proxy_role/overlay/Linux/usr/local/bin/proxy_ssl_certs.bash

70 lines
2.3 KiB
Bash
Raw Permalink Normal View History

2024-01-06 01:57:28 +00:00
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
# https://medium.com/@appmattus/android-security-ssl-pinning-1db8acb6621e
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
. /usr/local/bin/proxy_ping_lib.bash || \
{ ERROR loading /usr/local/bin/proxy_ping_lib.bash ; exit 2; }
. /usr/local/bin/usr_local_base.bash || exit 2
proxy_ping_mode
#? . /usr/local/bin/proxy_export.bash $MODE
. /usr/local/bin/usr_local_base.bash || exit 2
CERT=$( proxy_ping_update_cacert )
[ "$?" -ne 0 -o -n "$CERT" ] && CAFILE=$CERT || \
CAFILE=/usr/local/etc/ssl/cacert-testforge.pem
openssl=openssl
OPENSSL_ARGS="-4 --CAfile $CAFILE -bugs -showcerts"
if [ -n "$https_proxy" ] ; then
HTTPS_HOST=$( echo $https_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/https* //' -e 's/ .*//' )
HTTPS_PORT=$( echo $https_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/.* //' )
OPENSSL_ARGS="$OPENSSL_ARGS -proxy ${HTTPS_HOST}:$HTTPS_PORT"
elif [ -n "$socks_proxy" ] ; then
SOCKS_HOST=$( echo $socks_proxy|sed -e 's/.*@//' -e 's@/@@g' -e 's/:/ /g' -e 's/socks5* //' -e 's/ .*//' )
SOCKS_PORT=$( echo $socks_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/.* //' )
# check /etc/tor/torsocks.conf
openssl='torsocks openssl'
fi
OUTR=/tmp/$prog$$
for item in "$@" ; do
i=0
OUTRF=$OUTR.$item
INFO openssl s_client -connect ${item}:443 -servername $item $OPENSSL_ARGS
$openssl s_client -connect ${item}:443 -servername $item $OPENSSL_ARGS \
</dev/null 2>$OUTRF.err >$OUTRF.out
[ $? -eq 0 ] || {
retval=$?
ERROR $prog $retval see $OUTRF.err
cat $OUTRF.err
exit 1$retval
}
[ -s $OUTRF.out ] || { ERROR $prog empty $OUTRF.out ; exit 2 ; }
sed -n '/Certificate chain/,/Server certificate/p' $OUTRF.out >$OUTRF.chain
DBUG $prog Certificate chain:
grep '^ [0-9][0-9]* ' $OUTRF.chain
INFO $prog Base64 Certificate sha256 digests:
rest=$( cat $OUTRF.chain )
while [[ "$rest" =~ '-----BEGIN CERTIFICATE-----' ]] ; do
cert="${rest%%-----END CERTIFICATE-----*}-----END CERTIFICATE-----"
rest=${rest#*-----END CERTIFICATE-----}
echo $( echo "$cert" | grep 's:' | sed 's/.*s:\(.*\)/\1/' ) echo "$cert" |
openssl x509 -pubkey -noout |
openssl rsa -pubin -outform der 2>/dev/null |
openssl dgst -sha256 -binary | openssl enc -base64
done
# rm -f $OUTRF.chain $OUTRF.out $OUTRF.err
done
exit 0