testssl.sh/t/51_badssl.com.t

#!/usr/bin/env perl

use strict;
use Test::More;
use Data::Dumper;
use JSON;

my $tests = 0;

my (
	$out,
	$json,
	$found,
);
# OK
pass("Running testssl.sh against badssl.com to create a baseline (may take 2~3 minutes)"); $tests++;
my $okout = `./testssl.sh -S -e --freak --logjam --drown --rc4 --sweet32 --breach --winshock --crime --jsonfile tmp.json --color 0 badssl.com`;
my $okjson = json('tmp.json');
unlink 'tmp.json';
cmp_ok(@$okjson,'>',10,"We have more then 10 findings"); $tests++;

# Expiration
pass("Running testssl against expired.badssl.com"); $tests++;
$out = `./testssl.sh -S --jsonfile tmp.json --color 0 expired.badssl.com`;
like($out, qr/Chain of trust\s+NOT ok \(expired\)/,"The chain of trust should be expired"); $tests++;
like($out, qr/Certificate Validity \(UTC\)\s+expired/,"The certificate should be expired"); $tests++;
$json = json('tmp.json');
unlink 'tmp.json';
$found = 0;
foreach my $f ( @$json ) {
	if ( $f->{id} eq "cert_expirationStatus" ) {
		$found = 1;
		like($f->{finding},qr/^expired/,"Finding reads expired."); $tests++;
		is($f->{severity}, "CRITICAL", "Severity should be CRITICAL"); $tests++;
		last;
    }
}
is($found,1,"We had a finding for this in the JSON output"); $tests++;

# Self signed and not-expired
pass("Running testssl against self-signed.badssl.com"); $tests++;
$out = `./testssl.sh -S --jsonfile tmp.json --color 0 self-signed.badssl.com`;
unlike($out, qr/Certificate Validity \(UTC\)s+expired/,"The certificate should not be expired"); $tests++;
$json = json('tmp.json');
unlink 'tmp.json';
$found = 0;
foreach my $f ( @$json ) {
	if ( $f->{id} eq "cert_expirationStatus" ) {
		$found = 1;
		like($f->{finding},qr/days/,"Finding doesn't read expired."); $tests++;
		isnt($f->{severity}, "CRITICAL", "Severity should be OK, MEDIUM or HIGH"); $tests++;
		last;
    }
}
is($found,1,"We had a finding for this in the JSON output"); $tests++;

like($out, qr/Chain of trust.*?NOT ok.*\(self signed\)/,"Chain of trust should fail because of self signed"); $tests++;
$found = 0;
foreach my $f ( @$json ) {
	if ( $f->{id} eq "cert_chain_of_trust" ) {
	$found = 1;
		like($f->{finding},qr/^.*self signed/,"Finding says certificate cannot be trusted."); $tests++;
		is($f->{severity}, "CRITICAL", "Severity should be CRITICAL"); $tests++;
		last;
    }
}
is($found,1,"We had a finding for this in the JSON output"); $tests++;

like($okout, qr/Chain of trust[^\n]*?Ok/,"Chain of trust should be ok"); $tests++;
$found = 0;
foreach my $f ( @$okjson ) {
	if ( $f->{id} eq "cert_chain_of_trust" ) {
		$found = 1;
		like($f->{finding},qr/passed/,"Finding says certificate can be trusted."); $tests++;
		# is($f->{finding},"^.*passed.*","Finding says certificate can be trusted."); $tests++;
		is($f->{severity}, "OK", "Severity should be OK"); $tests++;
		last;
    }
}
is($found,1,"We had a finding for this in the JSON output"); $tests++;

# Wrong host
#pass("Running testssl against wrong.host.badssl.com"); $tests++;
#$out = `./testssl.sh -S --jsonfile tmp.json --color 0 wrong.host.badssl.com`;
#unlike($out, qr/Certificate Expiration\s+expired\!/,"The certificate should not be expired"); $tests++;
#$json = json('tmp.json');
#unlink 'tmp.json';
#$found = 0;
#foreach my $f ( @$json ) {
#	if ( $f->{id} eq "expiration" ) {
#		$found = 1;
#		unlike($f->{finding},qr/^Certificate Expiration.*expired\!/,"Finding should not read expired."); $tests++;
#		is($f->{severity}, "ok", "Severity should be ok"); $tests++;
#		last;
#    }
#}
#is($found,1,"We had a finding for this in the JSON output"); $tests++;

# Incomplete chain
pass("Running testssl against incomplete-chain.badssl.com"); $tests++;
$out = `./testssl.sh -S --jsonfile tmp.json --color 0 incomplete-chain.badssl.com`;
like($out, qr/Chain of trust.*?NOT ok\s+\(chain incomplete\)/,"Chain of trust should fail because of incomplete"); $tests++;
$json = json('tmp.json');
unlink 'tmp.json';
$found = 0;
foreach my $f ( @$json ) {
	if ( $f->{id} eq "cert_chain_of_trust" ) {
		$found = 1;
		like($f->{finding},qr/^.*chain incomplete/,"Finding says certificate cannot be trusted."); $tests++;
		is($f->{severity}, "CRITICAL", "Severity should be CRITICAL"); $tests++;
		last;
    }
}
is($found,1,"We had a finding for this in the JSON output"); $tests++;

# TODO: RSA 8192

# TODO: CBC
#pass("Running testssl against cbc.badssl.com"); $tests++;
#$out = `./testssl.sh -e -U --jsonfile tmp.json --color 0 cbc.badssl.com`;
#like($out, qr/Chain of trust.*?NOT ok\s+\(chain incomplete\)/,"Chain of trust should fail because of incomplete"); $tests++;
#$json = json('tmp.json');
#unlink 'tmp.json';
#$found = 0;
#foreach my $f ( @$json ) {
#	if ( $f->{id} eq "cert_chain_of_trust" ) {
#		$found = 1;
#		like($f->{finding},qr/^All certificate trust checks failed.*incomplete/,"Finding says certificate cannot be trusted."); $tests++;
#		is($f->{severity}, "CRITICAL", "Severity should be CRITICAL"); $tests++;
#		last;
#    }
#}
#is($found,1,"We had a finding for this in the JSON output"); $tests++;


done_testing($tests);

sub json($) {
	my $file = shift;
	$file = `cat $file`;
	unlink $file;
	return from_json($file);
}


#  vim:ts=5:sw=5:expandtab
Lets add some unit tests to testssl.sh - Using abdsll.com work 2016-06-27 16:49:54 +02:00			`#!/usr/bin/env perl`

			`use strict;`
			`use Test::More;`
			`use Data::Dumper;`
			`use JSON;`

Additional tests 2016-06-28 23:59:36 +02:00			`my $tests = 0;`
Lets add some unit tests to testssl.sh - Using abdsll.com work 2016-06-27 16:49:54 +02:00
			`my (`
			`$out,`
			`$json,`
			`$found,`
			`);`
			`# OK`
FIX #431 2016-08-09 10:35:58 +02:00			`pass("Running testssl.sh against badssl.com to create a baseline (may take 2~3 minutes)"); $tests++;`
Trying to reduced the runtime of travis Often in the past travis was hitting a limit (50min?). This is a try to make reasonable cuts to the unit tests: - For STARTTLS some checks with OPenSSL are skipped - For JSON and HTML outputs --ids-friendly was added assumming we don't change the output of ticketbleed, CCSI, HeartBleed and ROBOT any more. - There's also not point to run those checks against badssl - for the diff check we switch to 'or diag' to display a dfifference 2020-11-27 13:19:52 +01:00			my $okout = `./testssl.sh -S -e --freak --logjam --drown --rc4 --sweet32 --breach --winshock --crime --jsonfile tmp.json --color 0 badssl.com`;
Lets add some unit tests to testssl.sh - Using abdsll.com work 2016-06-27 16:49:54 +02:00			`my $okjson = json('tmp.json');`
Remove tmp.json files after use Remove tmp.json files are use so that testssl.sh doesn't complain that they already exist. 2017-03-29 17:41:23 +02:00			`unlink 'tmp.json';`
Serach and replace failure, fixed now 2016-06-29 00:38:51 +02:00			`cmp_ok(@$okjson,'>',10,"We have more then 10 findings"); $tests++;`
Lets add some unit tests to testssl.sh - Using abdsll.com work 2016-06-27 16:49:54 +02:00
			`# Expiration`
Making tests work correctly 2016-06-29 00:35:52 +02:00			`pass("Running testssl against expired.badssl.com"); $tests++;`
Lets add some unit tests to testssl.sh - Using abdsll.com work 2016-06-27 16:49:54 +02:00			$out = `./testssl.sh -S --jsonfile tmp.json --color 0 expired.badssl.com`;
Add a test to verify that expired.badssl.com's chain of trust is expired. 2021-10-05 19:53:58 +02:00			`like($out, qr/Chain of trust\s+NOT ok \(expired\)/,"The chain of trust should be expired"); $tests++;`
fix Travis CI 2018-01-31 21:44:33 +01:00			`like($out, qr/Certificate Validity \(UTC\)\s+expired/,"The certificate should be expired"); $tests++;`
Lets add some unit tests to testssl.sh - Using abdsll.com work 2016-06-27 16:49:54 +02:00			`$json = json('tmp.json');`
Remove tmp.json files after use Remove tmp.json files are use so that testssl.sh doesn't complain that they already exist. 2017-03-29 17:41:23 +02:00			`unlink 'tmp.json';`
Lets add some unit tests to testssl.sh - Using abdsll.com work 2016-06-27 16:49:54 +02:00			`$found = 0;`
			`foreach my $f ( @$json ) {`
Fix travis .. see previous commit 2019-04-09 12:47:12 +02:00			`if ( $f->{id} eq "cert_expirationStatus" ) {`
Lets add some unit tests to testssl.sh - Using abdsll.com work 2016-06-27 16:49:54 +02:00			`$found = 1;`
simplify few cert checks messages + hopefullt make Travis work again 2018-01-23 11:46:24 +01:00			`like($f->{finding},qr/^expired/,"Finding reads expired."); $tests++;`
pretty json format + severity levels filter 2016-10-28 15:30:07 +02:00			`is($f->{severity}, "CRITICAL", "Severity should be CRITICAL"); $tests++;`
Lets add some unit tests to testssl.sh - Using abdsll.com work 2016-06-27 16:49:54 +02:00			`last;`
			`}`
			`}`
Making tests work correctly 2016-06-29 00:35:52 +02:00			`is($found,1,"We had a finding for this in the JSON output"); $tests++;`
Lets add some unit tests to testssl.sh - Using abdsll.com work 2016-06-27 16:49:54 +02:00
			`# Self signed and not-expired`
Making tests work correctly 2016-06-29 00:35:52 +02:00			`pass("Running testssl against self-signed.badssl.com"); $tests++;`
Lets add some unit tests to testssl.sh - Using abdsll.com work 2016-06-27 16:49:54 +02:00			$out = `./testssl.sh -S --jsonfile tmp.json --color 0 self-signed.badssl.com`;
Fix to-be-expired-soon certificate The certificate from self-signed.badssl.com was about to expire which raises a MEDIUM type issue in testssl. This commit does a workaround for this, so that those certificates will be ok in Travis CI. (Same problem exists in 2.9.5) 2018-06-13 14:30:35 +02:00			`unlike($out, qr/Certificate Validity \(UTC\)s+expired/,"The certificate should not be expired"); $tests++;`
Lets add some unit tests to testssl.sh - Using abdsll.com work 2016-06-27 16:49:54 +02:00			`$json = json('tmp.json');`
Remove tmp.json files after use Remove tmp.json files are use so that testssl.sh doesn't complain that they already exist. 2017-03-29 17:41:23 +02:00			`unlink 'tmp.json';`
Lets add some unit tests to testssl.sh - Using abdsll.com work 2016-06-27 16:49:54 +02:00			`$found = 0;`
			`foreach my $f ( @$json ) {`
Fix travis .. see previous commit 2019-04-09 12:47:12 +02:00			`if ( $f->{id} eq "cert_expirationStatus" ) {`
Lets add some unit tests to testssl.sh - Using abdsll.com work 2016-06-27 16:49:54 +02:00			`$found = 1;`
simplify few cert checks messages + hopefullt make Travis work again 2018-01-23 11:46:24 +01:00			`like($f->{finding},qr/days/,"Finding doesn't read expired."); $tests++;`
Make Travis CI shut up. A soon-to-be-expired cert can be also HIGH, thus a test for critical is appropriate. 2018-07-11 17:14:29 +02:00			`isnt($f->{severity}, "CRITICAL", "Severity should be OK, MEDIUM or HIGH"); $tests++;`
Lets add some unit tests to testssl.sh - Using abdsll.com work 2016-06-27 16:49:54 +02:00			`last;`
			`}`
			`}`
Making tests work correctly 2016-06-29 00:35:52 +02:00			`is($found,1,"We had a finding for this in the JSON output"); $tests++;`
Lets add some unit tests to testssl.sh - Using abdsll.com work 2016-06-27 16:49:54 +02:00
FIX #431 2016-08-09 10:35:58 +02:00			`like($out, qr/Chain of trust.?NOT ok.\(self signed\)/,"Chain of trust should fail because of self signed"); $tests++;`
			`$found = 0;`
			`foreach my $f ( @$json ) {`
simplify few cert checks messages + hopefullt make Travis work again 2018-01-23 11:46:24 +01:00			`if ( $f->{id} eq "cert_chain_of_trust" ) {`
FIX #431 2016-08-09 10:35:58 +02:00			`$found = 1;`
simplify few cert checks messages + hopefullt make Travis work again 2018-01-23 11:46:24 +01:00			`like($f->{finding},qr/^.*self signed/,"Finding says certificate cannot be trusted."); $tests++;`
pretty json format + severity levels filter 2016-10-28 15:30:07 +02:00			`is($f->{severity}, "CRITICAL", "Severity should be CRITICAL"); $tests++;`
FIX #431 2016-08-09 10:35:58 +02:00			`last;`
			`}`
			`}`
Making tests work correctly 2016-06-29 00:35:52 +02:00			`is($found,1,"We had a finding for this in the JSON output"); $tests++;`
Lets add some unit tests to testssl.sh - Using abdsll.com work 2016-06-27 16:49:54 +02:00
Making tests work correctly 2016-06-29 00:35:52 +02:00			`like($okout, qr/Chain of trust[^\n]*?Ok/,"Chain of trust should be ok"); $tests++;`
Lets add some unit tests to testssl.sh - Using abdsll.com work 2016-06-27 16:49:54 +02:00			`$found = 0;`
			`foreach my $f ( @$okjson ) {`
simplify few cert checks messages + hopefullt make Travis work again 2018-01-23 11:46:24 +01:00			`if ( $f->{id} eq "cert_chain_of_trust" ) {`
Lets add some unit tests to testssl.sh - Using abdsll.com work 2016-06-27 16:49:54 +02:00			`$found = 1;`
simplify few cert checks messages + hopefullt make Travis work again 2018-01-23 11:46:24 +01:00			`like($f->{finding},qr/passed/,"Finding says certificate can be trusted."); $tests++;`
			`# is($f->{finding},"^.passed.","Finding says certificate can be trusted."); $tests++;`
Making tests work correctly 2016-06-29 00:35:52 +02:00			`is($f->{severity}, "OK", "Severity should be OK"); $tests++;`
Lets add some unit tests to testssl.sh - Using abdsll.com work 2016-06-27 16:49:54 +02:00			`last;`
			`}`
			`}`
Making tests work correctly 2016-06-29 00:35:52 +02:00			`is($found,1,"We had a finding for this in the JSON output"); $tests++;`
Lets add some unit tests to testssl.sh - Using abdsll.com work 2016-06-27 16:49:54 +02:00
			`# Wrong host`
Making tests work correctly 2016-06-29 00:35:52 +02:00			`#pass("Running testssl against wrong.host.badssl.com"); $tests++;`
Lets add some unit tests to testssl.sh - Using abdsll.com work 2016-06-27 16:49:54 +02:00			#$out = `./testssl.sh -S --jsonfile tmp.json --color 0 wrong.host.badssl.com`;
Making tests work correctly 2016-06-29 00:35:52 +02:00			`#unlike($out, qr/Certificate Expiration\s+expired\!/,"The certificate should not be expired"); $tests++;`
Lets add some unit tests to testssl.sh - Using abdsll.com work 2016-06-27 16:49:54 +02:00			`#$json = json('tmp.json');`
Remove tmp.json files after use Remove tmp.json files are use so that testssl.sh doesn't complain that they already exist. 2017-03-29 17:41:23 +02:00			`#unlink 'tmp.json';`
Lets add some unit tests to testssl.sh - Using abdsll.com work 2016-06-27 16:49:54 +02:00			`#$found = 0;`
			`#foreach my $f ( @$json ) {`
			`# if ( $f->{id} eq "expiration" ) {`
			`# $found = 1;`
Making tests work correctly 2016-06-29 00:35:52 +02:00			`# unlike($f->{finding},qr/^Certificate Expiration.*expired\!/,"Finding should not read expired."); $tests++;`
			`# is($f->{severity}, "ok", "Severity should be ok"); $tests++;`
Lets add some unit tests to testssl.sh - Using abdsll.com work 2016-06-27 16:49:54 +02:00			`# last;`
			`# }`
			`#}`
Making tests work correctly 2016-06-29 00:35:52 +02:00			`#is($found,1,"We had a finding for this in the JSON output"); $tests++;`
Lets add some unit tests to testssl.sh - Using abdsll.com work 2016-06-27 16:49:54 +02:00
			`# Incomplete chain`
Making tests work correctly 2016-06-29 00:35:52 +02:00			`pass("Running testssl against incomplete-chain.badssl.com"); $tests++;`
Lets add some unit tests to testssl.sh - Using abdsll.com work 2016-06-27 16:49:54 +02:00			$out = `./testssl.sh -S --jsonfile tmp.json --color 0 incomplete-chain.badssl.com`;
Making tests work correctly 2016-06-29 00:35:52 +02:00			`like($out, qr/Chain of trust.*?NOT ok\s+\(chain incomplete\)/,"Chain of trust should fail because of incomplete"); $tests++;`
Lets add some unit tests to testssl.sh - Using abdsll.com work 2016-06-27 16:49:54 +02:00			`$json = json('tmp.json');`
Remove tmp.json files after use Remove tmp.json files are use so that testssl.sh doesn't complain that they already exist. 2017-03-29 17:41:23 +02:00			`unlink 'tmp.json';`
Lets add some unit tests to testssl.sh - Using abdsll.com work 2016-06-27 16:49:54 +02:00			`$found = 0;`
			`foreach my $f ( @$json ) {`
simplify few cert checks messages + hopefullt make Travis work again 2018-01-23 11:46:24 +01:00			`if ( $f->{id} eq "cert_chain_of_trust" ) {`
Lets add some unit tests to testssl.sh - Using abdsll.com work 2016-06-27 16:49:54 +02:00			`$found = 1;`
simplify few cert checks messages + hopefullt make Travis work again 2018-01-23 11:46:24 +01:00			`like($f->{finding},qr/^.*chain incomplete/,"Finding says certificate cannot be trusted."); $tests++;`
pretty json format + severity levels filter 2016-10-28 15:30:07 +02:00			`is($f->{severity}, "CRITICAL", "Severity should be CRITICAL"); $tests++;`
Lets add some unit tests to testssl.sh - Using abdsll.com work 2016-06-27 16:49:54 +02:00			`last;`
			`}`
			`}`
Making tests work correctly 2016-06-29 00:35:52 +02:00			`is($found,1,"We had a finding for this in the JSON output"); $tests++;`
Lets add some unit tests to testssl.sh - Using abdsll.com work 2016-06-27 16:49:54 +02:00
			`# TODO: RSA 8192`

CBC isn't done yet. Unit tests count themselves now 2016-06-29 00:24:57 +02:00			`# TODO: CBC`
Making tests work correctly 2016-06-29 00:35:52 +02:00			`#pass("Running testssl against cbc.badssl.com"); $tests++;`
CBC isn't done yet. Unit tests count themselves now 2016-06-29 00:24:57 +02:00			#$out = `./testssl.sh -e -U --jsonfile tmp.json --color 0 cbc.badssl.com`;
Making tests work correctly 2016-06-29 00:35:52 +02:00			`#like($out, qr/Chain of trust.*?NOT ok\s+\(chain incomplete\)/,"Chain of trust should fail because of incomplete"); $tests++;`
CBC isn't done yet. Unit tests count themselves now 2016-06-29 00:24:57 +02:00			`#$json = json('tmp.json');`
Remove tmp.json files after use Remove tmp.json files are use so that testssl.sh doesn't complain that they already exist. 2017-03-29 17:41:23 +02:00			`#unlink 'tmp.json';`
CBC isn't done yet. Unit tests count themselves now 2016-06-29 00:24:57 +02:00			`#$found = 0;`
			`#foreach my $f ( @$json ) {`
simplify few cert checks messages + hopefullt make Travis work again 2018-01-23 11:46:24 +01:00			`# if ( $f->{id} eq "cert_chain_of_trust" ) {`
CBC isn't done yet. Unit tests count themselves now 2016-06-29 00:24:57 +02:00			`# $found = 1;`
Making tests work correctly 2016-06-29 00:35:52 +02:00			`# like($f->{finding},qr/^All certificate trust checks failed.*incomplete/,"Finding says certificate cannot be trusted."); $tests++;`
pretty json format + severity levels filter 2016-10-28 15:30:07 +02:00			`# is($f->{severity}, "CRITICAL", "Severity should be CRITICAL"); $tests++;`
CBC isn't done yet. Unit tests count themselves now 2016-06-29 00:24:57 +02:00			`# last;`
			`# }`
			`#}`
Making tests work correctly 2016-06-29 00:35:52 +02:00			`#is($found,1,"We had a finding for this in the JSON output"); $tests++;`
Lets add some unit tests to testssl.sh - Using abdsll.com work 2016-06-27 16:49:54 +02:00

			`done_testing($tests);`

			`sub json($) {`
			`my $file = shift;`
			$file = `cat $file`;
			`unlink $file;`
			`return from_json($file);`
Remove tmp.json files after use Remove tmp.json files are use so that testssl.sh doesn't complain that they already exist. 2017-03-29 17:41:23 +02:00			`}`
Add missing vim modeline config in sh & perl files, cc #1901 2021-05-31 22:39:22 +02:00

			`# vim:ts=5:sw=5:expandtab`