def test_valid_chain(self): server_info = ServerConnectivityInfo(hostname='www.hotmail.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') self.assertTrue(plugin_result.ocsp_response) self.assertTrue(plugin_result.is_ocsp_response_trusted) self.assertTrue(plugin_result.is_leaf_certificate_ev) self.assertEquals(len(plugin_result.certificate_chain), 2) self.assertEquals(len(plugin_result.path_validation_result_list), 5) for path_validation_result in plugin_result.path_validation_result_list: self.assertTrue(path_validation_result.is_certificate_trusted) self.assertEquals(len(plugin_result.path_validation_error_list), 0) self.assertEquals(plugin_result.hostname_validation_result, X509_NAME_MATCHES_SAN) self.assertTrue(plugin_result.is_certificate_chain_order_valid) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Test the --ca_path option plugin_result = plugin.process_task(server_info, 'certinfo_basic', {'ca_file': os.path.join(os.path.dirname(__file__), 'utils', 'wildcard-self-signed.pem')}) self.assertEquals(len(plugin_result.path_validation_result_list), 6) for path_validation_result in plugin_result.path_validation_result_list: if path_validation_result.trust_store.name == 'Custom --ca_file': self.assertFalse(path_validation_result.is_certificate_trusted) else: self.assertTrue(path_validation_result.is_certificate_trusted)
def test_invalid_chain(self): server_info = ServerConnectivityInfo( hostname=u'self-signed.badssl.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') self.assertIsNone(plugin_result.ocsp_response) self.assertEquals(len(plugin_result.certificate_chain), 1) self.assertEquals(len(plugin_result.path_validation_result_list), 5) for path_validation_result in plugin_result.path_validation_result_list: self.assertFalse(path_validation_result.is_certificate_trusted) self.assertEquals(len(plugin_result.path_validation_error_list), 0) self.assertEquals(plugin_result.hostname_validation_result, X509_NAME_MATCHES_SAN) self.assertTrue(plugin_result.is_certificate_chain_order_valid) self.assertIsNone(plugin_result.has_anchor_in_certificate_chain) self.assertIsNone(plugin_result.has_sha1_in_certificate_chain) self.assertFalse(plugin_result.verified_certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_https_tunneling(self): # Start a local proxy proxy_port = 8000 p = multiprocessing.Process(target=proxy_worker, args=(proxy_port, )) p.start() try: # Run a scan through the proxy tunnel_settings = HttpConnectTunnelingSettings('localhost', proxy_port) server_info = ServerConnectivityInfo(hostname=u'www.google.com', http_tunneling_settings=tunnel_settings) # Try to connect to the proxy - retry if the proxy subprocess wasn't ready proxy_connection_attempts = 0 while True: try: server_info.test_connectivity_to_server() break except ServerConnectivityError: if proxy_connection_attempts > 3: raise proxy_connection_attempts += 1 plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') self.assertTrue(plugin_result.certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) finally: # Kill the local proxy - unclean p.terminate()
def test_1000_sans_chain(self): # Ensure SSLyze can process a leaf cert with 1000 SANs server_test = ServerConnectivityTester(hostname='1000-sans.badssl.com') server_info = server_test.perform() plugin = CertificateInfoPlugin() plugin.process_task(server_info, CertificateInfoScanCommand())
def test_ca_file_bad_file(self): server_info = ServerConnectivityInfo(hostname='www.hotmail.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() with self.assertRaises(ValueError): plugin.process_task(server_info, CertificateInfoScanCommand(ca_file='doesntexist'))
def test_ca_file_bad_file(self): server_test = ServerConnectivityTester(hostname='www.hotmail.com') server_info = server_test.perform() plugin = CertificateInfoPlugin() with self.assertRaises(ValueError): plugin.process_task(server_info, CertificateInfoScanCommand(ca_file='doesntexist'))
def test_succeeds_when_client_auth_failed(self): # Given a server that requires client authentication try: with VulnerableOpenSslServer( client_auth_config= ClientAuthenticationServerConfigurationEnum.REQUIRED ) as server: # And the client does NOT provide a client certificate server_test = ServerConnectivityTester( hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = server_test.perform() # CertificateInfoPlugin works even when a client cert was not supplied plugin = CertificateInfoPlugin() plugin_result = plugin.process_task( server_info, CertificateInfoScanCommand()) except NotOnLinux64Error: logging.warning('WARNING: Not on Linux - skipping test') return self.assertTrue(plugin_result.certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_1000_sans_chain(self): # Ensure SSLyze can process a leaf cert with 1000 SANs server_info = ServerConnectivityInfo(hostname='1000-sans.badssl.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin.process_task(server_info, CertificateInfoScanCommand())
def test_valid_chain_with_ev_cert(self): server_test = ServerConnectivityTester(hostname='www.comodo.com') server_info = server_test.perform() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertTrue(plugin_result.is_leaf_certificate_ev) self.assertEqual(len(plugin_result.certificate_chain), 4) self.assertEqual(len(plugin_result.verified_certificate_chain), 3) self.assertFalse(plugin_result.has_anchor_in_certificate_chain) self.assertEqual(len(plugin_result.path_validation_result_list), 5) for path_validation_result in plugin_result.path_validation_result_list: self.assertTrue(path_validation_result.is_certificate_trusted) self.assertEqual(len(plugin_result.path_validation_error_list), 0) self.assertEqual(plugin_result.certificate_matches_hostname, True) self.assertTrue(plugin_result.is_certificate_chain_order_valid) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_valid_chain_with_ocsp_stapling(self): server_info = ServerConnectivityInfo(hostname='login.live.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertTrue(plugin_result.ocsp_response) self.assertTrue(plugin_result.is_ocsp_response_trusted) self.assertEqual(len(plugin_result.certificate_chain), 2) self.assertEqual(len(plugin_result.verified_certificate_chain), 3) self.assertFalse(plugin_result.has_anchor_in_certificate_chain) self.assertEqual(len(plugin_result.path_validation_result_list), 5) for path_validation_result in plugin_result.path_validation_result_list: self.assertTrue(path_validation_result.is_certificate_trusted) self.assertEqual(len(plugin_result.path_validation_error_list), 0) self.assertEqual(plugin_result.certificate_matches_hostname, True) self.assertTrue(plugin_result.is_certificate_chain_order_valid) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_invalid_chain(self): server_test = ServerConnectivityTester( hostname='self-signed.badssl.com') server_info = server_test.perform() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertIsNone(plugin_result.ocsp_response) self.assertEqual(len(plugin_result.certificate_chain), 1) self.assertEqual(len(plugin_result.path_validation_result_list), 5) for path_validation_result in plugin_result.path_validation_result_list: self.assertFalse(path_validation_result.is_certificate_trusted) self.assertEqual(plugin_result.certificate_included_scts_count, 0) self.assertEqual(len(plugin_result.path_validation_error_list), 0) self.assertEqual(plugin_result.certificate_matches_hostname, True) self.assertTrue(plugin_result.is_certificate_chain_order_valid) self.assertIsNone(plugin_result.has_anchor_in_certificate_chain) self.assertIsNone(plugin_result.has_sha1_in_certificate_chain) self.assertFalse(plugin_result.verified_certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_ca_file_bad_file(self): server_info = ServerConnectivityInfo(hostname=u'www.hotmail.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() with self.assertRaises(ValueError): plugin.process_task(server_info, CertificateInfoScanCommand(ca_file=u'doesntexist'))
def test_valid_chain(self): server_info = ServerConnectivityInfo(hostname=u'www.hotmail.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertTrue(plugin_result.ocsp_response) self.assertTrue(plugin_result.is_ocsp_response_trusted) self.assertTrue(plugin_result.is_leaf_certificate_ev) self.assertEquals(len(plugin_result.certificate_chain), 2) self.assertEquals(len(plugin_result.verified_certificate_chain), 3) self.assertFalse(plugin_result.has_anchor_in_certificate_chain) self.assertEquals(len(plugin_result.path_validation_result_list), 5) for path_validation_result in plugin_result.path_validation_result_list: self.assertTrue(path_validation_result.is_certificate_trusted) self.assertEquals(len(plugin_result.path_validation_error_list), 0) self.assertEquals(plugin_result.hostname_validation_result, HostnameValidationResultEnum.NAME_MATCHES_SAN) self.assertTrue(plugin_result.is_certificate_chain_order_valid) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def https_check(endpoint): logging.debug("sslyzing %s..." % endpoint.url) # remove the https:// from prefix for sslyze hostname = endpoint.url[8:] server_info = ServerConnectivityInfo(hostname=hostname, port=443) try: server_info.test_connectivity_to_server() except sslyze.server_connectivity.ServerConnectivityError: logging.warn("Error in sslyze server connectivity check") return cert_plugin = CertificateInfoPlugin() try: cert_plugin_result = cert_plugin.process_task(server_info, 'certinfo_basic') except nassl._nassl.OpenSSLError: logging.warn("Error in sslyze cert info plugin") return except nassl.x509_certificate.X509HostnameValidationError: logging.warn("Error parsing x.509 certificate.") return try: cert_response = cert_plugin_result.as_text() except TypeError: logging.warn("sslyze exception parsing issuer, see https://github.com/nabla-c0d3/sslyze/issues/167") return # Debugging # for msg in cert_response: # print(msg) # A certificate can have multiple issues. for msg in cert_response: # Check for certificate expiration. if ( (("Mozilla NSS CA Store") in msg) and (("FAILED") in msg) and (("certificate has expired") in msg) ): endpoint.https_expired_cert = True # Check for whether there's a valid chain to Mozilla. # Note: this will also catch expired certs, but this is okay. if ( (("Mozilla NSS CA Store") in msg) and (("FAILED") in msg) and (("Certificate is NOT Trusted") in msg) ): endpoint.https_bad_chain = True # Check for whether the hostname validates. if ( (("Hostname Validation") in msg) and (("FAILED") in msg) and (("Certificate does NOT match") in msg) ): endpoint.https_bad_hostname = True
def test_valid_chain_with_ev_cert(self): server_test = ServerConnectivityTester(hostname='www.comodo.com') server_info = server_test.perform() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) assert plugin_result.leaf_certificate_is_ev assert len(plugin_result.received_certificate_chain) >= 3 assert len(plugin_result.verified_certificate_chain) >= 3 assert not plugin_result.received_chain_contains_anchor_certificate assert len(plugin_result.path_validation_result_list) == 5 for path_validation_result in plugin_result.path_validation_result_list: assert path_validation_result.was_validation_successful assert len(plugin_result.path_validation_error_list) == 0 assert plugin_result.leaf_certificate_subject_matches_hostname assert plugin_result.received_chain_has_valid_order assert plugin_result.as_text() assert plugin_result.as_xml() # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue assert pickle.dumps(plugin_result)
def test_invalid_chain(self): server_info = ServerConnectivityInfo(hostname='self-signed.badssl.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertIsNone(plugin_result.ocsp_response) self.assertEqual(len(plugin_result.certificate_chain), 1) self.assertEqual(len(plugin_result.path_validation_result_list), 5) for path_validation_result in plugin_result.path_validation_result_list: self.assertFalse(path_validation_result.is_certificate_trusted) self.assertEqual(plugin_result.certificate_included_scts_count, 0) self.assertEqual(len(plugin_result.path_validation_error_list), 0) self.assertEqual(plugin_result.certificate_matches_hostname, True) self.assertTrue(plugin_result.is_certificate_chain_order_valid) self.assertIsNone(plugin_result.has_anchor_in_certificate_chain) self.assertIsNone(plugin_result.has_sha1_in_certificate_chain) self.assertFalse(plugin_result.verified_certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_invalid_chain(self): server_test = ServerConnectivityTester(hostname='self-signed.badssl.com') server_info = server_test.perform() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) assert plugin_result.ocsp_response is None assert len(plugin_result.received_certificate_chain) == 1 assert len(plugin_result.path_validation_result_list) >= 5 for path_validation_result in plugin_result.path_validation_result_list: assert not path_validation_result.was_validation_successful assert plugin_result.leaf_certificate_signed_certificate_timestamps_count == 0 assert len(plugin_result.path_validation_error_list) == 0 assert plugin_result.leaf_certificate_subject_matches_hostname assert plugin_result.received_chain_has_valid_order assert plugin_result.received_chain_contains_anchor_certificate is None assert plugin_result.verified_chain_has_sha1_signature is None assert not plugin_result.verified_certificate_chain assert plugin_result.as_text() assert plugin_result.as_xml() # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue assert pickle.dumps(plugin_result)
def test_valid_chain_with_ev_cert(self): server_info = ServerConnectivityInfo(hostname='www.comodo.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertTrue(plugin_result.is_leaf_certificate_ev) self.assertEqual(len(plugin_result.certificate_chain), 3) self.assertEqual(len(plugin_result.verified_certificate_chain), 3) self.assertFalse(plugin_result.has_anchor_in_certificate_chain) self.assertEqual(len(plugin_result.path_validation_result_list), 5) for path_validation_result in plugin_result.path_validation_result_list: self.assertTrue(path_validation_result.is_certificate_trusted) self.assertEqual(len(plugin_result.path_validation_error_list), 0) self.assertEqual(plugin_result.certificate_matches_hostname, True) self.assertTrue(plugin_result.is_certificate_chain_order_valid) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_https_tunneling(self): # Start a local proxy proxy_port = 8000 p = multiprocessing.Process(target=proxy_worker, args=(proxy_port, )) p.start() try: # Run a scan through the proxy tunnel_settings = HttpConnectTunnelingSettings( 'localhost', proxy_port) server_info = ServerConnectivityInfo( hostname='www.google.com', http_tunneling_settings=tunnel_settings) # Try to connect to the proxy - retry if the proxy subprocess wasn't ready proxy_connection_attempts = 0 while True: try: server_info.test_connectivity_to_server() break except ServerConnectivityError: if proxy_connection_attempts > 3: raise proxy_connection_attempts += 1 plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') self.assertTrue(plugin_result.certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) finally: # Kill the local proxy - unclean p.terminate()
def attack(results, host_name): print("Running 10.16 attack.py host name: {}".format(host_name)) report = {} try: server_tester = ServerConnectivityTester( hostname=host_name, port=443, tls_wrapped_protocol=TlsWrappedProtocolEnum.HTTPS) server_info = server_tester.perform() except ServerConnectivityError as e: results.append(AttackResult('10.16', host_name, False, e)) return plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) # Valid host name certificate_matches_hostname = plugin_result.certificate_matches_hostname # Chain order is valid is_certificate_chain_order_valid = plugin_result.is_certificate_chain_order_valid # All certificates are trusted certificates_are_trusted = True for path_validation_result in plugin_result.path_validation_result_list: if not path_validation_result.is_certificate_trusted: certificates_are_trusted = False result = certificate_matches_hostname and is_certificate_chain_order_valid and certificates_are_trusted details = '' if not certificate_matches_hostname: details += ' Certificate does not match hostname' if not is_certificate_chain_order_valid: details += ' Certificate chain order is invalid' if not certificates_are_trusted: details += ' Certificates are not trusted.' attackResult = None if not result: attackResult = AttackResult('hostname', host_name, result, details) else: attackResult = AttackResult( 'hostname', host_name, result, 'TLS certificates match hostname, are trusted and the chain order is valid' ) results.append(attackResult) #results = [] #attack(results, 'https://www.google.co.uk')
def test_valid_chain_print_full_certificate(self): server_info = ServerConnectivityInfo(hostname=u'www.hotmail.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand(print_full_certificate=True)) # The only difference with the previous test is the text output self.assertTrue(plugin_result.as_text())
def test_optional_client_authentication(self): server_test = ServerConnectivityTester(hostname='client.badssl.com') server_info = server_test.perform() assert server_info.client_auth_requirement == ClientAuthenticationServerConfigurationEnum.OPTIONAL plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) assert plugin_result.as_text() assert plugin_result.as_xml()
def test_optional_client_authentication(self): server_test = ServerConnectivityTester(hostname='client.badssl.com') server_info = server_test.perform() self.assertEqual(server_info.client_auth_requirement, ClientAuthenticationServerConfigurationEnum.OPTIONAL) plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_1000_sans_chain(self): # Ensure SSLyze can process a leaf cert with 1000 SANs server_info = ServerConnectivityInfo(hostname='1000-sans.badssl.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') san_list = plugin_result.certificate_chain[0].as_dict['extensions']['X509v3 Subject Alternative Name']['DNS'] self.assertEquals(len(san_list), 1000)
def test_sha256_chain(self): server_info = ServerConnectivityInfo(hostname='sha256.badssl.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') self.assertIn('OK - No SHA1-signed certificate in the chain', '\n'.join(plugin_result.as_text())) self.assertTrue(plugin_result.as_xml())
def test_optional_client_authentication(self): server_info = ServerConnectivityInfo(hostname='xnet-eu.intellij.net') server_info.test_connectivity_to_server() self.assertEquals(server_info.client_auth_requirement, ClientAuthenticationServerConfigurationEnum.OPTIONAL) plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_1000_sans_chain(self): # Ensure SSLyze can process a leaf cert with 1000 SANs server_info = ServerConnectivityInfo(hostname=u'1000-sans.badssl.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) san_list = plugin_result.certificate_chain[0].as_dict[u'extensions'][u'X509v3 Subject Alternative Name'][u'DNS'] self.assertEquals(len(san_list), 1000)
def test_sha1_chain(self): server_info = ServerConnectivityInfo(hostname='sha1-2017.badssl.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') # TODO: Expose has_sha1 as an attribute self.assertIn('INSECURE - SHA1-signed certificate in the chain', '\n'.join(plugin_result.as_text())) self.assertTrue(plugin_result.as_xml())
def test_optional_client_authentication(self): for hostname in [u'auth.startssl.com', u'xnet-eu.intellij.net']: server_info = ServerConnectivityInfo(hostname=hostname) server_info.test_connectivity_to_server() self.assertEquals(server_info.client_auth_requirement, ClientAuthenticationServerConfigurationEnum.OPTIONAL) plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_sha1_chain(self): server_info = ServerConnectivityInfo(hostname='sha1-intermediate.badssl.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertTrue(plugin_result.has_sha1_in_certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_optional_client_authentication(self): for hostname in ['auth.startssl.com', 'xnet-eu.intellij.net']: server_info = ServerConnectivityInfo(hostname=hostname) server_info.test_connectivity_to_server() self.assertEquals(server_info.client_auth_requirement, ClientAuthenticationServerConfigurationEnum.OPTIONAL) plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_ipv6(self): server_test = ServerConnectivityTester(hostname='www.google.com', ip_address='2607:f8b0:4005:804::2004') server_info = server_test.perform() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertGreaterEqual(len(plugin_result.certificate_chain), 1) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_international_names(self): server_info = ServerConnectivityInfo(hostname=u'www.sociétégénérale.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, u'certinfo_basic') self.assertEquals(len(plugin_result.certificate_chain), 3) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_international_names(self): server_test = ServerConnectivityTester(hostname='www.sociétégénérale.com') server_info = server_test.perform() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) assert len(plugin_result.received_certificate_chain) >= 1 assert plugin_result.as_text() assert plugin_result.as_xml()
def test_sha1_chain(self): server_info = ServerConnectivityInfo(hostname=u'sha1-2017.badssl.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') self.assertTrue(plugin_result.has_sha1_in_certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_unicode_certificate(self): server_info = ServerConnectivityInfo(hostname=u'www.főgáz.hu') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertTrue(plugin_result.certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_sha1_chain(self): server_info = ServerConnectivityInfo(hostname=u'sha1-2017.badssl.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') self.assertTrue(plugin_result.has_sha1_in_certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_sha256_chain(self): server_info = ServerConnectivityInfo(hostname=u'sha256.badssl.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertFalse(plugin_result.has_sha1_in_certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_international_names(self): server_info = ServerConnectivityInfo(hostname='www.sociétégénérale.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertEquals(len(plugin_result.certificate_chain), 3) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_ipv6(self): server_test = ServerConnectivityTester(hostname='www.google.com', ip_address='2607:f8b0:4005:804::2004') server_info = server_test.perform() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) assert len(plugin_result.received_certificate_chain) >= 1 assert plugin_result.as_text() assert plugin_result.as_xml()
def test_unicode_certificate(self): server_info = ServerConnectivityInfo(hostname=u'www.főgáz.hu') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') self.assertTrue(plugin_result.certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_not_trusted_by_mozilla_but_trusted_by_microsoft(self): server_info = ServerConnectivityInfo(hostname=u'webmail.russia.nasa.gov') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertEqual(plugin_result.successful_trust_store.name, u'Microsoft') self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_chain_with_anchor(self): server_info = ServerConnectivityInfo(hostname=u'www.verizon.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertTrue(plugin_result.has_anchor_in_certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_international_names(self): server_test = ServerConnectivityTester(hostname='www.sociétégénérale.com') server_info = server_test.perform() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertGreaterEqual(len(plugin_result.certificate_chain), 1) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_chain_with_anchor(self): server_info = ServerConnectivityInfo(hostname=u'www.verizon.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') self.assertTrue(plugin_result.has_anchor_in_certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_smtp_custom_port(self): server_info = ServerConnectivityInfo(hostname='smtp.gmail.com', port=587, tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_SMTP) server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') self.assertEquals(len(plugin_result.certificate_chain), 3) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_xmpp_to(self): server_info = ServerConnectivityInfo(hostname='talk.google.com', tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_XMPP, xmpp_to_hostname='gmail.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') self.assertEquals(len(plugin_result.certificate_chain), 3) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_chain_with_anchor(self): server_test = ServerConnectivityTester(hostname='www.verizon.com') server_info = server_test.perform() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertTrue(plugin_result.has_anchor_in_certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_ca_file(self): server_info = ServerConnectivityInfo(hostname='www.hotmail.com') server_info.test_connectivity_to_server() ca_file_path = os.path.join(os.path.dirname(__file__), '..', 'utils', 'wildcard-self-signed.pem') plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand(ca_file=ca_file_path)) self.assertEqual(len(plugin_result.path_validation_result_list), 6) for path_validation_result in plugin_result.path_validation_result_list: if path_validation_result.trust_store.name == 'Custom --ca_file': self.assertFalse(path_validation_result.is_certificate_trusted) else: self.assertTrue(path_validation_result.is_certificate_trusted)
def test_unicode_certificate(self): server_test = ServerConnectivityTester(hostname='เพย์สบาย.th') server_info = server_test.perform() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertGreaterEqual(len(plugin_result.certificate_chain), 1) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_certificate_with_scts(self): server_info = ServerConnectivityInfo(hostname='www.apple.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertEqual(plugin_result.certificate_included_scts_count, 3) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_not_trusted_by_mozilla_but_trusted_by_microsoft(self): server_info = ServerConnectivityInfo(hostname='webmail.russia.nasa.gov') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertEqual(plugin_result.successful_trust_store.name, 'Windows') self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_ecdsa_certificate(self): server_info = ServerConnectivityInfo(hostname='www.cloudflare.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertGreaterEqual(len(plugin_result.certificate_chain), 1) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_starttls(self): for hostname, protocol in [('imap.comcast.net', TlsWrappedProtocolEnum.STARTTLS_IMAP), ('pop.comcast.net', TlsWrappedProtocolEnum.STARTTLS_POP3), ('ldap.virginia.edu', TlsWrappedProtocolEnum.STARTTLS_LDAP), ('jabber.org', TlsWrappedProtocolEnum.STARTTLS_XMPP_SERVER)]: server_info = ServerConnectivityInfo(hostname=hostname, tls_wrapped_protocol=protocol) server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_certificate_with_no_subject(self): server_info = ServerConnectivityInfo(hostname='no-subject.badssl.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertTrue(plugin_result.verified_certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_smtp_custom_port(self): server_test = ServerConnectivityTester( hostname='smtp.gmail.com', port=587, tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_SMTP ) server_info = server_test.perform() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertGreaterEqual(len(plugin_result.certificate_chain), 1) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_xmpp_to(self): server_test = ServerConnectivityTester( hostname='talk.google.com', tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_XMPP, xmpp_to_hostname='gmail.com' ) server_info = server_test.perform() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertGreaterEqual(len(plugin_result.certificate_chain), 1) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())