File: 01_badssl.com.t

testssl.sh 2.8~rc3%2Bdfsg1-1
#!/usr/bin/env perl

use strict;
use Test::More;
use Data::Dumper;
use JSON;

# Running tally of assertions; handed to done_testing() at the end of the script.
my $tests = 0;

# Scratch variables that every scenario below overwrites.
my ($out, $json, $found);

# Baseline: scan badssl.com once and keep both the terminal output and the
# parsed JSON findings; the "chain of trust should be ok" checks further down
# are made against this pair.
# NOTE(review): the exit status ($?) of the scan is not inspected here; a failed
# run is only noticed through the assertions that follow.
pass("Running testssl.sh against badssl.com to create a baseline (may take 2~3 minutes)");
$tests++;
my $okout  = qx{./testssl.sh -S -e -U --jsonfile tmp.json --color 0 badssl.com};
my $okjson = json('tmp.json');
cmp_ok(scalar(@$okjson), '>', 10, "We have more then 10 findings");
$tests++;

# Expired certificate: the scanner has to report the expiry on the terminal and
# as a "NOT ok" finding in the JSON report.
pass("Running testssl against expired.badssl.com");
$tests++;
$out = qx{./testssl.sh -S --jsonfile tmp.json --color 0 expired.badssl.com};
like($out, qr/Certificate Expiration\s+expired\!/, "The certificate should be expired");
$tests++;
$json  = json('tmp.json');
$found = 0;
for my $entry (@$json) {
	# Only the first finding whose id is "expiration" is inspected.
	next unless $entry->{id} eq "expiration";
	$found = 1;
	like($entry->{finding}, qr/^Certificate Expiration.*expired\!/, "Finding reads expired.");
	$tests++;
	is($entry->{severity}, "NOT ok", "Severity should be NOT ok");
	$tests++;
	last;
}
# Fails the run when the JSON report carried no expiration finding at all.
is($found, 1, "We had a finding for this in the JSON output");
$tests++;

# Self-signed but still valid certificate: the expiration check must come back
# clean (a day count on the terminal, severity "OK" in the JSON), so that an
# untrusted issuer is not mistaken for an expired certificate.
pass("Running testssl against self-signed.badssl.com");
$tests++;
$out = qx{./testssl.sh -S --jsonfile tmp.json --color 0 self-signed.badssl.com};
like($out, qr/Certificate Expiration\s+\d+/, "The certificate should not be expired");
$tests++;
$json  = json('tmp.json');
$found = 0;
for my $entry (@$json) {
	# Only the first finding whose id is "expiration" is inspected.
	next unless $entry->{id} eq "expiration";
	$found = 1;
	like($entry->{finding}, qr/^Certificate Expiration \: \d+/, "Finding doesn't read expired.");
	$tests++;
	is($entry->{severity}, "OK", "Severity should be ok");
	$tests++;
	last;
}
# Fails the run when the JSON report carried no expiration finding at all.
is($found, 1, "We had a finding for this in the JSON output");
$tests++;

# Still working on $out / $json from the self-signed.badssl.com scan: the chain
# of trust has to be rejected, with "self signed" named as the reason on the
# terminal and a "NOT ok" severity in the JSON report.
like($out, qr/Chain of trust.*?NOT ok.*\(self signed\)/, "Chain of trust should fail because of self signed");
$tests++;
$found = 0;
for my $entry (@$json) {
	# Only the first finding whose id is "chain_of_trust" is inspected.
	next unless $entry->{id} eq "chain_of_trust";
	$found = 1;
	like($entry->{finding}, qr/^All certificate trust checks failed/, "Finding says certificate cannot be trusted.");
	$tests++;
	is($entry->{severity}, "NOT ok", "Severity should be NOT ok");
	$tests++;
	last;
}
# Fails the run when the JSON report carried no chain_of_trust finding at all.
is($found, 1, "We had a finding for this in the JSON output");
$tests++;

# Control case, evaluated against the baseline badssl.com scan ($okout /
# $okjson): here the chain of trust must be accepted. Together with the failing
# cases this shows the trust check can tell a trusted chain from an untrusted one.
like($okout, qr/Chain of trust[^\n]*?Ok/, "Chain of trust should be ok");
$tests++;
$found = 0;
for my $entry (@$okjson) {
	# Only the first finding whose id is "chain_of_trust" is inspected.
	next unless $entry->{id} eq "chain_of_trust";
	$found = 1;
	is($entry->{finding}, "All certificate trust checks passed.", "Finding says certificate can be trusted.");
	$tests++;
	is($entry->{severity}, "OK", "Severity should be OK");
	$tests++;
	last;
}
# Fails the run when the baseline report carried no chain_of_trust finding at all.
is($found, 1, "We had a finding for this in the JSON output");
$tests++;

# Wrong host
#pass("Running testssl against wrong.host.badssl.com"); $tests++;
#$out = `./testssl.sh -S --jsonfile tmp.json --color 0 wrong.host.badssl.com`;
#unlike($out, qr/Certificate Expiration\s+expired\!/,"The certificate should not be expired"); $tests++;
#$json = json('tmp.json');
#$found = 0;
#foreach my $f ( @$json ) {
#	if ( $f->{id} eq "expiration" ) {
#		$found = 1;
#		unlike($f->{finding},qr/^Certificate Expiration.*expired\!/,"Finding should not read expired."); $tests++;
#		is($f->{severity}, "ok", "Severity should be ok"); $tests++;
#		last;
#    }
#}
#is($found,1,"We had a finding for this in the JSON output"); $tests++;

# Incomplete chain: the chain of trust must be reported as failed, with
# "chain incomplete" given as the reason on the terminal and "incomplete"
# appearing in the JSON finding.
pass("Running testssl against incomplete-chain.badssl.com");
$tests++;
$out = qx{./testssl.sh -S --jsonfile tmp.json --color 0 incomplete-chain.badssl.com};
like($out, qr/Chain of trust.*?NOT ok\s+\(chain incomplete\)/, "Chain of trust should fail because of incomplete");
$tests++;
$json  = json('tmp.json');
$found = 0;
for my $entry (@$json) {
	# Only the first finding whose id is "chain_of_trust" is inspected.
	next unless $entry->{id} eq "chain_of_trust";
	$found = 1;
	like($entry->{finding}, qr/^All certificate trust checks failed.*incomplete/, "Finding says certificate cannot be trusted.");
	$tests++;
	is($entry->{severity}, "NOT ok", "Severity should be NOT ok");
	$tests++;
	last;
}
# Fails the run when the JSON report carried no chain_of_trust finding at all.
is($found, 1, "We had a finding for this in the JSON output");
$tests++;

# TODO: RSA 8192

# TODO: CBC
#pass("Running testssl against cbc.badssl.com"); $tests++;
#$out = `./testssl.sh -e -U --jsonfile tmp.json --color 0 cbc.badssl.com`;
#like($out, qr/Chain of trust.*?NOT ok\s+\(chain incomplete\)/,"Chain of trust should fail because of incomplete"); $tests++;
#$json = json('tmp.json');
#$found = 0;
#foreach my $f ( @$json ) {
#	if ( $f->{id} eq "chain_of_trust" ) {
#		$found = 1;
#		like($f->{finding},qr/^All certificate trust checks failed.*incomplete/,"Finding says certificate cannot be trusted."); $tests++;
#		is($f->{severity}, "NOT ok", "Severity should be NOT ok"); $tests++;
#		last;
#    }
#}
#is($found,1,"We had a finding for this in the JSON output"); $tests++;


# $tests is bumped right next to every assertion, so this plan always equals the
# number of assertions that actually ran; a skipped in-loop check is caught by
# the is($found, 1, ...) assertions above, not by this count.
done_testing($tests);

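# Read the JSON report written by testssl.sh, delete the report file, and
# return the decoded findings (callers dereference the result as an array).
#
# The file is removed by *path*. The previous code overwrote $file with the
# file's contents and then passed those contents to unlink, so tmp.json was
# never deleted and a report left over from an earlier scan could still be on
# disk when the next scan ran. Assertions about a bad certificate must only
# ever see the report of the scan that was just executed.
#
# Dies if the report cannot be opened or does not decode as JSON.
sub json($) {
	my $path = shift;

	# Read in-process rather than interpolating the name into a `cat` shell command.
	open(my $fh, '<', $path) or die "Cannot open $path: $!";
	my $content = do { local $/; <$fh> };
	close($fh);

	# Best-effort cleanup, done before decoding so a malformed report is removed too.
	unlink $path;

	return from_json($content);
}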