
Commit a3c0f31

Handshake&Certificate Evaluation (#19)

* Removed unused imports
* Added basic classes for the handshake simulation
* Added client configs
* Removed unnecessary logger statements
* added functions to load all config files from resource
* changed method to get configList to method to get configFilesList because of memory issues
* added first functional handshake simulation which reports the selected ciphersuite for each tested client
* added performance flags
* added performance flag
* added new simulatedClient class which holds all the interesting parameters of the handshake
* added parameters protocolVersion, compressionMethod and namedGroup
* split handshake simulation report into overview and detailed information
* added new receive actions and removed debug settings
* added reporting for client handshake parameters forwardSecrecy and negotiatedExtensionSet
* restructured classes
* fixed printing of protocol version in handshake simulation
* added new LIBRESSL clientConfigs
* added reporting of Protocol Version Client and Protocol Version is highest and fixed some things
* fixed null pointer in result
* added report of crimeBug, bleichenbacherBug and paddingOracleBug for each simulated client and adjusted some things
* fixed null pointer in handshake result
* added reporting of server key length and fixed bug reporting in handshake simulation
* fixed reporting of server public key length when there is no server key exchange message
* fixed reporting of server key length in handshake simulation
* added invalidCurve and invalidCurveEphemeral vulnerabilities in handshake simulation
* added sweet32Vulnerable in handshake simulation and restructured the code
* added secure and insecure connection counter for handshake simulation and restructured the code
* added reporting if connection of each client is secure
* added HandshakeSimulationAfterProbe to scanner
* changed simulatedClient boolean variables to Boolean
* changed the way the report object is generated
* fixed GcmPattern output and noColor misspelling
* added -detailed switch for the report
* changed simulatedClient Boolean getter
* split function appendHandshakeSimulation into overview and detailed
* added reporting of DROWN for handshake simulation
* changed detail switch from boolean to int (1-3)
* added new reporting functions for handshake simulation detail 2 and 3
* added new design for handshake report detail level 2
* small changes in reporting design of handshake simulation overview
* removed not relevant vulnerabilities in handshake simulation
* simplified siteReportPrinter code
* fixed runClient method according to new clientConfigs
* added variables to store rsa and dh min max lengths
* changed structure to handle arrays with test key lengths instead of just min and max values
* changed create method to constructor
* Revert "changed create method to constructor" This reverts commit f3ce314.
* changed name of create method
* added new clientConfigs
* changed runClient method to set all extensions explicitly
* fixed setting extension bytes correctly
* updated clientConfigs and made small changes
* removed special switch for handshake simulation report detail
* removed special switch for handshake simulation report detail
* changed variables of class
* changed structure and added evaluation features
* changed structure to required minimum
* changed structure and added evaluation features
* restructured reporting and added new features
* changed structure
* changed report layout
* fixed getting correct rsa public key length
* added ciphersuite grade check to determine if connection is secure
* changed code structure and fixed some things
* changed logging
* changed handshake probe to parallel execution
* added boolean isDefaultVersion to TlsClientConfig
* changed name of variable
* added updated configs and processing of defaultVersions
* added updated configs and processing of defaultVersions
* added protocol version test lists
* simplified handshakeSimulationResult; report evaluation is now complete in handshakeSimulationAfterProbe
* restructured code and added new evaluation features
* changed handshake variables
* changed handshake variables
* added enums for failed and insecure handshakes
* changed variables
* updated handshake evaluation logic
* changed pfs check
* changed some identifier names
* updated clientConfigs
* added nullpointer checks
* renamed HandshakeInsecure to ConnectionInsecure
* fixed isPublicKeyLengthNotAccepted test
* changed variables
* changed logic to set value for NegotiatedExtensions
* updated siteReportPrinter and integrated new evaluation features
* changed checkWhyServerHelloDoneIsMissing
* updated handshake report
* removed unnecessary code
* added checkIfConnectionIsRfc7918Secure
* updated handshake overview report
* updated handshake overview report
* changed isPublicKeyLengthNotAccepted function
* changed handshake report
* changed reporting of handshake simulation
* changed some handshake failed reasons
* changed isPublicKeyLengthNotAccepted method and failed and insecure lists
* changed failed reason text
* changed key length test logging
* changed getting dh public key length
* added isPublicKeyLengthToSmall check and changed handshake report
* changed isPublicKeyLengthNotAccepted logging
* updated clientConfigs final
* fixed color bug in handshake report
* fixed typo
* removed unknown
* changed text for protocol mismatch
* changed handshakeFailed and connectionInsecure report text
* changed some functions and reporting of handshake simulation
* now uses AlgorithmResolver to get keyExchangeAlgos from cipherSuite
* changed names of some variables
* changed to AlgorithmResolver and formatted code
* changed to AlgorithmResolver and formatted code
* formatted code
* added more symmetric algorithms to whitelist
* changed name of variables
* code formatted
* added ConfigFileList and repaired loading of TlsClientConfig files
* removed unused code
* changed reporting of handshake simulation
* updated configs to match new variable names
* added special constructor for evaluation
* Changed default values for ScannerConfig
* Changed HS values from int to Integer
* Changed SimulatedClient to get exported as xml
* Changed names of SimulatedClient variables
* Added hsevaluation classes and files
* fixed bug and added evaluation function
* changed logging
* added counter for number of websites to evaluate
* changed testing csv to real csv
* fixed hs message evaluation and added parsingError to fail reasons
* changed code with algorithmresolver
* changed code with algorithmresolver
* changed parsingError reason text
* added config constants
* changed evaluation
* exchanged gnutls default profile
* exchanged gnutls default profile
* changed main
* changed jaxb context in hsresio
* added new variables for simulatedClient
* changed messageEvaluation of HandshakeSimulation
* changed messageEvaluation of HandshakeSimulation
* added variables
* changed small things
* changed structure
* improved performance of TlsClientConfigIO
* improved performance of HSResIO
* improved performance of ConfigFileListIO
* formatted code and fixed imports
* fixed check of isHighestPossibleProtocolVersionSeleceted
* changed HS reporting
* made evaluation parallel
* changed some config files
* fixed logging
* disabled progressbar
* fixed logging
* changed parameters
* renamed evaluation main
* enabled progressbar
* Revert "enabled progressbar" This reverts commit 7a4479d.
* updated extractor
* updated pom
* updated gitignore
* updated main
* changed classpath of main
* added progress bar and changed logging
* added extracting loglist
* changed logging
* fixed logging
* added sorting of protocol lists to be independent
* added sorting of protocol list
* added sorting of protocol list
* fixed progress bars and changed logging
* made write method synchronized
* changed evaluation output
* changed logging
* changed logging
* changed logging
* added start number constant for extracting reports
* changed logging
* changed logging
* changed hs reporting
* fixed evaluation
* Final Evaluation 1
* Final Evaluation
* Final Evaluation
* Final Evaluation
* Final Evaluation
* Added Subheadings to the report
* added depth variable for subheadings; subheadings are now indented
* removed test of subheadings
* added setter of depth variable, changed names of subheading functions
* changed hstsMaxAge from Integer to Long (Issue #529)
* Update README.md
* Update README.md
* Rework of the colored text in the subheadings
* Formatted
* Added trust anchor submodule
* Current code of the certificate chain validation
* wip
* Current process for certificate/chain validation. Valid cases are already functional, various invalid cases are not so much yet ;)
* Changed text in site report printer and removed debug output
* updated version in Readme
* Fixed various bugs in the certificate analysis
* Fixed bugs and added certificateIssue concept
* readed progressbar and removed unused imports
* added automatic sni extension to tls-scanner
* made handshake eval compile again
* Made Scanner run again and renamed some classes
* Cleaned up handshake simulation code
* Made getScannerConfig call final
* Cleaned up code and debulked output
* Cleaned up code
* Added no matching group failure reason
* added initial bytes and createClientHello function to client config
* switched hello creation to handler (from serializer and preparator)
* current status of TlsClientConfig
* Updated ClientConfig List; Added new Set of client configs
* Fixed handshake simulation with newly extracted clients (sslv2 & more)
* Updated Scanner to newer 3.0 branch
* Disabled handshake simulation
* Disabled HandshakeSimulationAfterprobe
* Changed default report detail back to normal
* Organized imports
* Updated licenseheader year
* Fixed licenseheader setting
* Removed commented code
* removed license template comment
* Removed printStacktrace and added correct logger statement
* Formatted
* Removed license header template comments
1 parent 92f0f77 commit a3c0f31


469 files changed

+379007
-765
lines changed

.gitignore

Lines changed: 2 additions & 1 deletion
@@ -1,6 +1,8 @@
11
target/
22
apps/
3+
trust_stores_observatory/
34
log/
5+
src/main/resources/trust/*
46
pom.xml.tag
57
pom.xml.releaseBackup
68
pom.xml.versionsBackup
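Review bot: `trust_stores_observatory/` is the path of the submodule that .gitmodules registers in this same commit; a submodule is tracked as a gitlink, so an ignore rule for its directory is not needed and mainly hides untracked-file noise inside the checkout. Either drop that line or add a comment explaining why it is there. The `src/main/resources/trust/*` rule is the right one, because that directory is populated from the submodule by the resources plugin at build time and must not be committed.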
@@ -9,4 +11,3 @@ release.properties
911
dependency-reduced-pom.xml
1012
buildNumber.properties
1113
.mvn/timing.properties
12-
*.jar
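Review bot: removing the `*.jar` rule makes it easy to commit build artifacts by accident, and this commit already adds 469 files and more than 379,000 lines, which is hard to audit for stray binaries. If one specific jar must be tracked, keep `*.jar` and add a negated rule for that file (`!path/to/needed.jar`) rather than lifting the rule globally.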

.gitmodules

Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
[submodule "trust_stores_observatory"]
2+
path = trust_stores_observatory
3+
url = https://github.com/nabla-c0d3/trust_stores_observatory
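Review bot: the submodule is pinned by the gitlink, which is good for reproducibility, but nothing in this change documents that a checkout now needs `git submodule update --init`; without it, the trust-store copy configured in pom.xml finds no source directory. Add that step to the README, and consider pointing the URL at a fork under the project's own organisation so that updates to the external trust-store repository pass through review before the pin is moved.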

README.md

Lines changed: 2 additions & 2 deletions
@@ -4,7 +4,7 @@ TLS-Scanner is a tool created by the Chair for Network and Data Security from th
44
**Please note:** *TLS-Scanner is a research tool intended for TLS developers, pentesters, administrators and researchers. There is no GUI. It is in the first version and may contain some bugs.*
55

66
# Compiling
7-
In order to compile and use TLS-Scanner, you need to have Java and Maven installed, as well as [TLS-Attacker](https://github.com/RUB-NDS/TLS-Attacker) in Version 2.8
7+
In order to compile and use TLS-Scanner, you need to have Java and Maven installed, as well as [TLS-Attacker](https://github.com/RUB-NDS/TLS-Attacker) in Version 3.0
88

99
```bash
1010
$ cd TLS-Scanner
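Review bot: the version bump is right for the TLS-Attacker 3.0 migration, but this is also the place to state the new build prerequisite introduced by this commit: the `trust_stores_observatory` submodule must be initialised before `mvn clean install` (`git clone --recurse-submodules ...` or `git submodule update --init`). As written, a reader following these instructions on a plain clone ends up with a scanner that has no trust stores.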
@@ -23,7 +23,7 @@ $ mvn clean install
2323

2424
For hints on installing the required libraries checkout the corresponding GitHub repositories.
2525

26-
**Please note:** *In order to run this tool you need TLS-Attacker version 2.8*
26+
**Please note:** *In order to run this tool you need TLS-Attacker version 3.0*
2727

2828
# Running
2929
In order to run TLS-Scanner you need to run the jar file in the apps/ folder.
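Review bot: the required TLS-Attacker version is now stated twice in the README (lines 7 and 26 of the file), and both had to be edited in this commit; keep one statement, or have the second refer to the first, so a future bump cannot leave the two out of sync.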

license_header.txt

Lines changed: 1 addition & 1 deletion
@@ -1,7 +1,7 @@
11
/**
22
* TLS-Scanner - A TLS Configuration Analysistool based on TLS-Attacker
33
*
4-
* Copyright 2017-2017 Ruhr University Bochum / Hackmanit GmbH
4+
* Copyright 2017-2019 Ruhr University Bochum / Hackmanit GmbH
55
*
66
* Licensed under Apache License 2.0
77
* http://www.apache.org/licenses/LICENSE-2.0
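Review bot: the header text on line 2, `A TLS Configuration Analysistool`, is missing a space (`Analysis tool`); since the license plugin now rewrites every source file from the header template, fixing the typo in the template fixes it everywhere in one pass. Note also that this file's previous range was `2017-2017` while license_header_plain.txt carried `2014-2017`; the two templates should be kept identical apart from the comment markers, otherwise the one the plugin does not read drifts unnoticed.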

license_header_plain.txt

Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,6 @@
11
TLS-Scanner - A TLS Configuration Analysistool based on TLS-Attacker
22

3-
Copyright 2014-2017 Ruhr University Bochum / Hackmanit GmbH
3+
Copyright 2017-2019 Ruhr University Bochum / Hackmanit GmbH
44

55
Licensed under Apache License 2.0
66
http://www.apache.org/licenses/LICENSE-2.0

pom.xml

Lines changed: 56 additions & 3 deletions
@@ -25,7 +25,7 @@
2525
<dependency>
2626
<groupId>me.tongfei</groupId>
2727
<artifactId>progressbar</artifactId>
28-
<version>0.7.1</version>
28+
<version>0.7.4</version>
2929
</dependency>
3030
<dependency>
3131
<groupId>com.googlecode.json-simple</groupId>
@@ -37,6 +37,28 @@
3737
<artifactId>commons-math3</artifactId>
3838
<version>3.6.1</version>
3939
</dependency>
40+
<dependency>
41+
<groupId>com.fasterxml.jackson.core</groupId>
42+
<artifactId>jackson-databind</artifactId>
43+
<version>2.8.4</version>
44+
<type>jar</type>
45+
</dependency>
46+
<dependency>
47+
<groupId>com.fasterxml.jackson.dataformat</groupId>
48+
<artifactId>jackson-dataformat-yaml</artifactId>
49+
<version>2.9.0</version>
50+
</dependency>
51+
<dependency>
52+
<groupId>org.apache.commons</groupId>
53+
<artifactId>commons-lang3</artifactId>
54+
<version>3.9</version>
55+
</dependency>
56+
<dependency>
57+
<groupId>org.bouncycastle</groupId>
58+
<artifactId>bcpkix-jdk15on</artifactId>
59+
<version>1.60</version>
60+
<type>jar</type>
61+
</dependency>
4062
</dependencies>
4163
<profiles>
4264
<profile>
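Review bot: the two Jackson artifacts are on different release lines (`jackson-databind` 2.8.4, `jackson-dataformat-yaml` 2.9.0). The YAML module pulls in `jackson-core` 2.9.0 while databind stays at 2.8.4, and Jackson does not guarantee that mixed minor versions work together; pin both to a single version through one property. 2.8.4 is also an old databind release with many later bug-fix and deserialization-hardening releases behind it, so the shared version should be a current one. The `<type>jar</type>` elements are the default and can be dropped.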
@@ -117,10 +139,9 @@
117139
</plugin>
118140
<plugin>
119141
<groupId>com.mycila</groupId>
120-
<version>3.0</version>
121142
<artifactId>license-maven-plugin</artifactId>
122143
<configuration>
123-
<header>${main.basedir}/license_header_plain.txt</header>
144+
<header>${basedir}/license_header_plain.txt</header>
124145
<strictCheck>true</strictCheck>
125146
<includes>
126147
<include>src/**/*.java</include>
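Review bot: `<version>3.0</version>` of `license-maven-plugin` is removed without a replacement, so the plugin version is now unpinned; Maven will warn and resolve whatever version it finds, which makes builds non-reproducible and lets a new plugin release change behaviour without any change in this repository. Keep an explicit version (in `<pluginManagement>` if preferred). The `${main.basedir}` to `${basedir}` change is fine since the header file lives in this module.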
@@ -130,6 +151,14 @@
130151
<owner>Ruhr University Bochum, Hackmanit GmbH</owner>
131152
</properties>
132153
</configuration>
154+
<executions>
155+
<execution>
156+
<phase>process-sources</phase>
157+
<goals>
158+
<goal>format</goal>
159+
</goals>
160+
</execution>
161+
</executions>
133162
</plugin>
134163
<plugin>
135164
<groupId>org.apache.maven.plugins</groupId>
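Review bot: binding the `format` goal to `process-sources` means every `mvn compile` rewrites source files in the working tree. That is surprising during development and, together with the now unpinned plugin version in the hunk above, lets a plugin update silently modify checked-in sources. Prefer binding `check` to the build so a missing or wrong header fails it, and run `format` on demand (`mvn license:format`).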
@@ -160,6 +189,30 @@
160189
<argLine>-Dfile.encoding=${project.build.sourceEncoding}</argLine>
161190
</configuration>
162191
</plugin>
192+
<plugin>
193+
<artifactId>maven-resources-plugin</artifactId>
194+
<version>3.1.0</version>
195+
<executions>
196+
<execution>
197+
<id>copy-resources</id>
198+
<phase>validate</phase>
199+
<goals>
200+
<goal>copy-resources</goal>
201+
</goals>
202+
<configuration>
203+
<outputDirectory>${basedir}/src/main/resources/trust/</outputDirectory>
204+
<resources>
205+
<resource>
206+
<directory>${basedir}/trust_stores_observatory/trust_stores/</directory>
207+
</resource>
208+
<resource>
209+
<directory>${basedir}/trust_stores_observatory/certificates/</directory>
210+
</resource>
211+
</resources>
212+
</configuration>
213+
</execution>
214+
</executions>
215+
</plugin>
163216
</plugins>
164217
</build>
165218
<properties>
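Review bot: the copy target is `${basedir}/src/main/resources/trust/`, i.e. the source tree, rather than the build directory; generated files belong under `target/` (for example `${project.build.outputDirectory}/trust`), which keeps the source tree clean and makes the matching `.gitignore` entry unnecessary. More importantly, when the submodule is not checked out, `maven-resources-plugin` only logs that the resource directory does not exist and the build succeeds with an empty trust store, so the new certificate-chain evaluation becomes a silent no-op. Make the build fail in that case, e.g. with `maven-enforcer-plugin`'s `requireFilesExist` rule on the two source directories.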

src/main/java/de/rub/nds/tlsscanner/ConsoleLogger.java

Lines changed: 2 additions & 2 deletions
@@ -1,7 +1,7 @@
11
/**
2-
* TLS-Attacker - A Modular Penetration Testing Framework for TLS
2+
* TLS-Scanner - A TLS Configuration Analysistool based on TLS-Attacker
33
*
4-
* Copyright 2014-2017 Ruhr University Bochum / Hackmanit GmbH
4+
* Copyright 2017-2019 Ruhr University Bochum / Hackmanit GmbH
55
*
66
* Licensed under Apache License 2.0
77
* http://www.apache.org/licenses/LICENSE-2.0

src/main/java/de/rub/nds/tlsscanner/Main.java

Lines changed: 1 addition & 1 deletion
@@ -1,7 +1,7 @@
11
/**
22
* TLS-Scanner - A TLS Configuration Analysistool based on TLS-Attacker
33
*
4-
* Copyright 2014-2017 Ruhr University Bochum / Hackmanit GmbH
4+
* Copyright 2017-2019 Ruhr University Bochum / Hackmanit GmbH
55
*
66
* Licensed under Apache License 2.0
77
* http://www.apache.org/licenses/LICENSE-2.0

src/main/java/de/rub/nds/tlsscanner/MultiThreadedScanJobExecutor.java

Lines changed: 2 additions & 2 deletions
@@ -1,7 +1,7 @@
11
/**
22
* TLS-Scanner - A TLS Configuration Analysistool based on TLS-Attacker
33
*
4-
* Copyright 2014-2017 Ruhr University Bochum / Hackmanit GmbH
4+
* Copyright 2017-2019 Ruhr University Bochum / Hackmanit GmbH
55
*
66
* Licensed under Apache License 2.0
77
* http://www.apache.org/licenses/LICENSE-2.0
@@ -159,7 +159,7 @@ private SiteReport scan(ScannerConfig config, ScanJob scanJob, ProgressBar pb) {
159159
}
160160
report.setExtractedValueContainerList(globalContainerList);
161161
//phase 4 - afterprobes
162-
for (AfterProbe afterProbe : scanJob.getAfterProbes()) {
162+
for (AfterProbe afterProbe : scanJob.getAfterList()) {
163163
afterProbe.analyze(report);
164164
}
165165
LOGGER.info("Finished scan for: " + hostname);
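Review bot: the after-probe loop at lines 162-164 calls `afterProbe.analyze(report)` with no exception handling, so one failing after-probe (this commit adds a certificate evaluation and, per the commit message, a `HandshakeSimulationAfterProbe` that had to be disabled) aborts the scan and discards the report assembled in the earlier phases. Catch per probe, log the failure with the probe's class name, and continue so the partial report is still returned. The switch to `getAfterList()` matches the renamed `ScanJob` accessor, but see the comment on that hunk.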

src/main/java/de/rub/nds/tlsscanner/ScanJob.java

Lines changed: 2 additions & 2 deletions
@@ -1,7 +1,7 @@
11
/**
22
* TLS-Scanner - A TLS Configuration Analysistool based on TLS-Attacker
33
*
4-
* Copyright 2014-2017 Ruhr University Bochum / Hackmanit GmbH
4+
* Copyright 2017-2019 Ruhr University Bochum / Hackmanit GmbH
55
*
66
* Licensed under Apache License 2.0
77
* http://www.apache.org/licenses/LICENSE-2.0
@@ -37,7 +37,7 @@ public List<TlsProbe> getPhaseTwoTestList() {
3737
return phaseTwoTestList;
3838
}
3939

40-
public List<AfterProbe> getAfterProbes() {
40+
public List<AfterProbe> getAfterList() {
4141
return afterList;
4242
}
4343
