whatssl

#!/bin/bash
# shellcheck disable=SC1007 disable=SC2230 disable=SC2236

if [ ! -n "$BASH_VERSION" ];then exec bash "$0" "$@";else set +o posix;fi

main() {
    [ $# -eq 0 ] && set -- -

    init_vars
    test_for_windows

    for file
    do
	[ "$#" -gt 1 ] && echo "Contents of File $file"

	case ".$file" in
	.- ) XDATA="$(cat | openssl enc -base64)" ;;
	.https://* )
	    RHOST="${file##https://}"
	    XDATA="$(:|
		openssl s_client -servername "$RHOST" -connect "$RHOST":443 |
		openssl enc -base64)"
	    ;;
	* ) XDATA="$(openssl enc -base64 <"$file")" ;;
	esac

	decode_binary_data "$XDATA" || continue

	decode_data "$DATA"

	[ "$#" -gt 1 ] && echo
    done
    exit 0
}

init_vars() {
NL='
'
    MYPASS="$PASSWORD"
    DICTIONARY=(${MYPASS:+"$MYPASS"} 0000 1234 12345 123456 12345678 password qwerty)
    MYPASS="${MYPASS:-slartibartfast}"
    NOPKEY="$(openssl no-pkey >/dev/null 2>&1 && echo yes || echo no)"
    PW=(-passin pass:"$MYPASS")

    UTF8=
    if [ "$(locale charmap 2>/dev/null)" = UTF-8 ]
    then
	if openssl req -help 2>&1 | grep -qe -utf8
	then UTF8=yes
	fi
    fi

    REQOPT=
    if openssl req -help 2>&1 | grep -qe -reqopt
    then REQOPT=yes
    fi

    return 0
}

pubkey_id() {
    local TKEY H keyid

    [[ "$1" = '' ]] && { echo '      Public key not available' ; return 0; }

    keyid="$(echo "$1" |
	openssl asn1parse | tr ':' ' ' | awk '/OBJECT/{print $NF;}' |
	tail -1 | sed -e 's/ *$//' -e 's/PublicKey//' -e 's/Encryption//'
    )"

    keyid="$keyid $(
	H=$(echo "$1" |
	openssl rsa -pubin -modulus -noout 2>/dev/null |
	sed -n 's/.*=//p' | wc -c)
	[ "$H" -gt 0 ] && echo "$((H*4/8*8)) bit"
    )"
    keyid="${keyid% }"

    keyid="$keyid $(
	H=$(echo "$1" |
	openssl dsa -pubin -modulus -noout 2>/dev/null |
	sed -n 's/.*=//p' | wc -c)
	[ "$H" -gt 0 ] && echo "$((H*4/8*8)) bit"
    )"
    keyid="${keyid% }"

    if openssl x509 -help 2>&1 | grep -qie -force_pubkey
    then
	# This is a somewhat insane way to get the "Subject Key Identifier",
	# well, it seems to be the only way that works!
	keyident="$(
	    TKEY=$(openssl ecparam -name prime256v1 -genkey -noout)
	    openssl x509 -req 2>/dev/null \
		-in <(openssl req 2>/dev/null -subj / -new -key <(echo "$TKEY") ) \
		-CA <(openssl req 2>/dev/null -subj / -new -key <(echo "$TKEY") -x509) \
		-CAkey <(echo "$TKEY") -set_serial 00 \
		-force_pubkey <(echo "$1") \
		-extfile <( echo subjectKeyIdentifier=hash ) |
	    openssl x509 2>/dev/null -noout -text -certopt no_pubkey |
	    awk 'f==1{print $1;exit;} /Subject Key Identifier/{f=1;}'
	)"
    else keyident=''
    fi

    if [[ "$keyident" = '' ]]
    then
	local -r Z=$(:|openssl sha1 -hex | awk '{print $NF;}')
	H=$(echo "$1" | openssl rsa -pubin -outform DER 2>/dev/null | openssl sha1 -hex | awk '{print $NF;}' )
	[[ "$H" = "$Z" ]] && H=$(echo "$1" | openssl dsa -pubin -outform DER 2>/dev/null | openssl sha1 -hex | awk '{print $NF;}' )
	[[ "$H" = "$Z" ]] && H=$(echo "$1" | openssl ec -pubin -outform DER 2>/dev/null | openssl sha1 -hex | awk '{print $NF;}' )
	[[ "$H" = "$Z" ]] && H='?'
	keyid="$keyid DER:$H"
    else
	keyid="$keyid ${keyident}"
    fi

    echo "      $keyid"
}

decode_binary_data() {
    local XDATA="$1" NOLOOP="$2"

    if echo "$XDATA" | openssl enc -base64 -d 2>/dev/null | grep -iq ^-----BEGIN
    then DATA="$(echo "$XDATA" | openssl enc -base64 -d )"
    elif echo "$XDATA" | openssl enc -base64 -d | openssl asn1parse -inform der >/dev/null 2>&1
    then
	echo "This is a DER (ASN1) format file${NOLOOP:+, encoded in base64}"
	DATA=''
	for cmd in x509 req pkey crl
	do  [ "$DATA" != "" ] && break
	    DATA="$(echo "$XDATA" | openssl enc -base64 -d | openssl $cmd -inform DER 2>/dev/null)"
	done

	[ "$DATA" = "" ] &&
	    DATA="$(echo "$XDATA" | openssl enc -base64 -d | openssl pkcs8 -inform DER "${PW[@]}" 2>/dev/null)"
	[ "$DATA" = "" ] &&
	    DATA="$(echo "$XDATA" | openssl enc -base64 -d | openssl pkcs12 -nodes -passin pass: 2>/dev/null)"

	[ "$DATA" = "" ] &&
	    for PASS in "${DICTIONARY[@]}"
	    do
		[ "$DATA" = "" ] &&
		    DATA="$(echo "$XDATA" | openssl enc -base64 -d | openssl pkcs8 -inform DER ${PASS:+-passin pass:"$PASS"} 2>/dev/null)"
		[ "$DATA" = "" ] &&
		    DATA="$(echo "$XDATA" | openssl enc -base64 -d | openssl pkcs12 -nodes ${PASS:+-passin pass:"$PASS"} 2>/dev/null)"
		[ "$DATA" != '' ] && {
		    [[ "$PASS" != "$PASSWORD" ]] &&
			echo "NOTE: Data encrypted with trivial password '$PASS'"
		    break
		}
	    done

	[ "$DATA" = "" ] && {
	    if echo "$XDATA" | openssl enc -base64 -d | openssl asn1parse -inform DER | grep -qi 'OBJECT *:pkcs7-signedData'
	    then echo "PKCS7 format data file:"
		 DATA="$(echo "$XDATA" | openssl enc -base64 -d | openssl pkcs7 -inform der -print_certs)"
	    elif echo "$XDATA" | openssl enc -base64 -d | openssl asn1parse -inform DER | grep -qi 'OBJECT *:pkcs7-data'
	    then echo "PKCS7/12 format data, encrypted pfx?"
		 return 1
	    else 
		 if [[ "$NOLOOP" != yes ]]
		 then
		     OBJ="$(echo "$XDATA" | openssl enc -base64 -d | openssl asn1parse -inform DER | awk '/OBJECT/{print $NF;exit;}')"
		     echo "File contents not identified${OBJ:+; starts with$OBJ}"
		 fi
		 return 1
	    fi
	}
    elif echo "$XDATA" | openssl enc -base64 -d | openssl enc -base64 -d | openssl asn1parse -inform der >/dev/null 2>&1
    then
	decode_binary_data "$(echo "$XDATA" | openssl enc -base64 -d)" yes
	return

    elif [ "$XDATA" = '' ]
    then return 1
    else
	echo >&2 "File not in PEM or DER format"
	return 1
    fi

    return 0
}

decode_data() {
    local ITEM FIRSTCERTPUB FIRSTPKEYPUB=
    local PKEYPARAM PUBKEY PUBKEYPEM STRICT SUBJ ENCKEY PKCS7DATA
    local failed success purpose tested
    local k=0 found=0 ISSU= CHAIN= PREVCERTPUB= C=

    local DATA="$1" NOLOOP="$2"

    PUBKEY="$(echo "$DATA" | openssl x509 -pubkey -noout 2>/dev/null)"
    [ "$PUBKEY" != "" ] && PUBKEY="$(echo "$PUBKEY" | openssl md5 | awk '{print $NF;}')"
    FIRSTCERTPUB="$PUBKEY"

    [[ "$NOPKEY" = no ]] && {
	PUBKEY="$(echo "$DATA" | openssl pkey -pubout "${PW[@]}" 2>/dev/null)"
	[ "$PUBKEY" != "" ] && PUBKEY="$(echo "$PUBKEY" | openssl md5 | awk '{print $NF;}')"
	FIRSTPKEYPUB="$PUBKEY"
    }

    while :
    do
	((k+=1))
	ITEM="$(echo "$DATA" | awk -v k=$k '/^-----BEGIN/ && k>1 {k--;next;} /^-----BEGIN/&& k {disp=1;} disp{print;} /^-----END/&&disp{disp=0;k=0;}')"
	[ "$ITEM" = "" ] && break
	((found+=1))

	for PEMTYPE in x509 req pkey dsaparam ecparam pkeyparam pubkey rsa ec dsa crl
	do  if [[ "$PEMTYPE" = 'pubkey' ]]
	    then PEMITEM="$(echo "$ITEM" | openssl pkey -pubin 2>/dev/null)"
	    elif [[ "$PEMTYPE" = 'pkey' || "$PEMTYPE" = rsa || "$PEMTYPE" = dsa || "$PEMTYPE" = ec ]]
	    then PEMITEM="$(echo "$ITEM" | openssl "$PEMTYPE" "${PW[@]}" 2>/dev/null)"
	    else PEMITEM="$(echo "$ITEM" | openssl "$PEMTYPE" 2>/dev/null)"
	    fi
	    [[ "$PEMITEM" != "" ]] && break
	done

	[[ "$PEMITEM" = '' ]] && {
	    for PASS in "${DICTIONARY[@]}"
	    do  for PEMTYPE in pkey rsa ec dsa
		do
		    PEMITEM="$(echo "$ITEM" | openssl "$PEMTYPE" ${PASS:+-passin pass:"$PASS"} 2>/dev/null)"
		    [ "$PEMITEM" != '' ] && {
			[[ "$PASS" != "$PASSWORD" ]] &&
			    echo "NOTE: Data encrypted with trivial password '$PASS'"

			MYPASS="$PASS"
			PW=(-passin pass:"$MYPASS")
			break 2
		    }
		done
	    done
	}
	[[ "$PEMITEM" = '' ]] && PEMTYPE=''

	PUBKEY=
	case "$PEMTYPE" in
	x509 ) PUBKEY="$(echo "$ITEM" | openssl x509 -pubkey -noout 2>/dev/null)" ;;
	req ) PUBKEY="$(echo "$ITEM" | openssl req -pubkey -noout 2>/dev/null)" ;;
	pkey ) PUBKEY="$(echo "$ITEM" | openssl pkey -pubout "${PW[@]}" 2>/dev/null)" ;;
	pubkey ) PUBKEY="$(echo "$ITEM" | openssl pkey -pubin 2>/dev/null)" ;;

	rsa|ec|dsa )
	    PUBKEY="$(echo "$ITEM" | openssl "$PEMTYPE" -pubout "${PW[@]}" 2>/dev/null)" ;;

	pkeyparam|dsaparam|ecparam )
	    PKEYPARAM="$(echo "$ITEM" | openssl "$PEMTYPE" -text -noout 2>/dev/null)" ;;
	esac

	PUBKEYPEM="$PUBKEY"
	[ "$PUBKEY" != "" ] && PUBKEY="$(echo "$PUBKEY" | openssl md5 | awk '{print $NF;}')"

	if [ "$PEMTYPE" = "x509" ]
	then
	    PREVCERTPUB="$PUBKEY"

	    if openssl x509 -help 2>&1 | grep -qie -issuer_hash_old
	    then
		echo "$ITEM" |
		    openssl x509 -noout -text -fingerprint \
			-certopt no_sigdump,no_pubkey \
			-nameopt esc_ctrl${UTF8:+,utf8,-esc_msb}
	    elif openssl x509 -help 2>&1 | grep -qie -issuer_hash
	    then
		echo "$ITEM" |
		    openssl x509 -noout -text -fingerprint \
			-certopt compatible,no_sigdump,no_pubkey
	    else
		echo "$ITEM" |
		    openssl x509 -noout -text
	    fi

	    echo "    Public key is:"
	    pubkey_id "$PUBKEYPEM"

	    SUBJ="$(echo "$ITEM" | openssl x509 -subject_hash -noout 2>/dev/null)"
	    [[ "$SUBJ" = "$ISSU" && "$ISSU" != '' ]] &&
		echo '    This certificate is the issuer for the previous one'

	    ISSU="$(echo "$ITEM" | openssl x509 -issuer_hash -noout 2>/dev/null)"

	    if openssl verify -help 2>&1 | grep -q -e -no-CApath
	    then NOCAPATH=-no-CApath
	    else NOCAPATH='-CApath /dev/null'
	    fi

	    if [ "$SUBJ" = "$ISSU" ]
	    then
		# shellcheck disable=SC2086
		if ( openssl verify $NOCAPATH \
			-CAfile <(echo "$ITEM") <(echo "$ITEM") 2>&1 ||
			echo error ) | grep -iq ^error
		then
		    if echo "$ITEM" | openssl x509 -checkend 0 >/dev/null 2>&1
		    then echo "    This self signed certificate fails validation"
		    else echo "    This self signed certificate has expired"
		    fi
		else
		    for STRICT in '-x509_strict' ''
		    do
			success=
			failed=
			tested=
			for purpose in  '' \
					sslclient sslserver nssslserver \
					smimesign smimeencrypt \
					crlsign ocsphelper timestampsign
			do
			    tested="$tested $purpose"
			    [ "$purpose" = '' ] && tested="${tested}unspecified"

			    if ! ( openssl verify $STRICT ${STRICT:+-check_ss_sig} \
					${purpose:+-purpose $purpose} \
					$NOCAPATH \
					-CAfile <(echo "$ITEM") \
					${CHAIN:+-untrusted <(echo "$CHAIN")} \
					<(echo "$DATA") 2>&1 || echo error ) |
				    grep -iq ^error
			    then success="$success $purpose"
				 [ "$purpose" = '' ] &&
				    success="${success}unspecified"
			    elif [ "$purpose" = '' ]
			    then break
			    else failed="$failed $purpose"
			    fi
			done
			[ "$success" ] && break
		    done

		    if [ "$tested" = "$success" ]
		    then
			echo "    This self signed certificate verifies the chain${STRICT:+ in strict mode} for all purposes"
		    elif [ "$success" != "" ]
		    then
			echo "    This self signed certificate verifies the chain${STRICT:+ in strict mode}"
			echo "        purposes:$success"
			[ "$failed" != "" ] &&
			    echo "        failed for:$failed"

		    elif ! openssl verify -check_ss_sig \
				    -CAfile <(echo "$ITEM") \
				    $NOCAPATH \
				    ${CHAIN:+-untrusted <(echo "$CHAIN")} \
				    <(echo "$DATA") 2>&1 | grep -iq ^error
		    then
			echo '    This self signed certificate verifies the chain when not strict'
		    else
			echo '    This certificate is self signed'
		    fi
		fi
	    elif [ "$PUBKEY" != "$FIRSTCERTPUB" ]
	    then
		CHAIN="$CHAIN$NL$ITEM"
	    fi

	elif [ "$PEMTYPE" = "req" ]
	then
	    PREVCERTPUB=
	    echo "$ITEM" | openssl req -noout -text ${REQOPT:+-reqopt no_sigdump,no_pubkey}
	    [[ "$PUBKEYPEM" != '' ]] &&  {
		echo "    Public key is:"
		pubkey_id "$PUBKEYPEM"
	    }

	    if [[ "$FIRSTPKEYPUB" != '' && "$PUBKEY" = "$FIRSTPKEYPUB" ]]
	    then echo "    WARNING: The file contains a private key that matches this request"
	    elif [[ "$FIRSTCERTPUB" != '' && "$PUBKEY" = "$FIRSTCERTPUB" ]]
	    then echo "    This request matches the first certificate"
	    fi

	elif [[ "$PEMTYPE" = 'pkey' || "$PEMTYPE" = rsa || "$PEMTYPE" = dsa || "$PEMTYPE" = ec ]]
	then

	    if [[ "$PUBKEY" != "" && "$PUBKEY" = "$PREVCERTPUB" ]]
	    then echo '    The file contains a private key that matches this certificate.'
	    elif [ "$PUBKEY" != "" ]
	    then
		echo 'A private key for this public key:'
		pubkey_id "$PUBKEYPEM"
		if [[ "$PUBKEY" = "$FIRSTCERTPUB" ]]
		then echo '    This key matches the first certificate.'
		fi
	    else
		echo "Item $k is a private key ($PEMTYPE)"
	    fi

	elif [[ "$PEMTYPE" = pkeyparam || "$PEMTYPE" = dsaparam || "$PEMTYPE" = ecparam ]]
	then
	    echo "Parameter file ($PEMTYPE):"
	    echo "$PKEYPARAM"

	elif [ "$PEMTYPE" = "pubkey" ]
	then
	    echo "Public key:"
	    pubkey_id "$ITEM"

	elif [ "$PEMTYPE" = "crl" ]
	then
	    C=$(echo "$ITEM" | openssl crl -noout -text | grep -c 'Serial Number:')
	    echo "A CRL file with $C entries:"
	    echo "$ITEM" | openssl crl -noout \
		-lastupdate -nextupdate -issuer \
		-nameopt multiline,esc_ctrl${UTF8:+,utf8,-esc_msb} \
		2>/dev/null

	else
	    ENCKEY=$(echo "$ITEM" | openssl pkey -pubout "${PW[@]}" 2>&1 | grep -qi 'bad.\(decrypt\|pass\)' && echo yes)
	    PKCS7DATA=$(echo "$ITEM" | openssl pkcs7 -print_certs 2>/dev/null ||:)

	    if [ "$ENCKEY" = "yes" ]
	    then
		echo Item $k is an encrypted key
	    elif [ "$PKCS7DATA" != "" ]
	    then
		echo A PKCS7 bag with the contents ...
		decode_data "$PKCS7DATA" yes
		echo
		echo End of PKCS7 file
		echo
	    else
		FIRSTOBJ="$(echo "$ITEM" | openssl asn1parse 2>/dev/null | awk '/OBJECT/{print $NF;exit;}')"
		PEM="$(echo "$ITEM" | sed -n 's/^-----BEGIN \(.*\)$/\1/p' | sed 's/-*\s*$//')"
		if [[ "$FIRSTOBJ" != '' && "$NOLOOP" = '' ]]
		then
		    echo "PEM item $k with name $PEM and object $FIRSTOBJ"
		    (
			decode_binary_data "$ITEM" yes &&
			decode_data "$DATA" yes
		    )
		elif [[ "$NOLOOP" != yes ]]
		then echo "PEM style item $k not identified: $PEM"
		fi
	    fi
	fi
    done
    [ "$found" -eq 0 ] &&
	echo No PEM data found in "$file"

    return 0
}

test_for_windows() {
    # MINGW has two copies of openssl, one compiled for Windows and one
    # compiled for Unix. The Windows version cannot be used with process
    # substitution ( the <(...) stuff ). Check to see if the default is
    # working, if not try to find the other one.
    local pgm

    if [ "$(openssl enc -a -in <(echo ok) 2>/dev/null )" != b2sK ]
    then
	for pgm in $(which -a openssl)
	do
	    eval "openssl() { command '$pgm' \"\$@\"; }"

	    if [ "$(openssl enc -a -in <(echo ok) 2>/dev/null )" = b2sK ]
	    then break
	    fi
	done
    fi
}

main "$@"