RubyGems - ruby-sslyze - Versions diffs - 0.2.1 → 1.0.0 - Mend

ruby-sslyze 0.2.1 → 1.0.0

Files changed (146) hide show

checksums.yaml +4 -4
data/.gitignore +6 -4
data/.travis.yml +15 -7
data/ChangeLog.md +29 -12
data/Gemfile +3 -2
data/LICENSE.txt +1 -1
data/README.md +5 -5
data/Rakefile +1 -1
data/lib/sslyze/cipher_suites.rb +176 -0
data/lib/sslyze/program.rb +8 -8
data/lib/sslyze/task.rb +40 -33
data/lib/sslyze/version.rb +1 -1
data/lib/sslyze/{certificate/domain_name.rb → x509/domain.rb} +5 -3
data/lib/sslyze/x509/extension.rb +15 -0
data/lib/sslyze/x509/extension_set.rb +140 -0
data/lib/sslyze/x509/extensions.rb +6 -0
data/lib/sslyze/x509/extensions/basic_constraints.rb +41 -0
data/lib/sslyze/x509/extensions/certificate_policies.rb +108 -0
data/lib/sslyze/x509/extensions/crl_distribution_points.rb +47 -0
data/lib/sslyze/x509/extensions/extended_key_usage.rb +58 -0
data/lib/sslyze/x509/extensions/key_usage.rb +66 -0
data/lib/sslyze/x509/extensions/subject_alt_name.rb +144 -0
data/lib/sslyze/x509/name.rb +194 -0
data/lib/sslyze/x509/public_key.rb +53 -0
data/lib/sslyze/xml.rb +26 -37
data/lib/sslyze/xml/attributes.rb +5 -0
data/lib/sslyze/xml/attributes/error.rb +30 -0
data/lib/sslyze/xml/attributes/exception.rb +30 -0
data/lib/sslyze/xml/attributes/is_supported.rb +29 -0
data/lib/sslyze/xml/attributes/is_vulnerable.rb +29 -0
data/lib/sslyze/xml/attributes/title.rb +31 -0
data/lib/sslyze/xml/certinfo.rb +67 -0
data/lib/sslyze/xml/certinfo/certificate.rb +202 -0
data/lib/sslyze/xml/certinfo/certificate_validation.rb +69 -0
data/lib/sslyze/xml/certinfo/certificate_validation/hostname_validation.rb +54 -0
data/lib/sslyze/xml/certinfo/certificate_validation/path_validation.rb +84 -0
data/lib/sslyze/xml/certinfo/certificate_validation/verified_certificate_chain.rb +41 -0
data/lib/sslyze/xml/certinfo/has_certificates.rb +102 -0
data/lib/sslyze/xml/certinfo/ocsp_stapling.rb +45 -0
data/lib/sslyze/xml/certinfo/ocsp_stapling/ocsp_response.rb +87 -0
data/lib/sslyze/xml/certinfo/received_certificate_chain.rb +48 -0
data/lib/sslyze/xml/compression.rb +33 -0
data/lib/sslyze/xml/compression/compression_method.rb +38 -0
data/lib/sslyze/xml/fallback.rb +34 -0
data/lib/sslyze/xml/fallback/tls_fallback_scsv.rb +27 -0
data/lib/sslyze/xml/heartbleed.rb +38 -0
data/lib/sslyze/xml/heartbleed/openssl_heartbleed.rb +29 -0
data/lib/sslyze/xml/http_headers.rb +42 -0
data/lib/sslyze/xml/http_headers/http_public_key_pinning.rb +121 -0
data/lib/sslyze/xml/http_headers/http_strict_transport_security.rb +59 -0
data/lib/sslyze/xml/invalid_target.rb +33 -0
data/lib/sslyze/xml/openssl_ccs.rb +34 -0
data/lib/sslyze/xml/openssl_ccs/openssl_ccs_injection.rb +26 -0
data/lib/sslyze/xml/plugin.rb +27 -0
data/lib/sslyze/xml/protocol.rb +143 -0
data/lib/sslyze/xml/protocol/cipher_suite.rb +93 -0
data/lib/sslyze/xml/protocol/cipher_suite/key_exchange.rb +127 -0
data/lib/sslyze/xml/reneg.rb +28 -0
data/lib/sslyze/xml/reneg/session_renegotiation.rb +51 -0
data/lib/sslyze/xml/resum.rb +42 -0
data/lib/sslyze/xml/resum/session_resumption_with_session_ids.rb +94 -0
data/lib/sslyze/xml/resum/session_resumption_with_tls_tickets.rb +69 -0
data/lib/sslyze/xml/resum_rate.rb +30 -0
data/lib/sslyze/xml/target.rb +371 -0
data/lib/sslyze/xml/types.rb +19 -0
data/ruby-sslyze.gemspec +3 -3
data/spec/spec_helper.rb +2 -4
data/spec/sslyze.xml +2356 -2580
data/spec/x509/domain_spec.rb +125 -0
data/spec/x509/extension_set_spec.rb +208 -0
data/spec/x509/extension_spec.rb +58 -0
data/spec/x509/extensions/basic_constraints_spec.rb +41 -0
data/spec/x509/extensions/certificate_policies_spec.rb +38 -0
data/spec/x509/extensions/crl_distribution_points_spec.rb +38 -0
data/spec/x509/extensions/extended_key_usage_spec.rb +58 -0
data/spec/x509/extensions/key_usage_spec.rb +84 -0
data/spec/x509/extensions/subject_alt_name_spec.rb +146 -0
data/spec/x509/name_spec.rb +85 -0
data/spec/x509/public_key_spec.rb +113 -0
data/spec/xml/certinfo/certificate_spec.rb +166 -0
data/spec/xml/certinfo/certificate_validation/hostname_validation_spec.rb +23 -0
data/spec/xml/certinfo/certificate_validation/path_validation_spec.rb +107 -0
data/spec/xml/certinfo/certificate_validation/verified_certificate_chain_spec.rb +163 -0
data/spec/xml/certinfo/certificate_validation_spec.rb +40 -0
data/spec/xml/certinfo/ocsp_stapling/ocsp_response_spec.rb +61 -0
data/spec/xml/certinfo/ocsp_stapling_spec.rb +31 -0
data/spec/xml/certinfo/received_certificate_chain_spec.rb +165 -0
data/spec/xml/certinfo_spec.rb +45 -0
data/spec/xml/compression/compression_method_spec.rb +23 -0
data/spec/xml/compression_spec.rb +23 -0
data/spec/xml/heartbleed/openssl_heartbleed_spec.rb +17 -0
data/spec/xml/heartbleed_spec.rb +37 -0
data/spec/xml/http_headers/http_public_key_pinning_spec.rb +73 -0
data/spec/xml/http_headers/http_strict_transport_security_spec.rb +107 -0
data/spec/xml/http_headers_spec.rb +63 -0
data/spec/xml/invalid_target_spec.rb +23 -0
data/spec/xml/plugin_examples.rb +14 -0
data/spec/{key_exchange_spec.rb → xml/protocol/cipher_suite/key_exchange_spec.rb} +9 -3
data/spec/xml/protocol/cipher_suite_spec.rb +66 -0
data/spec/xml/protocol_spec.rb +115 -0
data/spec/xml/reneg/session_renegotiation_spec.rb +23 -0
data/spec/xml/reneg_spec.rb +35 -0
data/spec/xml/resum/session_resumption_with_session_ids_spec.rb +103 -0
data/spec/xml/resum/session_resumption_with_tls_tickets_spec.rb +121 -0
data/spec/xml/resum_rate_spec.rb +30 -0
data/spec/xml/resum_spec.rb +47 -0
data/spec/{target_spec.rb → xml/target_spec.rb} +73 -27
data/spec/xml_spec.rb +13 -21
metadata +138 -61
data/lib/sslyze/cert_info.rb +0 -57
data/lib/sslyze/certificate.rb +0 -139
data/lib/sslyze/certificate/extensions.rb +0 -127
data/lib/sslyze/certificate/extensions/authority_information_access.rb +0 -38
data/lib/sslyze/certificate/extensions/extension.rb +0 -26
data/lib/sslyze/certificate/extensions/x509v3_basic_constraints.rb +0 -60
data/lib/sslyze/certificate/extensions/x509v3_certificate_policies.rb +0 -50
data/lib/sslyze/certificate/extensions/x509v3_crl_distribution_points.rb +0 -32
data/lib/sslyze/certificate/extensions/x509v3_extended_key_usage.rb +0 -32
data/lib/sslyze/certificate/extensions/x509v3_key_usage.rb +0 -50
data/lib/sslyze/certificate/extensions/x509v3_subject_alternative_name.rb +0 -71
data/lib/sslyze/certificate/issuer.rb +0 -56
data/lib/sslyze/certificate/public_key.rb +0 -9
data/lib/sslyze/certificate/subject.rb +0 -117
data/lib/sslyze/certificate/subject_public_key_info.rb +0 -53
data/lib/sslyze/certificate/validity.rb +0 -9
data/lib/sslyze/certificate_chain.rb +0 -89
data/lib/sslyze/certificate_validation.rb +0 -70
data/lib/sslyze/cipher_suite.rb +0 -237
data/lib/sslyze/invalid_target.rb +0 -35
data/lib/sslyze/key_exchange.rb +0 -106
data/lib/sslyze/ocsp_response.rb +0 -87
data/lib/sslyze/protocol.rb +0 -133
data/lib/sslyze/target.rb +0 -312
data/lib/sslyze/types.rb +0 -17
data/spec/cert_info_spec.rb +0 -29
data/spec/certificate/subject_name_spec.rb +0 -72
data/spec/certificate_chain_spec.rb +0 -61
data/spec/certificate_spec.rb +0 -330
data/spec/certificate_validation_spec.rb +0 -39
data/spec/cipher_suite_spec.rb +0 -50
data/spec/invalid_target_spec.rb +0 -21
data/spec/issuer_spec.rb +0 -33
data/spec/ocsp_response_spec.rb +0 -59
data/spec/protocol_spec.rb +0 -99
data/spec/subject_public_key_info_spec.rb +0 -35
data/spec/subject_spec.rb +0 -69

@@ -0,0 +1,125 @@
+require 'spec_helper'
+require 'sslyze/x509/domain'
+describe SSLyze::X509::Domain do
+  let(:domain_name)   { 'example.com'      }
+  let(:wildcard_name) { "*.#{domain_name}" }
+  subject { described_class.new(domain_name) }
+  describe "#initialize" do
+    context "when given a fully qualified domain name" do
+      subject { described_class.new(domain_name) }
+      it "should set #name" do
+        expect(subject.name).to be == domain_name
+      end
+      it "should not set #suffix" do
+        expect(subject.suffix).to be nil
+      end
+      it "should not set #domain to #name" do
+        expect(subject.domain).to be == domain_name
+      end
+    end
+    context "when given a wildcard domain name" do
+      subject { described_class.new(wildcard_name) }
+      it "should set #name" do
+        expect(subject.name).to be == wildcard_name
+      end
+      it "should set #suffix" do
+        expect(subject.suffix).to be == ".#{domain_name}"
+      end
+      it "should set #domain" do
+        expect(subject.domain).to be == domain_name
+      end
+    end
+  end
+  describe "#==" do
+    context "when given another #{described_class}" do
+      subject { described_class.new(domain_name) }
+      context "and it matches the domain name" do
+        let(:other) { described_class.new(domain_name) }
+        it { expect(subject == other).to be true }
+      end
+      context "but it doesn't match" do
+        let(:other) { described_class.new('foo.com') }
+        it { expect(subject == other).to be false }
+      end
+    end
+    context "when given a non-#{described_class}" do
+      let(:other) { Object.new }
+      subject { described_class.new(domain_name) }
+      it "should return false" do
+        expect(subject == other).to be false
+      end
+    end
+  end
+  describe "#include?" do
+    context "when given another #{described_class}" do
+      context "when the other domain name is fully qualified" do
+        subject { described_class.new(domain_name) }
+        context "and it matches the domain name" do
+          it { expect(subject.include?(domain_name)).to be true }
+        end
+        context "but it doesn't match" do
+          it { expect(subject.include?('foo.com')).to be false }
+        end
+      end
+      context "when the other domain name is a wildcard" do
+        subject { described_class.new(wildcard_name) }
+        context "and it matches the wildcard domain name" do
+          it { expect(subject.include?(wildcard_name)).to be true }
+        end
+        context "and shares the same domain name" do
+          it { expect(subject.include?(domain_name)).to be true }
+        end
+        context "and it is a subdomain of the wildcard domain name" do
+          it { expect(subject.include?("foo.#{domain_name}")).to be true }
+        end
+        context "but it doesn't match" do
+          it { expect(subject.include?("foo.com")).to be false }
+        end
+      end
+    end
+  end
+  describe "#to_s" do
+    it "should return the #name" do
+      expect(subject.to_s).to be subject.name
+    end
+  end
+  describe "#to_str" do
+    it "should return the #name" do
+      expect(subject.to_str).to be subject.name
+    end
+  end
+  describe "#inspect" do
+    it "should include the class name and #name" do
+      expect(subject.inspect).to be == "#<#{described_class}: #{subject.name}>"
+    end
+  end
+end

data/spec/x509/extension_set_spec.rb ADDED

@@ -0,0 +1,208 @@
+require 'spec_helper'
+require 'openssl'
+require 'sslyze/x509/extension_set'
+describe SSLyze::X509::ExtensionSet do
+  let(:authority_key_identifier) do
+    OpenSSL::X509::Extension.new("authorityKeyIdentifier", "keyid:3D:D3:50:A5:D6:A0:AD:EE:F3:4A:60:0A:65:D3:21:D4:F8:F8:D6:0F\n")
+  end
+  let(:subject_key_identifier) do
+    OpenSSL::X509::Extension.new("subjectKeyIdentifier", "9F:62:7B:B2:88:0E:EE:1B:79:E0:69:24:E5:BA:3F:47:A6:0B:02:F0")
+  end
+  let(:subject_alt_name) do
+    OpenSSL::X509::Extension.new("subjectAltName", "DNS:twitter.com, DNS:www.twitter.com")
+  end
+  let(:key_usage) do
+    OpenSSL::X509::Extension.new("keyUsage", "Digital Signature, Key Encipherment", true)
+  end
+  let(:extended_key_usage) do
+    OpenSSL::X509::Extension.new("extendedKeyUsage", "TLS Web Server Authentication, TLS Web Client Authentication")
+  end
+  let(:crl_distribution_points) do
+    OpenSSL::X509::Extension.new("crlDistributionPoints", "\nFull Name:\n  URI:http://crl3.digicert.com/sha2-ev-server-g1.crl\n\nFull Name:\n  URI:http://crl4.digicert.com/sha2-ev-server-g1.crl\n")
+  end
+  let(:certificate_policies) do
+    OpenSSL::X509::Extension.new("certificatePolicies", "Policy: 2.16.840.1.114412.2.1\n  CPS: https://www.digicert.com/CPS\nPolicy: 2.23.140.1.1\n")
+  end
+  let(:authority_info_access) do
+    OpenSSL::X509::Extension.new("authorityInfoAccess", "OCSP - URI:http://ocsp.digicert.com\nCA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt\n")
+  end
+  let(:basic_constraints) do
+    OpenSSL::X509::Extension.new("basicConstraints", "CA:FALSE", true)
+  end
+  let(:openssl_x509_extensions) do
+    [
+      authority_key_identifier,
+      subject_key_identifier,
+      subject_alt_name,
+      key_usage,
+      extended_key_usage,
+      crl_distribution_points,
+      certificate_policies,
+      authority_info_access,
+      basic_constraints
+    ]
+  end
+  subject { described_class.new(openssl_x509_extensions) }
+  describe "#each" do
+    context "when given a block" do
+      it "must iterate over each wrapped Extension" do
+        expect { |b|
+          subject.each(&b)
+        }.to yield_successive_args(*openssl_x509_extensions)
+      end
+    end
+    context "when no block is given" do
+      it "should return an Enumerator object" do
+        expect(subject.each).to be_kind_of(Enumerator)
+      end
+    end
+  end
+  describe "#has?" do
+    context "when the given key matches an extension's OID" do
+      let(:key) { 'subjectAltName' }
+      it { expect(subject.has?(key)).to be true }
+    end
+    context "when the given key matches no extension's OID" do
+      it { expect(subject.has?("foo")).to be false }
+    end
+  end
+  describe "#[]" do
+    context "when the given key matches an extension's OID" do
+      let(:key) { 'subjectAltName' }
+      it "must return that extension" do
+        expect(subject[key].oid).to be == key
+      end
+    end
+    context "when the given key matches no extension's OID" do
+      it "must return nil" do
+        expect(subject["foo"]).to be nil
+      end
+    end
+  end
+  describe "#to_a" do
+    it "should return the Array of extensions" do
+      expect(subject.to_a).to be == openssl_x509_extensions
+    end
+  end
+  describe "#basic_constraints" do
+    context "when there is a 'basiConstraints' extension" do
+      it do
+        expect(subject.basic_constraints).to be_kind_of(SSLyze::X509::Extensions::BasicConstraints)
+      end
+      it "should find the extensions with the 'basicConstraints' OID" do
+        expect(subject.basic_constraints.oid).to be == 'basicConstraints'
+      end
+    end
+    context "when there is no 'basicConstraints' extension" do
+      let(:openssl_x509_extensions) { super() - [basic_constraints] }
+      it { expect(subject.basic_constraints).to be nil }
+    end
+  end
+  describe "#certificate_policies" do
+    context "when there is a 'certificatePolicies' extension" do
+      it do
+        expect(subject.certificate_policies).to be_kind_of(SSLyze::X509::Extensions::CertificatePolicies)
+      end
+      it "should find the extensions with the 'certificatePolicies' OID" do
+        expect(subject.certificate_policies.oid).to be == 'certificatePolicies'
+      end
+    end
+    context "when there is no 'certificatePolicies' extension" do
+      let(:openssl_x509_extensions) { super() - [certificate_policies] }
+      it { expect(subject.certificate_policies).to be nil }
+    end
+  end
+  describe "#crl_distribution_points" do
+    context "when there is a 'crlDistributionPoints' extension" do
+      it do
+        expect(subject.crl_distribution_points).to be_kind_of(SSLyze::X509::Extensions::CRLDistributionPoints)
+      end
+      it "should find the extensions with the 'crlDistributionPoints' OID" do
+        expect(subject.crl_distribution_points.oid).to be == 'crlDistributionPoints'
+      end
+    end
+    context "when there is no 'crlDistributionPoints' extension" do
+      let(:openssl_x509_extensions) { super() - [crl_distribution_points] }
+      it { expect(subject.crl_distribution_points).to be nil }
+    end
+  end
+  describe "#extended_key_usage" do
+    context "when there is a 'extendedKeyUsage' extension" do
+      it do
+        expect(subject.extended_key_usage).to be_kind_of(SSLyze::X509::Extensions::ExtendedKeyUsage)
+      end
+      it "should find the extensions with the 'extendedKeyUsage' OID" do
+        expect(subject.extended_key_usage.oid).to be == 'extendedKeyUsage'
+      end
+    end
+    context "when there is no 'extendedKeyUsage' extension" do
+      let(:openssl_x509_extensions) { super() - [extended_key_usage] }
+      it { expect(subject.extended_key_usage).to be nil }
+    end
+  end
+  describe "#key_usage" do
+    context "when there is a 'keyUsage' extension" do
+      it do
+        expect(subject.key_usage).to be_kind_of(SSLyze::X509::Extensions::KeyUsage)
+      end
+      it "should find the extensions with the 'keyUsage' OID" do
+        expect(subject.key_usage.oid).to be == 'keyUsage'
+      end
+    end
+    context "when there is no 'keyUsage' extension" do
+      let(:openssl_x509_extensions) { super() - [key_usage] }
+      it { expect(subject.key_usage).to be nil }
+    end
+  end
+  describe "#subject_alt_name" do
+    context "when there is a 'subjectAltName' extension" do
+      it do
+        expect(subject.subject_alt_name).to be_kind_of(SSLyze::X509::Extensions::SubjectAltName)
+      end
+      it "should find the extensions with the 'subjectAltName' OID" do
+        expect(subject.subject_alt_name.oid).to be == 'subjectAltName'
+      end
+    end
+    context "when there is no 'subjectAltName' extension" do
+      let(:openssl_x509_extensions) { super() - [subject_alt_name] }
+      it { expect(subject.subject_alt_name).to be nil }
+    end
+  end
+end

data/spec/x509/extension_spec.rb ADDED

@@ -0,0 +1,58 @@
+require 'spec_helper'
+require 'openssl'
+require 'sslyze/x509/extension'
+describe SSLyze::X509::Extension do
+  let(:oid) { 'basicConstraints' }
+  let(:value) { 'CA:FALSE' }
+  let(:critical) { true }
+  let(:openssl_x509_extension) do
+    OpenSSL::X509::Extension.new(oid,value,critical)
+  end
+  subject { described_class.new(openssl_x509_extension) }
+  describe "#critical?" do
+    it "should return the underlying #critical? value" do
+      expect(subject.critical?).to be == openssl_x509_extension.critical?
+    end
+  end
+  describe "#oid" do
+    it "should return the underlying #oid value" do
+      expect(subject.oid).to be == openssl_x509_extension.oid
+    end
+  end
+  describe "#value" do
+    it "should return the underlying #value value" do
+      expect(subject.value).to be == openssl_x509_extension.value
+    end
+  end
+  describe "#to_a" do
+    it "should return the underlying #to_a value" do
+      expect(subject.to_a).to be == openssl_x509_extension.to_a
+    end
+  end
+  describe "#to_der" do
+    it "should return the underlying #to_der value" do
+      expect(subject.to_der).to be == openssl_x509_extension.to_der
+    end
+  end
+  describe "#to_h" do
+    it "should return the underlying #to_h value" do
+      expect(subject.to_h).to be == openssl_x509_extension.to_h
+    end
+  end
+  describe "#to_s" do
+    it "should return the underlying #to_s value" do
+      expect(subject.to_s).to be == openssl_x509_extension.to_s
+    end
+  end
+end

data/spec/x509/extensions/basic_constraints_spec.rb ADDED

@@ -0,0 +1,41 @@
+require 'spec_helper'
+require 'openssl'
+require 'sslyze/x509/extensions/basic_constraints'
+describe SSLyze::X509::Extensions::BasicConstraints do
+  let(:ca)      { 'TRUE' }
+  let(:pathlen) { 1 }
+  let(:value)   { "CA:#{ca}, pathlen:#{pathlen}" }
+  let(:openssl_x509_extension) do
+    OpenSSL::X509::Extension.new('basicConstraints', value, true)
+  end
+  subject { described_class.new(openssl_x509_extension) }
+  describe "#ca?" do
+    context "when 'CA:TRUE' is present" do
+      let(:ca) { 'TRUE' }
+      it { expect(subject.ca?).to be true }
+    end
+    context "when 'CA:FALSE' is present" do
+      let(:ca) { 'FALSE' }
+      it { expect(subject.ca?).to be false }
+    end
+    context "when 'CA:' is omitted" do
+      let(:value) { 'pathlen:0' }
+      it { expect(subject.ca?).to be nil }
+    end
+  end
+  describe "#path_length" do
+    it "should parse the decimal following 'pathlen:'" do
+      expect(subject.path_length).to be == pathlen
+    end
+  end
+end

data/spec/x509/extensions/certificate_policies_spec.rb ADDED

@@ -0,0 +1,38 @@
+require 'spec_helper'
+require 'openssl'
+require 'sslyze/x509/extensions/certificate_policies'
+describe SSLyze::X509::Extensions::CertificatePolicies do
+  let(:policy) { 'X509v3 Any Policy' }
+  let(:cps)    { URI('https://www.digicert.com/CPS') }
+  let(:value)  { "Policy: #{policy}\n  CPS: #{cps}\n" }
+  let(:openssl_x509_extension) do
+    OpenSSL::X509::Extension.new('certificatePolicies', value)
+  end
+  subject { described_class.new(openssl_x509_extension) }
+  describe "#policies" do
+    it "must yield #{described_class::Policy} objects" do
+      expect(subject.policies).to all(be_kind_of(described_class::Policy))
+    end
+    it "should capture the text following 'Policy: '" do
+      expect(subject.policies.first.policy).to be == policy
+    end
+    it "should capture the URI following '  CPS: '" do
+      expect(subject.policies.first.cps).to be == cps
+    end
+  end
+  describe "#each" do
+    it "should yield #{described_class::Policy} objects" do
+      expect { |b|
+        subject.each(&b)
+      }.to yield_successive_args(*Array.new(subject.length,described_class::Policy))
+    end
+  end
+end