
server_spec.rb 7.2KB

  require 'faketime'

  # Specs for CryptCheck::Tls::Server, exercised through a TcpServer pointed at
  # a local endpoint (127.0.0.1:5000).
  #
  # `tls_serv` is a helper defined outside this file; presumably it runs a
  # throw-away TLS server with the requested key material, ciphers, curves and
  # preference setting for the duration of its block -- confirm in the spec
  # helpers.
  #
  # The :md5 and :sha1 material exists so the scanner has weak signatures to
  # flag; the 1024-bit RSA keys are presumably chosen for speed. None of this
  # material is suitable outside a spec run.
  describe CryptCheck::Tls::Server do
    # The clock is pinned to 2000-01-01 UTC for the whole group, presumably so
    # that generated certificates carry fixed dates and the fingerprints pinned
    # below stay reproducible -- confirm in the faketime / tls_serv helpers.
    before(:all) { FakeTime.freeze(Time.utc(2000, 1, 1)) }
    after(:all) { FakeTime.unfreeze }

    # Scanner under test. A plain method (not memoized): every call builds a
    # new TcpServer, so examples that start several servers in a row get a
    # fresh scanner for each of them.
    def server
      CryptCheck::Tls::TcpServer.new('localhost', ::Socket::PF_INET, '127.0.0.1', 5000)
    end

    describe '#certs' do
      # Fingerprints expected for the RSA-1024 and prime256v1 certificates.
      # They only match if the helper serves the same certificates on every
      # run (assumed -- verify against the tls_serv helper).
      let(:rsa_fingerprint) { 'a11802a4407aaeb93ccd0bd8c8a61be17eaba6b378433af5ad45ecbb1d633f71' }
      let(:ecdsa_fingerprint) { '531ab9545f052818ff0559f648a147b104223834cc8f780516b3aacf1fdc8c06' }

      it 'must detect RSA certificate' do
        tls_serv material: [[:rsa, 1024]] do
          expect(server.certs.map(&:fingerprint)).to contain_exactly(rsa_fingerprint)
        end
      end

      it 'must detect ECDSA certificate' do
        tls_serv material: [[:ecdsa, :prime256v1]] do
          expect(server.certs.map(&:fingerprint)).to contain_exactly(ecdsa_fingerprint)
        end
      end

      it 'must detect RSA and ECDSA certificates' do
        tls_serv material: [[:ecdsa, :prime256v1], [:rsa, 1024]] do
          expect(server.certs.map(&:fingerprint)).to contain_exactly(ecdsa_fingerprint, rsa_fingerprint)
        end
      end
    end

    describe '#supported_curves' do
      it 'must detect no supported curves' do
        # A non-ECDHE cipher only: no curve is expected to be reported.
        tls_serv material: [[:rsa, 1024]], ciphers: %w[AES128-GCM-SHA256] do
          names = server.supported_curves.map(&:name)
          expect(names).to be_empty
        end
      end

      it 'must detect supported curves for RSA' do
        tls_serv material: [[:rsa, 1024]], ciphers: %w[ECDHE+AES],
                 curves: %i[prime256v1 sect571r1] do
          names = server.supported_curves.map(&:name)
          expect(names).to contain_exactly(:prime256v1, :sect571r1)
        end
      end

      it 'must detect supported curves from ECDSA' do
        tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w[ECDHE+AES],
                 curves: %i[prime256v1], server_preference: false do
          names = server.supported_curves.map(&:name)
          expect(names).to contain_exactly(:prime256v1)
        end
      end

      it 'must detect supported curves from ECDSA and ECDHE' do
        tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w[ECDHE+AES],
                 curves: %i[prime256v1 sect571r1], server_preference: false do
          names = server.supported_curves.map(&:name)
          expect(names).to contain_exactly(:prime256v1, :sect571r1)
        end
      end

      # Known limitation, pinned by the expectations below: with server
      # preference enforced and the certificate's own curve listed first, only
      # that curve is reported; with the other curve listed first, both are.
      it 'can\'t detect supported curves from ECDHE if server preference enforced' do
        tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w[ECDHE+AES],
                 curves: %i[prime256v1 sect571r1], server_preference: true do
          names = server.supported_curves.map(&:name)
          expect(names).to contain_exactly(:prime256v1)
        end

        tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w[ECDHE+AES],
                 curves: %i[sect571r1 prime256v1], server_preference: true do
          names = server.supported_curves.map(&:name)
          expect(names).to contain_exactly(:prime256v1, :sect571r1)
        end
      end
    end

    describe '#curves_preference' do
      it 'must report N/A if no curve on RSA' do
        # Same outcome whether or not the server enforces its own ordering.
        [true, false].each do |enforced|
          tls_serv material: [[:rsa, 1024]], ciphers: %w[AES128-GCM-SHA256],
                   server_preference: enforced do
            expect(server.curves_preference).to be_nil
          end
        end
      end

      it 'must report N/A if a single curve on RSA' do
        # One curve leaves nothing to order, so no preference is reported.
        [true, false].each do |enforced|
          tls_serv material: [[:rsa, 1024]], ciphers: %w[ECDHE+AES],
                   curves: %i[prime256v1], server_preference: enforced do
            expect(server.curves_preference).to be_nil
          end
        end
      end

      it 'must report server preference if server preference enforced on RSA' do
        # The reported order must follow the configured order, both ways round.
        tls_serv material: [[:rsa, 1024]], ciphers: %w[ECDHE+AES],
                 curves: %i[prime256v1 sect571r1], server_preference: true do
          ordered = server.curves_preference.map(&:name)
          expect(ordered).to eq(%i[prime256v1 sect571r1])
        end

        tls_serv material: [[:rsa, 1024]], ciphers: %w[ECDHE+AES],
                 curves: %i[sect571r1 prime256v1], server_preference: true do
          ordered = server.curves_preference.map(&:name)
          expect(ordered).to eq(%i[sect571r1 prime256v1])
        end
      end

      it 'must report client preference if server preference not enforced on RSA' do
        [%i[prime256v1 sect571r1], %i[sect571r1 prime256v1]].each do |configured|
          tls_serv material: [[:rsa, 1024]], ciphers: %w[ECDHE+AES],
                   curves: configured, server_preference: false do
            expect(server.curves_preference).to be(:client)
          end
        end
      end

      it 'must report N/A if a single curve on ECDSA' do
        [true, false].each do |enforced|
          tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w[ECDHE+AES],
                   curves: %i[prime256v1], server_preference: enforced do
            expect(server.curves_preference).to be_nil
          end
        end
      end

      # Known limitation, pinned by the expectation below: when the enforced
      # order starts with the ECDSA certificate's own curve, no preference is
      # reported at all.
      it 'can\'t detect server preference if server preference enforced on ECDSA with preference on ECDSA curve' do
        tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w[ECDHE+AES],
                 curves: %i[prime256v1 sect571r1], server_preference: true do
          expect(server.curves_preference).to be_nil
        end
      end

      it 'must report server preference if server preference enforced on ECDSA with preference not on ECDSA curve' do
        tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w[ECDHE+AES],
                 curves: %i[sect571r1 prime256v1], server_preference: true do
          ordered = server.curves_preference.map(&:name)
          expect(ordered).to eq(%i[sect571r1 prime256v1])
        end
      end

      it 'must report client preference if server preference not enforced on ECDSA' do
        [%i[prime256v1 sect571r1], %i[sect571r1 prime256v1]].each do |configured|
          tls_serv material: [[:ecdsa, :prime256v1]], ciphers: %w[ECDHE+AES],
                   curves: configured, server_preference: false do
            expect(server.curves_preference).to be(:client)
          end
        end
      end
    end

    # Signature-hash detection. Going by the expectations, the helper's default
    # material yields a SHA-2 signed certificate and nothing weaker.
    describe '#md5_sign?' do
      it 'must detect server using MD5 certificate' do
        tls_serv do
          expect(server.md5_sign?).to be(false)
        end

        tls_serv material: [:md5, [:rsa, 1024]] do
          expect(server.md5_sign?).to be(true)
        end
      end
    end

    describe '#sha1_sign?' do
      it 'must detect server using SHA1 certificate' do
        tls_serv do
          expect(server.sha1_sign?).to be(false)
        end

        tls_serv material: [:sha1, [:rsa, 1024]] do
          expect(server.sha1_sign?).to be(true)
        end
      end
    end

    describe '#sha2_sign?' do
      it 'must detect server using SHA2 certificate' do
        tls_serv do
          expect(server.sha2_sign?).to be(true)
        end

        # Only MD5 and SHA-1 signed material on offer: SHA-2 must not be reported.
        tls_serv material: [:md5, :sha1] do
          expect(server.sha2_sign?).to be(false)
        end
      end
    end
  end