#!/usr/bin/env perl
# Runs testssl.sh against the badssl.com test hosts and checks both the
# text output and the --jsonfile output for the certificate findings.
use strict;
use warnings;
use Test::More;
use Data::Dumper;
use JSON;

my $tests = 0;
my $prg   = "./testssl.sh";
my ( $out, $json, $found );

# Baseline: badssl.com itself has a valid, trusted certificate chain
pass("Running testssl.sh against badssl.com to create a baseline (may take 2~3 minutes)"); $tests++;
my $okout  = `$prg -S -e --freak --logjam --drown --rc4 --sweet32 --breach --winshock --crime --jsonfile tmp.json --color 0 badssl.com`;
my $okjson = json('tmp.json');
unlink 'tmp.json';
cmp_ok(@$okjson, '>', 10, "We should have more than 10 findings"); $tests++;

# Expiration
pass("Running testssl against expired.badssl.com"); $tests++;
$out = `$prg -S --jsonfile tmp.json --color 0 expired.badssl.com`;
like($out, qr/Chain of trust\s+NOT ok \(expired\)/, "The chain of trust should be expired"); $tests++;
like($out, qr/Certificate Validity \(UTC\)\s+expired/, "The certificate should be expired"); $tests++;
$json = json('tmp.json');
unlink 'tmp.json';
$found = 0;
foreach my $f ( @$json ) {
     if ( $f->{id} eq "cert_expirationStatus" ) {
          $found = 1;
          like($f->{finding}, qr/^expired/, "Finding reads expired."); $tests++;
          is($f->{severity}, "CRITICAL", "Severity should be CRITICAL"); $tests++;
          last;
     }
}
is($found, 1, "We should have a finding for this in the JSON output"); $tests++;

# Self signed and not-expired
pass("Running testssl against self-signed.badssl.com"); $tests++;
$out = `$prg -S --jsonfile tmp.json --color 0 self-signed.badssl.com`;
# \s+ (not a literal "s+") between the label and the value, as in the expired check above
unlike($out, qr/Certificate Validity \(UTC\)\s+expired/, "The certificate should not be expired"); $tests++;
$json = json('tmp.json');
unlink 'tmp.json';
$found = 0;
foreach my $f ( @$json ) {
     if ( $f->{id} eq "cert_expirationStatus" ) {
          $found = 1;
          like($f->{finding}, qr/days/, "Finding doesn't read expired."); $tests++;
          isnt($f->{severity}, "CRITICAL", "Severity should be OK, MEDIUM or HIGH"); $tests++;
          last;
     }
}
is($found, 1, "We should have a finding for this in the JSON output"); $tests++;
like($out, qr/Chain of trust.*?NOT ok.*\(self signed\)/, "Chain of trust should fail because of self signed"); $tests++;
$found = 0;
foreach my $f ( @$json ) {
     if ( $f->{id} eq "cert_chain_of_trust" ) {
          $found = 1;
          like($f->{finding}, qr/^.*self signed/, "Finding says certificate cannot be trusted."); $tests++;
          is($f->{severity}, "CRITICAL", "Severity should be CRITICAL"); $tests++;
          last;
     }
}
is($found, 1, "We should have a finding for this in the JSON output"); $tests++;

# The baseline run must report a trusted chain
like($okout, qr/Chain of trust[^\n]*?Ok/, "Chain of trust should be ok"); $tests++;
$found = 0;
foreach my $f ( @$okjson ) {
     if ( $f->{id} eq "cert_chain_of_trust" ) {
          $found = 1;
          like($f->{finding}, qr/passed/, "Finding says certificate can be trusted."); $tests++;
          # is($f->{finding},"^.*passed.*","Finding says certificate can be trusted."); $tests++;
          is($f->{severity}, "OK", "Severity should be OK"); $tests++;
          last;
     }
}
is($found, 1, "We should have a finding for this in the JSON output"); $tests++;

# Wrong host
#pass("Running testssl against wrong.host.badssl.com"); $tests++;
#$out = `./testssl.sh -S --jsonfile tmp.json --color 0 wrong.host.badssl.com`;
#unlike($out, qr/Certificate Expiration\s+expired\!/,"The certificate should not be expired"); $tests++;
#$json = json('tmp.json');
#unlink 'tmp.json';
#$found = 0;
#foreach my $f ( @$json ) {
#     if ( $f->{id} eq "expiration" ) {
#          $found = 1;
#          unlike($f->{finding},qr/^Certificate Expiration.*expired\!/,"Finding should not read expired."); $tests++;
#          is($f->{severity}, "ok", "Severity should be ok"); $tests++;
#          last;
#     }
#}
#is($found,1,"We had a finding for this in the JSON output"); $tests++;

# Incomplete chain
pass("Running testssl against incomplete-chain.badssl.com"); $tests++;
$out = `$prg -S --jsonfile tmp.json --color 0 incomplete-chain.badssl.com`;
like($out, qr/Chain of trust.*?NOT ok\s+\(chain incomplete\)/, "Chain of trust should fail because of incomplete"); $tests++;
$json = json('tmp.json');
unlink 'tmp.json';
$found = 0;
foreach my $f ( @$json ) {
     if ( $f->{id} eq "cert_chain_of_trust" ) {
          $found = 1;
          like($f->{finding}, qr/^.*chain incomplete/, "Finding says certificate cannot be trusted."); $tests++;
          is($f->{severity}, "CRITICAL", "Severity should be CRITICAL"); $tests++;
          last;
     }
}
is($found, 1, "We should have a finding for this in the JSON output"); $tests++;

# TODO: RSA 8192
# TODO: CBC
#pass("Running testssl against cbc.badssl.com"); $tests++;
#$out = `./testssl.sh -e -U --jsonfile tmp.json --color 0 cbc.badssl.com`;
#like($out, qr/Chain of trust.*?NOT ok\s+\(chain incomplete\)/,"Chain of trust should fail because of incomplete"); $tests++;
#$json = json('tmp.json');
#unlink 'tmp.json';
#$found = 0;
#foreach my $f ( @$json ) {
#     if ( $f->{id} eq "cert_chain_of_trust" ) {
#          $found = 1;
#          like($f->{finding},qr/^All certificate trust checks failed.*incomplete/,"Finding says certificate cannot be trusted."); $tests++;
#          is($f->{severity}, "CRITICAL", "Severity should be CRITICAL"); $tests++;
#          last;
#     }
#}
#is($found,1,"We had a finding for this in the JSON output"); $tests++;

done_testing($tests);

# Read a --jsonfile result and return the decoded list of findings.
# The file is read directly instead of via `cat`, and it is not unlinked here:
# the callers remove tmp.json themselves once they are done with it (the
# previous version tried to unlink the file *contents*, which never matched a path).
sub json {
     my $file = shift;
     open( my $fh, '<', $file ) or die "Cannot open $file: $!";
     local $/;
     my $content = <$fh>;
     close $fh;
     return from_json($content);
}

# vim:ts=5:sw=5:expandtab
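The script above repeats the same pattern five times: locate a finding by `id` in the `--jsonfile` output, confirm it is present at all, and check its `severity` and `finding` text. The following Python checker is an added example, not part of the testssl.sh test suite, that generalizes that pattern into a reusable gate suitable for a CI job consuming a `--jsonfile` run. It assumes only what the script above assumes: the JSON file is a flat list of objects carrying `id`, `severity` and `finding`. The function names, the expectation table and the sample findings are constructed for this example and are not testssl.sh output.

```python
"""Gate on certificate findings in testssl.sh --jsonfile output.

Added example, not part of the testssl.sh project. It assumes the JSON file is a
flat list of objects with the "id", "severity" and "finding" keys that the Perl
test script reads; the sample findings and expectation table are constructed.
"""
import json
import re

# Constructed sample of a --jsonfile run against a host whose certificate is
# both expired and self signed (values invented for the example).
SAMPLE_FINDINGS = json.loads("""
[
  {"id": "service",               "severity": "INFO",     "finding": "HTTP"},
  {"id": "cert_expirationStatus", "severity": "CRITICAL", "finding": "expired (2020-01-01 -> 2021-01-01)"},
  {"id": "cert_chain_of_trust",   "severity": "CRITICAL", "finding": "failed (self signed)"},
  {"id": "cert_keySize",          "severity": "OK",       "finding": "RSA 2048 bits"}
]
""")

# What a trusted production host should report (constructed expectation table):
# id -> (allowed severities, regex the finding text must match).
TRUSTED_HOST_EXPECTATIONS = {
    "cert_expirationStatus": ({"OK", "LOW", "MEDIUM", "HIGH"}, re.compile(r"days")),
    "cert_chain_of_trust":   ({"OK"},                         re.compile(r"passed")),
}


def find_finding(findings, finding_id):
    """Return the first finding with the given id, or None when absent."""
    for f in findings:
        if f.get("id") == finding_id:
            return f
    return None


def check_findings(findings, expectations):
    """Compare findings against expectations; return a list of problem strings.

    An empty list means every expected id was present with an allowed severity
    and a finding text matching its pattern. A missing id is reported as a
    problem too, mirroring the script's $found flag: a check that never ran
    must not pass silently.
    """
    problems = []
    for finding_id, (allowed, pattern) in expectations.items():
        f = find_finding(findings, finding_id)
        if f is None:
            problems.append(f"{finding_id}: no finding in JSON output")
            continue
        severity = f.get("severity")
        if severity not in allowed:
            problems.append(f"{finding_id}: severity {severity!r} not in {sorted(allowed)}")
        text = f.get("finding", "")
        if not pattern.search(text):
            problems.append(f"{finding_id}: finding {text!r} does not match /{pattern.pattern}/")
    return problems


if __name__ == "__main__":
    # Usage: feed the findings from a real run, e.g. json.load(open("tmp.json")),
    # and fail the build when the list of problems is non-empty.
    for problem in check_findings(SAMPLE_FINDINGS, TRUSTED_HOST_EXPECTATIONS):
        print("FAIL", problem)
```

The expectation table keeps the same distinction the Perl script makes: for expiry, anything short of `CRITICAL` is acceptable as long as the text still reports remaining days, while chain of trust must be exactly `OK` with a `passed` finding.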