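#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
#
# For every host given on the command line, open a TLS connection on port
# 443 (through the https_proxy / socks_proxy found in the environment, if
# any), record the certificate chain the server presents and print, for
# each certificate in it, its subject and the base64 SHA-256 digest of its
# SubjectPublicKeyInfo - the value used for public-key pinning.
#
# Usage:   <prog> host [host ...]
# Env:     https_proxy, socks_proxy   optional proxy URLs
# Exit:    0 when every pin was computed, 2 on setup errors / empty output /
#          a certificate whose key could not be extracted, "1<rc>" when
#          openssl s_client exits with rc (convention kept from the original).
# Output:  per-host scratch files are left in a mktemp directory so that
#          failures can be inspected.
#
# https://medium.com/@appmattus/android-security-ssl-pinning-1db8acb6621e

prog=$( basename -- "$0" .bash )
# Presumably read by the sourced libraries - confirm before removing.
PREFIX=/usr/local
ROLE=proxy

# ERROR/INFO/DBUG, proxy_ping_mode and proxy_ping_update_cacert are defined
# by these libraries.  ERROR itself is not available until the first one
# has loaded, so its failure is reported with plain printf.
. /usr/local/bin/proxy_ping_lib.bash || \
  { printf '%s: error loading %s\n' "$prog" /usr/local/bin/proxy_ping_lib.bash >&2 ; exit 2 ; }
. /usr/local/bin/usr_local_base.bash || exit 2

proxy_ping_mode
#? . /usr/local/bin/proxy_export.bash $MODE

# Sourced a second time after proxy_ping_mode, as the original did;
# presumably it re-reads mode-dependent settings - confirm before removing.
. /usr/local/bin/usr_local_base.bash || exit 2

# Prefer the bundle maintained by proxy_ping_update_cacert when the call
# succeeds and reports a path; otherwise fall back to the static bundle.
# (The original tested "$? -ne 0 -o -n $CERT", which selected the - usually
# empty - $CERT precisely when the update had failed.)
if CERT=$( proxy_ping_update_cacert ) && [ -n "$CERT" ] ; then
  CAFILE=$CERT
else
  CAFILE=/usr/local/etc/ssl/cacert-testforge.pem
fi
[ -r "$CAFILE" ] || { ERROR "$prog" cannot read CA file "$CAFILE" ; exit 2 ; }

#######################################
# Host part of a proxy URL of the form scheme://[user:pass@]host[:port][/]
# Arguments: $1 - proxy URL
# Outputs:   host on stdout
#######################################
proxy_url_host() {
  local hp=${1#*://}     # drop scheme
  hp=${hp##*@}           # drop userinfo
  hp=${hp%%/*}           # drop path / trailing slash
  printf '%s\n' "${hp%%:*}"
}

#######################################
# Port part of a proxy URL (see proxy_url_host).  When the URL carries no
# port the host is printed instead, as the sed expression this replaces did.
# Arguments: $1 - proxy URL
# Outputs:   port on stdout
#######################################
proxy_url_port() {
  local hp=${1#*://}
  hp=${hp##*@}
  hp=${hp%%/*}
  printf '%s\n' "${hp##*:}"
}

#######################################
# Public-key pin of the PEM certificate read from stdin: base64 of the
# SHA-256 digest of its SubjectPublicKeyInfo in DER form.
# "openssl pkey" handles every key type; the original's "openssl rsa" failed
# silently on EC certificates, so the digest of an empty input was printed.
# Outputs:   the pin on stdout
# Returns:   0 on success; non-zero (and no output) when the key cannot be
#            extracted or any stage of the pipeline fails
#######################################
spki_sha256_b64() {
  local pub pin
  pub=$( openssl x509 -pubkey -noout 2>/dev/null ) || return 1
  [ -n "$pub" ] || return 1
  # pipefail is set inside the subshell only; DER is never stored in a
  # variable because it may contain NUL bytes.
  pin=$( set -o pipefail
         printf '%s\n' "$pub" | openssl pkey -pubin -outform DER 2>/dev/null |
           openssl dgst -sha256 -binary | openssl enc -base64 ) || return 1
  [ -n "$pin" ] || return 1
  printf '%s\n' "$pin"
}

# The openssl command and the arguments common to every probe are arrays so
# that a CA path with spaces, or the two-word "torsocks openssl", survive
# expansion.  -CAfile is the documented spelling of the option.
openssl_cmd=(openssl)
openssl_args=(-4 -CAfile "$CAFILE" -bugs -showcerts)
if [ -n "$https_proxy" ] ; then
  HTTPS_HOST=$( proxy_url_host "$https_proxy" )
  HTTPS_PORT=$( proxy_url_port "$https_proxy" )
  openssl_args+=(-proxy "${HTTPS_HOST}:${HTTPS_PORT}")
elif [ -n "$socks_proxy" ] ; then
  # SOCKS_HOST/SOCKS_PORT are computed but not used here (kept from the
  # original; torsocks takes its settings from its own configuration).
  SOCKS_HOST=$( proxy_url_host "$socks_proxy" )
  SOCKS_PORT=$( proxy_url_port "$socks_proxy" )
  # check /etc/tor/torsocks.conf
  openssl_cmd=(torsocks openssl)
fi

# Per-run scratch directory created with mktemp rather than the predictable
# /tmp/$prog$$ name.  Files are deliberately left behind for inspection.
OUTR=$( mktemp -d "${TMPDIR:-/tmp}/$prog.XXXXXX" ) || \
  { ERROR "$prog" mktemp failed ; exit 2 ; }
DBUG "$prog" output in "$OUTR"

rc=0
for item in "$@" ; do
  # One file prefix per host; a "/" in the argument must not escape $OUTR.
  OUTRF=$OUTR/${item//\//_}

  INFO "${openssl_cmd[@]}" s_client -connect "${item}:443" -servername "$item" "${openssl_args[@]}"
  "${openssl_cmd[@]}" s_client -connect "${item}:443" -servername "$item" "${openssl_args[@]}" \
    </dev/null 2>"$OUTRF.err" >"$OUTRF.out"
  # Captured before any test: the original read $? inside the "|| { }"
  # block, where it was already the status of the failed test (always 1).
  retval=$?
  [ "$retval" -eq 0 ] || {
    ERROR "$prog" "$retval" see "$OUTRF.err"
    cat "$OUTRF.err"
    exit "1$retval"
  }
  [ -s "$OUTRF.out" ] || { ERROR "$prog" empty "$OUTRF.out" ; exit 2 ; }

  # Keep only the chain section of the -showcerts output.
  sed -n '/Certificate chain/,/Server certificate/p' "$OUTRF.out" >"$OUTRF.chain"
  DBUG "$prog" Certificate chain:
  grep '^ [0-9][0-9]* ' "$OUTRF.chain"
  INFO "$prog" Base64 Certificate sha256 digests:

  # Walk the PEM blocks one at a time; each slice also carries the
  # " N s:<subject>" / " N i:<issuer>" header lines that precede it.
  rest=$( < "$OUTRF.chain" )
  while [[ "$rest" == *'-----BEGIN CERTIFICATE-----'* ]] ; do
    cert="${rest%%-----END CERTIFICATE-----*}-----END CERTIFICATE-----"
    rest=${rest#*-----END CERTIFICATE-----}
    subject=$( printf '%s\n' "$cert" | sed -n 's/^ *[0-9][0-9]* s:\(.*\)/\1/p' )
    # The original ran 'echo $(subject) echo "$cert" | openssl ...': the
    # missing ';' fed the subject into the pipeline and never printed it.
    if pin=$( printf '%s\n' "$cert" | spki_sha256_b64 ) ; then
      printf '%s\n%s\n' "$subject" "$pin"
    else
      ERROR "$prog" cannot extract public key for "${subject:-certificate}" in "$OUTRF.chain"
      rc=2
    fi
  done

  # rm -f "$OUTRF.chain" "$OUTRF.out" "$OUTRF.err"
done

exit "$rc"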