RubyGems - ruby-sslyze - Versions diffs - 0.2.1 → 1.0.0 - Mend

ruby-sslyze 0.2.1 → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (146) hide show

checksums.yaml +4 -4
data/.gitignore +6 -4
data/.travis.yml +15 -7
data/ChangeLog.md +29 -12
data/Gemfile +3 -2
data/LICENSE.txt +1 -1
data/README.md +5 -5
data/Rakefile +1 -1
data/lib/sslyze/cipher_suites.rb +176 -0
data/lib/sslyze/program.rb +8 -8
data/lib/sslyze/task.rb +40 -33
data/lib/sslyze/version.rb +1 -1
data/lib/sslyze/{certificate/domain_name.rb → x509/domain.rb} +5 -3
data/lib/sslyze/x509/extension.rb +15 -0
data/lib/sslyze/x509/extension_set.rb +140 -0
data/lib/sslyze/x509/extensions.rb +6 -0
data/lib/sslyze/x509/extensions/basic_constraints.rb +41 -0
data/lib/sslyze/x509/extensions/certificate_policies.rb +108 -0
data/lib/sslyze/x509/extensions/crl_distribution_points.rb +47 -0
data/lib/sslyze/x509/extensions/extended_key_usage.rb +58 -0
data/lib/sslyze/x509/extensions/key_usage.rb +66 -0
data/lib/sslyze/x509/extensions/subject_alt_name.rb +144 -0
data/lib/sslyze/x509/name.rb +194 -0
data/lib/sslyze/x509/public_key.rb +53 -0
data/lib/sslyze/xml.rb +26 -37
data/lib/sslyze/xml/attributes.rb +5 -0
data/lib/sslyze/xml/attributes/error.rb +30 -0
data/lib/sslyze/xml/attributes/exception.rb +30 -0
data/lib/sslyze/xml/attributes/is_supported.rb +29 -0
data/lib/sslyze/xml/attributes/is_vulnerable.rb +29 -0
data/lib/sslyze/xml/attributes/title.rb +31 -0
data/lib/sslyze/xml/certinfo.rb +67 -0
data/lib/sslyze/xml/certinfo/certificate.rb +202 -0
data/lib/sslyze/xml/certinfo/certificate_validation.rb +69 -0
data/lib/sslyze/xml/certinfo/certificate_validation/hostname_validation.rb +54 -0
data/lib/sslyze/xml/certinfo/certificate_validation/path_validation.rb +84 -0
data/lib/sslyze/xml/certinfo/certificate_validation/verified_certificate_chain.rb +41 -0
data/lib/sslyze/xml/certinfo/has_certificates.rb +102 -0
data/lib/sslyze/xml/certinfo/ocsp_stapling.rb +45 -0
data/lib/sslyze/xml/certinfo/ocsp_stapling/ocsp_response.rb +87 -0
data/lib/sslyze/xml/certinfo/received_certificate_chain.rb +48 -0
data/lib/sslyze/xml/compression.rb +33 -0
data/lib/sslyze/xml/compression/compression_method.rb +38 -0
data/lib/sslyze/xml/fallback.rb +34 -0
data/lib/sslyze/xml/fallback/tls_fallback_scsv.rb +27 -0
data/lib/sslyze/xml/heartbleed.rb +38 -0
data/lib/sslyze/xml/heartbleed/openssl_heartbleed.rb +29 -0
data/lib/sslyze/xml/http_headers.rb +42 -0
data/lib/sslyze/xml/http_headers/http_public_key_pinning.rb +121 -0
data/lib/sslyze/xml/http_headers/http_strict_transport_security.rb +59 -0
data/lib/sslyze/xml/invalid_target.rb +33 -0
data/lib/sslyze/xml/openssl_ccs.rb +34 -0
data/lib/sslyze/xml/openssl_ccs/openssl_ccs_injection.rb +26 -0
data/lib/sslyze/xml/plugin.rb +27 -0
data/lib/sslyze/xml/protocol.rb +143 -0
data/lib/sslyze/xml/protocol/cipher_suite.rb +93 -0
data/lib/sslyze/xml/protocol/cipher_suite/key_exchange.rb +127 -0
data/lib/sslyze/xml/reneg.rb +28 -0
data/lib/sslyze/xml/reneg/session_renegotiation.rb +51 -0
data/lib/sslyze/xml/resum.rb +42 -0
data/lib/sslyze/xml/resum/session_resumption_with_session_ids.rb +94 -0
data/lib/sslyze/xml/resum/session_resumption_with_tls_tickets.rb +69 -0
data/lib/sslyze/xml/resum_rate.rb +30 -0
data/lib/sslyze/xml/target.rb +371 -0
data/lib/sslyze/xml/types.rb +19 -0
data/ruby-sslyze.gemspec +3 -3
data/spec/spec_helper.rb +2 -4
data/spec/sslyze.xml +2356 -2580
data/spec/x509/domain_spec.rb +125 -0
data/spec/x509/extension_set_spec.rb +208 -0
data/spec/x509/extension_spec.rb +58 -0
data/spec/x509/extensions/basic_constraints_spec.rb +41 -0
data/spec/x509/extensions/certificate_policies_spec.rb +38 -0
data/spec/x509/extensions/crl_distribution_points_spec.rb +38 -0
data/spec/x509/extensions/extended_key_usage_spec.rb +58 -0
data/spec/x509/extensions/key_usage_spec.rb +84 -0
data/spec/x509/extensions/subject_alt_name_spec.rb +146 -0
data/spec/x509/name_spec.rb +85 -0
data/spec/x509/public_key_spec.rb +113 -0
data/spec/xml/certinfo/certificate_spec.rb +166 -0
data/spec/xml/certinfo/certificate_validation/hostname_validation_spec.rb +23 -0
data/spec/xml/certinfo/certificate_validation/path_validation_spec.rb +107 -0
data/spec/xml/certinfo/certificate_validation/verified_certificate_chain_spec.rb +163 -0
data/spec/xml/certinfo/certificate_validation_spec.rb +40 -0
data/spec/xml/certinfo/ocsp_stapling/ocsp_response_spec.rb +61 -0
data/spec/xml/certinfo/ocsp_stapling_spec.rb +31 -0
data/spec/xml/certinfo/received_certificate_chain_spec.rb +165 -0
data/spec/xml/certinfo_spec.rb +45 -0
data/spec/xml/compression/compression_method_spec.rb +23 -0
data/spec/xml/compression_spec.rb +23 -0
data/spec/xml/heartbleed/openssl_heartbleed_spec.rb +17 -0
data/spec/xml/heartbleed_spec.rb +37 -0
data/spec/xml/http_headers/http_public_key_pinning_spec.rb +73 -0
data/spec/xml/http_headers/http_strict_transport_security_spec.rb +107 -0
data/spec/xml/http_headers_spec.rb +63 -0
data/spec/xml/invalid_target_spec.rb +23 -0
data/spec/xml/plugin_examples.rb +14 -0
data/spec/{key_exchange_spec.rb → xml/protocol/cipher_suite/key_exchange_spec.rb} +9 -3
data/spec/xml/protocol/cipher_suite_spec.rb +66 -0
data/spec/xml/protocol_spec.rb +115 -0
data/spec/xml/reneg/session_renegotiation_spec.rb +23 -0
data/spec/xml/reneg_spec.rb +35 -0
data/spec/xml/resum/session_resumption_with_session_ids_spec.rb +103 -0
data/spec/xml/resum/session_resumption_with_tls_tickets_spec.rb +121 -0
data/spec/xml/resum_rate_spec.rb +30 -0
data/spec/xml/resum_spec.rb +47 -0
data/spec/{target_spec.rb → xml/target_spec.rb} +73 -27
data/spec/xml_spec.rb +13 -21
metadata +138 -61
data/lib/sslyze/cert_info.rb +0 -57
data/lib/sslyze/certificate.rb +0 -139
data/lib/sslyze/certificate/extensions.rb +0 -127
data/lib/sslyze/certificate/extensions/authority_information_access.rb +0 -38
data/lib/sslyze/certificate/extensions/extension.rb +0 -26
data/lib/sslyze/certificate/extensions/x509v3_basic_constraints.rb +0 -60
data/lib/sslyze/certificate/extensions/x509v3_certificate_policies.rb +0 -50
data/lib/sslyze/certificate/extensions/x509v3_crl_distribution_points.rb +0 -32
data/lib/sslyze/certificate/extensions/x509v3_extended_key_usage.rb +0 -32
data/lib/sslyze/certificate/extensions/x509v3_key_usage.rb +0 -50
data/lib/sslyze/certificate/extensions/x509v3_subject_alternative_name.rb +0 -71
data/lib/sslyze/certificate/issuer.rb +0 -56
data/lib/sslyze/certificate/public_key.rb +0 -9
data/lib/sslyze/certificate/subject.rb +0 -117
data/lib/sslyze/certificate/subject_public_key_info.rb +0 -53
data/lib/sslyze/certificate/validity.rb +0 -9
data/lib/sslyze/certificate_chain.rb +0 -89
data/lib/sslyze/certificate_validation.rb +0 -70
data/lib/sslyze/cipher_suite.rb +0 -237
data/lib/sslyze/invalid_target.rb +0 -35
data/lib/sslyze/key_exchange.rb +0 -106
data/lib/sslyze/ocsp_response.rb +0 -87
data/lib/sslyze/protocol.rb +0 -133
data/lib/sslyze/target.rb +0 -312
data/lib/sslyze/types.rb +0 -17
data/spec/cert_info_spec.rb +0 -29
data/spec/certificate/subject_name_spec.rb +0 -72
data/spec/certificate_chain_spec.rb +0 -61
data/spec/certificate_spec.rb +0 -330
data/spec/certificate_validation_spec.rb +0 -39
data/spec/cipher_suite_spec.rb +0 -50
data/spec/invalid_target_spec.rb +0 -21
data/spec/issuer_spec.rb +0 -33
data/spec/ocsp_response_spec.rb +0 -59
data/spec/protocol_spec.rb +0 -99
data/spec/subject_public_key_info_spec.rb +0 -35
data/spec/subject_spec.rb +0 -69

data/spec/x509/extensions/crl_distribution_points_spec.rb ADDED

@@ -0,0 +1,38 @@
+require 'spec_helper'
+require 'openssl'
+require 'sslyze/x509/extensions/crl_distribution_points'
+describe SSLyze::X509::Extensions::CRLDistributionPoints do
+  let(:uri1) { URI('http://crl3.digicert.com/sha2-ha-server-g5.crl') }
+  let(:uri2) { URI('http://crl4.digicert.com/sha2-ha-server-g5.crl') }
+  let(:value) do
+    %{
+Full Name:
+  URI:#{uri1}
+Full Name:
+  URI:#{uri2}
+}
+  end
+  let(:openssl_x509_extension) do
+    OpenSSL::X509::Extension.new('crlDistributionPoints',value)
+  end
+  subject { described_class.new(openssl_x509_extension) }
+  describe "#uris" do
+    it "should parse each 'URI:' value" do
+      expect(subject.uris).to be == [uri1, uri2]
+    end
+  end
+  describe "#each" do
+    it "should yield each parsed 'URI:' value" do
+      expect { |b|
+        subject.each(&b)
+      }.to yield_successive_args(uri1, uri2)
+    end
+  end
+end

data/spec/x509/extensions/extended_key_usage_spec.rb ADDED

@@ -0,0 +1,58 @@
+require 'spec_helper'
+require 'openssl'
+require 'sslyze/x509/extensions/extended_key_usage'
+describe SSLyze::X509::Extensions::ExtendedKeyUsage do
+  let(:uses) do
+    [
+      'TLS Web Server Authentication',
+      'TLS Web Client Authentication'
+    ]
+  end
+  let(:value) { uses.join(', ') }
+  let(:openssl_x509_extension) do
+    OpenSSL::X509::Extension.new('extendedKeyUsage', value)
+  end
+  subject { described_class.new(openssl_x509_extension) }
+  describe "#uses" do
+    it "should parse the comma deliminated value" do
+      expect(subject.uses).to be == uses
+    end
+  end
+  describe "#each" do
+    it "should yield each parsed use" do
+      expect { |b|
+        subject.each(&b)
+      }.to yield_successive_args(*uses)
+    end
+  end
+  describe "#tls_web_server_authentication?" do
+    context "when 'TLS Web Server Authentication' is present" do
+      it { expect(subject.tls_web_server_authentication?).to be true }
+    end
+    context "when 'TLS Web Server Authentication' is not present" do
+      let(:uses) { super() - ['TLS Web Server Authentication'] }
+      it { expect(subject.tls_web_server_authentication?).to be false }
+    end
+  end
+  describe "#tls_web_client_authentication?" do
+    context "when 'TLS Web Client Authentication' is present" do
+      it { expect(subject.tls_web_client_authentication?).to be true }
+    end
+    context "when 'TLS Web Client Authentication' is not present" do
+      let(:uses) { super() - ['TLS Web Client Authentication'] }
+      it { expect(subject.tls_web_client_authentication?).to be false }
+    end
+  end
+end

data/spec/x509/extensions/key_usage_spec.rb ADDED

@@ -0,0 +1,84 @@
+require 'spec_helper'
+require 'openssl'
+require 'sslyze/x509/extensions/key_usage'
+describe SSLyze::X509::Extensions::KeyUsage do
+  let(:uses) do
+    [
+      'Key Encipherment',
+      'Digital Signature',
+      'CRL Sign',
+      'Certificate Sign'
+    ]
+  end
+  let(:value) { uses.join(', ') }
+  let(:openssl_x509_extension) do
+    OpenSSL::X509::Extension.new('keyUsage', value)
+  end
+  subject { described_class.new(openssl_x509_extension) }
+  describe "#uses" do
+    it "should parse the comma deliminated value" do
+      expect(subject.uses).to be == uses
+    end
+  end
+  describe "#each" do
+    it "should yield each parsed use" do
+      expect { |b|
+        subject.each(&b)
+      }.to yield_successive_args(*uses)
+    end
+  end
+  describe "#key_encipherment?" do
+    context "when 'Key Encipherment' is present" do
+      it { expect(subject.key_encipherment?).to be true }
+    end
+    context "when 'Key Encipherment' is not present" do
+      let(:uses) { super() - ['Key Encipherment'] }
+      it { expect(subject.key_encipherment?).to be false }
+    end
+  end
+  describe "#digital_signature?" do
+    context "when 'Digital Signature' is present" do
+      it { expect(subject.digital_signature?).to be true }
+    end
+    context "when 'Digital Signature' is not present" do
+      let(:uses) { super() - ['Digital Signature'] }
+      it { expect(subject.digital_signature?).to be false }
+    end
+  end
+  describe "#crl_sign?" do
+    context "when 'CRL Sign' is present" do
+      it { expect(subject.crl_sign?).to be true }
+    end
+    context "when 'CRL Sign' is not present" do
+      let(:uses) { super() - ['CRL Sign'] }
+      it { expect(subject.crl_sign?).to be false }
+    end
+  end
+  describe "#certificate_sign?" do
+    context "when 'Certificate Sign' is present" do
+      it { expect(subject.certificate_sign?).to be true }
+    end
+    context "when 'Certificate Sign' is not present" do
+      let(:uses) { super() - ['Certificate Sign'] }
+      it { expect(subject.certificate_sign?).to be false }
+    end
+  end
+end

data/spec/x509/extensions/subject_alt_name_spec.rb ADDED

@@ -0,0 +1,146 @@
+require 'spec_helper'
+require 'openssl'
+require 'sslyze/x509/extensions/subject_alt_name'
+describe SSLyze::X509::Extensions::SubjectAltName do
+  let(:domains) do
+    %w[
+      example.com
+      foo.example.com
+      bar.example.com
+    ]
+  end
+  let(:dns_names) do
+    domains.map { |name| "DNS:#{name}" }
+  end
+  let(:ips) do
+    %w[
+      127.0.0.1
+      10.0.0.1
+    ]
+  end
+  let(:ip_names) do
+    ips.map { |name| "IP:#{name}" }
+  end
+  let(:uris) do
+    %w[
+      https://foo.com/
+      https://bar.com/
+    ]
+  end
+  let(:uri_names) do
+    uris.map { |name| "URI:#{name}" }
+  end
+  let(:email_addresses) do
+    %w[
+      foo@example.com
+      bar@example.com
+    ]
+  end
+  let(:email_names) do
+    email_addresses.map { |name| "email:#{name}" }
+  end
+  let(:names) { dns_names + ip_names + uri_names + email_names }
+  let(:value) { names.join(', ') }
+  let(:openssl_x509_extension) do
+    OpenSSL::X509::Extension.new('subjectAltName', value)
+  end
+  subject { described_class.new(openssl_x509_extension) }
+  describe "#each" do
+    context "when a block is given" do
+      context "when value contains 'DNS:' names" do
+        let(:names) { dns_names }
+        it "should yield (:dns, name) tuples" do
+          expect { |b|
+            subject.each(&b)
+          }.to yield_successive_args(*domains.map { |domain| [:dns, domain] })
+        end
+      end
+      context "when value contains 'IP:' names" do
+        let(:names) { ip_names }
+        it "should yield (:ip, name) tuples" do
+          expect { |b|
+            subject.each(&b)
+          }.to yield_successive_args(*ips.map { |ip| [:ip, ip] })
+        end
+      end
+      context "when value contains 'URI:' names" do
+        let(:names) { uri_names }
+        it "should yield (:uri, name) tuples" do
+          expect { |b|
+            subject.each(&b)
+          }.to yield_successive_args(*uris.map { |uri| [:uri, uri] })
+        end
+      end
+      context "when value contains 'email:' names" do
+        let(:names) { email_names }
+        it "should yield (:email, name) tuples" do
+          expect { |b|
+            subject.each(&b)
+          }.to yield_successive_args(*email_addresses.map { |email| [:email, email] })
+        end
+      end
+      context "when value contains 'RID:' names"
+      context "when value contains 'dirName:' names"
+      context "when value contains 'otherName:' names"
+    end
+    context "when no block is given" do
+      it "should return return an Enumerator" do
+        expect(subject.each).to be_kind_of(Enumerator)
+      end
+    end
+  end
+  describe "#dns" do
+    it "should return only the 'DNS:' names" do
+      expect(subject.dns).to be == domains
+    end
+  end
+  describe "#ip" do
+    it "should return only the 'IP:' names" do
+      expect(subject.ip.map(&:to_s)).to be == ips
+    end
+    it "should parse each 'IP:' name as an IPAddr" do
+      expect(subject.ip).to all(be_kind_of(IPAddr))
+    end
+  end
+  describe "#uri" do
+    it "should return only the 'URI:' names" do
+      expect(subject.uri.map(&:to_s)).to be == uris
+    end
+    it "should parse each 'URI:' name as an URI" do
+      expect(subject.uri).to all(be_kind_of(URI::Generic))
+    end
+  end
+  describe "#email" do
+    it "should return only the 'email:' names" do
+      expect(subject.email).to be == email_addresses
+    end
+  end
+  describe "#rid"
+  describe "#dir_name"
+  describe "#other_name"
+end

data/spec/x509/name_spec.rb ADDED

@@ -0,0 +1,85 @@
+require 'rspec'
+require 'openssl'
+require 'sslyze/x509/name'
+describe SSLyze::X509::Name do
+  let(:country_name)             { 'US'               }
+  let(:state_name)               { 'California'       }
+  let(:location_name)            { 'San Francisco'    }
+  let(:organization_name)        { 'Twitter, Inc.'    }
+  let(:organizational_unit_name) { 'Twitter Security' }
+  let(:common_name)              { 'twitter.com'      }
+  let(:entries) do
+    [
+      ["C", country_name, 19],
+      ["ST", state_name, 19],
+      ["L", location_name, 19],
+      ["O", organization_name, 19],
+      ["OU", organizational_unit_name, 19],
+      ["CN", common_name, 19]
+    ]
+  end
+  let(:openssl_x509_name) { OpenSSL::X509::Name.new(entries) }
+  subject { described_class.new(openssl_x509_name) }
+  describe "#each" do
+    it "should iterate over the entries" do
+      expect { |b|
+        subject.each(&b)
+      }.to yield_successive_args(*entries)
+    end
+  end
+  describe "#[]" do
+    it "should return the value for the given OID key" do
+      expect(subject['C']).to be == country_name
+    end
+    context "when the OID key cannot be found" do
+      it { expect(subject['foo']).to be nil }
+    end
+  end
+  describe "#country_name" do
+    it "should return the 'C' entry" do
+      expect(subject.country_name).to be == country_name
+    end
+  end
+  describe "#state_name" do
+    it "should return the 'ST' entry" do
+      expect(subject.state_name).to be == state_name
+    end
+  end
+  describe "#location_name" do
+    it "should return the 'L' entry" do
+      expect(subject.location_name).to be == location_name
+    end
+  end
+  describe "#organization_name" do
+    it "should return the 'O' entry" do
+      expect(subject.organization_name).to be == organization_name
+    end
+  end
+  describe "#organizational_unit_name" do
+    it "should return the 'OU' entry" do
+      expect(subject.organizational_unit_name).to be == organizational_unit_name
+    end
+  end
+  describe "#common_name" do
+    it do
+      expect(subject.common_name).to be_kind_of(SSLyze::X509::Domain)
+    end
+    it "should be equal to the 'CN' entry" do
+      expect(subject.common_name.name).to be == common_name
+    end
+  end
+end

data/spec/x509/public_key_spec.rb ADDED

@@ -0,0 +1,113 @@
+require 'spec_helper'
+require 'openssl'
+require 'sslyze/x509/public_key'
+describe SSLyze::X509::PublicKey do
+  let(:key_size) { 1024 }
+  let(:rsa_key) { OpenSSL::PKey::RSA.new(key_size) }
+  let(:dsa_key) { OpenSSL::PKey::DSA.new(key_size) }
+  let(:dh_key)  { OpenSSL::PKey::DH.new(key_size)  }
+  let(:ec_key)  { OpenSSL::PKey::EC.new }
+  describe "#algorithm" do
+    context "when the pkey is an OpenSSL::PKey::RSA key" do
+      let(:pkey) { rsa_key }
+      subject { described_class.new(pkey) }
+      it { expect(subject.algorithm).to be :rsa }
+    end
+    context "when the pkey is an OpenSSL::PKey::DSA key" do
+      let(:pkey) { dsa_key }
+      subject { described_class.new(pkey) }
+      it { expect(subject.algorithm).to be :dsa }
+    end
+    context "when the pkey is an OpenSSL::PKey::DH key" do
+      let(:pkey) { dh_key }
+      subject { described_class.new(pkey) }
+      it { expect(subject.algorithm).to be :dh }
+    end
+    context "when the pkey is an OpenSSL::PKey::EC key" do
+      let(:pkey) { ec_key }
+      subject { described_class.new(pkey) }
+      it { expect(subject.algorithm).to be :ec }
+    end
+  end
+  describe "#size" do
+    context "when the pkey is an OpenSSL::PKey::RSA key" do
+      let(:pkey) { rsa_key }
+      subject { described_class.new(pkey) }
+      it "to infer the key size from pkey.n.num_bits" do
+        expect(subject.size).to (be == pkey.n.num_bits).and(be == key_size)
+      end
+    end
+    context "when the pkey is an OpenSSL::PKey::DSA key" do
+      let(:pkey) { dsa_key }
+      subject { described_class.new(pkey) }
+      it "to infer the key size from pkey.p.num_bits" do
+        expect(subject.size).to (be == pkey.p.num_bits).and(be == key_size)
+      end
+    end
+    context "when the pkey is an OpenSSL::PKey::DH key" do
+      let(:pkey) { dh_key }
+      subject { described_class.new(pkey) }
+      it "to infer the key size from pkey.p.num_bits" do
+        expect(subject.size).to (be == pkey.p.num_bits).and(be == key_size)
+      end
+    end
+    context "when the pkey is an OpenSSL::PKey::EC key" do
+      let(:pkey) { ec_key }
+      subject { described_class.new(pkey) }
+      it do
+        expect { subject.size }.to raise_error(NotImplementedError)
+      end
+    end
+  end
+  describe "#to_der" do
+    let(:pkey) { rsa_key }
+    subject { described_class.new(pkey) }
+    it "should call the public key's #to_der method" do
+      expect(pkey).to receive(:to_der)
+      subject.to_der
+    end
+  end
+  describe "#to_text" do
+    let(:pkey) { rsa_key }
+    subject { described_class.new(pkey) }
+    it "should call the public key's #to_text method" do
+      expect(pkey).to receive(:to_text)
+      subject.to_text
+    end
+  end
+end