src/crypto/x509/root_darwin_test.go
5 package x509_test
6
7 import (
8 "crypto/tls"
9 "crypto/x509"
10 "internal/testenv"
11 "testing"
12 "time"
13 )
14
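// TestPlatformVerifier checks that x509.Certificate.Verify, with Roots left nil
// so that the system (platform) root store is consulted, returns the expected
// result for a set of live hosts: a valid chain, and the various badssl.com
// failure modes (expired, wrong host, self-signed, untrusted root, revoked,
// missing SCTs), plus custom verification time and ExtKeyUsage constraints.
func TestPlatformVerifier(t *testing.T) {
	// Every case dials a real host, so the test is meaningless without
	// external network access.
	if !testenv.HasExternalNetwork() {
		t.Skip()
	}

	// getChain returns the certificate chain that host presents during a
	// TLS handshake. Verification is intentionally disabled on the
	// handshake (InsecureSkipVerify): the handshake only collects the
	// certificates, and the verification under test is performed
	// explicitly via chain[0].Verify below. Several hosts are expected to
	// fail that verification, so the handshake itself must not reject them.
	//
	// The *testing.T is passed in rather than captured so that Fatalf is
	// called on the subtest that is running, not on the parent test.
	getChain := func(t *testing.T, host string) []*x509.Certificate {
		t.Helper()
		c, err := tls.Dial("tcp", host+":443", &tls.Config{InsecureSkipVerify: true})
		if err != nil {
			t.Fatalf("tls connection failed: %s", err)
		}
		// Close the connection once the peer certificates have been read
		// so each subtest does not leak a TLS connection.
		defer c.Close()
		chain := c.ConnectionState().PeerCertificates
		if len(chain) == 0 {
			t.Fatalf("tls connection to %s returned no peer certificates", host)
		}
		return chain
	}

	tests := []struct {
		name        string
		host        string
		verifyName  string           // DNSName to verify against; empty leaves it unset
		verifyTime  time.Time        // CurrentTime for verification; zero means "now"
		verifyEKU   []x509.ExtKeyUsage // KeyUsages to require; empty leaves the default
		expectedErr string           // exact Verify error text; empty means success expected
	}{
		{
			name: "valid chain",
			host: "google.com",
		},
		{
			name:        "expired leaf",
			host:        "expired.badssl.com",
			expectedErr: "x509: “*.badssl.com” certificate is expired",
		},
		{
			name:        "wrong host for leaf",
			host:        "wrong.host.badssl.com",
			verifyName:  "wrong.host.badssl.com",
			expectedErr: "x509: “*.badssl.com” certificate name does not match input",
		},
		{
			name:        "self-signed leaf",
			host:        "self-signed.badssl.com",
			expectedErr: "x509: “*.badssl.com” certificate is not trusted",
		},
		{
			name:        "untrusted root",
			host:        "untrusted-root.badssl.com",
			expectedErr: "x509: “BadSSL Untrusted Root Certificate Authority” certificate is not trusted",
		},
		{
			name:        "revoked leaf",
			host:        "revoked.badssl.com",
			expectedErr: "x509: “revoked.badssl.com” certificate is revoked",
		},
		{
			name:        "leaf missing SCTs",
			host:        "no-sct.badssl.com",
			expectedErr: "x509: “no-sct.badssl.com” certificate is not standards compliant",
		},
		{
			// Year 1 + 1h is far before any real notBefore, so the leaf
			// must be reported as expired (not yet valid) at that time.
			name:        "expired leaf (custom time)",
			host:        "google.com",
			verifyTime:  time.Time{}.Add(time.Hour),
			expectedErr: "x509: “*.google.com” certificate is expired",
		},
		{
			name:       "valid chain (custom time)",
			host:       "google.com",
			verifyTime: time.Now(),
		},
		{
			name:        "leaf doesn't have acceptable ExtKeyUsage",
			host:        "google.com",
			verifyEKU:   []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
			expectedErr: "x509: certificate specifies an incompatible key usage",
		},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			chain := getChain(t, tc.host)

			// Roots is deliberately left nil: Verify then falls back to
			// the system roots, which is the platform verifier under test.
			// Everything after the leaf is supplied as an intermediate.
			var opts x509.VerifyOptions
			if len(chain) > 1 {
				opts.Intermediates = x509.NewCertPool()
				for _, c := range chain[1:] {
					opts.Intermediates.AddCert(c)
				}
			}
			if tc.verifyName != "" {
				opts.DNSName = tc.verifyName
			}
			if !tc.verifyTime.IsZero() {
				opts.CurrentTime = tc.verifyTime
			}
			if len(tc.verifyEKU) > 0 {
				opts.KeyUsages = tc.verifyEKU
			}

			// Compare the exact error text: the message is what
			// distinguishes the failure modes from one another.
			_, err := chain[0].Verify(opts)
			switch {
			case err != nil && tc.expectedErr == "":
				t.Errorf("unexpected verification error: %s", err)
			case err != nil && err.Error() != tc.expectedErr:
				t.Errorf("unexpected verification error: got %q, want %q", err.Error(), tc.expectedErr)
			case err == nil && tc.expectedErr != "":
				t.Errorf("unexpected verification success: want %q", tc.expectedErr)
			}
		})
	}
}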