
cert_spec.rb 2.6KB

  module CryptCheck::Tls
    # Specs for Cert: chain-of-trust evaluation (Cert.trusted?) and detection of
    # the digest family used by a certificate (#md5?, #sha1?, #sha2?).
    describe Cert do
      # Pin the clock to 2000-06-01 UTC around every example so the
      # validity-period checks do not depend on the day the suite runs.
      around(:each) do |spec|
        FakeTime.freeze(Time.utc(2000, 6, 1)) { spec.run }
      end

      # Cert.trusted? is expected to return :trusted on success and a String
      # naming the failure otherwise. Each rejection case pins its own reason,
      # so a regression that reports the wrong failure (or :trusted) is caught.
      # NOTE(review): the reason strings look like OpenSSL verification
      # messages; if they come straight from the linked OpenSSL, their wording
      # can differ between releases - confirm before upgrading.
      describe '::trusted?' do
        it 'must accept valid certificate' do
          # presumably `chain` loads the named fixtures in order: leaf first, root last
          leaf, *intermediates, root = chain(%w[ecdsa-prime256v1 intermediate ca])
          verdict = Cert.trusted?(leaf, intermediates, roots: root)
          expect(verdict).to eq(:trusted)
        end

        it 'must reject self signed certificate' do
          # A CA is supplied as root, yet the self-signed leaf must still be refused.
          leaf, root = chain(%w[self-signed ca])
          verdict = Cert.trusted?(leaf, [], roots: root)
          expect(verdict).to eq('self signed certificate')

          # SSLv2 case: the chain is nil instead of an empty array.
          leaf, root = chain(%w[self-signed ca])
          verdict = Cert.trusted?(leaf, nil, roots: root)
          expect(verdict).to eq('self signed certificate')
        end

        it 'must reject unknown CA' do
          # The full chain is presented, but the root store is empty.
          leaf, *presented = chain(%w[ecdsa-prime256v1 intermediate ca])
          verdict = Cert.trusted?(leaf, presented, roots: [])
          expect(verdict).to eq('unable to get issuer certificate')
        end

        it 'must reject missing intermediate chain' do
          # The root is available, but no chain certificates are presented.
          leaf, root = chain(%w[ecdsa-prime256v1 ca])
          presented = []
          verdict = Cert.trusted?(leaf, presented, roots: root)
          expect(verdict).to eq('unable to get local issuer certificate')
        end

        it 'must reject expired certificate' do
          # Move the clock to 2002-01-01 UTC, where the same chain is expected to be expired.
          FakeTime.freeze(Time.utc(2002, 1, 1)) do
            leaf, *intermediates, root = chain(%w[ecdsa-prime256v1 intermediate ca])
            verdict = Cert.trusted?(leaf, intermediates, roots: root)
            expect(verdict).to eq('certificate has expired')
          end
        end

        it 'must reject not yet valid certificate' do
          # Move the clock back to 1999-01-01 UTC, before the chain is expected to be valid.
          FakeTime.freeze(Time.utc(1999, 1, 1)) do
            leaf, *intermediates, root = chain(%w[ecdsa-prime256v1 intermediate ca])
            verdict = Cert.trusted?(leaf, intermediates, roots: root)
            expect(verdict).to eq('certificate is not yet valid')
          end
        end
      end

      # Digest-family predicates. Every example checks the positive fixture and
      # both negatives, so a predicate that always answers true (or always
      # false) fails. Fixtures are built in the order listed in each table.
      describe '#md5?' do
        it 'must detect md5 certificate' do
          expected = { [:md5] => true, [:sha1] => false, %i[ecdsa prime256v1] => false }
          expected.each do |fixture_args, flagged|
            subject_cert = Cert.new(cert(*fixture_args))
            expect(subject_cert.md5?).to be(flagged)
          end
        end
      end

      describe '#sha1?' do
        it 'must detect sha1 certificate' do
          expected = { [:md5] => false, [:sha1] => true, %i[ecdsa prime256v1] => false }
          expected.each do |fixture_args, flagged|
            subject_cert = Cert.new(cert(*fixture_args))
            expect(subject_cert.sha1?).to be(flagged)
          end
        end
      end

      describe '#sha2?' do
        it 'must detect sha2 certificate' do
          # The ecdsa/prime256v1 fixture is the one expected to report SHA-2.
          expected = { [:md5] => false, [:sha1] => false, %i[ecdsa prime256v1] => true }
          expected.each do |fixture_args, flagged|
            subject_cert = Cert.new(cert(*fixture_args))
            expect(subject_cert.sha2?).to be(flagged)
          end
        end
      end
    end
  end