You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 
cryptcheck/spec/cryptcheck/tls/cert_spec.rb

90 lines
2.8 KiB

describe CryptCheck::Tls::Cert do
describe '::trusted?' do
it 'must accept valid certificate' do
FakeTime.freeze Time.utc(2000, 1, 1) do
cert, *chain, ca = chain(%w(ecdsa-prime256v1 intermediate ca))
trust = ::CryptCheck::Tls::Cert.trusted? cert, chain, roots: ca
expect(trust).to eq :trusted
end
end
it 'must reject self signed certificate' do
cert, ca = chain(%w(self-signed ca))
trust = ::CryptCheck::Tls::Cert.trusted? cert, [], roots: ca
expect(trust).to eq 'self signed certificate'
# Case for SSLv2
cert, ca = chain(%w(self-signed ca))
trust = ::CryptCheck::Tls::Cert.trusted? cert, nil, roots: ca
expect(trust).to eq 'self signed certificate'
end
it 'must reject unknown CA' do
cert, *chain = chain(%w(ecdsa-prime256v1 intermediate ca))
trust = ::CryptCheck::Tls::Cert.trusted? cert, chain, roots: []
expect(trust).to eq 'unable to get issuer certificate'
end
it 'must reject missing intermediate chain' do
cert, ca = chain(%w(ecdsa-prime256v1 ca))
chain = []
trust = ::CryptCheck::Tls::Cert.trusted? cert, chain, roots: ca
expect(trust).to eq 'unable to get local issuer certificate'
end
it 'must reject expired certificate' do
FakeTime.freeze Time.utc(2002, 1, 1) do
cert, *chain, ca = chain(%w(ecdsa-prime256v1 intermediate ca))
trust = ::CryptCheck::Tls::Cert.trusted? cert, chain, roots: ca
expect(trust).to eq 'certificate has expired'
end
end
it 'must reject not yet valid certificate' do
FakeTime.freeze Time.utc(1999, 1, 1) do
cert, *chain, ca = chain(%w(ecdsa-prime256v1 intermediate ca))
trust = ::CryptCheck::Tls::Cert.trusted? cert, chain, roots: ca
expect(trust).to eq 'certificate is not yet valid'
end
end
end
describe '#md5?' do
it 'must detect md5 certificate' do
cert = ::CryptCheck::Tls::Cert.new cert(:md5)
expect(cert.md5?).to be true
cert = ::CryptCheck::Tls::Cert.new cert(:sha1)
expect(cert.md5?).to be false
cert = ::CryptCheck::Tls::Cert.new cert(:ecdsa, :prime256v1)
expect(cert.md5?).to be false
end
end
describe '#sha1?' do
it 'must detect sha1 certificate' do
cert = ::CryptCheck::Tls::Cert.new cert(:md5)
expect(cert.sha1?).to be false
cert = ::CryptCheck::Tls::Cert.new cert(:sha1)
expect(cert.sha1?).to be true
cert = ::CryptCheck::Tls::Cert.new cert(:ecdsa, :prime256v1)
expect(cert.sha1?).to be false
end
end
describe '#sha2?' do
it 'must detect sha2 certificate' do
cert = ::CryptCheck::Tls::Cert.new cert(:md5)
expect(cert.sha2?).to be false
cert = ::CryptCheck::Tls::Cert.new cert(:sha1)
expect(cert.sha2?).to be false
cert = ::CryptCheck::Tls::Cert.new cert(:ecdsa, :prime256v1)
expect(cert.sha2?).to be true
end
end
end