src/crypto/x509/root_darwin_test.go
5 package x509_test
6
7 import (
8 "crypto/tls"
9 "crypto/x509"
10 "internal/testenv"
11 "testing"
12 "time"
13 )
14
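// TestPlatformVerifierLegacy exercises the platform certificate verifier
// through the public x509 API. It fetches live certificate chains from public
// test hosts and checks that chain[0].Verify either succeeds or fails with the
// exact error text recorded in each case.
//
// The test is skipped when the environment has no external network.
func TestPlatformVerifierLegacy(t *testing.T) {
	if !testenv.HasExternalNetwork() {
		t.Skip()
	}

	// getChain returns the peer certificate chain presented by host on port
	// 443. InsecureSkipVerify is deliberate here: several hosts below are
	// expected to fail verification (expired, self-signed, untrusted root),
	// so the handshake itself must not verify; the verification under test is
	// performed explicitly by Verify in each subtest. It takes the subtest's
	// *testing.T so that Fatalf stops the subtest rather than being called on
	// the parent test from a subtest goroutine.
	getChain := func(t *testing.T, host string) []*x509.Certificate {
		t.Helper()
		c, err := tls.Dial("tcp", host+":443", &tls.Config{InsecureSkipVerify: true})
		if err != nil {
			t.Fatalf("tls connection failed: %s", err)
		}
		// Release the connection once the peer chain has been read.
		defer c.Close()
		chain := c.ConnectionState().PeerCertificates
		if len(chain) == 0 {
			t.Fatalf("no peer certificates presented by %s", host)
		}
		return chain
	}

	tests := []struct {
		name        string
		host        string
		verifyName  string             // DNSName to verify against; empty means no name check
		verifyTime  time.Time          // CurrentTime for verification; zero means "now"
		verifyEKU   []x509.ExtKeyUsage // KeyUsages to require; empty means default
		expectedErr string             // exact error text expected from Verify; empty means success
		skip        string             // non-empty skips the case with this reason
	}{
		{
			name: "valid chain",
			host: "google.com",
		},
		{
			name:        "expired leaf",
			host:        "expired.badssl.com",
			expectedErr: "x509: certificate has expired or is not yet valid: “*.badssl.com” certificate is expired",
		},
		{
			name:        "wrong host for leaf",
			host:        "wrong.host.badssl.com",
			verifyName:  "wrong.host.badssl.com",
			expectedErr: "x509: certificate is valid for *.badssl.com, badssl.com, not wrong.host.badssl.com",
		},
		{
			name:        "self-signed leaf",
			host:        "self-signed.badssl.com",
			expectedErr: "x509: certificate signed by unknown authority",
		},
		{
			name:        "untrusted root",
			host:        "untrusted-root.badssl.com",
			expectedErr: "x509: certificate signed by unknown authority",
		},
		{
			name:        "revoked leaf",
			host:        "revoked.badssl.com",
			expectedErr: "x509: “revoked.badssl.com” certificate is revoked",
			skip:        "skipping; broken on recent versions of macOS. See issue 57428.",
		},
		{
			name:        "leaf missing SCTs",
			host:        "no-sct.badssl.com",
			expectedErr: "x509: “no-sct.badssl.com” certificate is not standards compliant",
			skip:        "skipping; broken on recent versions of macOS. See issue 57428.",
		},
		{
			name:        "expired leaf (custom time)",
			host:        "google.com",
			verifyTime:  time.Time{}.Add(time.Hour),
			expectedErr: "x509: certificate has expired or is not yet valid: “*.google.com” certificate is expired",
		},
		{
			name:       "valid chain (custom time)",
			host:       "google.com",
			verifyTime: time.Now(),
		},
		{
			name:        "leaf doesn't have acceptable ExtKeyUsage",
			host:        "google.com",
			expectedErr: "x509: certificate specifies an incompatible key usage",
			verifyEKU:   []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
		},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			if tc.skip != "" {
				t.Skip(tc.skip)
			}

			chain := getChain(t, tc.host)

			// Everything after the leaf is offered as an intermediate; the
			// root store is supplied by the platform.
			var opts x509.VerifyOptions
			if len(chain) > 1 {
				opts.Intermediates = x509.NewCertPool()
				for _, c := range chain[1:] {
					opts.Intermediates.AddCert(c)
				}
			}
			if tc.verifyName != "" {
				opts.DNSName = tc.verifyName
			}
			if !tc.verifyTime.IsZero() {
				opts.CurrentTime = tc.verifyTime
			}
			if len(tc.verifyEKU) > 0 {
				opts.KeyUsages = tc.verifyEKU
			}

			_, err := chain[0].Verify(opts)
			switch {
			case err != nil && tc.expectedErr == "":
				t.Errorf("unexpected verification error: %s", err)
			case err != nil && err.Error() != tc.expectedErr:
				t.Errorf("unexpected verification error: got %q, want %q", err.Error(), tc.expectedErr)
			case err == nil && tc.expectedErr != "":
				t.Errorf("unexpected verification success: want %q", tc.expectedErr)
			}
		})
	}
}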
132