src/crypto/x509/root_windows_test.go
5 package x509_test
6
7 import (
8 "crypto/tls"
9 "crypto/x509"
10 "errors"
11 "internal/testenv"
12 "net"
13 "strings"
14 "syscall"
15 "testing"
16 "time"
17 )
18
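// TestPlatformVerifierLegacy exercises the platform certificate verifier by
// fetching real certificate chains from public hosts over the network and
// checking that Verify either succeeds or fails with the exact expected error
// string for each case. It is skipped when no external network is available.
func TestPlatformVerifierLegacy(t *testing.T) {
	if !testenv.HasExternalNetwork() {
		t.Skip()
	}

	// getChain dials host:443 and returns the certificate chain the server
	// presented. InsecureSkipVerify is deliberate: the handshake is only used
	// to obtain the chain, and every test case performs its own verification
	// through chain[0].Verify below, so nothing here trusts the connection.
	getChain := func(t *testing.T, host string) []*x509.Certificate {
		t.Helper()
		c, err := tls.Dial("tcp", host+":443", &tls.Config{InsecureSkipVerify: true})
		if err != nil {
			// DNS lookups for *.badssl.com sometimes fail transiently with
			// WSATRY_AGAIN; treat that as a flaky skip rather than a failure.
			const WSATRY_AGAIN syscall.Errno = 11002
			var errDNS *net.DNSError
			if strings.HasSuffix(host, ".badssl.com") && errors.As(err, &errDNS) && strings.HasSuffix(errDNS.Err, WSATRY_AGAIN.Error()) {
				t.Log(err)
				testenv.SkipFlaky(t, 52094)
			}

			t.Fatalf("tls connection failed: %s", err)
		}
		// Release the connection once the chain has been captured so each
		// subtest does not leave a TLS session open for the test's lifetime.
		defer c.Close()

		chain := c.ConnectionState().PeerCertificates
		// Guard the chain[0] access in the subtests: a server that presents no
		// certificates should fail clearly instead of panicking.
		if len(chain) == 0 {
			t.Fatalf("no peer certificates presented by %s", host)
		}
		return chain
	}

	tests := []struct {
		name        string
		host        string
		verifyName  string    // DNSName to verify against; empty means no hostname check
		verifyTime  time.Time // CurrentTime for verification; zero means "now"
		expectedErr string    // exact error string expected from Verify; empty means success
	}{
		{
			name: "valid chain",
			host: "google.com",
		},
		{
			name:       "valid chain (dns check)",
			host:       "google.com",
			verifyName: "google.com",
		},
		{
			name:       "valid chain (fqdn dns check)",
			host:       "google.com.",
			verifyName: "google.com.",
		},
		{
			name:        "expired leaf",
			host:        "expired.badssl.com",
			expectedErr: "x509: certificate has expired or is not yet valid: ",
		},
		{
			name:        "wrong host for leaf",
			host:        "wrong.host.badssl.com",
			verifyName:  "wrong.host.badssl.com",
			expectedErr: "x509: certificate is valid for *.badssl.com, badssl.com, not wrong.host.badssl.com",
		},
		{
			name:        "self-signed leaf",
			host:        "self-signed.badssl.com",
			expectedErr: "x509: certificate signed by unknown authority",
		},
		{
			name:        "untrusted root",
			host:        "untrusted-root.badssl.com",
			expectedErr: "x509: certificate signed by unknown authority",
		},
		{
			// Year-1 verification time, so the leaf is "not yet valid".
			name:        "expired leaf (custom time)",
			host:        "google.com",
			verifyTime:  time.Time{}.Add(time.Hour),
			expectedErr: "x509: certificate has expired or is not yet valid: ",
		},
		{
			name:       "valid chain (custom time)",
			host:       "google.com",
			verifyTime: time.Now(),
		},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			chain := getChain(t, tc.host)
			var opts x509.VerifyOptions
			// Everything after the leaf is offered as an intermediate; the
			// platform verifier supplies the roots.
			if len(chain) > 1 {
				opts.Intermediates = x509.NewCertPool()
				for _, c := range chain[1:] {
					opts.Intermediates.AddCert(c)
				}
			}
			if tc.verifyName != "" {
				opts.DNSName = tc.verifyName
			}
			if !tc.verifyTime.IsZero() {
				opts.CurrentTime = tc.verifyTime
			}

			_, err := chain[0].Verify(opts)
			switch {
			case err != nil && tc.expectedErr == "":
				t.Errorf("unexpected verification error: %s", err)
			case err != nil && err.Error() != tc.expectedErr:
				t.Errorf("unexpected verification error: got %q, want %q", err.Error(), tc.expectedErr)
			case err == nil && tc.expectedErr != "":
				t.Errorf("unexpected verification success: want %q", tc.expectedErr)
			}
		})
	}
}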
128