Source file src/crypto/x509/root_windows_test.go

     1  // Copyright 2021 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package x509_test
     6  
     7  import (
     8  	"crypto/tls"
     9  	"crypto/x509"
    10  	"errors"
    11  	"internal/testenv"
    12  	"net"
    13  	"strings"
    14  	"syscall"
    15  	"testing"
    16  	"time"
    17  )
    18  
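// TestPlatformVerifier exercises the Windows platform verifier through the
// public x509.Certificate.Verify API: it fetches live certificate chains
// from google.com and badssl.com and checks that each one is accepted, or
// rejected with exactly the error string listed in the table below.
//
// The test talks to the real network and is skipped when the test
// environment has no external connectivity.
func TestPlatformVerifier(t *testing.T) {
	if !testenv.HasExternalNetwork() {
		t.Skip()
	}

	// getChain connects to host:443 and returns the chain the server
	// presented, leaf first.
	//
	// InsecureSkipVerify is deliberate and safe only here: the point of this
	// handshake is to obtain chains that are *expected* to fail verification
	// (expired, wrong host, untrusted root) so that Verify can be run on them
	// explicitly below. Nothing is sent over, or trusted from, the connection.
	// The connection is closed before returning; the parsed certificates do
	// not depend on it staying open.
	getChain := func(t *testing.T, host string) []*x509.Certificate {
		t.Helper()
		c, err := tls.Dial("tcp", host+":443", &tls.Config{InsecureSkipVerify: true})
		if err != nil {
			// From https://docs.microsoft.com/en-us/windows/win32/winsock/windows-sockets-error-codes-2,
			// matching the error string observed in https://go.dev/issue/52094.
			// A temporary DNS failure (WSATRY_AGAIN) resolving a badssl.com host
			// is treated as a flaky skip rather than a test failure; any other
			// dial error is fatal.
			const WSATRY_AGAIN syscall.Errno = 11002
			var errDNS *net.DNSError
			if strings.HasSuffix(host, ".badssl.com") && errors.As(err, &errDNS) && strings.HasSuffix(errDNS.Err, WSATRY_AGAIN.Error()) {
				t.Log(err)
				testenv.SkipFlaky(t, 52094)
			}

			t.Fatalf("tls connection failed: %s", err)
		}
		// The original leaked the connection; close it once the chain has
		// been captured.
		defer c.Close()

		chain := c.ConnectionState().PeerCertificates
		// Guard the chain[0] indexing done by the caller rather than panic
		// with an unhelpful message if a server ever presents no certificate.
		if len(chain) == 0 {
			t.Fatalf("no peer certificates presented by %s", host)
		}
		return chain
	}

	// One row per scenario. expectedErr == "" means the chain must verify;
	// otherwise err.Error() must match it byte for byte (note the trailing
	// space on the expiry message, which is what the x509 package emits when
	// the error carries no detail). verifyName, when set, becomes
	// VerifyOptions.DNSName; verifyTime, when non-zero, becomes
	// VerifyOptions.CurrentTime.
	tests := []struct {
		name        string
		host        string
		verifyName  string
		verifyTime  time.Time
		expectedErr string
	}{
		{
			// whatever google.com serves should, hopefully, be trusted
			name: "valid chain",
			host: "google.com",
		},
		{
			name:        "expired leaf",
			host:        "expired.badssl.com",
			expectedErr: "x509: certificate has expired or is not yet valid: ",
		},
		{
			name:        "wrong host for leaf",
			host:        "wrong.host.badssl.com",
			verifyName:  "wrong.host.badssl.com",
			expectedErr: "x509: certificate is valid for *.badssl.com, badssl.com, not wrong.host.badssl.com",
		},
		{
			name:        "self-signed leaf",
			host:        "self-signed.badssl.com",
			expectedErr: "x509: certificate signed by unknown authority",
		},
		{
			name:        "untrusted root",
			host:        "untrusted-root.badssl.com",
			expectedErr: "x509: certificate signed by unknown authority",
		},
		{
			// A verification time of year 1 + 1h is before any real
			// certificate's NotBefore, so even a currently valid chain must be
			// rejected as "not yet valid".
			name:        "expired leaf (custom time)",
			host:        "google.com",
			verifyTime:  time.Time{}.Add(time.Hour),
			expectedErr: "x509: certificate has expired or is not yet valid: ",
		},
		{
			name:       "valid chain (custom time)",
			host:       "google.com",
			verifyTime: time.Now(),
		},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			chain := getChain(t, tc.host)

			var opts x509.VerifyOptions
			// Everything after the leaf is offered only as an intermediate.
			// opts.Roots is intentionally left nil so Verify falls back to the
			// platform trust store, which is what this test is exercising.
			if len(chain) > 1 {
				opts.Intermediates = x509.NewCertPool()
				for _, c := range chain[1:] {
					opts.Intermediates.AddCert(c)
				}
			}
			if tc.verifyName != "" {
				opts.DNSName = tc.verifyName
			}
			if !tc.verifyTime.IsZero() {
				opts.CurrentTime = tc.verifyTime
			}

			_, err := chain[0].Verify(opts)
			switch {
			case err != nil && tc.expectedErr == "":
				t.Errorf("unexpected verification error: %s", err)
			case err != nil && err.Error() != tc.expectedErr:
				t.Errorf("unexpected verification error: got %q, want %q", err.Error(), tc.expectedErr)
			case err == nil && tc.expectedErr != "":
				t.Errorf("unexpected verification success: want %q", tc.expectedErr)
			}
		})
	}
}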
   116  
