def test_ca_file_bad_file(self): server_info = ServerConnectivityInfo(hostname='www.hotmail.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() with self.assertRaises(ValueError): plugin.process_task(server_info, CertificateInfoScanCommand(ca_file='doesntexist'))
def test_valid_chain(self): server_info = ServerConnectivityInfo(hostname='www.hotmail.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') self.assertTrue(plugin_result.ocsp_response) self.assertTrue(plugin_result.is_ocsp_response_trusted) self.assertTrue(plugin_result.is_leaf_certificate_ev) self.assertEquals(len(plugin_result.certificate_chain), 2) self.assertEquals(len(plugin_result.path_validation_result_list), 5) for path_validation_result in plugin_result.path_validation_result_list: self.assertTrue(path_validation_result.is_certificate_trusted) self.assertEquals(len(plugin_result.path_validation_error_list), 0) self.assertEquals(plugin_result.hostname_validation_result, X509_NAME_MATCHES_SAN) self.assertTrue(plugin_result.is_certificate_chain_order_valid) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Test the --ca_path option plugin_result = plugin.process_task(server_info, 'certinfo_basic', {'ca_file': os.path.join(os.path.dirname(__file__), 'utils', 'wildcard-self-signed.pem')}) self.assertEquals(len(plugin_result.path_validation_result_list), 6) for path_validation_result in plugin_result.path_validation_result_list: if path_validation_result.trust_store.name == 'Custom --ca_file': self.assertFalse(path_validation_result.is_certificate_trusted) else: self.assertTrue(path_validation_result.is_certificate_trusted)
def test_1000_sans_chain(self): # Ensure SSLyze can process a leaf cert with 1000 SANs server_info = ServerConnectivityInfo(hostname='1000-sans.badssl.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin.process_task(server_info, CertificateInfoScanCommand())
def test_https_tunneling(self): # Start a local proxy proxy_port = 8000 p = multiprocessing.Process(target=proxy_worker, args=(proxy_port, )) p.start() try: # Run a scan through the proxy tunnel_settings = HttpConnectTunnelingSettings('localhost', proxy_port) server_info = ServerConnectivityInfo(hostname=u'www.google.com', http_tunneling_settings=tunnel_settings) # Try to connect to the proxy - retry if the proxy subprocess wasn't ready proxy_connection_attempts = 0 while True: try: server_info.test_connectivity_to_server() break except ServerConnectivityError: if proxy_connection_attempts > 3: raise proxy_connection_attempts += 1 plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') self.assertTrue(plugin_result.certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) finally: # Kill the local proxy - unclean p.terminate()
def test_valid_chain_with_ev_cert(self): server_info = ServerConnectivityInfo(hostname='www.comodo.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertTrue(plugin_result.is_leaf_certificate_ev) self.assertEqual(len(plugin_result.certificate_chain), 3) self.assertEqual(len(plugin_result.verified_certificate_chain), 3) self.assertFalse(plugin_result.has_anchor_in_certificate_chain) self.assertEqual(len(plugin_result.path_validation_result_list), 5) for path_validation_result in plugin_result.path_validation_result_list: self.assertTrue(path_validation_result.is_certificate_trusted) self.assertEqual(len(plugin_result.path_validation_error_list), 0) self.assertEqual(plugin_result.certificate_matches_hostname, True) self.assertTrue(plugin_result.is_certificate_chain_order_valid) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_invalid_chain(self): server_info = ServerConnectivityInfo(hostname='self-signed.badssl.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertIsNone(plugin_result.ocsp_response) self.assertEqual(len(plugin_result.certificate_chain), 1) self.assertEqual(len(plugin_result.path_validation_result_list), 5) for path_validation_result in plugin_result.path_validation_result_list: self.assertFalse(path_validation_result.is_certificate_trusted) self.assertEqual(plugin_result.certificate_included_scts_count, 0) self.assertEqual(len(plugin_result.path_validation_error_list), 0) self.assertEqual(plugin_result.certificate_matches_hostname, True) self.assertTrue(plugin_result.is_certificate_chain_order_valid) self.assertIsNone(plugin_result.has_anchor_in_certificate_chain) self.assertIsNone(plugin_result.has_sha1_in_certificate_chain) self.assertFalse(plugin_result.verified_certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_1000_sans_chain(self): # Ensure SSLyze can process a leaf cert with 1000 SANs server_info = ServerConnectivityInfo(hostname='1000-sans.badssl.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') san_list = plugin_result.certificate_chain[0].as_dict['extensions']['X509v3 Subject Alternative Name']['DNS'] self.assertEquals(len(san_list), 1000)
def test_optional_client_authentication(self): server_test = ServerConnectivityTester(hostname='client.badssl.com') server_info = server_test.perform() self.assertEqual(server_info.client_auth_requirement, ClientAuthenticationServerConfigurationEnum.OPTIONAL) plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_sha256_chain(self): server_info = ServerConnectivityInfo(hostname='sha256.badssl.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') self.assertIn('OK - No SHA1-signed certificate in the chain', '\n'.join(plugin_result.as_text())) self.assertTrue(plugin_result.as_xml())
def test_optional_client_authentication(self): for hostname in ['auth.startssl.com', 'xnet-eu.intellij.net']: server_info = ServerConnectivityInfo(hostname=hostname) server_info.test_connectivity_to_server() self.assertEquals(server_info.client_auth_requirement, ClientAuthenticationServerConfigurationEnum.OPTIONAL) plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_unicode_certificate(self): server_info = ServerConnectivityInfo(hostname=u'www.főgáz.hu') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') self.assertTrue(plugin_result.certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_international_names(self): server_test = ServerConnectivityTester(hostname='www.sociétégénérale.com') server_info = server_test.perform() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertGreaterEqual(len(plugin_result.certificate_chain), 1) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_sha1_chain(self): server_info = ServerConnectivityInfo(hostname='sha1-intermediate.badssl.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertTrue(plugin_result.has_sha1_in_certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_sha1_chain(self): server_info = ServerConnectivityInfo(hostname=u'sha1-2017.badssl.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') self.assertTrue(plugin_result.has_sha1_in_certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_chain_with_anchor(self): server_info = ServerConnectivityInfo(hostname=u'www.verizon.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') self.assertTrue(plugin_result.has_anchor_in_certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_international_names(self): server_info = ServerConnectivityInfo(hostname=u'www.sociétégénérale.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, u'certinfo_basic') self.assertEquals(len(plugin_result.certificate_chain), 3) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_ipv6(self): server_test = ServerConnectivityTester(hostname='www.google.com', ip_address='2607:f8b0:4005:804::2004') server_info = server_test.perform() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertGreaterEqual(len(plugin_result.certificate_chain), 1) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_sha1_chain(self): server_info = ServerConnectivityInfo(hostname='sha1-2017.badssl.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') # TODO: Expose has_sha1 as an attribute self.assertIn('INSECURE - SHA1-signed certificate in the chain', '\n'.join(plugin_result.as_text())) self.assertTrue(plugin_result.as_xml())
def test_smtp_custom_port(self): server_info = ServerConnectivityInfo(hostname='smtp.gmail.com', port=587, tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_SMTP) server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') self.assertEquals(len(plugin_result.certificate_chain), 3) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_ipv6(self): server_test = ServerConnectivityTester( hostname='www.google.com', ip_address='2607:f8b0:4005:804::2004') server_info = server_test.perform() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertGreaterEqual(len(plugin_result.certificate_chain), 1) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_international_names(self): server_test = ServerConnectivityTester( hostname='www.sociétégénérale.com') server_info = server_test.perform() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertGreaterEqual(len(plugin_result.certificate_chain), 1) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_sha1_chain(self): server_info = ServerConnectivityInfo( hostname='sha1-intermediate.badssl.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertTrue(plugin_result.has_sha1_in_certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_xmpp_to(self): server_info = ServerConnectivityInfo(hostname='talk.google.com', tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_XMPP, xmpp_to_hostname='gmail.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') self.assertEquals(len(plugin_result.certificate_chain), 3) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_international_names(self): server_info = ServerConnectivityInfo( hostname='www.sociétégénérale.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertEqual(len(plugin_result.certificate_chain), 2) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_optional_client_authentication(self): for hostname in ['auth.startssl.com', 'xnet-eu.intellij.net']: server_info = ServerConnectivityInfo(hostname=hostname) server_info.test_connectivity_to_server() self.assertEquals( server_info.client_auth_requirement, ClientAuthenticationServerConfigurationEnum.OPTIONAL) plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_xmpp_to(self): server_info = ServerConnectivityInfo(hostname='talk.google.com', tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_XMPP, xmpp_to_hostname='gmail.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertEquals(len(plugin_result.certificate_chain), 3) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_certificate_with_no_subject(self): server_info = ServerConnectivityInfo(hostname='no-subject.badssl.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertTrue(plugin_result.verified_certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_not_trusted_by_mozilla_but_trusted_by_microsoft(self): server_info = ServerConnectivityInfo(hostname='webmail.russia.nasa.gov') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertEqual(plugin_result.successful_trust_store.name, 'Windows') self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_chain_with_anchor(self): server_test = ServerConnectivityTester(hostname='www.verizon.com') server_info = server_test.perform() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertTrue(plugin_result.has_anchor_in_certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_ecdsa_certificate(self): server_info = ServerConnectivityInfo(hostname='www.cloudflare.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertGreaterEqual(len(plugin_result.certificate_chain), 1) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_certificate_with_scts(self): server_test = ServerConnectivityTester(hostname='www.apple.com') server_info = server_test.perform() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) assert plugin_result.leaf_certificate_signed_certificate_timestamps_count > 1 assert plugin_result.as_text() assert plugin_result.as_xml() # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue assert pickle.dumps(plugin_result)
def test_unicode_certificate(self): server_test = ServerConnectivityTester(hostname='เพย์สบาย.th') server_info = server_test.perform() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertGreaterEqual(len(plugin_result.certificate_chain), 1) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_ca_file(self): server_info = ServerConnectivityInfo(hostname='www.hotmail.com') server_info.test_connectivity_to_server() ca_file_path = os.path.join(os.path.dirname(__file__), '..', 'utils', 'wildcard-self-signed.pem') plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand(ca_file=ca_file_path)) self.assertEqual(len(plugin_result.path_validation_result_list), 6) for path_validation_result in plugin_result.path_validation_result_list: if path_validation_result.trust_store.name == 'Custom --ca_file': self.assertFalse(path_validation_result.is_certificate_trusted) else: self.assertTrue(path_validation_result.is_certificate_trusted)
def test_sha256_chain(self): server_test = ServerConnectivityTester(hostname='sha256.badssl.com') server_info = server_test.perform() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) assert not plugin_result.verified_chain_has_sha1_signature assert plugin_result.as_text() assert plugin_result.as_xml() # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue assert pickle.dumps(plugin_result)
def test_unicode_certificate(self): server_test = ServerConnectivityTester(hostname='เพย์สบาย.th') server_info = server_test.perform() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) assert len(plugin_result.received_certificate_chain) >= 1 assert plugin_result.as_text() assert plugin_result.as_xml() # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue assert pickle.dumps(plugin_result)
def test_starttls(self): for hostname, protocol in [('imap.comcast.net', TlsWrappedProtocolEnum.STARTTLS_IMAP), ('pop.comcast.net', TlsWrappedProtocolEnum.STARTTLS_POP3), ('ldap.virginia.edu', TlsWrappedProtocolEnum.STARTTLS_LDAP), ('jabber.org', TlsWrappedProtocolEnum.STARTTLS_XMPP_SERVER)]: server_info = ServerConnectivityInfo(hostname=hostname, tls_wrapped_protocol=protocol) server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_chain_with_anchor(self): server_test = ServerConnectivityTester(hostname='www.verizon.com') server_info = server_test.perform() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) assert plugin_result.received_chain_contains_anchor_certificate assert plugin_result.as_text() assert plugin_result.as_xml() # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue assert pickle.dumps(plugin_result)
def test_ca_file(self): server_test = ServerConnectivityTester(hostname='www.hotmail.com') server_info = server_test.perform() ca_file_path = os.path.join(os.path.dirname(__file__), '..', 'utils', 'wildcard-self-signed.pem') plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand(ca_file=ca_file_path)) assert len(plugin_result.path_validation_result_list) >= 6 for path_validation_result in plugin_result.path_validation_result_list: if path_validation_result.trust_store.name == 'Custom --ca_file': assert not path_validation_result.was_validation_successful else: assert path_validation_result.was_validation_successful
def test_certificate_with_scts(self): server_info = ServerConnectivityInfo(hostname='www.apple.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertEqual(plugin_result.certificate_included_scts_count, 3) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_ecdsa_certificate(self): server_test = ServerConnectivityTester(hostname='www.cloudflare.com') server_info = server_test.perform() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertGreaterEqual(len(plugin_result.certificate_chain), 1) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_smtp_custom_port(self): server_info = ServerConnectivityInfo( hostname='smtp.gmail.com', port=587, tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_SMTP) server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') self.assertEquals(len(plugin_result.certificate_chain), 3) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_certificate_with_no_subject(self): server_test = ServerConnectivityTester(hostname='no-subject.badssl.com') server_info = server_test.perform() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertTrue(plugin_result.verified_certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_certificate_with_scts(self): server_test = ServerConnectivityTester(hostname='www.apple.com') server_info = server_test.perform() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertGreater(plugin_result.certificate_included_scts_count, 1) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_not_trusted_by_mozilla_but_trusted_by_microsoft(self): server_test = ServerConnectivityTester(hostname='webmail.russia.nasa.gov') server_info = server_test.perform() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertEqual(plugin_result.successful_trust_store.name, 'Windows') self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_ca_file(self): server_info = ServerConnectivityInfo(hostname=u'www.hotmail.com') server_info.test_connectivity_to_server() ca_file_path = os.path.join(os.path.dirname(__file__), u'..', u'utils', u'wildcard-self-signed.pem') plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand(ca_file=ca_file_path)) self.assertEquals(len(plugin_result.path_validation_result_list), 6) for path_validation_result in plugin_result.path_validation_result_list: if path_validation_result.trust_store.name == u'Custom --ca_file': self.assertFalse(path_validation_result.is_certificate_trusted) else: self.assertTrue(path_validation_result.is_certificate_trusted)
def test_sha1_chain(self): # The test server no longer works return server_info = ServerConnectivityInfo(hostname='sha1-2017.badssl.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertTrue(plugin_result.has_sha1_in_certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def concurrent_scan(site_info): # Setup the server to scan and ensure it is online/reachable server_info = server_connectivity_tester(site_info.name) if server_info: synchronous_scanner = SynchronousScanner() cert_info_plugin = CertificateInfoPlugin() plugin_result = cert_info_plugin.process_task( server_info, CertificateInfoScanCommand()) #not plugin_result.verified_certificate_chain or #not plugin_result.leaf_certificate_subject_matches_hostname some sites' certs CN is with "www." so the result here is false if plugin_result.verified_certificate_chain and site_info.name not in str( plugin_result.verified_certificate_chain[0].subject): site_info.cert_trusted = "False" print("not trusted: " + site_info.name) print(plugin_result.__dict__) # elif not plugin_result.verified_certificate_chain: # site_info.cert_trusted = "False" # print("not trusted: " + site_info.name) # print(plugin_result.__dict__) else: site_info.cert_trusted = "True" scan_result1 = synchronous_scanner.run_scan_command( server_info, Sslv20ScanCommand()) if len(scan_result1.accepted_cipher_list) > 0: site_info.sslv2 = "True" scan_result2 = synchronous_scanner.run_scan_command( server_info, Sslv30ScanCommand()) if len(scan_result2.accepted_cipher_list) > 0: site_info.sslv3 = "True" scan_result3 = synchronous_scanner.run_scan_command( server_info, Tlsv10ScanCommand()) if len(scan_result3.accepted_cipher_list) > 0: site_info.tlsv1 = "True" scan_result4 = synchronous_scanner.run_scan_command( server_info, Tlsv11ScanCommand()) if len(scan_result4.accepted_cipher_list) > 0: site_info.tlsv11 = "True" scan_result5 = synchronous_scanner.run_scan_command( server_info, Tlsv12ScanCommand()) if len(scan_result5.accepted_cipher_list) > 0: site_info.tlsv12 = "True" scan_result6 = synchronous_scanner.run_scan_command( server_info, Tlsv13ScanCommand()) if len(scan_result6.accepted_cipher_list) > 0: site_info.tlsv13 = "True" recheck_cert(site_info)
def test_ipv6(self): if not self._is_ipv6_available(): logging.warning('WARNING: IPv6 not available - skipping test') return server_info = ServerConnectivityInfo(hostname='www.google.com', ip_address='2607:f8b0:4005:804::2004') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertEquals(len(plugin_result.certificate_chain), 3) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_xmpp_to(self): server_test = ServerConnectivityTester( hostname='talk.google.com', tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_XMPP, xmpp_to_hostname='gmail.com' ) server_info = server_test.perform() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertGreaterEqual(len(plugin_result.certificate_chain), 1) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_smtp_custom_port(self): server_test = ServerConnectivityTester( hostname='smtp.gmail.com', port=587, tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_SMTP ) server_info = server_test.perform() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertGreaterEqual(len(plugin_result.certificate_chain), 1) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_xmpp_to(self): server_test = ServerConnectivityTester( hostname='talk.google.com', tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_XMPP, xmpp_to_hostname='gmail.com' ) server_info = server_test.perform() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) assert len(plugin_result.received_certificate_chain) >= 1 assert plugin_result.as_text() assert plugin_result.as_xml()
def test_smtp_custom_port(self): server_test = ServerConnectivityTester( hostname='smtp.gmail.com', port=587, tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_SMTP ) server_info = server_test.perform() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) assert len(plugin_result.received_certificate_chain) >= 1 assert plugin_result.as_text() assert plugin_result.as_xml()
def test_unicode_certificate(self): server_info = ServerConnectivityInfo(hostname='เพย์สบาย.th') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertGreaterEqual(len(plugin_result.certificate_chain), 1) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_chain_with_anchor(self): server_info = ServerConnectivityInfo(hostname='www.verizon.com') server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertTrue(plugin_result.has_anchor_in_certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_only_trusted_by_custom_ca_file(self): server_test = ServerConnectivityTester(hostname='self-signed.badssl.com') server_info = server_test.perform() plugin = CertificateInfoPlugin() ca_file_path = os.path.join(os.path.dirname(__file__), '..', 'utils', 'self-signed.badssl.com.pem') plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand(ca_file=ca_file_path)) self.assertEqual(plugin_result.successful_trust_store.name, 'Custom --ca_file') self.assertTrue(plugin_result.verified_certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_starttls(self): for hostname, protocol in [ ('imap.comcast.net', TlsWrappedProtocolEnum.STARTTLS_IMAP), ('pop.comcast.net', TlsWrappedProtocolEnum.STARTTLS_POP3), ('ldap.uchicago.edu', TlsWrappedProtocolEnum.STARTTLS_LDAP), ('jabber.org', TlsWrappedProtocolEnum.STARTTLS_XMPP_SERVER), # Some Heroku Postgres instance I created ('ec2-54-75-226-17.eu-west-1.compute.amazonaws.com', TlsWrappedProtocolEnum.STARTTLS_POSTGRES) ]: server_info = ServerConnectivityInfo(hostname=hostname, tls_wrapped_protocol=protocol) server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_valid_chain_with_ocsp_stapling_and_must_staple(self): server_test = ServerConnectivityTester(hostname='www.scotthelme.co.uk') server_info = server_test.perform() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) self.assertTrue(plugin_result.ocsp_response) self.assertEqual(plugin_result.ocsp_response_status, OcspResponseStatusEnum.SUCCESSFUL) self.assertTrue(plugin_result.is_ocsp_response_trusted) self.assertTrue(plugin_result.certificate_has_must_staple_extension) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_starttls(self): for hostname, protocol in [(u'imap.comcast.net', TlsWrappedProtocolEnum.STARTTLS_IMAP), (u'pop.comcast.net', TlsWrappedProtocolEnum.STARTTLS_POP3), (u'ldap.virginia.edu', TlsWrappedProtocolEnum.STARTTLS_LDAP), (u'jabber.org', TlsWrappedProtocolEnum.STARTTLS_XMPP_SERVER), # Some Heroku Postgres instance I created ('ec2-54-235-80-86.compute-1.amazonaws.com', TlsWrappedProtocolEnum.STARTTLS_POSTGRES)]: server_info = ServerConnectivityInfo(hostname=hostname, tls_wrapped_protocol=protocol) server_info.test_connectivity_to_server() plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, 'certinfo_basic') self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_succeeds_when_client_auth_failed(self): # Given a server that requires client authentication with ModernOpenSslServer(client_auth_config=ClientAuthConfigEnum.REQUIRED) as server: # And the client does NOT provide a client certificate server_test = ServerConnectivityTester( hostname=server.hostname, ip_address=server.ip_address, port=server.port ) server_info = server_test.perform() # CertificateInfoPlugin works even when a client cert was not supplied plugin = CertificateInfoPlugin() plugin_result = plugin.process_task(server_info, CertificateInfoScanCommand()) assert plugin_result.received_certificate_chain assert plugin_result.as_text() assert plugin_result.as_xml()