON invalid and displays the LF in the terminal too. This commit fixes that (#2010) by adding filters so that the serial number is not a multiline string. Also this commit introduces a new function: a size check of the cert serial. Below 8 bytes the CAB Forum's lower limit is hit, which says the *entropy* from a CSPRNG should be at least 64 bits. It is assumed that below 8 bytes length this requirement isn't possible to meet (needs to be clarified with Shannon, 8 bytes seems too low to me). The high threshold is according to RFC 5280, Section 4.1.2.2. See also #2013. The output has changed, so that on the terminal the serial has one line, SHA1 and SHA256 each one line. The new JSON key is "cert_serialNumberLen".
drwetter added a commit that referenced this pull request on Oct 19, 2021
Same as #2014, this is for 3.0 though. OpenSSL shows certificate serial numbers >35 with a LF (0A). Testssl.sh just output that, which makes JSON invalid and displays the LF in the terminal too. This PR fixes that (#2010) by adding text filters so that the serial number is not a multiline string. Also this PR introduces a new function: a size check of the cert serial. Below 8 bytes the CAB Forum's lower limit is hit, which says the entropy from a CSPRNG should be at least 64 bits. It is assumed that below 8 bytes length this requirement isn't possible to meet (needs to be clarified with Shannon, 8 bytes seems too low to me). The high threshold is according to RFC 5280, Section 4.1.2.2. See also #2013. The output has changed, so that on the terminal the serial has one line, SHA1 and SHA256 each one line. The new JSON key is "cert_serialNumberLen".
OpenSSL shows certificate serial numbers >35 with a LF (0A). Testssl.sh
just output that, which makes JSON invalid and displays the LF in the terminal
too.
This PR fixes that (#2010) by adding filters so that the
serial number is not a multiline string.
Also this PR introduces a new function: a size check of the cert serial.
Below 8 bytes the CAB Forum's lower limit is hit, which says the entropy
from a CSPRNG should be at least 64 bits. It is assumed that below 8 bytes
length this requirement isn't possible to meet (needs to be clarified with
Shannon, 8 bytes seems too low to me).
The high threshold is according to RFC 5280, Section 4.1.2.2.
See also #2013.
The output has changed, so that on the terminal the serial has one line,
SHA1 and SHA256 each one line. The new JSON key is "cert_serialNumberLen".
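The two steps the PR description and the commit message above describe, the text filter that collapses OpenSSL's wrapped serial into one line and the length check against the CA/B Forum floor (64 bits of CSPRNG output, so at least 8 bytes) and the RFC 5280 Section 4.1.2.2 ceiling (at most 20 octets), as an added POSIX shell example. This is not testssl.sh's own code: the function names, the two threshold variables and the sample serials are assumptions constructed for the example, and the sample inputs are not taken from real certificates.

```shell
#!/bin/sh
# Added example, not testssl.sh's own code. Normalises a certificate serial
# number as OpenSSL prints it (possibly wrapped over several lines as
# colon-separated hex) and classifies its byte length against the two limits
# cited in the PR: CA/B Forum (>= 64 bits of CSPRNG output, so fewer than
# 8 bytes cannot satisfy it) and RFC 5280 section 4.1.2.2 (<= 20 octets).
# Function names and threshold variables are assumptions for this example.

MIN_SERIAL_BYTES=8    # CA/B Forum: at least 64 bits of CSPRNG output
MAX_SERIAL_BYTES=20   # RFC 5280 4.1.2.2: serialNumber MUST NOT exceed 20 octets

# Collapse a raw serial into one lowercase hex string: drop the "serial="
# prefix that `openssl x509 -noout -serial` emits, then strip colons, blanks
# and line feeds from the wrapped form seen in `openssl x509 -text` output.
normalize_serial() {
    printf '%s' "$1" | sed 's/^serial=//' | tr -d '\n\r\t :' | tr 'A-F' 'a-f'
}

# Length of the encoded INTEGER in bytes (two hex digits per byte; an odd
# leading nibble counts as a full byte). A leading 00 octet, which DER adds
# when the top bit of the first value byte is set, is counted, matching what
# OpenSSL prints. Returns 1 if the input is empty or not hex.
serial_bytes() {
    hex=$(normalize_serial "$1")
    case "$hex" in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    echo $(( (${#hex} + 1) / 2 ))
}

# Classify: prints "invalid", "short" (< 8 bytes), "long" (> 20 bytes) or "ok".
check_serial_len() {
    n=$(serial_bytes "$1") || { echo invalid; return 1; }
    if [ "$n" -lt "$MIN_SERIAL_BYTES" ]; then
        echo short
    elif [ "$n" -gt "$MAX_SERIAL_BYTES" ]; then
        echo long
    else
        echo ok
    fi
}

# Constructed sample inputs (not real certificates):
# 1) one-line "-serial" form, 2 bytes: below the CA/B Forum floor
SAMPLE_SHORT='serial=1234'
# 2) wrapped "-text" form with an embedded line feed, 18 bytes: within limits
SAMPLE_WRAPPED=$(printf '0a:1b:2c:3d:4e:5f:60:71:82:93:a4:b5:c6:d7:e8:f9:\n            0a:1b')
# 3) 21 bytes: over the RFC 5280 ceiling
SAMPLE_LONG='00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc'

# Usage with a real certificate (not run here):
#   check_serial_len "$(openssl x509 -in cert.pem -noout -serial)"
if [ "${1:-}" = "--demo" ]; then
    for s in "$SAMPLE_SHORT" "$SAMPLE_WRAPPED" "$SAMPLE_LONG"; do
        printf '%s bytes: %s\n' "$(serial_bytes "$s")" "$(check_serial_len "$s")"
    done
fi
```

Because `normalize_serial` removes every line feed before the length is taken, the same string can be placed in a JSON value without producing an invalid document, which is the first half of the fix; the second half is the length classification, which counts the leading 00 padding octet the same way OpenSSL displays it.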