diff --git a/t/02_hpkp_pinning.t b/t/11_hpkp.t
similarity index 77%
rename from t/02_hpkp_pinning.t
rename to t/11_hpkp.t
index 8de07b1b..6b8c3a05 100755
--- a/t/02_hpkp_pinning.t
+++ b/t/11_hpkp.t
@@ -18,45 +18,45 @@ $out = `./testssl.sh -H --jsonfile tmp.json --color 0 ssl.sectionzero.org`;
 $json = json('tmp.json');
 # It is better to have findings in a hash
-# Look for a leaf cert match in the process.
+# Look for a host cert match in the process.
 my $found = 0;
 my %findings;
 foreach my $f ( @$json ) {
 $findings{$f->{id}} = $f;
- if ( $f->{finding} =~ /matches the leaf certificate/ ) {
+ if ( $f->{finding} =~ /matches the host certificate/ ) {
 $found++;
 }
 }
-is($found,1,"We found 1 'matches the leaf certificate' finding"); $tests++;
-like($out,'/Leaf cert match/',"There is a 'Leaf cert match' in the text output"); $tests++;
+is($found,1,"We found 1 'matches the host certificate' finding"); $tests++;
+like($out,'/Host cert match/',"There is a 'Leaf cert match' in the text output"); $tests++;
 # Sub CA match
 ok( exists $findings{"hpkp_YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"},"We have a finding for key YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"); $tests++;
 like($findings{"hpkp_YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"}->{finding},'/Intermediate CA key matches a key pinned in the HPKP header/',"We have our Sub CA finding"); $tests++;
 is($findings{"hpkp_YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"}->{severity}, "OK", "The finding is ok"); $tests++;
-like($out,'/Sub CA match \: YLh1dUR9y6Kja30RrAn7JKnbQG\/uEtLMkBgFF2Fuihg/',"There is a 'Sub CA match' in the text output"); $tests++;
+like($out,'/Sub CA match\: YLh1dUR9y6Kja30RrAn7JKnbQG\/uEtLMkBgFF2Fuihg/',"There is a 'Sub CA match' in the text output"); $tests++;
 # Root CA match Lets encrypt
 ok( exists $findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"},"We have a finding for key Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"); $tests++;
 like($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{finding},'/Root CA key matches a key pinned in the HPKP header/',"This is a Root CA finding"); $tests++;
 like($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{finding},'/DST Root CA X3/',"Correct Root CA"); $tests++;
 like($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{finding},'/The CA is part of the chain/',"CA is indeed part of chain"); $tests++;
-is($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{severity}, "OK", "The finding is ok"); $tests++;
-like($out,'/Root CA match \: Vjs8r4z\+80wjNcr1YKepWQboSIRi63WsWXhIMN\+eWys/',"There is a 'Root CA match' in the text output"); $tests++;
+is($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{severity}, "INFO", "The finding is informational"); $tests++;
+like($out,'/Root CA match\: Vjs8r4z\+80wjNcr1YKepWQboSIRi63WsWXhIMN\+eWys/',"There is a 'Root CA match' in the text output"); $tests++;
 # Root CA StartCom
 ok( exists $findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"},"We have a finding for key 5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"); $tests++;
 like($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{finding},'/Root CA key matches a key pinned in the HPKP header/',"This is a Root CA finding"); $tests++;
 like($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{finding},'/StartCom Certification Authority/',"Correct Root CA"); $tests++;
 like($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{finding},'/The CA is not part of the chain/',"CA is indeed NOT part of chain"); $tests++;
-is($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{severity}, "OK", "The finding is ok"); $tests++;
-like($out,'/Root CA match \: 5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU/',"There is a 'Root CA match' in the text output"); $tests++;
+is($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{severity}, "INFO", "The finding is informational"); $tests++;
+like($out,'/Root CA match\: 5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU/',"There is a 'Root CA match' in the text output"); $tests++;
 # Bad PIN
 ok( exists $findings{"hpkp_123bad123bad123bad123bad123bad123bd123bad12"},"We have a finding for key 123bad123bad123bad123bad123bad123bd123bad12"); $tests++;
 like($findings{"hpkp_123bad123bad123bad123bad123bad123bd123bad12"}->{finding},'/doesn\'t match anything/',"It doesn't match indeed"); $tests++;
-is($findings{"hpkp_123bad123bad123bad123bad123bad123bd123bad12"}->{severity}, "WARN", "The finding is ok"); $tests++;
-like($out,'/Unmatched key : 123bad123bad123bad123bad123bad123bd123bad12/',"There is an 'unmatched key' in the text output"); $tests++;
+is($findings{"hpkp_123bad123bad123bad123bad123bad123bd123bad12"}->{severity}, "INFO", "The finding is informational"); $tests++;
+like($out,'/Unmatched key\: 123bad123bad123bad123bad123bad123bd123bad12/',"There is an 'unmatched key' in the text output"); $tests++;
 like($findings{hpkp_keys}->{finding},'/5 keys pinned/',"5 keys pinned in json"); $tests++;
 like($out,'/\# of keys: 5/',"5 keys pinned in text output"); $tests++;
diff --git a/testssl.sh b/testssl.sh
index cdb3dd53..aaad4dd1 100755
--- a/testssl.sh
+++ b/testssl.sh
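Review bot: The description string on the `like($out,'/Host cert match/', ...)` assertion still reads 'Leaf cert match' although the pattern it checks was renamed to 'Host cert match', so a failure report would point at text that no longer appears in testssl.sh's output; `like($out,'/Host cert match/',"There is a 'Host cert match' in the text output"); $tests++;` keeps the two in step. The other assertions in this hunk pin expectations to a live third-party host and to specific root CAs ('DST Root CA X3', 'StartCom Certification Authority'), so they will start failing when that site rotates its pins or chain rather than when run_hpkp regresses; a captured response fixture would separate the two, though that is a larger change than this rename. The `$tests++` counters suggest a fixed plan is declared outside this hunk, so any assertion added later has to keep that count in sync.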
@@ -1076,22 +1076,23 @@ run_hpkp() {
 for hpkp_key in $(echo $pins); do # exho needed here? ^^^^
 key_found=false
- # compare pin against the leaf certificate
+ # compare pin against the host certificate
 if [[ "$hpkp_key_hostcert" == "$hpkp_key" ]] || [[ "$hpkp_key_hostcert" == "$hpkp_key=" ]]; then
- out "\n$spaces Host cert match: "
- pr_done_good "$hpkp_key"
- fileout "hpkp_$hpkp_key" "OK" "PIN $hpkp_key matches the leaf certificate"
+ # We have a match
 key_found=true
 pins_match=true
+ out "\n$spaces Host cert match: "
+ pr_done_good "$hpkp_key"
+ fileout "hpkp_$hpkp_key" "OK" "PIN $hpkp_key matches the host certificate"
 fi
 debugme out "\n $hpkp_key | $hpkp_key_hostcert"
 # Check for intermediate match
- if ! "$key_found"; then
+ if ! $key_found; then
 # doesn't work, "grep: /tmp/ssltester.Dp2ovS/intermediate.hashes: No such file or directory" if teested against testss.sh
 hpkp_matches=$(grep "$hpkp_key" $TEMPDIR/intermediate.hashes 2>/dev/null)
 if [[ -n $hpkp_matches ]]; then
- # We have a winner!
+ # We have a match
 key_found=true
 pins_match=true
 out "\n$spaces Sub CA match: "
@@ -1101,10 +1102,10 @@ run_hpkp() {
 fi
 fi
- if ! "$key_found"; then
+ if ! $key_found; then
 hpkp_matches=$(grep -h "$hpkp_key" $ca_hashes | sort -u)
 if [[ -n $hpkp_matches ]]; then
- # We have a winner!
+ # We have a match
 key_found=true
 pins_match=true
 if [[ $(count_lines "$hpkp_matches") -eq 1 ]]; then
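Review bot: `if ! $key_found; then` (and the same form in the next two hunks, `if ! $key_found` and `if ! $pins_match`) still runs the variable's contents as a command and depends on it holding exactly `true` or `false`; removing the quotes changes nothing here because `key_found=false` is assigned at the top of the loop, but a comparison such as `if [[ $key_found == false ]]; then` states the intent without executing a command whose name comes from a variable. The adjacent `hpkp_matches=$(grep "$hpkp_key" $TEMPDIR/intermediate.hashes 2>/dev/null)` (unchanged context, and likewise `grep -h "$hpkp_key" $ca_hashes` in the second hunk) passes a value taken from the server's Public-Key-Pins header as a grep pattern; `grep -F -e "$hpkp_key"` would match it literally and keep a value beginning with `-` from being parsed as an option. The loop header `for hpkp_key in $(echo $pins); do` is also unquoted, so the same header-derived value is subject to pathname expansion before it ever reaches the comparisons. run_hpkp begins before this hunk and continues past both hunks.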
@@ -1128,19 +1129,19 @@ run_hpkp() {
 fi
 fi
- if ! "$key_found" && [[ $DEBUG -eq 1 ]]; then
- # Houston we may have a problem
+ if ! $key_found; then
+ # Most likely a backup pin
 out "\n\n$spaces Unmatched key: "
 out "$hpkp_key"
- out "\n$spaces (This is OK for a backup pin of a leaf cert)"
- fileout "hpkp_$hpkp_key" "INFO" "PIN $hpkp_key doesn't match anything. This could be ok if it is a backup pin for a leaf certificate"
+ out "\n$spaces (This is OK for a backup pin of a host cert)"
+ fileout "hpkp_$hpkp_key" "INFO" "PIN $hpkp_key doesn't match anything. This could be ok if it is a backup pin for a host certificate"
 fi
 done
 # If all else fails...
- if ! "$pins_match"; then
+ if ! $pins_match; then
 pr_svrty_high " No matching key for pins found "
- fileout "hpkp_keymatch" "NOT ok" "None of the HPKP PINS match your leaf certificate, intermediate CA or known root CAs. You may have bricked this site"
+ fileout "hpkp_keymatch" "NOT ok" "None of the HPKP PINS match your host certificate, intermediate CA or known root CAs. You may have bricked this site"
 fi
 else
 out "--"
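Review bot: `# Most likely a backup pin` states as fact what the code cannot know at this point: the pin matched neither the host certificate, the intermediate hashes nor any known root, which is equally the signature of a stale pin left behind by a key rotation, and the `fileout` two lines below already hedges with "could be ok". Since the `[[ $DEBUG -eq 1 ]]` gate was dropped, this branch and its INFO record now run for every unmatched pin in every scan, so the comment should describe both readings, e.g. `# No match anywhere: a backup pin for a future key, or a stale/mistyped pin`. The `else` branch that starts at the end of this hunk continues outside it.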