Add XML attributes for certificate strength. #54

rbsec · rbsec · commit 5007a79a7cc8 · 2019-06-16T14:36:02.000+01:00
diff --git a/sslscan.c b/sslscan.c
@@ -1905,20 +1905,22 @@ int checkCertificate(struct sslCheckOptions *options, const SSL_METHOD *sslMetho
                                     strtok(certAlgorithm, "\n");
                                     if (strstr(certAlgorithm, "md5") || strstr(certAlgorithm, "sha1"))
                                     {
+                                        printf_xml("   <signature-algorithm strength=\"weak\">");
                                         printf("%s%s%s\n", COL_RED, certAlgorithm, RESET);
                                     }
                                     else if (strstr(certAlgorithm, "sha512") || strstr(certAlgorithm, "sha256"))
                                     {
+                                        printf_xml("   <signature-algorithm strength=\"strong\">");
                                         printf("%s%s%s\n", COL_GREEN, certAlgorithm, RESET);
                                     }
                                     else
                                     {
+                                        printf_xml("   <signature-algorithm strength=\"acceptable\">");
                                         printf("%s\n", certAlgorithm);
                                     }
 
                                     if (options->xmlOutput)
                                     {
-                                        printf_xml("   <signature-algorithm>");
                                         i2a_ASN1_OBJECT(fileBIO, x509Cert->cert_info->signature->algorithm);
                                         printf_xml("</signature-algorithm>\n");
                                     }
@@ -1941,20 +1943,22 @@ int checkCertificate(struct sslCheckOptions *options, const SSL_METHOD *sslMetho
                                                 if (publicKey->pkey.rsa)
                                                 {
                                                     keyBits = BN_num_bits(publicKey->pkey.rsa->n);
+                                                    printf_xml("   <pk error=\"false\" type=\"RSA\" bits=\"%d\" ", BN_num_bits(publicKey->pkey.rsa->n));
                                                     if (keyBits < 2048 )
                                                     {
                                                         printf("RSA Key Strength:    %s%d%s\n", COL_RED, keyBits, RESET);
+                                                        printf_xml("strength=\"weak\" />\n");
                                                     }
                                                     else if (keyBits >= 4096 )
                                                     {
                                                         printf("RSA Key Strength:    %s%d%s\n", COL_GREEN, keyBits, RESET);
+                                                        printf_xml("strength=\"strong\" />\n");
                                                     }
                                                     else
                                                     {
                                                         printf("RSA Key Strength:    %d\n", keyBits);
+                                                        printf_xml("strength=\"acceptable\" />\n");
                                                     }
-
-                                                    printf_xml("   <pk error=\"false\" type=\"RSA\" bits=\"%d\" />\n", BN_num_bits(publicKey->pkey.rsa->n));
                                                 }
                                                 else
                                                 {

Original file line number	Diff line number	Diff line change
`@@ -1905,20 +1905,22 @@ int checkCertificate(struct sslCheckOptions options, const SSL_METHOD sslMetho`
`1905`	`1905`	`strtok(certAlgorithm, "\n");`
`1906`	`1906`	`if (strstr(certAlgorithm, "md5") \|\| strstr(certAlgorithm, "sha1"))`
`1907`	`1907`	`{`
	`1908`	`+ printf_xml(" <signature-algorithm strength=\"weak\">");`
`1908`	`1909`	`printf("%s%s%s\n", COL_RED, certAlgorithm, RESET);`
`1909`	`1910`	`}`
`1910`	`1911`	`else if (strstr(certAlgorithm, "sha512") \|\| strstr(certAlgorithm, "sha256"))`
`1911`	`1912`	`{`
	`1913`	`+ printf_xml(" <signature-algorithm strength=\"strong\">");`
`1912`	`1914`	`printf("%s%s%s\n", COL_GREEN, certAlgorithm, RESET);`
`1913`	`1915`	`}`
`1914`	`1916`	`else`
`1915`	`1917`	`{`
	`1918`	`+ printf_xml(" <signature-algorithm strength=\"acceptable\">");`
`1916`	`1919`	`printf("%s\n", certAlgorithm);`
`1917`	`1920`	`}`
`1918`	`1921`
`1919`	`1922`	`if (options->xmlOutput)`
`1920`	`1923`	`{`
`1921`		`- printf_xml(" <signature-algorithm>");`
`1922`	`1924`	`i2a_ASN1_OBJECT(fileBIO, x509Cert->cert_info->signature->algorithm);`
`1923`	`1925`	`printf_xml("</signature-algorithm>\n");`
`1924`	`1926`	`}`
`@@ -1941,20 +1943,22 @@ int checkCertificate(struct sslCheckOptions options, const SSL_METHOD sslMetho`
`1941`	`1943`	`if (publicKey->pkey.rsa)`
`1942`	`1944`	`{`
`1943`	`1945`	`keyBits = BN_num_bits(publicKey->pkey.rsa->n);`
	`1946`	`+ printf_xml(" <pk error=\"false\" type=\"RSA\" bits=\"%d\" ", BN_num_bits(publicKey->pkey.rsa->n));`
`1944`	`1947`	`if (keyBits < 2048 )`
`1945`	`1948`	`{`
`1946`	`1949`	`printf("RSA Key Strength: %s%d%s\n", COL_RED, keyBits, RESET);`
	`1950`	`+ printf_xml("strength=\"weak\" />\n");`
`1947`	`1951`	`}`
`1948`	`1952`	`else if (keyBits >= 4096 )`
`1949`	`1953`	`{`
`1950`	`1954`	`printf("RSA Key Strength: %s%d%s\n", COL_GREEN, keyBits, RESET);`
	`1955`	`+ printf_xml("strength=\"strong\" />\n");`
`1951`	`1956`	`}`
`1952`	`1957`	`else`
`1953`	`1958`	`{`
`1954`	`1959`	`printf("RSA Key Strength: %d\n", keyBits);`
	`1960`	`+ printf_xml("strength=\"acceptable\" />\n");`
`1955`	`1961`	`}`
`1956`		`-`
`1957`		`- printf_xml(" <pk error=\"false\" type=\"RSA\" bits=\"%d\" />\n", BN_num_bits(publicKey->pkey.rsa->n));`
`1958`	`1962`	`}`
`1959`	`1963`	`else`
`1960`	`1964`	`{`