testssl.sh/t/31_badssl.com.t

143 lines
4.9 KiB
Perl
Raw Normal View History

#!/usr/bin/env perl
use strict;
use Test::More;
use Data::Dumper;
use JSON;
2016-06-28 23:59:36 +02:00
my $tests = 0;
my (
$out,
$json,
$found,
);
# OK
2016-08-09 10:35:58 +02:00
pass("Running testssl.sh against badssl.com to create a baseline (may take 2~3 minutes)"); $tests++;
my $okout = `./testssl.sh -S -e --freak --logjam --drown --rc4 --sweet32 --breach --crime --jsonfile tmp.json --color 0 badssl.com`;
my $okjson = json('tmp.json');
unlink 'tmp.json';
2016-06-29 00:38:51 +02:00
cmp_ok(@$okjson,'>',10,"We have more then 10 findings"); $tests++;
# Expiration
2016-06-29 00:35:52 +02:00
pass("Running testssl against expired.badssl.com"); $tests++;
$out = `./testssl.sh -S --jsonfile tmp.json --color 0 expired.badssl.com`;
2018-01-31 21:44:33 +01:00
like($out, qr/Certificate Validity \(UTC\)\s+expired/,"The certificate should be expired"); $tests++;
$json = json('tmp.json');
unlink 'tmp.json';
$found = 0;
foreach my $f ( @$json ) {
2019-04-09 12:47:12 +02:00
if ( $f->{id} eq "cert_expirationStatus" ) {
$found = 1;
like($f->{finding},qr/^expired/,"Finding reads expired."); $tests++;
is($f->{severity}, "CRITICAL", "Severity should be CRITICAL"); $tests++;
last;
}
}
2016-06-29 00:35:52 +02:00
is($found,1,"We had a finding for this in the JSON output"); $tests++;
# Self signed and not-expired
2016-06-29 00:35:52 +02:00
pass("Running testssl against self-signed.badssl.com"); $tests++;
$out = `./testssl.sh -S --jsonfile tmp.json --color 0 self-signed.badssl.com`;
unlike($out, qr/Certificate Validity \(UTC\)s+expired/,"The certificate should not be expired"); $tests++;
$json = json('tmp.json');
unlink 'tmp.json';
$found = 0;
foreach my $f ( @$json ) {
2019-04-09 12:47:12 +02:00
if ( $f->{id} eq "cert_expirationStatus" ) {
$found = 1;
like($f->{finding},qr/days/,"Finding doesn't read expired."); $tests++;
isnt($f->{severity}, "CRITICAL", "Severity should be OK, MEDIUM or HIGH"); $tests++;
last;
}
}
2016-06-29 00:35:52 +02:00
is($found,1,"We had a finding for this in the JSON output"); $tests++;
2016-08-09 10:35:58 +02:00
like($out, qr/Chain of trust.*?NOT ok.*\(self signed\)/,"Chain of trust should fail because of self signed"); $tests++;
$found = 0;
foreach my $f ( @$json ) {
if ( $f->{id} eq "cert_chain_of_trust" ) {
2016-08-09 10:35:58 +02:00
$found = 1;
like($f->{finding},qr/^.*self signed/,"Finding says certificate cannot be trusted."); $tests++;
is($f->{severity}, "CRITICAL", "Severity should be CRITICAL"); $tests++;
2016-08-09 10:35:58 +02:00
last;
}
}
2016-06-29 00:35:52 +02:00
is($found,1,"We had a finding for this in the JSON output"); $tests++;
2016-06-29 00:35:52 +02:00
like($okout, qr/Chain of trust[^\n]*?Ok/,"Chain of trust should be ok"); $tests++;
$found = 0;
foreach my $f ( @$okjson ) {
if ( $f->{id} eq "cert_chain_of_trust" ) {
$found = 1;
like($f->{finding},qr/passed/,"Finding says certificate can be trusted."); $tests++;
# is($f->{finding},"^.*passed.*","Finding says certificate can be trusted."); $tests++;
2016-06-29 00:35:52 +02:00
is($f->{severity}, "OK", "Severity should be OK"); $tests++;
last;
}
}
2016-06-29 00:35:52 +02:00
is($found,1,"We had a finding for this in the JSON output"); $tests++;
# Wrong host
2016-06-29 00:35:52 +02:00
#pass("Running testssl against wrong.host.badssl.com"); $tests++;
#$out = `./testssl.sh -S --jsonfile tmp.json --color 0 wrong.host.badssl.com`;
2016-06-29 00:35:52 +02:00
#unlike($out, qr/Certificate Expiration\s+expired\!/,"The certificate should not be expired"); $tests++;
#$json = json('tmp.json');
#unlink 'tmp.json';
#$found = 0;
#foreach my $f ( @$json ) {
# if ( $f->{id} eq "expiration" ) {
# $found = 1;
2016-06-29 00:35:52 +02:00
# unlike($f->{finding},qr/^Certificate Expiration.*expired\!/,"Finding should not read expired."); $tests++;
# is($f->{severity}, "ok", "Severity should be ok"); $tests++;
# last;
# }
#}
2016-06-29 00:35:52 +02:00
#is($found,1,"We had a finding for this in the JSON output"); $tests++;
# Incomplete chain
2016-06-29 00:35:52 +02:00
pass("Running testssl against incomplete-chain.badssl.com"); $tests++;
$out = `./testssl.sh -S --jsonfile tmp.json --color 0 incomplete-chain.badssl.com`;
2016-06-29 00:35:52 +02:00
like($out, qr/Chain of trust.*?NOT ok\s+\(chain incomplete\)/,"Chain of trust should fail because of incomplete"); $tests++;
$json = json('tmp.json');
unlink 'tmp.json';
$found = 0;
foreach my $f ( @$json ) {
if ( $f->{id} eq "cert_chain_of_trust" ) {
$found = 1;
like($f->{finding},qr/^.*chain incomplete/,"Finding says certificate cannot be trusted."); $tests++;
is($f->{severity}, "CRITICAL", "Severity should be CRITICAL"); $tests++;
last;
}
}
2016-06-29 00:35:52 +02:00
is($found,1,"We had a finding for this in the JSON output"); $tests++;
# TODO: RSA 8192
# TODO: CBC
2016-06-29 00:35:52 +02:00
#pass("Running testssl against cbc.badssl.com"); $tests++;
#$out = `./testssl.sh -e -U --jsonfile tmp.json --color 0 cbc.badssl.com`;
2016-06-29 00:35:52 +02:00
#like($out, qr/Chain of trust.*?NOT ok\s+\(chain incomplete\)/,"Chain of trust should fail because of incomplete"); $tests++;
#$json = json('tmp.json');
#unlink 'tmp.json';
#$found = 0;
#foreach my $f ( @$json ) {
# if ( $f->{id} eq "cert_chain_of_trust" ) {
# $found = 1;
2016-06-29 00:35:52 +02:00
# like($f->{finding},qr/^All certificate trust checks failed.*incomplete/,"Finding says certificate cannot be trusted."); $tests++;
# is($f->{severity}, "CRITICAL", "Severity should be CRITICAL"); $tests++;
# last;
# }
#}
2016-06-29 00:35:52 +02:00
#is($found,1,"We had a finding for this in the JSON output"); $tests++;
done_testing($tests);
sub json($) {
my $file = shift;
$file = `cat $file`;
unlink $file;
return from_json($file);
}