Ejemplo n.º 1
0
        public async Task AllSignaturesValidNoError()
        {
            HostCertificates       hostCertificates = Create(Create("Certificate1", true), Create("Certificate2", true));
            List <EvaluationError> errors           = await _allSignaturesShouldBeValid.Evaluate(hostCertificates);

            Assert.That(errors, Is.Empty);
        }
Ejemplo n.º 2
0
        public async Task NoCertificatesNoChangesToChain()
        {
            HostCertificates originalHostCertificates = new HostCertificates("host", false, new List <X509Certificate>(), new List <SelectedCipherSuite>());
            HostCertificates updatedHostCertificates  = await _ensureRootCertificatePreprocessor.Preprocess(originalHostCertificates);

            Assert.That(updatedHostCertificates.Certificates.SequenceEqual(originalHostCertificates.Certificates));
        }
Ejemplo n.º 3
0
        public async Task CrlAndOcspErrorErrorReturnedOnlyFirstErrorReported()
        {
            HostCertificates hostCertificate = Create(
                Create("Leaf"),
                Create("Inter"),
                Create("Root"));

            A.CallTo(() => _ocspValidator.CheckOcspRevocation(null, null, null))
            .WithAnyArguments()
            .ReturnsNextFromSequence(
                new RevocationResult("Errored Ocsp"),
                new RevocationResult("Errored Ocsp"));

            A.CallTo(() => _crlValidator.CheckCrlRevocation(null, null))
            .WithAnyArguments()
            .ReturnsNextFromSequence(
                new RevocationResult("Errored Crl"),
                new RevocationResult("Errored Crl"));

            List <EvaluationError> evaluationErrors = await _rule.Evaluate(hostCertificate);

            A.CallTo(() => _ocspValidator.CheckOcspRevocation(null, null, null)).WithAnyArguments().MustHaveHappenedOnceExactly();
            A.CallTo(() => _crlValidator.CheckCrlRevocation(null, null)).WithAnyArguments().MustHaveHappenedOnceExactly();

            Assert.That(evaluationErrors.Count, Is.EqualTo(1));
            Assert.That(evaluationErrors.First().ErrorType, Is.EqualTo(EvaluationErrorType.Inconclusive));
            Assert.That(evaluationErrors.First().Message.StartsWith("The certificate Inter has unknown revocation status."), Is.True);
            Assert.That(evaluationErrors.First().Message.Contains("Errored Ocsp"), Is.True);
            Assert.That(evaluationErrors.First().Message.Contains("Errored Crl"), Is.True);
        }
Ejemplo n.º 4
0
        public async Task CrlRevocationMultipleCertificatesOnRevocationOnlyFirstOneProcessed()
        {
            HostCertificates hostCertificate = Create(
                Create("Leaf"),
                Create("Inter"),
                Create("Root"));

            A.CallTo(() => _ocspValidator.CheckOcspRevocation(null, null, null))
            .WithAnyArguments()
            .ReturnsNextFromSequence(
                new RevocationResult("Errored"),
                new RevocationResult("Errored"));

            A.CallTo(() => _crlValidator.CheckCrlRevocation(null, null))
            .WithAnyArguments()
            .ReturnsNextFromSequence(
                new RevocationResult(true, new List <RevocationInfo>()),
                new RevocationResult(true, new List <RevocationInfo>()));

            List <EvaluationError> evaluationErrors = await _rule.Evaluate(hostCertificate);

            A.CallTo(() => _ocspValidator.CheckOcspRevocation(null, null, null)).WithAnyArguments().MustHaveHappenedOnceExactly();
            A.CallTo(() => _crlValidator.CheckCrlRevocation(null, null)).WithAnyArguments().MustHaveHappenedOnceExactly();

            Assert.That(evaluationErrors.Count, Is.EqualTo(1));
            Assert.That(evaluationErrors.First().ErrorType, Is.EqualTo(EvaluationErrorType.Error));
            Assert.That(evaluationErrors.First().Message.StartsWith("The certificate Inter is revoked:"), Is.True);
        }
Ejemplo n.º 5
0
        public async Task InvalidSignaturesRaiseErrors()
        {
            HostCertificates       hostCertificates = Create(Create("Certificate1", false), Create("Certificate2", true), Create("Certificate3", true));
            List <EvaluationError> errors           = await _allSignaturesShouldBeValid.Evaluate(hostCertificates);

            Assert.That(errors.Count, Is.EqualTo(1));
            Assert.That(errors[0].ErrorType, Is.EqualTo(EvaluationErrorType.Error));
            Assert.That(errors[0].Message, Is.EqualTo("The certificate Certificate1 does not have a valid signature."));
        }
Ejemplo n.º 6
0
        public async Task AllRulePassNoErrors()
        {
            HostCertificates hostCertificates = A.Fake <HostCertificates>();

            A.CallTo(() => _rule1.Evaluate(hostCertificates)).Returns(new List <EvaluationError>());
            A.CallTo(() => _rule2.Evaluate(hostCertificates)).Returns(new List <EvaluationError>());

            EvaluationResult <HostCertificates> evaluationResult = await _evaluator.Evaluate(hostCertificates);

            Assert.That(evaluationResult.Errors, Is.Empty);
        }
Ejemplo n.º 7
0
        private async Task <EvaluationResult <HostCertificates> > Evaluate(HostCertificates hostCertificates)
        {
            if (hostCertificates != null && hostCertificates.Host == ".")
            {
                return(new EvaluationResult <HostCertificates>(hostCertificates, new List <EvaluationError>()));
            }

            return(hostCertificates != null && hostCertificates.HostNotFound
                    ? await GetHostNotFoundResult(hostCertificates)
                    : await _evaluator.Evaluate(hostCertificates));
        }
Ejemplo n.º 8
0
        public async Task RootCertificateInLookUpRootIsTrusted()
        {
            string issuer = "CN=ABC, O=ABC, S=LONDON, C=uk";

            HostCertificates hostCertificates = Create("Certificate1", issuer);

            A.CallTo(() => _rootCertificateLookUp.GetCertificate(issuer)).Returns(hostCertificates.Certificates.First());

            List <EvaluationError> evaluationError = await _tlsRootCertificateShouldBeTrusted.Evaluate(hostCertificates);

            Assert.That(evaluationError, Is.Empty);
        }
Ejemplo n.º 9
0
        public async Task ItShouldFailWhenNoRootIssuerIsPresent()
        {
            HostCertificates hostCertificates = Create(
                Create(
                    "C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2",
                    "C=US, ST=California, L=San Francisco, O=Wikimedia Foundation, Inc., CN=*.wikipedia.org"));

            List <EvaluationError> errors = await _allCertificatesShouldBeInOrder.Evaluate(hostCertificates);

            Assert.That(errors.Count, Is.EqualTo(1));
            Assert.That(errors.First().ErrorType, Is.EqualTo(EvaluationErrorType.Error));
            Assert.That(errors.First().Message, Is.EqualTo("The certificate chain is not in the correct order. Certificates must be ordered from the mailserver's certificate to the root certificate, with each certificate's issuer directly following it."));
        }
Ejemplo n.º 10
0
        public async Task ItShouldPassWhenTheOrderIsCorrect()
        {
            HostCertificates hostCertificates = Create(
                Create(
                    "C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2",
                    "C=US, ST=California, L=San Francisco, O=Wikimedia Foundation, Inc., CN=*.wikipedia.org"),
                Create(
                    "C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2",
                    "C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2"));

            List <EvaluationError> errors = await _allCertificatesShouldBeInOrder.Evaluate(hostCertificates);

            Assert.That(errors, Is.Empty);
        }
Ejemplo n.º 11
0
        public async Task AllCertificateValidNoErrorsReturn()
        {
            HostCertificates hostCertificate = Create(
                Create("Leaf"),
                Create("Inter"),
                Create("Root"));

            List <EvaluationError> evaluationErrors = await _rule.Evaluate(hostCertificate);

            A.CallTo(() => _ocspValidator.CheckOcspRevocation(null, null, null)).WithAnyArguments().MustHaveHappenedTwiceExactly();
            A.CallTo(() => _crlValidator.CheckCrlRevocation(null, null)).WithAnyArguments().MustNotHaveHappened();

            Assert.That(evaluationErrors, Is.Empty);
        }
Ejemplo n.º 12
0
        public async Task WhiteSpaceShouldntMatter()
        {
            HostCertificates hostCertificates = Create(
                Create(
                    "  C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2  ",
                    "C=US, ST=California, L=San Francisco, O=Wikimedia Foundation, Inc., CN=*.wikipedia.org"),
                Create(
                    "C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2",
                    "C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2"));

            List <EvaluationError> errors = await _allCertificatesShouldBePresent.Evaluate(hostCertificates);

            Assert.That(errors, Is.Empty);
        }
Ejemplo n.º 13
0
        public async Task ItShouldBeCaseInsensitiveAndIgnorePreceedingAndTrailingWhiteSpace()
        {
            HostCertificates hostCertificates = Create(
                Create(
                    "    C=BE, O=GlobalSign nv-sa, CN=gLoBaLsIgn OrGaNiZaTion VaLiDaTiOn ca - SHA256 - G2    ",
                    "C=US, ST=California, L=San Francisco, O=Wikimedia Foundation, Inc., CN=*.wikipedia.org"),
                Create(
                    "C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2",
                    "C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2"));

            List <EvaluationError> errors = await _allCertificatesShouldBeInOrder.Evaluate(hostCertificates);

            Assert.That(errors, Is.Empty);
        }
Ejemplo n.º 14
0
        public static IEnumerable <TestCaseData> TestData()
        {
            HostCertificates expiredDate                = Create(Create("Certificate1", DateTime.UtcNow.AddDays(-1)));
            HostCertificates sevenDaysFromToday         = Create(Create("Certificate2", DateTime.UtcNow.AddDays(7)));
            HostCertificates fourteenDaysFromToday      = Create(Create("Certificate3", DateTime.UtcNow.AddDays(14)));
            HostCertificates fifteenDaysFromToday       = Create(Create("Certificate3", DateTime.UtcNow.AddDays(15)));
            HostCertificates thirtyDaysFromToday        = Create(Create("Certificate4", DateTime.UtcNow.AddDays(30)));
            HostCertificates multipleExpiredDate        = Create(Create("Certificate1", DateTime.UtcNow.AddDays(-1)), Create("Certificate2", DateTime.UtcNow.AddDays(-1)));
            HostCertificates multipleSevenDaysFromToday = Create(Create("Certificate1", DateTime.UtcNow.AddDays(7)), Create("Certificate2", DateTime.UtcNow.AddDays(7)));
            HostCertificates mixOfExpiredAndExpiring    = Create(Create("Certificate1", DateTime.UtcNow.AddDays(-1)), Create("Certificate2", DateTime.UtcNow.AddDays(7)));

            yield return(new TestCaseData(expiredDate).Returns(new List <EvaluationError> {
                new EvaluationError(EvaluationErrorType.Error, $"The certificate Certificate1 expired on {expiredDate.Certificates.First().ValidTo:dd/MM/yyyy HH:mm} and should be replaced.")
            })
Ejemplo n.º 15
0
        public async Task NoRootCertifcateAndRootCertificateDoenstExistsNoChangeToChain()
        {
            HostCertificates originalHostCertificates = Create(
                Create(
                    "CN=DigiCert Global CA G2, O=DigiCert Inc, C=US",
                    "CN=*.mimecast.com, OU=Technical Operations, O=Mimecast Services Limited, L=London, C=GB"),
                Create(
                    "CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US",
                    "CN=DigiCert Global CA G2, O=DigiCert Inc, C=US"));

            HostCertificates updatedHostCertificates = await _ensureRootCertificatePreprocessor.Preprocess(originalHostCertificates);

            Assert.That(updatedHostCertificates.Certificates.SequenceEqual(originalHostCertificates.Certificates));
        }
Ejemplo n.º 16
0
        public async Task RootCertificateInChainNoChangesToChain()
        {
            HostCertificates originalHostCertificates = Create(
                Create(
                    "C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2",
                    "C=US, ST=California, L=San Francisco, O=Wikimedia Foundation, Inc., CN=*.wikipedia.org"),
                Create(
                    "C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2",
                    "C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2"));

            HostCertificates updatedHostCertificates = await _ensureRootCertificatePreprocessor.Preprocess(originalHostCertificates);

            Assert.That(updatedHostCertificates.Certificates.SequenceEqual(originalHostCertificates.Certificates));
        }
Ejemplo n.º 17
0
        public async Task MixedRuleFailuresErrorsAsExpected()
        {
            HostCertificates hostCertificates = A.Fake <HostCertificates>();

            var evaluationError1 = new EvaluationError(EvaluationErrorType.Error, "Rule 1 Failed");

            A.CallTo(() => _rule1.Evaluate(hostCertificates)).Returns(new List <EvaluationError> {
                evaluationError1
            });
            A.CallTo(() => _rule2.Evaluate(hostCertificates)).Returns(new List <EvaluationError>());

            EvaluationResult <HostCertificates> evaluationResult = await _evaluator.Evaluate(hostCertificates);

            Assert.That(evaluationResult.Errors.Count, Is.EqualTo(1));
            Assert.That(evaluationResult.Errors[0], Is.EqualTo(evaluationError1));
        }
Ejemplo n.º 18
0
        public async Task ItShouldFailWhenAllIssuersAreNotPresent()
        {
            HostCertificates hostCertificates = Create(
                Create(
                    "C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2",
                    "C=US, ST=California, L=San Francisco, O=Wikimedia Foundation, Inc., CN=*.wikipedia.org"),
                Create(
                    "CN = ABC, O = ABC, S = LONDON, C = uk",
                    "CN = DEF, O = DEF, S = LONDON, C = uk"));

            List <EvaluationError> errors = await _allCertificatesShouldBePresent.Evaluate(hostCertificates);

            Assert.That(errors.Count, Is.EqualTo(2));
            Assert.That(errors[0].ErrorType, Is.EqualTo(EvaluationErrorType.Error));
            Assert.That(errors[0].Message, Is.EqualTo("The certificate chain is missing the certificate with issuer C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2."));
            Assert.That(errors[1].ErrorType, Is.EqualTo(EvaluationErrorType.Error));
            Assert.That(errors[1].Message, Is.EqualTo("The certificate chain is missing the certificate with issuer CN = ABC, O = ABC, S = LONDON, C = uk."));
        }
Ejemplo n.º 19
0
        public async Task AllRulesFailErrors()
        {
            HostCertificates hostCertificates = A.Fake <HostCertificates>();

            var evaluationError1 = new EvaluationError(EvaluationErrorType.Error, "Rule 1 Failed");
            var evaluationError2 = new EvaluationError(EvaluationErrorType.Warning, "Rule 2 Failed");

            A.CallTo(() => _rule1.Evaluate(hostCertificates)).Returns(new List <EvaluationError> {
                evaluationError1
            });
            A.CallTo(() => _rule2.Evaluate(hostCertificates)).Returns(new List <EvaluationError> {
                evaluationError2
            });

            EvaluationResult <HostCertificates> evaluationResult = await _evaluator.Evaluate(hostCertificates);

            Assert.That(evaluationResult.Errors.Count, Is.EqualTo(2));
            Assert.That(evaluationResult.Errors[0], Is.EqualTo(evaluationError1));
            Assert.That(evaluationResult.Errors[1], Is.EqualTo(evaluationError2));
        }
Ejemplo n.º 20
0
        public async Task CrlRevocationAllCertificatesValidReturnsNoErrors()
        {
            HostCertificates hostCertificate = Create(
                Create("Leaf"),
                Create("Inter"),
                Create("Root"));

            A.CallTo(() => _ocspValidator.CheckOcspRevocation(null, null, null))
            .WithAnyArguments()
            .ReturnsNextFromSequence(
                new RevocationResult("Errored"),
                new RevocationResult("Errored"));

            List <EvaluationError> evaluationErrors = await _rule.Evaluate(hostCertificate);

            A.CallTo(() => _ocspValidator.CheckOcspRevocation(null, null, null)).WithAnyArguments().MustHaveHappenedTwiceExactly();
            A.CallTo(() => _crlValidator.CheckCrlRevocation(null, null)).WithAnyArguments().MustHaveHappenedTwiceExactly();

            Assert.That(evaluationErrors, Is.Empty);
        }
Ejemplo n.º 21
0
        public async Task StopRuleFailureHaltProcessing()
        {
            HostCertificates hostCertificates = A.Fake <HostCertificates>();

            var evaluationError1 = new EvaluationError(EvaluationErrorType.Error, "Rule 1 Failed");
            var evaluationError2 = new EvaluationError(EvaluationErrorType.Warning, "Rule 2 Failed");

            A.CallTo(() => _rule1.Evaluate(hostCertificates)).Returns(new List <EvaluationError> {
                evaluationError1
            });
            A.CallTo(() => _rule1.IsStopRule).Returns(true);

            A.CallTo(() => _rule2.Evaluate(hostCertificates)).Returns(new List <EvaluationError> {
                evaluationError2
            });

            EvaluationResult <HostCertificates> evaluationResult = await _evaluator.Evaluate(hostCertificates);

            Assert.That(evaluationResult.Errors.Count, Is.EqualTo(1));
            Assert.That(evaluationResult.Errors[0], Is.EqualTo(evaluationError1));
        }
Ejemplo n.º 22
0
        public async Task NoRootCertifcateAndRootCertificateExistsAppendsRootCertifcateToChain()
        {
            HostCertificates originalHostCertificates = Create(
                Create(
                    "CN=DigiCert Global CA G2, O=DigiCert Inc, C=US",
                    "CN=*.mimecast.com, OU=Technical Operations, O=Mimecast Services Limited, L=London, C=GB"),
                Create(
                    "CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US",
                    "CN=DigiCert Global CA G2, O=DigiCert Inc, C=US"));

            X509Certificate rootCertificate = Create(
                "CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US",
                "CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US");

            A.CallTo(() => _rootCertificateLookUp.GetCertificate(rootCertificate.Issuer)).Returns(rootCertificate);

            HostCertificates updatedHostCertificates = await _ensureRootCertificatePreprocessor.Preprocess(originalHostCertificates);

            Assert.That(updatedHostCertificates.Certificates.Count, Is.EqualTo(3));
            Assert.That(updatedHostCertificates.Certificates[0], Is.EqualTo(originalHostCertificates.Certificates[0]));
            Assert.That(updatedHostCertificates.Certificates[1], Is.EqualTo(originalHostCertificates.Certificates[1]));
            Assert.That(updatedHostCertificates.Certificates[2], Is.EqualTo(rootCertificate));
        }
Ejemplo n.º 23
0
        public async Task <CertificateResults> Process(TlsTestResults certificateResultMessage)
        {
            string hostName = certificateResultMessage.Id.ToLower();

            _log.LogInformation("Evaluating certificates for hostName {hostName}", hostName);

            HostCertificates hostCertificates = certificateResultMessage.MapToHostCertificates();

            try
            {
                EvaluationResult <HostCertificates> results = await Evaluate(hostCertificates);

                return(results.MapToHostResults());
            }
            catch (Exception e)
            {
                string formatString =
                    $"Error occured evaluating certificates for hostName {{hostName}} {{ExceptionMessage}} {Environment.NewLine} {{StackTrace}}";

                _log.LogError(formatString, hostName, e.Message, e.StackTrace);

                throw;
            }
        }
Ejemplo n.º 24
0
        public async Task <List <EvaluationError> > Test(string key, int keyLength, HostCertificates hostCertificates)
        {
            AllCertificatesShouldHaveStrongKey rule = new AllCertificatesShouldHaveStrongKey(A.Fake <ILogger <AllCertificatesShouldHaveStrongKey> >());

            return(await rule.Evaluate(hostCertificates));
        }
Ejemplo n.º 25
0
        public Task <List <EvaluationError> > Test(HostCertificates hostCertificates)
        {
            CertificateExpiryShouldBeInDate rule = new CertificateExpiryShouldBeInDate(A.Fake <ILogger <CertificateExpiryShouldBeInDate> >());

            return(rule.Evaluate(hostCertificates));
        }
Ejemplo n.º 26
0
 GetHostNotFoundResult(HostCertificates hostCertificates) =>
 Task.FromResult(new EvaluationResult <HostCertificates>(hostCertificates,
                                                         new List <EvaluationError>
 {
     new EvaluationError(EvaluationErrorType.Error, $"The host {hostCertificates.Host} does not exist.")
 }));
Ejemplo n.º 27
0
        public Task <List <EvaluationError> > Test(HostCertificates hostCertificates)
        {
            CertificateShouldMatchHostName certificateShouldMatchHostName = new CertificateShouldMatchHostName(A.Fake <ILogger <CertificateShouldMatchHostName> >());

            return(certificateShouldMatchHostName.Evaluate(hostCertificates));
        }