sslyze: backup and fix certinfo patch, https://github.com/nabla-c0d3/sslyze/issues/320

2026-04-25 00:01:15 +02:00 · 2018-07-02 22:20:32 +08:00 · 2018-07-02 22:20:32 +08:00 · fb3bd84673
commit fb3bd84673
parent 3c83af8c91
2 changed files with 93 additions and 0 deletions
--- a/net-analyzer/sslyze/files/sslyze-certinfo.patch
+++ b/net-analyzer/sslyze/files/sslyze-certinfo.patch
@ -0,0 +1,68 @@
+diff -urN sslyze-1.4.2.orig/sslyze/plugins/certificate_info_plugin.py sslyze-1.4.2/sslyze/plugins/certificate_info_plugin.py
+--- sslyze-1.4.2.orig/sslyze/plugins/certificate_info_plugin.py	2018-05-20 07:40:29.000000000 +0800
+++ sslyze-1.4.2/sslyze/plugins/certificate_info_plugin.py	2018-07-01 19:07:22.794032931 +0800
+@@ -232,8 +232,9 @@
+         is_leaf_certificate_ev (bool): True if the leaf certificate is Extended Validation according to Mozilla.
+         certificate_has_must_staple_extension (bool): True if the leaf certificate has the OCSP Must-Staple
+             extension as defined in RFC 6066.
+-        certificate_included_scts_count (int): The number of Signed Certificate Timestamps (SCTs) for Certificate
+-            Transparency embedded in the leaf certificate.
+        certificate_included_scts_count (Optional[int]): The number of Signed Certificate Timestamps (SCTs) for
+            Certificate Transparency embedded in the leaf certificate. None if the version of OpenSSL installed on the
+            system is too old to be able to parse the SCT extension.
+         ocsp_response (Optional[Dict[Text, Any]]): The OCSP response returned by the server. None if no response was
+             sent by the server.
+         ocsp_response_status (Optional[OcspResponseStatusEnum]): The status of the OCSP response returned by the server.
+@@ -469,7 +470,9 @@
+ 
+         # Look for SCT extension
+         scts_count = self.certificate_included_scts_count
+-        if scts_count == 0:
+        if scts_count is None:
+            sct_txt = 'OK - Extension present'
+        elif scts_count == 0:
+             sct_txt = 'NOT SUPPORTED - Extension not found'
+         elif scts_count < 3:
+             sct_txt = 'WARNING - Only {} SCTs included but Google recommends 3 or more'.format(str(scts_count))
+diff -urN sslyze-1.4.2.orig/sslyze/plugins/utils/certificate_utils.py sslyze-1.4.2/sslyze/plugins/utils/certificate_utils.py
+--- sslyze-1.4.2.orig/sslyze/plugins/utils/certificate_utils.py	2018-05-20 07:40:29.000000000 +0800
+++ sslyze-1.4.2/sslyze/plugins/utils/certificate_utils.py	2018-07-02 22:14:50.250935274 +0800
+@@ -3,18 +3,17 @@
+ from __future__ import unicode_literals
+ 
+ import ssl
+-from base64 import b64encode
+-from hashlib import sha256
+from typing import List, Optional
+
+ import cryptography
+-from cryptography.hazmat.primitives.asymmetric import rsa, dsa, ec
+-from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
+-from cryptography.x509 import DNSName
+-from cryptography.x509 import ExtensionNotFound
+-from cryptography.x509 import ExtensionOID
+-from cryptography.x509 import NameOID
+-from typing import List
+-from typing import Text
+from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa
+from cryptography.hazmat.primitives.serialization import Encoding, \
+    PublicFormat
+from cryptography.x509 import DNSName, ExtensionNotFound, ExtensionOID, \
+    NameOID
+ 
+from base64 import b64encode
+from hashlib import sha256
+ 
+ class CertificateUtils(object):
+     """Various utility methods for handling X509 certificates as parsed by the cryptography module.
+@@ -132,6 +131,10 @@
+                 ExtensionOID.PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS
+             )
+ 
+            if isinstance(sct_ext.value, cryptography.x509.UnrecognizedExtension):
+                # The version of OpenSSL on the system is too old and can't parse the SCT extension
+                return None
+
+             # Count the number of entries in the extension
+             scts_count = len(sct_ext.value)
+         except ExtensionNotFound:
--- a/net-analyzer/sslyze/sslyze-1.4.2-r1.ebuild
+++ b/net-analyzer/sslyze/sslyze-1.4.2-r1.ebuild
@ -0,0 +1,25 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+PYTHON_COMPAT=( python{2_7,3_{4,5,6}} )
+inherit distutils-r1
+
+DESCRIPTION="Fast and full-featured SSL scanner"
+HOMEPAGE="https://github.com/nabla-c0d3/sslyze"
+SRC_URI="https://github.com/nabla-c0d3/sslyze/archive/${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE=""
+
+DEPEND=""
+RDEPEND="=dev-python/nassl-1.1*[${PYTHON_USEDEP}]
+	=dev-python/cryptography-2.2.2[${PYTHON_USEDEP}]
+	>=dev-python/tls_parser-1.2.0[${PYTHON_USEDEP}]
+	virtual/python-enum34[${PYTHON_USEDEP}]
+	virtual/python-typing[${PYTHON_USEDEP}]"
+
+PATCHES=( "${FILESDIR}/sslyze-certinfo.patch" )