public async Task AllSignaturesValidNoError() { HostCertificates hostCertificates = Create(Create("Certificate1", true), Create("Certificate2", true)); List <EvaluationError> errors = await _allSignaturesShouldBeValid.Evaluate(hostCertificates); Assert.That(errors, Is.Empty); }
public async Task NoCertificatesNoChangesToChain() { HostCertificates originalHostCertificates = new HostCertificates("host", false, new List <X509Certificate>(), new List <SelectedCipherSuite>()); HostCertificates updatedHostCertificates = await _ensureRootCertificatePreprocessor.Preprocess(originalHostCertificates); Assert.That(updatedHostCertificates.Certificates.SequenceEqual(originalHostCertificates.Certificates)); }
public async Task CrlAndOcspErrorErrorReturnedOnlyFirstErrorReported() { HostCertificates hostCertificate = Create( Create("Leaf"), Create("Inter"), Create("Root")); A.CallTo(() => _ocspValidator.CheckOcspRevocation(null, null, null)) .WithAnyArguments() .ReturnsNextFromSequence( new RevocationResult("Errored Ocsp"), new RevocationResult("Errored Ocsp")); A.CallTo(() => _crlValidator.CheckCrlRevocation(null, null)) .WithAnyArguments() .ReturnsNextFromSequence( new RevocationResult("Errored Crl"), new RevocationResult("Errored Crl")); List <EvaluationError> evaluationErrors = await _rule.Evaluate(hostCertificate); A.CallTo(() => _ocspValidator.CheckOcspRevocation(null, null, null)).WithAnyArguments().MustHaveHappenedOnceExactly(); A.CallTo(() => _crlValidator.CheckCrlRevocation(null, null)).WithAnyArguments().MustHaveHappenedOnceExactly(); Assert.That(evaluationErrors.Count, Is.EqualTo(1)); Assert.That(evaluationErrors.First().ErrorType, Is.EqualTo(EvaluationErrorType.Inconclusive)); Assert.That(evaluationErrors.First().Message.StartsWith("The certificate Inter has unknown revocation status."), Is.True); Assert.That(evaluationErrors.First().Message.Contains("Errored Ocsp"), Is.True); Assert.That(evaluationErrors.First().Message.Contains("Errored Crl"), Is.True); }
public async Task CrlRevocationMultipleCertificatesOnRevocationOnlyFirstOneProcessed() { HostCertificates hostCertificate = Create( Create("Leaf"), Create("Inter"), Create("Root")); A.CallTo(() => _ocspValidator.CheckOcspRevocation(null, null, null)) .WithAnyArguments() .ReturnsNextFromSequence( new RevocationResult("Errored"), new RevocationResult("Errored")); A.CallTo(() => _crlValidator.CheckCrlRevocation(null, null)) .WithAnyArguments() .ReturnsNextFromSequence( new RevocationResult(true, new List <RevocationInfo>()), new RevocationResult(true, new List <RevocationInfo>())); List <EvaluationError> evaluationErrors = await _rule.Evaluate(hostCertificate); A.CallTo(() => _ocspValidator.CheckOcspRevocation(null, null, null)).WithAnyArguments().MustHaveHappenedOnceExactly(); A.CallTo(() => _crlValidator.CheckCrlRevocation(null, null)).WithAnyArguments().MustHaveHappenedOnceExactly(); Assert.That(evaluationErrors.Count, Is.EqualTo(1)); Assert.That(evaluationErrors.First().ErrorType, Is.EqualTo(EvaluationErrorType.Error)); Assert.That(evaluationErrors.First().Message.StartsWith("The certificate Inter is revoked:"), Is.True); }
public async Task InvalidSignaturesRaiseErrors() { HostCertificates hostCertificates = Create(Create("Certificate1", false), Create("Certificate2", true), Create("Certificate3", true)); List <EvaluationError> errors = await _allSignaturesShouldBeValid.Evaluate(hostCertificates); Assert.That(errors.Count, Is.EqualTo(1)); Assert.That(errors[0].ErrorType, Is.EqualTo(EvaluationErrorType.Error)); Assert.That(errors[0].Message, Is.EqualTo("The certificate Certificate1 does not have a valid signature.")); }
public async Task AllRulePassNoErrors() { HostCertificates hostCertificates = A.Fake <HostCertificates>(); A.CallTo(() => _rule1.Evaluate(hostCertificates)).Returns(new List <EvaluationError>()); A.CallTo(() => _rule2.Evaluate(hostCertificates)).Returns(new List <EvaluationError>()); EvaluationResult <HostCertificates> evaluationResult = await _evaluator.Evaluate(hostCertificates); Assert.That(evaluationResult.Errors, Is.Empty); }
private async Task <EvaluationResult <HostCertificates> > Evaluate(HostCertificates hostCertificates) { if (hostCertificates != null && hostCertificates.Host == ".") { return(new EvaluationResult <HostCertificates>(hostCertificates, new List <EvaluationError>())); } return(hostCertificates != null && hostCertificates.HostNotFound ? await GetHostNotFoundResult(hostCertificates) : await _evaluator.Evaluate(hostCertificates)); }
public async Task RootCertificateInLookUpRootIsTrusted() { string issuer = "CN=ABC, O=ABC, S=LONDON, C=uk"; HostCertificates hostCertificates = Create("Certificate1", issuer); A.CallTo(() => _rootCertificateLookUp.GetCertificate(issuer)).Returns(hostCertificates.Certificates.First()); List <EvaluationError> evaluationError = await _tlsRootCertificateShouldBeTrusted.Evaluate(hostCertificates); Assert.That(evaluationError, Is.Empty); }
public async Task ItShouldFailWhenNoRootIssuerIsPresent() { HostCertificates hostCertificates = Create( Create( "C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2", "C=US, ST=California, L=San Francisco, O=Wikimedia Foundation, Inc., CN=*.wikipedia.org")); List <EvaluationError> errors = await _allCertificatesShouldBeInOrder.Evaluate(hostCertificates); Assert.That(errors.Count, Is.EqualTo(1)); Assert.That(errors.First().ErrorType, Is.EqualTo(EvaluationErrorType.Error)); Assert.That(errors.First().Message, Is.EqualTo("The certificate chain is not in the correct order. Certificates must be ordered from the mailserver's certificate to the root certificate, with each certificate's issuer directly following it.")); }
public async Task ItShouldPassWhenTheOrderIsCorrect() { HostCertificates hostCertificates = Create( Create( "C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2", "C=US, ST=California, L=San Francisco, O=Wikimedia Foundation, Inc., CN=*.wikipedia.org"), Create( "C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2", "C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2")); List <EvaluationError> errors = await _allCertificatesShouldBeInOrder.Evaluate(hostCertificates); Assert.That(errors, Is.Empty); }
public async Task AllCertificateValidNoErrorsReturn() { HostCertificates hostCertificate = Create( Create("Leaf"), Create("Inter"), Create("Root")); List <EvaluationError> evaluationErrors = await _rule.Evaluate(hostCertificate); A.CallTo(() => _ocspValidator.CheckOcspRevocation(null, null, null)).WithAnyArguments().MustHaveHappenedTwiceExactly(); A.CallTo(() => _crlValidator.CheckCrlRevocation(null, null)).WithAnyArguments().MustNotHaveHappened(); Assert.That(evaluationErrors, Is.Empty); }
public async Task WhiteSpaceShouldntMatter() { HostCertificates hostCertificates = Create( Create( " C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 ", "C=US, ST=California, L=San Francisco, O=Wikimedia Foundation, Inc., CN=*.wikipedia.org"), Create( "C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2", "C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2")); List <EvaluationError> errors = await _allCertificatesShouldBePresent.Evaluate(hostCertificates); Assert.That(errors, Is.Empty); }
public async Task ItShouldBeCaseInsensitiveAndIgnorePreceedingAndTrailingWhiteSpace() { HostCertificates hostCertificates = Create( Create( " C=BE, O=GlobalSign nv-sa, CN=gLoBaLsIgn OrGaNiZaTion VaLiDaTiOn ca - SHA256 - G2 ", "C=US, ST=California, L=San Francisco, O=Wikimedia Foundation, Inc., CN=*.wikipedia.org"), Create( "C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2", "C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2")); List <EvaluationError> errors = await _allCertificatesShouldBeInOrder.Evaluate(hostCertificates); Assert.That(errors, Is.Empty); }
public static IEnumerable <TestCaseData> TestData() { HostCertificates expiredDate = Create(Create("Certificate1", DateTime.UtcNow.AddDays(-1))); HostCertificates sevenDaysFromToday = Create(Create("Certificate2", DateTime.UtcNow.AddDays(7))); HostCertificates fourteenDaysFromToday = Create(Create("Certificate3", DateTime.UtcNow.AddDays(14))); HostCertificates fifteenDaysFromToday = Create(Create("Certificate3", DateTime.UtcNow.AddDays(15))); HostCertificates thirtyDaysFromToday = Create(Create("Certificate4", DateTime.UtcNow.AddDays(30))); HostCertificates multipleExpiredDate = Create(Create("Certificate1", DateTime.UtcNow.AddDays(-1)), Create("Certificate2", DateTime.UtcNow.AddDays(-1))); HostCertificates multipleSevenDaysFromToday = Create(Create("Certificate1", DateTime.UtcNow.AddDays(7)), Create("Certificate2", DateTime.UtcNow.AddDays(7))); HostCertificates mixOfExpiredAndExpiring = Create(Create("Certificate1", DateTime.UtcNow.AddDays(-1)), Create("Certificate2", DateTime.UtcNow.AddDays(7))); yield return(new TestCaseData(expiredDate).Returns(new List <EvaluationError> { new EvaluationError(EvaluationErrorType.Error, $"The certificate Certificate1 expired on {expiredDate.Certificates.First().ValidTo:dd/MM/yyyy HH:mm} and should be replaced.") })
public async Task NoRootCertifcateAndRootCertificateDoenstExistsNoChangeToChain() { HostCertificates originalHostCertificates = Create( Create( "CN=DigiCert Global CA G2, O=DigiCert Inc, C=US", "CN=*.mimecast.com, OU=Technical Operations, O=Mimecast Services Limited, L=London, C=GB"), Create( "CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US", "CN=DigiCert Global CA G2, O=DigiCert Inc, C=US")); HostCertificates updatedHostCertificates = await _ensureRootCertificatePreprocessor.Preprocess(originalHostCertificates); Assert.That(updatedHostCertificates.Certificates.SequenceEqual(originalHostCertificates.Certificates)); }
public async Task RootCertificateInChainNoChangesToChain() { HostCertificates originalHostCertificates = Create( Create( "C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2", "C=US, ST=California, L=San Francisco, O=Wikimedia Foundation, Inc., CN=*.wikipedia.org"), Create( "C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2", "C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2")); HostCertificates updatedHostCertificates = await _ensureRootCertificatePreprocessor.Preprocess(originalHostCertificates); Assert.That(updatedHostCertificates.Certificates.SequenceEqual(originalHostCertificates.Certificates)); }
public async Task MixedRuleFailuresErrorsAsExpected() { HostCertificates hostCertificates = A.Fake <HostCertificates>(); var evaluationError1 = new EvaluationError(EvaluationErrorType.Error, "Rule 1 Failed"); A.CallTo(() => _rule1.Evaluate(hostCertificates)).Returns(new List <EvaluationError> { evaluationError1 }); A.CallTo(() => _rule2.Evaluate(hostCertificates)).Returns(new List <EvaluationError>()); EvaluationResult <HostCertificates> evaluationResult = await _evaluator.Evaluate(hostCertificates); Assert.That(evaluationResult.Errors.Count, Is.EqualTo(1)); Assert.That(evaluationResult.Errors[0], Is.EqualTo(evaluationError1)); }
public async Task ItShouldFailWhenAllIssuersAreNotPresent() { HostCertificates hostCertificates = Create( Create( "C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2", "C=US, ST=California, L=San Francisco, O=Wikimedia Foundation, Inc., CN=*.wikipedia.org"), Create( "CN = ABC, O = ABC, S = LONDON, C = uk", "CN = DEF, O = DEF, S = LONDON, C = uk")); List <EvaluationError> errors = await _allCertificatesShouldBePresent.Evaluate(hostCertificates); Assert.That(errors.Count, Is.EqualTo(2)); Assert.That(errors[0].ErrorType, Is.EqualTo(EvaluationErrorType.Error)); Assert.That(errors[0].Message, Is.EqualTo("The certificate chain is missing the certificate with issuer C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2.")); Assert.That(errors[1].ErrorType, Is.EqualTo(EvaluationErrorType.Error)); Assert.That(errors[1].Message, Is.EqualTo("The certificate chain is missing the certificate with issuer CN = ABC, O = ABC, S = LONDON, C = uk.")); }
public async Task AllRulesFailErrors() { HostCertificates hostCertificates = A.Fake <HostCertificates>(); var evaluationError1 = new EvaluationError(EvaluationErrorType.Error, "Rule 1 Failed"); var evaluationError2 = new EvaluationError(EvaluationErrorType.Warning, "Rule 2 Failed"); A.CallTo(() => _rule1.Evaluate(hostCertificates)).Returns(new List <EvaluationError> { evaluationError1 }); A.CallTo(() => _rule2.Evaluate(hostCertificates)).Returns(new List <EvaluationError> { evaluationError2 }); EvaluationResult <HostCertificates> evaluationResult = await _evaluator.Evaluate(hostCertificates); Assert.That(evaluationResult.Errors.Count, Is.EqualTo(2)); Assert.That(evaluationResult.Errors[0], Is.EqualTo(evaluationError1)); Assert.That(evaluationResult.Errors[1], Is.EqualTo(evaluationError2)); }
public async Task CrlRevocationAllCertificatesValidReturnsNoErrors() { HostCertificates hostCertificate = Create( Create("Leaf"), Create("Inter"), Create("Root")); A.CallTo(() => _ocspValidator.CheckOcspRevocation(null, null, null)) .WithAnyArguments() .ReturnsNextFromSequence( new RevocationResult("Errored"), new RevocationResult("Errored")); List <EvaluationError> evaluationErrors = await _rule.Evaluate(hostCertificate); A.CallTo(() => _ocspValidator.CheckOcspRevocation(null, null, null)).WithAnyArguments().MustHaveHappenedTwiceExactly(); A.CallTo(() => _crlValidator.CheckCrlRevocation(null, null)).WithAnyArguments().MustHaveHappenedTwiceExactly(); Assert.That(evaluationErrors, Is.Empty); }
public async Task StopRuleFailureHaltProcessing() { HostCertificates hostCertificates = A.Fake <HostCertificates>(); var evaluationError1 = new EvaluationError(EvaluationErrorType.Error, "Rule 1 Failed"); var evaluationError2 = new EvaluationError(EvaluationErrorType.Warning, "Rule 2 Failed"); A.CallTo(() => _rule1.Evaluate(hostCertificates)).Returns(new List <EvaluationError> { evaluationError1 }); A.CallTo(() => _rule1.IsStopRule).Returns(true); A.CallTo(() => _rule2.Evaluate(hostCertificates)).Returns(new List <EvaluationError> { evaluationError2 }); EvaluationResult <HostCertificates> evaluationResult = await _evaluator.Evaluate(hostCertificates); Assert.That(evaluationResult.Errors.Count, Is.EqualTo(1)); Assert.That(evaluationResult.Errors[0], Is.EqualTo(evaluationError1)); }
public async Task NoRootCertifcateAndRootCertificateExistsAppendsRootCertifcateToChain() { HostCertificates originalHostCertificates = Create( Create( "CN=DigiCert Global CA G2, O=DigiCert Inc, C=US", "CN=*.mimecast.com, OU=Technical Operations, O=Mimecast Services Limited, L=London, C=GB"), Create( "CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US", "CN=DigiCert Global CA G2, O=DigiCert Inc, C=US")); X509Certificate rootCertificate = Create( "CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US", "CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US"); A.CallTo(() => _rootCertificateLookUp.GetCertificate(rootCertificate.Issuer)).Returns(rootCertificate); HostCertificates updatedHostCertificates = await _ensureRootCertificatePreprocessor.Preprocess(originalHostCertificates); Assert.That(updatedHostCertificates.Certificates.Count, Is.EqualTo(3)); Assert.That(updatedHostCertificates.Certificates[0], Is.EqualTo(originalHostCertificates.Certificates[0])); Assert.That(updatedHostCertificates.Certificates[1], Is.EqualTo(originalHostCertificates.Certificates[1])); Assert.That(updatedHostCertificates.Certificates[2], Is.EqualTo(rootCertificate)); }
public async Task <CertificateResults> Process(TlsTestResults certificateResultMessage) { string hostName = certificateResultMessage.Id.ToLower(); _log.LogInformation("Evaluating certificates for hostName {hostName}", hostName); HostCertificates hostCertificates = certificateResultMessage.MapToHostCertificates(); try { EvaluationResult <HostCertificates> results = await Evaluate(hostCertificates); return(results.MapToHostResults()); } catch (Exception e) { string formatString = $"Error occured evaluating certificates for hostName {{hostName}} {{ExceptionMessage}} {Environment.NewLine} {{StackTrace}}"; _log.LogError(formatString, hostName, e.Message, e.StackTrace); throw; } }
public async Task <List <EvaluationError> > Test(string key, int keyLength, HostCertificates hostCertificates) { AllCertificatesShouldHaveStrongKey rule = new AllCertificatesShouldHaveStrongKey(A.Fake <ILogger <AllCertificatesShouldHaveStrongKey> >()); return(await rule.Evaluate(hostCertificates)); }
public Task <List <EvaluationError> > Test(HostCertificates hostCertificates) { CertificateExpiryShouldBeInDate rule = new CertificateExpiryShouldBeInDate(A.Fake <ILogger <CertificateExpiryShouldBeInDate> >()); return(rule.Evaluate(hostCertificates)); }
GetHostNotFoundResult(HostCertificates hostCertificates) => Task.FromResult(new EvaluationResult <HostCertificates>(hostCertificates, new List <EvaluationError> { new EvaluationError(EvaluationErrorType.Error, $"The host {hostCertificates.Host} does not exist.") }));
public Task <List <EvaluationError> > Test(HostCertificates hostCertificates) { CertificateShouldMatchHostName certificateShouldMatchHostName = new CertificateShouldMatchHostName(A.Fake <ILogger <CertificateShouldMatchHostName> >()); return(certificateShouldMatchHostName.Evaluate(hostCertificates)); }