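--- a/include/tests_crypto
+++ b/include/tests_crypto
@@ -137,6 +137,47 @@
 fi
 fi
 
+#
+#################################################################################
+#
+# Test : CRYP-7903
+# Description : Check for extraneous CA certificates
+if [ "${LINUX_VERSION}" = "Debian" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+Register --test-no CRYP-7903 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for extraneous CA certificates"
+if [ ${SKIPTEST} -eq 0 ]; then
+FOUNDPROBLEM=0
+# CERTSDIR and LOCALCERTSDIR from update-ca-certificates
+for DIR in /usr/share/ca-certificates /usr/local/share/ca-certificates; do
+if [ -d "${DIR}" ]; then
+FileIsReadable "${DIR}"
+if [ ${CANREAD} -eq 0 ]; then
+LogText "Result: can not read directory ${DIR} (no permission)"
+continue
+fi
+FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${GREPBINARY} -E ".cer$|.crt$|.der$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /__space__/g')
+for FILE in ${FILES}; do
+FILE="$(echo "${FILE}" | ${SEDBINARY} 's/__space__/ /g')"
+FileIsReadable "${FILE}"
+if [ ${CANREAD} -eq 0 ]; then
+LogText "Result: can not read file ${FILE} (no permission)"
+continue
+fi
+if ! FileInstalledByPackage "${FILE}"
+then
+LogText "Result: certificate ${FILE} not provided by any package"
+FOUNDPROBLEM=1
+fi
+done
+fi
+done
+if [ ${FOUNDPROBLEM} -eq 0 ]; then
+Display --indent 2 --text "- Checking for extraneous CA certificates" --result "${STATUS_NONE}" --color GREEN
+else
+Display --indent 2 --text "- Checking for extraneous CA certificates" --result "${STATUS_FOUND}" --color YELLOW
+ReportSuggestion "${TEST_NO}" "Check your CA certificates that are not provided by any package and verify that they are legit"
+fi
+fi
+
 #
 #################################################################################
 #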
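Review bot: The file enumeration on the `FILES=` line can miss or mis-handle certificates, which weakens a check meant to surface CA files nobody packaged. In the pattern `".cer$|.crt$|.der$|.pem$|^cert"` the dots are unescaped and `^cert` can never match, because find prints paths that begin with the directory name; `${GREPBINARY} -E "\.(cer|crt|der|pem)$"` states the intent. `${DIR}` is passed unquoted, and `for FILE in ${FILES}` still splits on tabs and newlines and expands glob characters, so the `__space__` substitution covers only one case and a file name containing `*` makes the loop test paths other than the one find reported. `-type f` also skips symbolic links, so a certificate linked into /usr/local/share/ca-certificates is never examined; it should be confirmed whether update-ca-certificates follows such links, and if it does the find call needs to follow them too.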