Working unit tests again
This commit is contained in:
parent
5d7367a68d
commit
9133eddb9a
|
@ -18,45 +18,45 @@ $out = `./testssl.sh -H --jsonfile tmp.json --color 0 ssl.sectionzero.org`;
|
||||||
$json = json('tmp.json');
|
$json = json('tmp.json');
|
||||||
|
|
||||||
# It is better to have findings in a hash
|
# It is better to have findings in a hash
|
||||||
# Look for a leaf cert match in the process.
|
# Look for a host cert match in the process.
|
||||||
my $found = 0;
|
my $found = 0;
|
||||||
my %findings;
|
my %findings;
|
||||||
foreach my $f ( @$json ) {
|
foreach my $f ( @$json ) {
|
||||||
$findings{$f->{id}} = $f;
|
$findings{$f->{id}} = $f;
|
||||||
if ( $f->{finding} =~ /matches the leaf certificate/ ) {
|
if ( $f->{finding} =~ /matches the host certificate/ ) {
|
||||||
$found++;
|
$found++;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
is($found,1,"We found 1 'matches the leaf certificate' finding"); $tests++;
|
is($found,1,"We found 1 'matches the host certificate' finding"); $tests++;
|
||||||
like($out,'/Leaf cert match/',"There is a 'Leaf cert match' in the text output"); $tests++;
|
like($out,'/Host cert match/',"There is a 'Leaf cert match' in the text output"); $tests++;
|
||||||
|
|
||||||
# Sub CA match
|
# Sub CA match
|
||||||
ok( exists $findings{"hpkp_YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"},"We have a finding for key YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"); $tests++;
|
ok( exists $findings{"hpkp_YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"},"We have a finding for key YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"); $tests++;
|
||||||
like($findings{"hpkp_YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"}->{finding},'/Intermediate CA key matches a key pinned in the HPKP header/',"We have our Sub CA finding"); $tests++;
|
like($findings{"hpkp_YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"}->{finding},'/Intermediate CA key matches a key pinned in the HPKP header/',"We have our Sub CA finding"); $tests++;
|
||||||
is($findings{"hpkp_YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"}->{severity}, "OK", "The finding is ok"); $tests++;
|
is($findings{"hpkp_YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"}->{severity}, "OK", "The finding is ok"); $tests++;
|
||||||
like($out,'/Sub CA match \: YLh1dUR9y6Kja30RrAn7JKnbQG\/uEtLMkBgFF2Fuihg/',"There is a 'Sub CA match' in the text output"); $tests++;
|
like($out,'/Sub CA match\: YLh1dUR9y6Kja30RrAn7JKnbQG\/uEtLMkBgFF2Fuihg/',"There is a 'Sub CA match' in the text output"); $tests++;
|
||||||
|
|
||||||
# Root CA match Lets encrypt
|
# Root CA match Lets encrypt
|
||||||
ok( exists $findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"},"We have a finding for key Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"); $tests++;
|
ok( exists $findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"},"We have a finding for key Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"); $tests++;
|
||||||
like($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{finding},'/Root CA key matches a key pinned in the HPKP header/',"This is a Root CA finding"); $tests++;
|
like($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{finding},'/Root CA key matches a key pinned in the HPKP header/',"This is a Root CA finding"); $tests++;
|
||||||
like($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{finding},'/DST Root CA X3/',"Correct Root CA"); $tests++;
|
like($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{finding},'/DST Root CA X3/',"Correct Root CA"); $tests++;
|
||||||
like($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{finding},'/The CA is part of the chain/',"CA is indeed part of chain"); $tests++;
|
like($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{finding},'/The CA is part of the chain/',"CA is indeed part of chain"); $tests++;
|
||||||
is($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{severity}, "OK", "The finding is ok"); $tests++;
|
is($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{severity}, "INFO", "The finding is informational"); $tests++;
|
||||||
like($out,'/Root CA match \: Vjs8r4z\+80wjNcr1YKepWQboSIRi63WsWXhIMN\+eWys/',"There is a 'Root CA match' in the text output"); $tests++;
|
like($out,'/Root CA match\: Vjs8r4z\+80wjNcr1YKepWQboSIRi63WsWXhIMN\+eWys/',"There is a 'Root CA match' in the text output"); $tests++;
|
||||||
|
|
||||||
# Root CA StartCom
|
# Root CA StartCom
|
||||||
ok( exists $findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"},"We have a finding for key 5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"); $tests++;
|
ok( exists $findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"},"We have a finding for key 5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"); $tests++;
|
||||||
like($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{finding},'/Root CA key matches a key pinned in the HPKP header/',"This is a Root CA finding"); $tests++;
|
like($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{finding},'/Root CA key matches a key pinned in the HPKP header/',"This is a Root CA finding"); $tests++;
|
||||||
like($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{finding},'/StartCom Certification Authority/',"Correct Root CA"); $tests++;
|
like($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{finding},'/StartCom Certification Authority/',"Correct Root CA"); $tests++;
|
||||||
like($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{finding},'/The CA is not part of the chain/',"CA is indeed NOT part of chain"); $tests++;
|
like($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{finding},'/The CA is not part of the chain/',"CA is indeed NOT part of chain"); $tests++;
|
||||||
is($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{severity}, "OK", "The finding is ok"); $tests++;
|
is($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{severity}, "INFO", "The finding is informational"); $tests++;
|
||||||
like($out,'/Root CA match \: 5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU/',"There is a 'Root CA match' in the text output"); $tests++;
|
like($out,'/Root CA match\: 5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU/',"There is a 'Root CA match' in the text output"); $tests++;
|
||||||
|
|
||||||
# Bad PIN
|
# Bad PIN
|
||||||
ok( exists $findings{"hpkp_123bad123bad123bad123bad123bad123bd123bad12"},"We have a finding for key 123bad123bad123bad123bad123bad123bd123bad12"); $tests++;
|
ok( exists $findings{"hpkp_123bad123bad123bad123bad123bad123bd123bad12"},"We have a finding for key 123bad123bad123bad123bad123bad123bd123bad12"); $tests++;
|
||||||
like($findings{"hpkp_123bad123bad123bad123bad123bad123bd123bad12"}->{finding},'/doesn\'t match anything/',"It doesn't match indeed"); $tests++;
|
like($findings{"hpkp_123bad123bad123bad123bad123bad123bd123bad12"}->{finding},'/doesn\'t match anything/',"It doesn't match indeed"); $tests++;
|
||||||
is($findings{"hpkp_123bad123bad123bad123bad123bad123bd123bad12"}->{severity}, "WARN", "The finding is ok"); $tests++;
|
is($findings{"hpkp_123bad123bad123bad123bad123bad123bd123bad12"}->{severity}, "INFO", "The finding is informational"); $tests++;
|
||||||
like($out,'/Unmatched key : 123bad123bad123bad123bad123bad123bd123bad12/',"There is an 'unmatched key' in the text output"); $tests++;
|
like($out,'/Unmatched key\: 123bad123bad123bad123bad123bad123bd123bad12/',"There is an 'unmatched key' in the text output"); $tests++;
|
||||||
|
|
||||||
like($findings{hpkp_keys}->{finding},'/5 keys pinned/',"5 keys pinned in json"); $tests++;
|
like($findings{hpkp_keys}->{finding},'/5 keys pinned/',"5 keys pinned in json"); $tests++;
|
||||||
like($out,'/\# of keys: 5/',"5 keys pinned in text output"); $tests++;
|
like($out,'/\# of keys: 5/',"5 keys pinned in text output"); $tests++;
|
29
testssl.sh
29
testssl.sh
|
@ -1076,22 +1076,23 @@ run_hpkp() {
|
||||||
for hpkp_key in $(echo $pins); do
|
for hpkp_key in $(echo $pins); do
|
||||||
# exho needed here? ^^^^
|
# exho needed here? ^^^^
|
||||||
key_found=false
|
key_found=false
|
||||||
# compare pin against the leaf certificate
|
# compare pin against the host certificate
|
||||||
if [[ "$hpkp_key_hostcert" == "$hpkp_key" ]] || [[ "$hpkp_key_hostcert" == "$hpkp_key=" ]]; then
|
if [[ "$hpkp_key_hostcert" == "$hpkp_key" ]] || [[ "$hpkp_key_hostcert" == "$hpkp_key=" ]]; then
|
||||||
out "\n$spaces Host cert match: "
|
# We have a match
|
||||||
pr_done_good "$hpkp_key"
|
|
||||||
fileout "hpkp_$hpkp_key" "OK" "PIN $hpkp_key matches the leaf certificate"
|
|
||||||
key_found=true
|
key_found=true
|
||||||
pins_match=true
|
pins_match=true
|
||||||
|
out "\n$spaces Host cert match: "
|
||||||
|
pr_done_good "$hpkp_key"
|
||||||
|
fileout "hpkp_$hpkp_key" "OK" "PIN $hpkp_key matches the host certificate"
|
||||||
fi
|
fi
|
||||||
debugme out "\n $hpkp_key | $hpkp_key_hostcert"
|
debugme out "\n $hpkp_key | $hpkp_key_hostcert"
|
||||||
|
|
||||||
# Check for intermediate match
|
# Check for intermediate match
|
||||||
if ! "$key_found"; then
|
if ! $key_found; then
|
||||||
# doesn't work, "grep: /tmp/ssltester.Dp2ovS/intermediate.hashes: No such file or directory" if teested against testss.sh
|
# doesn't work, "grep: /tmp/ssltester.Dp2ovS/intermediate.hashes: No such file or directory" if teested against testss.sh
|
||||||
hpkp_matches=$(grep "$hpkp_key" $TEMPDIR/intermediate.hashes 2>/dev/null)
|
hpkp_matches=$(grep "$hpkp_key" $TEMPDIR/intermediate.hashes 2>/dev/null)
|
||||||
if [[ -n $hpkp_matches ]]; then
|
if [[ -n $hpkp_matches ]]; then
|
||||||
# We have a winner!
|
# We have a match
|
||||||
key_found=true
|
key_found=true
|
||||||
pins_match=true
|
pins_match=true
|
||||||
out "\n$spaces Sub CA match: "
|
out "\n$spaces Sub CA match: "
|
||||||
|
@ -1101,10 +1102,10 @@ run_hpkp() {
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if ! "$key_found"; then
|
if ! $key_found; then
|
||||||
hpkp_matches=$(grep -h "$hpkp_key" $ca_hashes | sort -u)
|
hpkp_matches=$(grep -h "$hpkp_key" $ca_hashes | sort -u)
|
||||||
if [[ -n $hpkp_matches ]]; then
|
if [[ -n $hpkp_matches ]]; then
|
||||||
# We have a winner!
|
# We have a match
|
||||||
key_found=true
|
key_found=true
|
||||||
pins_match=true
|
pins_match=true
|
||||||
if [[ $(count_lines "$hpkp_matches") -eq 1 ]]; then
|
if [[ $(count_lines "$hpkp_matches") -eq 1 ]]; then
|
||||||
|
@ -1128,19 +1129,19 @@ run_hpkp() {
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if ! "$key_found" && [[ $DEBUG -eq 1 ]]; then
|
if ! $key_found; then
|
||||||
# Houston we may have a problem
|
# Most likely a backup pin
|
||||||
out "\n\n$spaces Unmatched key: "
|
out "\n\n$spaces Unmatched key: "
|
||||||
out "$hpkp_key"
|
out "$hpkp_key"
|
||||||
out "\n$spaces (This is OK for a backup pin of a leaf cert)"
|
out "\n$spaces (This is OK for a backup pin of a host cert)"
|
||||||
fileout "hpkp_$hpkp_key" "INFO" "PIN $hpkp_key doesn't match anything. This could be ok if it is a backup pin for a leaf certificate"
|
fileout "hpkp_$hpkp_key" "INFO" "PIN $hpkp_key doesn't match anything. This could be ok if it is a backup pin for a host certificate"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
# If all else fails...
|
# If all else fails...
|
||||||
if ! "$pins_match"; then
|
if ! $pins_match; then
|
||||||
pr_svrty_high " No matching key for pins found "
|
pr_svrty_high " No matching key for pins found "
|
||||||
fileout "hpkp_keymatch" "NOT ok" "None of the HPKP PINS match your leaf certificate, intermediate CA or known root CAs. You may have bricked this site"
|
fileout "hpkp_keymatch" "NOT ok" "None of the HPKP PINS match your host certificate, intermediate CA or known root CAs. You may have bricked this site"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
out "--"
|
out "--"
|
||||||
|
|
Loading…
Reference in New Issue