From 0b41f835294891448b5404c0707b173c9eb8a7a9 Mon Sep 17 00:00:00 2001 From: TLS-Scanner Developer Date: Fri, 27 Jun 2025 10:42:59 +0000 Subject: [PATCH] Add recommended fields to JSON output for guideline checks Fixes #115: Guidelines now include both recommended and notRecommended fields in the JSON output for better transparency about what configurations are actually recommended by BSI and NIST guidelines. Updated guideline check results for: - CipherSuiteGuidelineCheckResult - HashAlgorithmsGuidelineCheckResult - NamedGroupsGuidelineCheckResult - SignatureAlgorithmsGuidelineCheckResult - SignatureAndHashAlgorithmsCertificateGuidelineCheckResult - X509SignatureAlgorithmGuidelineCheckResult Added comprehensive tests to verify JSON serialization includes the new fields. --- .../checks/CipherSuiteGuidelineCheck.java | 5 +- .../checks/HashAlgorithmsGuidelineCheck.java | 10 +- .../checks/NamedGroupsGuidelineCheck.java | 2 +- .../SignatureAlgorithmsGuidelineCheck.java | 7 +- ...shAlgorithmsCertificateGuidelineCheck.java | 5 +- ...natureAndHashAlgorithmsGuidelineCheck.java | 10 +- .../CipherSuiteGuidelineCheckResult.java | 16 ++ .../HashAlgorithmsGuidelineCheckResult.java | 17 ++ .../NamedGroupsGuidelineCheckResult.java | 15 ++ ...gnatureAlgorithmsGuidelineCheckResult.java | 17 ++ ...rithmsCertificateGuidelineCheckResult.java | 17 ++ ...ignatureAlgorithmGuidelineCheckResult.java | 17 ++ .../CipherSuiteGuidelineCheckResultTest.java | 56 ++++++ ...ashAlgorithmsGuidelineCheckResultTest.java | 56 ++++++ .../GuidelineResultSerializationTest.java | 165 ++++++++++++++++++ 15 files changed, 404 insertions(+), 11 deletions(-) create mode 100644 TLS-Server-Scanner/src/test/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/CipherSuiteGuidelineCheckResultTest.java create mode 100644 TLS-Server-Scanner/src/test/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/HashAlgorithmsGuidelineCheckResultTest.java create mode 100644 TLS-Server-Scanner/src/test/java/de/rub/nds/tlsscanner/serverscanner/report/GuidelineResultSerializationTest.java diff --git a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/CipherSuiteGuidelineCheck.java b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/CipherSuiteGuidelineCheck.java index c36540db3..bb9b0a9fa 100644 --- a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/CipherSuiteGuidelineCheck.java +++ b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/CipherSuiteGuidelineCheck.java @@ -64,7 +64,10 @@ public CipherSuiteGuidelineCheck( public GuidelineCheckResult evaluate(ServerReport report) { List nonRecommended = this.nonRecommendedSuites(report); return new CipherSuiteGuidelineCheckResult( - getName(), GuidelineAdherence.of(nonRecommended.isEmpty()), nonRecommended); + getName(), + GuidelineAdherence.of(nonRecommended.isEmpty()), + nonRecommended, + recommendedCipherSuites); } @Override diff --git a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/HashAlgorithmsGuidelineCheck.java b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/HashAlgorithmsGuidelineCheck.java index 376122ca7..e581aedcf 100644 --- a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/HashAlgorithmsGuidelineCheck.java +++ b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/HashAlgorithmsGuidelineCheck.java @@ -64,10 +64,16 @@ public GuidelineCheckResult evaluate(ServerReport report) { } } return new HashAlgorithmsGuidelineCheckResult( - getName(), GuidelineAdherence.of(nonRecommended.isEmpty()), nonRecommended); + getName(), + GuidelineAdherence.of(nonRecommended.isEmpty()), + nonRecommended, + recommendedAlgorithms); } else { return new HashAlgorithmsGuidelineCheckResult( - getName(), GuidelineAdherence.CHECK_FAILED, Collections.emptySet()); + getName(), + GuidelineAdherence.CHECK_FAILED, + Collections.emptySet(), + recommendedAlgorithms); } } diff --git a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/NamedGroupsGuidelineCheck.java b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/NamedGroupsGuidelineCheck.java index f8a2dd6e6..b2e5d2644 100644 --- a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/NamedGroupsGuidelineCheck.java +++ b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/NamedGroupsGuidelineCheck.java @@ -103,7 +103,7 @@ public GuidelineCheckResult evaluate(ServerReport report) { return new NamedGroupsGuidelineCheckResult(getName(), GuidelineAdherence.ADHERED); } else { return new NamedGroupsGuidelineCheckResult( - getName(), GuidelineAdherence.VIOLATED, nonRecommended); + getName(), GuidelineAdherence.VIOLATED, nonRecommended, recommendedGroups); } } diff --git a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/SignatureAlgorithmsGuidelineCheck.java b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/SignatureAlgorithmsGuidelineCheck.java index a298b8df6..da580e2fa 100644 --- a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/SignatureAlgorithmsGuidelineCheck.java +++ b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/SignatureAlgorithmsGuidelineCheck.java @@ -63,10 +63,13 @@ public GuidelineCheckResult evaluate(ServerReport report) { } } return new SignatureAlgorithmsGuidelineCheckResult( - getName(), GuidelineAdherence.of(notRecommended.isEmpty()), notRecommended); + getName(), + GuidelineAdherence.of(notRecommended.isEmpty()), + notRecommended, + recommendedAlgorithms); } else { return new SignatureAlgorithmsGuidelineCheckResult( - getName(), GuidelineAdherence.CHECK_FAILED, null); + getName(), GuidelineAdherence.CHECK_FAILED, null, recommendedAlgorithms); } } diff --git a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/SignatureAndHashAlgorithmsCertificateGuidelineCheck.java b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/SignatureAndHashAlgorithmsCertificateGuidelineCheck.java index f2a0a19b0..d2f41b20e 100644 --- a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/SignatureAndHashAlgorithmsCertificateGuidelineCheck.java +++ b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/SignatureAndHashAlgorithmsCertificateGuidelineCheck.java @@ -60,7 +60,10 @@ public GuidelineCheckResult evaluate(ServerReport report) { } } return new X509SignatureAlgorithmGuidelineCheckResult( - getName(), GuidelineAdherence.of(nonRecommended.isEmpty()), nonRecommended); + getName(), + GuidelineAdherence.of(nonRecommended.isEmpty()), + nonRecommended, + recommendedAlgorithms); } @Override diff --git a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/SignatureAndHashAlgorithmsGuidelineCheck.java b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/SignatureAndHashAlgorithmsGuidelineCheck.java index 8a5d81076..5b762a305 100644 --- a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/SignatureAndHashAlgorithmsGuidelineCheck.java +++ b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/checks/SignatureAndHashAlgorithmsGuidelineCheck.java @@ -88,7 +88,7 @@ public GuidelineCheckResult evaluate(ServerReport report) { } if (algorithms == null || algorithms.isEmpty()) { return new SignatureAndHashAlgorithmsCertificateGuidelineCheckResult( - getName(), GuidelineAdherence.CHECK_FAILED, null); + getName(), GuidelineAdherence.CHECK_FAILED, null, recommendedAlgorithms); } Set notRecommended = new HashSet<>(); for (SignatureAndHashAlgorithm alg : algorithms) { @@ -96,9 +96,11 @@ public GuidelineCheckResult evaluate(ServerReport report) { notRecommended.add(alg); } } - return new SignatureAndHashAlgorithmsCertificateGuidelineCheckResult( // TODO this needs to - // be a new result now - getName(), GuidelineAdherence.of(notRecommended.isEmpty()), notRecommended); + return new SignatureAndHashAlgorithmsCertificateGuidelineCheckResult( + getName(), + GuidelineAdherence.of(notRecommended.isEmpty()), + notRecommended, + recommendedAlgorithms); } @Override diff --git a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/CipherSuiteGuidelineCheckResult.java b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/CipherSuiteGuidelineCheckResult.java index 4f307a450..8f7ef52bc 100644 --- a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/CipherSuiteGuidelineCheckResult.java +++ b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/CipherSuiteGuidelineCheckResult.java @@ -17,6 +17,7 @@ public class CipherSuiteGuidelineCheckResult extends GuidelineCheckResult { private final List notRecommendedSuites; + private final List recommendedSuites; public CipherSuiteGuidelineCheckResult( String checkName, @@ -24,6 +25,17 @@ public CipherSuiteGuidelineCheckResult( List notRecommendedSuites) { super(checkName, adherence); this.notRecommendedSuites = notRecommendedSuites; + this.recommendedSuites = null; + } + + public CipherSuiteGuidelineCheckResult( + String checkName, + GuidelineAdherence adherence, + List notRecommendedSuites, + List recommendedSuites) { + super(checkName, adherence); + this.notRecommendedSuites = notRecommendedSuites; + this.recommendedSuites = recommendedSuites; } @Override @@ -39,4 +51,8 @@ public String toString() { public List getNotRecommendedSuites() { return notRecommendedSuites; } + + public List getRecommendedSuites() { + return recommendedSuites; + } } diff --git a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/HashAlgorithmsGuidelineCheckResult.java b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/HashAlgorithmsGuidelineCheckResult.java index 2ad02edbe..b0ddd5ffc 100644 --- a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/HashAlgorithmsGuidelineCheckResult.java +++ b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/HashAlgorithmsGuidelineCheckResult.java @@ -12,12 +12,14 @@ import de.rub.nds.protocol.constants.HashAlgorithm; import de.rub.nds.scanner.core.guideline.GuidelineAdherence; import de.rub.nds.scanner.core.guideline.GuidelineCheckResult; +import java.util.List; import java.util.Objects; import java.util.Set; public class HashAlgorithmsGuidelineCheckResult extends GuidelineCheckResult { private final Set notRecommendedAlgorithms; + private final List recommendedAlgorithms; public HashAlgorithmsGuidelineCheckResult( String checkName, @@ -25,6 +27,17 @@ public HashAlgorithmsGuidelineCheckResult( Set notRecommendedAlgorithms) { super(checkName, adherence); this.notRecommendedAlgorithms = notRecommendedAlgorithms; + this.recommendedAlgorithms = null; + } + + public HashAlgorithmsGuidelineCheckResult( + String checkName, + GuidelineAdherence adherence, + Set notRecommendedAlgorithms, + List recommendedAlgorithms) { + super(checkName, adherence); + this.notRecommendedAlgorithms = notRecommendedAlgorithms; + this.recommendedAlgorithms = recommendedAlgorithms; } @Override @@ -43,4 +56,8 @@ public String toString() { public Set getNotRecommendedAlgorithms() { return notRecommendedAlgorithms; } + + public List getRecommendedAlgorithms() { + return recommendedAlgorithms; + } } diff --git a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/NamedGroupsGuidelineCheckResult.java b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/NamedGroupsGuidelineCheckResult.java index 5a2c9fe5f..5297b20ad 100644 --- a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/NamedGroupsGuidelineCheckResult.java +++ b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/NamedGroupsGuidelineCheckResult.java @@ -21,6 +21,7 @@ public class NamedGroupsGuidelineCheckResult extends GuidelineCheckResult { private Set notRecommendedGroups; private List missingRequired; private Integer groupCount; + private List recommendedGroups; public NamedGroupsGuidelineCheckResult(String checkName, GuidelineAdherence adherence) { super(checkName, adherence); @@ -32,6 +33,16 @@ public NamedGroupsGuidelineCheckResult( this.notRecommendedGroups = notRecommendedGroups; } + public NamedGroupsGuidelineCheckResult( + String checkName, + GuidelineAdherence adherence, + Set notRecommendedGroups, + List recommendedGroups) { + super(checkName, adherence); + this.notRecommendedGroups = notRecommendedGroups; + this.recommendedGroups = recommendedGroups; + } + public NamedGroupsGuidelineCheckResult( String checkName, GuidelineAdherence adherence, List missingRequired) { super(checkName, adherence); @@ -77,4 +88,8 @@ public List getMissingRequired() { public Integer getGroupCount() { return groupCount; } + + public List getRecommendedGroups() { + return recommendedGroups; + } } diff --git a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/SignatureAlgorithmsGuidelineCheckResult.java b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/SignatureAlgorithmsGuidelineCheckResult.java index 20866b436..7e0217f1e 100644 --- a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/SignatureAlgorithmsGuidelineCheckResult.java +++ b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/SignatureAlgorithmsGuidelineCheckResult.java @@ -12,12 +12,14 @@ import de.rub.nds.protocol.constants.SignatureAlgorithm; import de.rub.nds.scanner.core.guideline.GuidelineAdherence; import de.rub.nds.scanner.core.guideline.GuidelineCheckResult; +import java.util.List; import java.util.Objects; import java.util.Set; public class SignatureAlgorithmsGuidelineCheckResult extends GuidelineCheckResult { private final Set notRecommendedAlgorithms; + private final List recommendedAlgorithms; public SignatureAlgorithmsGuidelineCheckResult( String checkName, @@ -25,6 +27,17 @@ public SignatureAlgorithmsGuidelineCheckResult( Set notRecommendedAlgorithms) { super(checkName, adherence); this.notRecommendedAlgorithms = notRecommendedAlgorithms; + this.recommendedAlgorithms = null; + } + + public SignatureAlgorithmsGuidelineCheckResult( + String checkName, + GuidelineAdherence adherence, + Set notRecommendedAlgorithms, + List recommendedAlgorithms) { + super(checkName, adherence); + this.notRecommendedAlgorithms = notRecommendedAlgorithms; + this.recommendedAlgorithms = recommendedAlgorithms; } @Override @@ -43,4 +56,8 @@ public String toString() { public Set getNotRecommendedAlgorithms() { return notRecommendedAlgorithms; } + + public List getRecommendedAlgorithms() { + return recommendedAlgorithms; + } } diff --git a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/SignatureAndHashAlgorithmsCertificateGuidelineCheckResult.java b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/SignatureAndHashAlgorithmsCertificateGuidelineCheckResult.java index ea3e26455..9ea0ca796 100644 --- a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/SignatureAndHashAlgorithmsCertificateGuidelineCheckResult.java +++ b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/SignatureAndHashAlgorithmsCertificateGuidelineCheckResult.java @@ -12,6 +12,7 @@ import de.rub.nds.scanner.core.guideline.GuidelineAdherence; import de.rub.nds.scanner.core.guideline.GuidelineCheckResult; import de.rub.nds.tlsattacker.core.constants.SignatureAndHashAlgorithm; +import java.util.List; import java.util.Objects; import java.util.Set; @@ -19,6 +20,7 @@ public class SignatureAndHashAlgorithmsCertificateGuidelineCheckResult extends GuidelineCheckResult { private final Set notRecommendedAlgorithms; + private final List recommendedAlgorithms; public SignatureAndHashAlgorithmsCertificateGuidelineCheckResult( String checkName, @@ -26,6 +28,17 @@ public SignatureAndHashAlgorithmsCertificateGuidelineCheckResult( Set notRecommendedAlgorithms) { super(checkName, adherence); this.notRecommendedAlgorithms = notRecommendedAlgorithms; + this.recommendedAlgorithms = null; + } + + public SignatureAndHashAlgorithmsCertificateGuidelineCheckResult( + String checkName, + GuidelineAdherence adherence, + Set notRecommendedAlgorithms, + List recommendedAlgorithms) { + super(checkName, adherence); + this.notRecommendedAlgorithms = notRecommendedAlgorithms; + this.recommendedAlgorithms = recommendedAlgorithms; } @Override @@ -44,4 +57,8 @@ public String toString() { public Set getNotRecommendedAlgorithms() { return notRecommendedAlgorithms; } + + public List getRecommendedAlgorithms() { + return recommendedAlgorithms; + } } diff --git a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/X509SignatureAlgorithmGuidelineCheckResult.java b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/X509SignatureAlgorithmGuidelineCheckResult.java index 99b5e3fd0..36b9cfb21 100644 --- a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/X509SignatureAlgorithmGuidelineCheckResult.java +++ b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/X509SignatureAlgorithmGuidelineCheckResult.java @@ -12,12 +12,14 @@ import de.rub.nds.scanner.core.guideline.GuidelineAdherence; import de.rub.nds.scanner.core.guideline.GuidelineCheckResult; import de.rub.nds.x509attacker.constants.X509SignatureAlgorithm; +import java.util.List; import java.util.Objects; import java.util.Set; public class X509SignatureAlgorithmGuidelineCheckResult extends GuidelineCheckResult { private final Set notRecommendedAlgorithms; + private final List recommendedAlgorithms; public X509SignatureAlgorithmGuidelineCheckResult( String checkName, @@ -25,6 +27,17 @@ public X509SignatureAlgorithmGuidelineCheckResult( Set notRecommendedAlgorithms) { super(checkName, adherence); this.notRecommendedAlgorithms = notRecommendedAlgorithms; + this.recommendedAlgorithms = null; + } + + public X509SignatureAlgorithmGuidelineCheckResult( + String checkName, + GuidelineAdherence adherence, + Set notRecommendedAlgorithms, + List recommendedAlgorithms) { + super(checkName, adherence); + this.notRecommendedAlgorithms = notRecommendedAlgorithms; + this.recommendedAlgorithms = recommendedAlgorithms; } @Override @@ -43,4 +56,8 @@ public String toString() { public Set getNotRecommendedAlgorithms() { return notRecommendedAlgorithms; } + + public List getRecommendedAlgorithms() { + return recommendedAlgorithms; + } } diff --git a/TLS-Server-Scanner/src/test/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/CipherSuiteGuidelineCheckResultTest.java b/TLS-Server-Scanner/src/test/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/CipherSuiteGuidelineCheckResultTest.java new file mode 100644 index 000000000..f126dd883 --- /dev/null +++ b/TLS-Server-Scanner/src/test/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/CipherSuiteGuidelineCheckResultTest.java @@ -0,0 +1,56 @@ +/* + * TLS-Scanner - A TLS configuration and analysis tool based on TLS-Attacker + * + * Copyright 2017-2023 Ruhr University Bochum, Paderborn University, Technology Innovation Institute, and Hackmanit GmbH + * + * Licensed under Apache License, Version 2.0 + * http://www.apache.org/licenses/LICENSE-2.0.txt + */ +package de.rub.nds.tlsscanner.serverscanner.guideline.results; + +import static org.junit.jupiter.api.Assertions.*; + +import de.rub.nds.scanner.core.guideline.GuidelineAdherence; +import de.rub.nds.tlsattacker.core.constants.CipherSuite; +import java.util.Arrays; +import java.util.Collections; +import java.util.List; +import org.junit.jupiter.api.Test; + +public class CipherSuiteGuidelineCheckResultTest { + + @Test + public void testRecommendedSuitesField() { + List recommendedSuites = + Arrays.asList( + CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384); + List notRecommendedSuites = + Collections.singletonList(CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA); + + CipherSuiteGuidelineCheckResult result = + new CipherSuiteGuidelineCheckResult( + "Test Check", + GuidelineAdherence.VIOLATED, + notRecommendedSuites, + recommendedSuites); + + assertEquals(recommendedSuites, result.getRecommendedSuites()); + assertEquals(notRecommendedSuites, result.getNotRecommendedSuites()); + assertEquals(GuidelineAdherence.VIOLATED, result.getAdherence()); + } + + @Test + public void testBackwardCompatibility() { + List notRecommendedSuites = + Collections.singletonList(CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA); + + CipherSuiteGuidelineCheckResult result = + new CipherSuiteGuidelineCheckResult( + "Test Check", GuidelineAdherence.VIOLATED, notRecommendedSuites); + + assertNull(result.getRecommendedSuites()); + assertEquals(notRecommendedSuites, result.getNotRecommendedSuites()); + assertEquals(GuidelineAdherence.VIOLATED, result.getAdherence()); + } +} diff --git a/TLS-Server-Scanner/src/test/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/HashAlgorithmsGuidelineCheckResultTest.java b/TLS-Server-Scanner/src/test/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/HashAlgorithmsGuidelineCheckResultTest.java new file mode 100644 index 000000000..aefd68acc --- /dev/null +++ b/TLS-Server-Scanner/src/test/java/de/rub/nds/tlsscanner/serverscanner/guideline/results/HashAlgorithmsGuidelineCheckResultTest.java @@ -0,0 +1,56 @@ +/* + * TLS-Scanner - A TLS configuration and analysis tool based on TLS-Attacker + * + * Copyright 2017-2023 Ruhr University Bochum, Paderborn University, Technology Innovation Institute, and Hackmanit GmbH + * + * Licensed under Apache License, Version 2.0 + * http://www.apache.org/licenses/LICENSE-2.0.txt + */ +package de.rub.nds.tlsscanner.serverscanner.guideline.results; + +import static org.junit.jupiter.api.Assertions.*; + +import de.rub.nds.protocol.constants.HashAlgorithm; +import de.rub.nds.scanner.core.guideline.GuidelineAdherence; +import java.util.Arrays; +import java.util.Collections; +import java.util.HashSet; +import java.util.List; +import java.util.Set; +import org.junit.jupiter.api.Test; + +public class HashAlgorithmsGuidelineCheckResultTest { + + @Test + public void testRecommendedAlgorithmsField() { + List recommendedAlgorithms = + Arrays.asList(HashAlgorithm.SHA256, HashAlgorithm.SHA384); + Set notRecommendedAlgorithms = + new HashSet<>(Collections.singletonList(HashAlgorithm.SHA1)); + + HashAlgorithmsGuidelineCheckResult result = + new HashAlgorithmsGuidelineCheckResult( + "Test Check", + GuidelineAdherence.VIOLATED, + notRecommendedAlgorithms, + recommendedAlgorithms); + + assertEquals(recommendedAlgorithms, result.getRecommendedAlgorithms()); + assertEquals(notRecommendedAlgorithms, result.getNotRecommendedAlgorithms()); + assertEquals(GuidelineAdherence.VIOLATED, result.getAdherence()); + } + + @Test + public void testBackwardCompatibility() { + Set notRecommendedAlgorithms = + new HashSet<>(Collections.singletonList(HashAlgorithm.SHA1)); + + HashAlgorithmsGuidelineCheckResult result = + new HashAlgorithmsGuidelineCheckResult( + "Test Check", GuidelineAdherence.VIOLATED, notRecommendedAlgorithms); + + assertNull(result.getRecommendedAlgorithms()); + assertEquals(notRecommendedAlgorithms, result.getNotRecommendedAlgorithms()); + assertEquals(GuidelineAdherence.VIOLATED, result.getAdherence()); + } +} diff --git a/TLS-Server-Scanner/src/test/java/de/rub/nds/tlsscanner/serverscanner/report/GuidelineResultSerializationTest.java b/TLS-Server-Scanner/src/test/java/de/rub/nds/tlsscanner/serverscanner/report/GuidelineResultSerializationTest.java new file mode 100644 index 000000000..d49839c95 --- /dev/null +++ b/TLS-Server-Scanner/src/test/java/de/rub/nds/tlsscanner/serverscanner/report/GuidelineResultSerializationTest.java @@ -0,0 +1,165 @@ +/* + * TLS-Scanner - A TLS configuration and analysis tool based on TLS-Attacker + * + * Copyright 2017-2023 Ruhr University Bochum, Paderborn University, Technology Innovation Institute, and Hackmanit GmbH + * + * Licensed under Apache License, Version 2.0 + * http://www.apache.org/licenses/LICENSE-2.0.txt + */ +package de.rub.nds.tlsscanner.serverscanner.report; + +import static org.junit.jupiter.api.Assertions.*; + +import com.fasterxml.jackson.annotation.JsonAutoDetect.Visibility; +import com.fasterxml.jackson.annotation.PropertyAccessor; +import com.fasterxml.jackson.databind.ObjectMapper; +import de.rub.nds.protocol.constants.HashAlgorithm; +import de.rub.nds.protocol.constants.SignatureAlgorithm; +import de.rub.nds.scanner.core.guideline.GuidelineAdherence; +import de.rub.nds.scanner.core.guideline.GuidelineCheckResult; +import de.rub.nds.scanner.core.guideline.GuidelineReport; +import de.rub.nds.tlsattacker.core.constants.CipherSuite; +import de.rub.nds.tlsattacker.core.constants.NamedGroup; +import de.rub.nds.tlsscanner.serverscanner.guideline.results.CipherSuiteGuidelineCheckResult; +import de.rub.nds.tlsscanner.serverscanner.guideline.results.HashAlgorithmsGuidelineCheckResult; +import de.rub.nds.tlsscanner.serverscanner.guideline.results.NamedGroupsGuidelineCheckResult; +import de.rub.nds.tlsscanner.serverscanner.guideline.results.SignatureAlgorithmsGuidelineCheckResult; +import java.io.ByteArrayOutputStream; +import java.util.*; +import org.junit.jupiter.api.Test; + +public class GuidelineResultSerializationTest { + + @Test + void testCipherSuiteGuidelineCheckResultSerialization() throws Exception { + List recommendedSuites = + Arrays.asList( + CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384); + List notRecommendedSuites = + Collections.singletonList(CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA); + + CipherSuiteGuidelineCheckResult result = + new CipherSuiteGuidelineCheckResult( + "BSI TR-02102-2 Cipher Suite Check", + GuidelineAdherence.VIOLATED, + notRecommendedSuites, + recommendedSuites); + + String json = serializeResult(result); + + assertTrue(json.contains("\"recommendedSuites\"")); + assertTrue(json.contains("\"notRecommendedSuites\"")); + assertTrue(json.contains("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256")); + assertTrue(json.contains("TLS_RSA_WITH_AES_128_CBC_SHA")); + } + + @Test + void testHashAlgorithmsGuidelineCheckResultSerialization() throws Exception { + List recommendedAlgorithms = + Arrays.asList(HashAlgorithm.SHA256, HashAlgorithm.SHA384); + Set notRecommendedAlgorithms = + new HashSet<>(Collections.singletonList(HashAlgorithm.SHA1)); + + HashAlgorithmsGuidelineCheckResult result = + new HashAlgorithmsGuidelineCheckResult( + "Hash Algorithm Check", + GuidelineAdherence.VIOLATED, + notRecommendedAlgorithms, + recommendedAlgorithms); + + String json = serializeResult(result); + + assertTrue(json.contains("\"recommendedAlgorithms\"")); + assertTrue(json.contains("\"notRecommendedAlgorithms\"")); + assertTrue(json.contains("SHA256")); + assertTrue(json.contains("SHA1")); + } + + @Test + void testNamedGroupsGuidelineCheckResultSerialization() throws Exception { + List recommendedGroups = + Arrays.asList(NamedGroup.SECP256R1, NamedGroup.SECP384R1); + Set notRecommendedGroups = + new HashSet<>(Collections.singletonList(NamedGroup.SECP160K1)); + + NamedGroupsGuidelineCheckResult result = + new NamedGroupsGuidelineCheckResult( + "Named Groups Check", + GuidelineAdherence.VIOLATED, + notRecommendedGroups, + recommendedGroups); + + String json = serializeResult(result); + + assertTrue(json.contains("\"recommendedGroups\"")); + assertTrue(json.contains("\"notRecommendedGroups\"")); + assertTrue(json.contains("SECP256R1")); + assertTrue(json.contains("SECP160K1")); + } + + @Test + void testSignatureAlgorithmsGuidelineCheckResultSerialization() throws Exception { + List recommendedAlgorithms = + Arrays.asList(SignatureAlgorithm.RSA_PKCS1, SignatureAlgorithm.ECDSA); + Set notRecommendedAlgorithms = + new HashSet<>(Collections.singletonList(SignatureAlgorithm.DSA)); + + SignatureAlgorithmsGuidelineCheckResult result = + new SignatureAlgorithmsGuidelineCheckResult( + "Signature Algorithm Check", + GuidelineAdherence.VIOLATED, + notRecommendedAlgorithms, + recommendedAlgorithms); + + String json = serializeResult(result); + + assertTrue(json.contains("\"recommendedAlgorithms\"")); + assertTrue(json.contains("\"notRecommendedAlgorithms\"")); + assertTrue(json.contains("RSA_PKCS1")); + assertTrue(json.contains("DSA")); + } + + @Test + void testFullGuidelineReportSerialization() throws Exception { + List checkResults = new ArrayList<>(); + + // Add cipher suite result + checkResults.add( + new CipherSuiteGuidelineCheckResult( + "Cipher Suite Check", + GuidelineAdherence.VIOLATED, + Collections.singletonList(CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA), + Arrays.asList(CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256))); + + // Add hash algorithm result + checkResults.add( + new HashAlgorithmsGuidelineCheckResult( + "Hash Check", + GuidelineAdherence.ADHERED, + Collections.emptySet(), + Arrays.asList(HashAlgorithm.SHA256))); + + GuidelineReport report = + new GuidelineReport("BSI TR-02102-2", "https://www.bsi.bund.de/...", checkResults); + + ServerReport serverReport = new ServerReport(); + serverReport.addGuidelineReport(report); + + ByteArrayOutputStream stream = new ByteArrayOutputStream(); + ServerReportSerializer.serialize(stream, serverReport); + String json = stream.toString(); + + assertTrue(json.contains("\"guidelineReports\"")); + assertTrue(json.contains("\"recommendedSuites\"")); + assertTrue(json.contains("\"recommendedAlgorithms\"")); + } + + private String serializeResult(GuidelineCheckResult result) throws Exception { + ObjectMapper mapper = new ObjectMapper(); + mapper.setVisibility(PropertyAccessor.GETTER, Visibility.NONE); + mapper.setVisibility(PropertyAccessor.FIELD, Visibility.ANY); + + return mapper.writeValueAsString(result); + } +}