Updated printingscheme and added tls13 cert status again

Author: ic0ns

TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/probe/OcspProbe.java

@@ -42,6 +42,13 @@
 import java.util.Random;
 
 import static de.rub.nds.tlsattacker.core.certificate.ocsp.OCSPResponseTypes.NONCE;
+import de.rub.nds.tlsattacker.core.constants.NamedGroup;
+import de.rub.nds.tlsattacker.core.constants.PskKeyExchangeMode;
+import de.rub.nds.tlsattacker.core.constants.SignatureAndHashAlgorithm;
+import de.rub.nds.tlsattacker.core.protocol.message.CertificateMessage;
+import de.rub.nds.tlsattacker.core.protocol.message.cert.CertificateEntry;
+import de.rub.nds.tlsattacker.core.protocol.message.extension.CertificateStatusRequestExtensionMessage;
+import de.rub.nds.tlsattacker.core.protocol.message.extension.ExtensionMessage;
 import de.rub.nds.tlsscanner.serverscanner.config.ScannerConfig;
 import de.rub.nds.tlsscanner.serverscanner.constants.ProbeType;
 import de.rub.nds.tlsscanner.serverscanner.report.SiteReport;
@@ -62,6 +69,7 @@ public class OcspProbe extends TlsProbe {
     private OCSPResponse firstResponse;
     private OCSPResponse secondResponse;
     private OCSPResponse httpGetResponse;
+    private List<NamedGroup> tls13NamedGroups;
 
     public static final int NONCE_TEST_VALUE_1 = 42;
     public static final int NONCE_TEST_VALUE_2 = 1337;
@@ -84,9 +92,12 @@ public ProbeResult executeTest() {
         getMustStaple(serverCertChain);
         getStapledResponse(tlsConfig);
         performRequest(serverCertChain);
-
+        List<CertificateStatusRequestExtensionMessage> tls13CertStatus = null;
+        if (tls13NamedGroups != null) {
+            tls13CertStatus = getCertificateStatusFromCertificateEntryExtension();
+        }
         return new OcspResult(supportsOcsp, supportsStapling, mustStaple, supportsNonce, stapledResponse,
-                firstResponse, secondResponse, httpGetResponse);
+                firstResponse, secondResponse, httpGetResponse, tls13CertStatus);
     }
 
     private void getMustStaple(Certificate certChain) {
@@ -222,16 +233,63 @@ private Config initTlsConfig() {
 
     @Override
     public boolean canBeExecuted(SiteReport report) {
-        return report.getCertificateChain() != null;
+        // We also need the tls13 groups to perform a tls13 handshake
+        return report.getCertificateChain() != null && report.isProbeAlreadyExecuted(ProbeType.NAMED_GROUPS);
     }
 
     @Override
     public void adjustConfig(SiteReport report) {
         serverCertChain = report.getCertificateChain().getCertificate();
+        tls13NamedGroups = report.getSupportedTls13Groups();
+    }
+
+    private List<CertificateStatusRequestExtensionMessage> getCertificateStatusFromCertificateEntryExtension() {
+        List<CertificateStatusRequestExtensionMessage> certificateStatuses = new LinkedList<>();
+        Config tlsConfig = getScannerConfig().createConfig();
+        tlsConfig.setQuickReceive(true);
+        tlsConfig.setDefaultClientSupportedCiphersuites(CipherSuite.getImplementedTls13CipherSuites());
+        tlsConfig.setHighestProtocolVersion(ProtocolVersion.TLS13);
+        tlsConfig.setSupportedVersions(ProtocolVersion.TLS13);
+        tlsConfig.setEnforceSettings(false);
+        tlsConfig.setEarlyStop(true);
+        tlsConfig.setStopReceivingAfterFatal(true);
+        tlsConfig.setStopActionsAfterFatal(true);
+        tlsConfig.setWorkflowTraceType(WorkflowTraceType.HELLO);
+        tlsConfig.setDefaultClientNamedGroups(tls13NamedGroups);
+        tlsConfig.setAddECPointFormatExtension(false);
+        tlsConfig.setAddEllipticCurveExtension(true);
+        tlsConfig.setAddSignatureAndHashAlgorithmsExtension(true);
+        tlsConfig.setAddSupportedVersionsExtension(true);
+        tlsConfig.setAddKeyShareExtension(true);
+        tlsConfig.setAddServerNameIndicationExtension(true);
+        tlsConfig.setAddCertificateStatusRequestExtension(true);
+        tlsConfig.setUseFreshRandom(true);
+        tlsConfig.setDefaultClientSupportedSignatureAndHashAlgorithms(SignatureAndHashAlgorithm
+                .getTls13SignatureAndHashAlgorithms());
+        State state = new State(tlsConfig);
+        List<PskKeyExchangeMode> pskKex = new LinkedList<>();
+        pskKex.add(PskKeyExchangeMode.PSK_DHE_KE);
+        pskKex.add(PskKeyExchangeMode.PSK_KE);
+        tlsConfig.setPSKKeyExchangeModes(pskKex);
+        tlsConfig.setAddPSKKeyExchangeModesExtension(true);
+        executeState(state);
+        if (WorkflowTraceUtil.didReceiveMessage(HandshakeMessageType.CERTIFICATE, state.getWorkflowTrace())) {
+            CertificateMessage certificateMessage = (CertificateMessage) WorkflowTraceUtil.getFirstReceivedMessage(
+                    HandshakeMessageType.CERTIFICATE, state.getWorkflowTrace());
+            List<CertificateEntry> certificateEntries = certificateMessage.getCertificatesListAsEntry();
+            for (CertificateEntry certificateEntry : certificateEntries) {
+                for (ExtensionMessage extensionMessage : certificateEntry.getExtensions()) {
+                    if (extensionMessage instanceof CertificateStatusRequestExtensionMessage) {
+                        certificateStatuses.add((CertificateStatusRequestExtensionMessage) extensionMessage);
+                    }
+                }
+            }
+        }
+        return certificateStatuses;
     }
 
     @Override
     public ProbeResult getCouldNotExecuteResult() {
-        return new OcspResult(null, false, false, false, null, null, null, null);
+        return new OcspResult(null, false, false, false, null, null, null, null, null);
     }
 }

TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/report/PrintingScheme.java

@@ -91,6 +91,16 @@ public static PrintingScheme getDefaultPrintingScheme(boolean useColors) {
         attackEncodingMap.put(TestResult.UNCERTAIN, "uncertain - requires manual testing");
         attackEncodingMap.put(TestResult.UNSUPPORTED, "unsupported by TLS-Scanner");
 
+        HashMap<TestResult, String> freshnessMap = new HashMap<>();
+        freshnessMap.put(TestResult.COULD_NOT_TEST, "could not test (no)");
+        freshnessMap.put(TestResult.ERROR_DURING_TEST, "error");
+        freshnessMap.put(TestResult.FALSE, "false");
+        freshnessMap.put(TestResult.NOT_TESTED_YET, "not tested yet");
+        freshnessMap.put(TestResult.TIMEOUT, "timeout");
+        freshnessMap.put(TestResult.TRUE, "true");
+        freshnessMap.put(TestResult.UNCERTAIN, "uncertain - requires manual testing");
+        freshnessMap.put(TestResult.UNSUPPORTED, "unsupported by TLS-Scanner");
+
         ColorEncoding attacks = getDefaultColorEncoding(AnsiColor.RED, AnsiColor.GREEN);
 
         HashMap<AnalyzedProperty, ColorEncoding> colorMap = new HashMap<>();
@@ -297,6 +307,8 @@ public static PrintingScheme getDefaultPrintingScheme(boolean useColors) {
 
         HashMap<AnalyzedPropertyCategory, TextEncoding> textMap = new HashMap<>();
         textMap.put(AnalyzedPropertyCategory.ATTACKS, new TextEncoding(attackEncodingMap));
+        textMap.put(AnalyzedPropertyCategory.FRESHNESS, new TextEncoding(freshnessMap));
+        textMap.put(AnalyzedPropertyCategory.FFDHE, new TextEncoding(freshnessMap));
         PrintingScheme scheme = new PrintingScheme(colorMap, textMap, defaultTextEncoding, defaultColorEncoding,
                 useColors);
         return scheme;

TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/report/result/OcspResult.java

@@ -10,6 +10,7 @@
 
 import de.rub.nds.tlsattacker.core.certificate.ocsp.CertificateStatus;
 import de.rub.nds.tlsattacker.core.certificate.ocsp.OCSPResponse;
+import de.rub.nds.tlsattacker.core.protocol.message.extension.CertificateStatusRequestExtensionMessage;
 import de.rub.nds.tlsscanner.serverscanner.constants.ProbeType;
 import de.rub.nds.tlsscanner.serverscanner.probe.OcspProbe;
 import de.rub.nds.tlsscanner.serverscanner.rating.TestResult;
@@ -20,6 +21,7 @@
 import java.time.Duration;
 import java.time.LocalDateTime;
 import java.time.format.DateTimeFormatter;
+import java.util.List;
 import java.util.Locale;
 
 /**
@@ -37,9 +39,11 @@ public class OcspResult extends ProbeResult {
     private final OCSPResponse secondResponse;
     private final OCSPResponse httpGetResponse;
 
+    private final List<CertificateStatusRequestExtensionMessage> tls13CertStatus;
+
     public OcspResult(Boolean supportsOcsp, boolean supportsStapling, boolean mustStaple, boolean supportsNonce,
             OCSPResponse stapledResponse, OCSPResponse firstResponse, OCSPResponse secondResponse,
-            OCSPResponse httpGetResponse) {
+            OCSPResponse httpGetResponse, List<CertificateStatusRequestExtensionMessage> tls13CertStatus) {
         super(ProbeType.OCSP);
         this.supportsOcsp = supportsOcsp;
         this.supportsStapling = supportsStapling;
@@ -49,6 +53,7 @@ public OcspResult(Boolean supportsOcsp, boolean supportsStapling, boolean mustSt
         this.firstResponse = firstResponse;
         this.secondResponse = secondResponse;
         this.httpGetResponse = httpGetResponse;
+        this.tls13CertStatus = tls13CertStatus;
     }
 
     @Override
@@ -140,5 +145,21 @@ else if (secondResponse != null) {
                 report.putResult(AnalyzedProperty.SUPPORTS_NONCE, TestResult.FALSE);
             }
         }
+
+        if (tls13CertStatus != null) {
+            if (tls13CertStatus.size() == 1) {
+                report.putResult(AnalyzedProperty.SUPPORTS_CERTIFICATE_STATUS_REQUEST_TLS13, TestResult.TRUE);
+                report.putResult(AnalyzedProperty.STAPLING_TLS13_MULTIPLE_CERTIFICATES, TestResult.FALSE);
+            } else if (tls13CertStatus.size() > 1) {
+                report.putResult(AnalyzedProperty.SUPPORTS_CERTIFICATE_STATUS_REQUEST_TLS13, TestResult.TRUE);
+                report.putResult(AnalyzedProperty.STAPLING_TLS13_MULTIPLE_CERTIFICATES, TestResult.TRUE);
+            } else {
+                report.putResult(AnalyzedProperty.SUPPORTS_CERTIFICATE_STATUS_REQUEST_TLS13, TestResult.FALSE);
+                report.putResult(AnalyzedProperty.STAPLING_TLS13_MULTIPLE_CERTIFICATES, TestResult.FALSE);
+            }
+        } else {
+            report.putResult(AnalyzedProperty.SUPPORTS_CERTIFICATE_STATUS_REQUEST_TLS13, TestResult.COULD_NOT_TEST);
+            report.putResult(AnalyzedProperty.STAPLING_TLS13_MULTIPLE_CERTIFICATES, TestResult.COULD_NOT_TEST);
+        }
     }
 }