ruby-sslyze 0.2.1 → 1.0.0

data/spec/x509/domain_spec.rb

@@ -0,0 +1,125 @@
+require 'spec_helper'
+require 'sslyze/x509/domain'
+
+describe SSLyze::X509::Domain do
+  let(:domain_name)   { 'example.com'      }
+  let(:wildcard_name) { "*.#{domain_name}" }
+
+  subject { described_class.new(domain_name) }
+
+  describe "#initialize" do
+    context "when given a fully qualified domain name" do
+      subject { described_class.new(domain_name) }
+
+      it "should set #name" do
+        expect(subject.name).to be == domain_name
+      end
+
+      it "should not set #suffix" do
+        expect(subject.suffix).to be nil
+      end
+
+      it "should not set #domain to #name" do
+        expect(subject.domain).to be == domain_name
+      end
+    end
+
+    context "when given a wildcard domain name" do
+      subject { described_class.new(wildcard_name) }
+
+      it "should set #name" do
+        expect(subject.name).to be == wildcard_name
+      end
+
+      it "should set #suffix" do
+        expect(subject.suffix).to be == ".#{domain_name}"
+      end
+
+      it "should set #domain" do
+        expect(subject.domain).to be == domain_name
+      end
+    end
+  end
+
+  describe "#==" do
+    context "when given another #{described_class}" do
+      subject { described_class.new(domain_name) }
+
+      context "and it matches the domain name" do
+        let(:other) { described_class.new(domain_name) }
+
+        it { expect(subject == other).to be true }
+      end
+
+      context "but it doesn't match" do
+        let(:other) { described_class.new('foo.com') }
+
+        it { expect(subject == other).to be false }
+      end
+    end
+
+    context "when given a non-#{described_class}" do
+      let(:other) { Object.new }
+
+      subject { described_class.new(domain_name) }
+
+      it "should return false" do
+        expect(subject == other).to be false
+      end
+    end
+  end
+
+  describe "#include?" do
+    context "when given another #{described_class}" do
+      context "when the other domain name is fully qualified" do
+        subject { described_class.new(domain_name) }
+
+        context "and it matches the domain name" do
+          it { expect(subject.include?(domain_name)).to be true }
+        end
+
+        context "but it doesn't match" do
+          it { expect(subject.include?('foo.com')).to be false }
+        end
+      end
+
+      context "when the other domain name is a wildcard" do
+        subject { described_class.new(wildcard_name) }
+
+        context "and it matches the wildcard domain name" do
+          it { expect(subject.include?(wildcard_name)).to be true }
+        end
+
+        context "and shares the same domain name" do
+          it { expect(subject.include?(domain_name)).to be true }
+        end
+
+        context "and it is a subdomain of the wildcard domain name" do
+          it { expect(subject.include?("foo.#{domain_name}")).to be true }
+        end
+
+        context "but it doesn't match" do
+          it { expect(subject.include?("foo.com")).to be false }
+        end
+      end
+    end
+  end
+
+  describe "#to_s" do
+    it "should return the #name" do
+      expect(subject.to_s).to be subject.name
+    end
+  end
+
+  describe "#to_str" do
+    it "should return the #name" do
+      expect(subject.to_str).to be subject.name
+    end
+  end
+
+  describe "#inspect" do
+    it "should include the class name and #name" do
+      expect(subject.inspect).to be == "#<#{described_class}: #{subject.name}>"
+    end
+  end
+end

data/spec/x509/extension_set_spec.rb

@@ -0,0 +1,208 @@
+require 'spec_helper'
+require 'openssl'
+
+require 'sslyze/x509/extension_set'
+
+describe SSLyze::X509::ExtensionSet do
+  let(:authority_key_identifier) do
+    OpenSSL::X509::Extension.new("authorityKeyIdentifier", "keyid:3D:D3:50:A5:D6:A0:AD:EE:F3:4A:60:0A:65:D3:21:D4:F8:F8:D6:0F\n")
+  end
+  let(:subject_key_identifier) do
+    OpenSSL::X509::Extension.new("subjectKeyIdentifier", "9F:62:7B:B2:88:0E:EE:1B:79:E0:69:24:E5:BA:3F:47:A6:0B:02:F0")
+  end
+  let(:subject_alt_name) do
+    OpenSSL::X509::Extension.new("subjectAltName", "DNS:twitter.com, DNS:www.twitter.com")
+  end
+  let(:key_usage) do
+    OpenSSL::X509::Extension.new("keyUsage", "Digital Signature, Key Encipherment", true)
+  end
+  let(:extended_key_usage) do
+    OpenSSL::X509::Extension.new("extendedKeyUsage", "TLS Web Server Authentication, TLS Web Client Authentication")
+  end
+  let(:crl_distribution_points) do
+    OpenSSL::X509::Extension.new("crlDistributionPoints", "\nFull Name:\n  URI:http://crl3.digicert.com/sha2-ev-server-g1.crl\n\nFull Name:\n  URI:http://crl4.digicert.com/sha2-ev-server-g1.crl\n")
+  end
+  let(:certificate_policies) do
+    OpenSSL::X509::Extension.new("certificatePolicies", "Policy: 2.16.840.1.114412.2.1\n  CPS: https://www.digicert.com/CPS\nPolicy: 2.23.140.1.1\n")
+  end
+  let(:authority_info_access) do
+    OpenSSL::X509::Extension.new("authorityInfoAccess", "OCSP - URI:http://ocsp.digicert.com\nCA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt\n")
+  end
+  let(:basic_constraints) do
+    OpenSSL::X509::Extension.new("basicConstraints", "CA:FALSE", true)
+  end
+
+  let(:openssl_x509_extensions) do
+    [
+      authority_key_identifier,
+      subject_key_identifier,
+      subject_alt_name,
+      key_usage,
+      extended_key_usage,
+      crl_distribution_points,
+      certificate_policies,
+      authority_info_access,
+      basic_constraints
+    ]
+  end
+
+  subject { described_class.new(openssl_x509_extensions) }
+
+  describe "#each" do
+    context "when given a block" do
+      it "must iterate over each wrapped Extension" do
+        expect { |b|
+          subject.each(&b)
+        }.to yield_successive_args(*openssl_x509_extensions)
+      end
+    end
+
+    context "when no block is given" do
+      it "should return an Enumerator object" do
+        expect(subject.each).to be_kind_of(Enumerator)
+      end
+    end
+  end
+
+  describe "#has?" do
+    context "when the given key matches an extension's OID" do
+      let(:key) { 'subjectAltName' }
+
+      it { expect(subject.has?(key)).to be true }
+    end
+
+    context "when the given key matches no extension's OID" do
+      it { expect(subject.has?("foo")).to be false }
+    end
+  end
+
+  describe "#[]" do
+    context "when the given key matches an extension's OID" do
+      let(:key) { 'subjectAltName' }
+
+      it "must return that extension" do
+        expect(subject[key].oid).to be == key
+      end
+    end
+
+    context "when the given key matches no extension's OID" do
+      it "must return nil" do
+        expect(subject["foo"]).to be nil
+      end
+    end
+  end
+
+  describe "#to_a" do
+    it "should return the Array of extensions" do
+      expect(subject.to_a).to be == openssl_x509_extensions
+    end
+  end
+
+  describe "#basic_constraints" do
+    context "when there is a 'basiConstraints' extension" do
+      it do
+        expect(subject.basic_constraints).to be_kind_of(SSLyze::X509::Extensions::BasicConstraints)
+      end
+
+      it "should find the extensions with the 'basicConstraints' OID" do
+        expect(subject.basic_constraints.oid).to be == 'basicConstraints'
+      end
+    end
+
+    context "when there is no 'basicConstraints' extension" do
+      let(:openssl_x509_extensions) { super() - [basic_constraints] }
+
+      it { expect(subject.basic_constraints).to be nil }
+    end
+  end
+
+  describe "#certificate_policies" do
+    context "when there is a 'certificatePolicies' extension" do
+      it do
+        expect(subject.certificate_policies).to be_kind_of(SSLyze::X509::Extensions::CertificatePolicies)
+      end
+
+      it "should find the extensions with the 'certificatePolicies' OID" do
+        expect(subject.certificate_policies.oid).to be == 'certificatePolicies'
+      end
+    end
+
+    context "when there is no 'certificatePolicies' extension" do
+      let(:openssl_x509_extensions) { super() - [certificate_policies] }
+
+      it { expect(subject.certificate_policies).to be nil }
+    end
+  end
+
+  describe "#crl_distribution_points" do
+    context "when there is a 'crlDistributionPoints' extension" do
+      it do
+        expect(subject.crl_distribution_points).to be_kind_of(SSLyze::X509::Extensions::CRLDistributionPoints)
+      end
+
+      it "should find the extensions with the 'crlDistributionPoints' OID" do
+        expect(subject.crl_distribution_points.oid).to be == 'crlDistributionPoints'
+      end
+    end
+
+    context "when there is no 'crlDistributionPoints' extension" do
+      let(:openssl_x509_extensions) { super() - [crl_distribution_points] }
+
+      it { expect(subject.crl_distribution_points).to be nil }
+    end
+  end
+
+  describe "#extended_key_usage" do
+    context "when there is a 'extendedKeyUsage' extension" do
+      it do
+        expect(subject.extended_key_usage).to be_kind_of(SSLyze::X509::Extensions::ExtendedKeyUsage)
+      end
+
+      it "should find the extensions with the 'extendedKeyUsage' OID" do
+        expect(subject.extended_key_usage.oid).to be == 'extendedKeyUsage'
+      end
+    end
+
+    context "when there is no 'extendedKeyUsage' extension" do
+      let(:openssl_x509_extensions) { super() - [extended_key_usage] }
+
+      it { expect(subject.extended_key_usage).to be nil }
+    end
+  end
+
+  describe "#key_usage" do
+    context "when there is a 'keyUsage' extension" do
+      it do
+        expect(subject.key_usage).to be_kind_of(SSLyze::X509::Extensions::KeyUsage)
+      end
+
+      it "should find the extensions with the 'keyUsage' OID" do
+        expect(subject.key_usage.oid).to be == 'keyUsage'
+      end
+    end
+
+    context "when there is no 'keyUsage' extension" do
+      let(:openssl_x509_extensions) { super() - [key_usage] }
+
+      it { expect(subject.key_usage).to be nil }
+    end
+  end
+
+  describe "#subject_alt_name" do
+    context "when there is a 'subjectAltName' extension" do
+      it do
+        expect(subject.subject_alt_name).to be_kind_of(SSLyze::X509::Extensions::SubjectAltName)
+      end
+
+      it "should find the extensions with the 'subjectAltName' OID" do
+        expect(subject.subject_alt_name.oid).to be == 'subjectAltName'
+      end
+    end
+
+    context "when there is no 'subjectAltName' extension" do
+      let(:openssl_x509_extensions) { super() - [subject_alt_name] }
+
+      it { expect(subject.subject_alt_name).to be nil }
+    end
+  end
+end

data/spec/x509/extension_spec.rb

@@ -0,0 +1,58 @@
+require 'spec_helper'
+require 'openssl'
+
+require 'sslyze/x509/extension'
+
+describe SSLyze::X509::Extension do
+  let(:oid) { 'basicConstraints' }
+  let(:value) { 'CA:FALSE' }
+  let(:critical) { true }
+
+  let(:openssl_x509_extension) do
+    OpenSSL::X509::Extension.new(oid,value,critical)
+  end
+
+  subject { described_class.new(openssl_x509_extension) }
+
+  describe "#critical?" do
+    it "should return the underlying #critical? value" do
+      expect(subject.critical?).to be == openssl_x509_extension.critical?
+    end
+  end
+
+  describe "#oid" do
+    it "should return the underlying #oid value" do
+      expect(subject.oid).to be == openssl_x509_extension.oid
+    end
+  end
+
+  describe "#value" do
+    it "should return the underlying #value value" do
+      expect(subject.value).to be == openssl_x509_extension.value
+    end
+  end
+
+  describe "#to_a" do
+    it "should return the underlying #to_a value" do
+      expect(subject.to_a).to be == openssl_x509_extension.to_a
+    end
+  end
+
+  describe "#to_der" do
+    it "should return the underlying #to_der value" do
+      expect(subject.to_der).to be == openssl_x509_extension.to_der
+    end
+  end
+
+  describe "#to_h" do
+    it "should return the underlying #to_h value" do
+      expect(subject.to_h).to be == openssl_x509_extension.to_h
+    end
+  end
+
+  describe "#to_s" do
+    it "should return the underlying #to_s value" do
+      expect(subject.to_s).to be == openssl_x509_extension.to_s
+    end
+  end
+end

data/spec/x509/extensions/basic_constraints_spec.rb

@@ -0,0 +1,41 @@
+require 'spec_helper'
+require 'openssl'
+
+require 'sslyze/x509/extensions/basic_constraints'
+
+describe SSLyze::X509::Extensions::BasicConstraints do
+  let(:ca)      { 'TRUE' }
+  let(:pathlen) { 1 }
+  let(:value)   { "CA:#{ca}, pathlen:#{pathlen}" }
+  let(:openssl_x509_extension) do
+    OpenSSL::X509::Extension.new('basicConstraints', value, true)
+  end
+
+  subject { described_class.new(openssl_x509_extension) }
+
+  describe "#ca?" do
+    context "when 'CA:TRUE' is present" do
+      let(:ca) { 'TRUE' }
+
+      it { expect(subject.ca?).to be true }
+    end
+
+    context "when 'CA:FALSE' is present" do
+      let(:ca) { 'FALSE' }
+
+      it { expect(subject.ca?).to be false }
+    end
+
+    context "when 'CA:' is omitted" do
+      let(:value) { 'pathlen:0' }
+
+      it { expect(subject.ca?).to be nil }
+    end
+  end
+
+  describe "#path_length" do
+    it "should parse the decimal following 'pathlen:'" do
+      expect(subject.path_length).to be == pathlen
+    end
+  end
+end

data/spec/x509/extensions/certificate_policies_spec.rb

@@ -0,0 +1,38 @@
+require 'spec_helper'
+require 'openssl'
+
+require 'sslyze/x509/extensions/certificate_policies'
+
+describe SSLyze::X509::Extensions::CertificatePolicies do
+  let(:policy) { 'X509v3 Any Policy' }
+  let(:cps)    { URI('https://www.digicert.com/CPS') }
+  let(:value)  { "Policy: #{policy}\n  CPS: #{cps}\n" }
+
+  let(:openssl_x509_extension) do
+    OpenSSL::X509::Extension.new('certificatePolicies', value)
+  end
+
+  subject { described_class.new(openssl_x509_extension) }
+
+  describe "#policies" do
+    it "must yield #{described_class::Policy} objects" do
+      expect(subject.policies).to all(be_kind_of(described_class::Policy))
+    end
+
+    it "should capture the text following 'Policy: '" do
+      expect(subject.policies.first.policy).to be == policy
+    end
+
+    it "should capture the URI following '  CPS: '" do
+      expect(subject.policies.first.cps).to be == cps
+    end
+  end
+
+  describe "#each" do
+    it "should yield #{described_class::Policy} objects" do
+      expect { |b|
+        subject.each(&b)
+      }.to yield_successive_args(*Array.new(subject.length,described_class::Policy))
+    end
+  end
+end