Source file src/crypto/x509/root_windows_test.go

     1  // Copyright 2021 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package x509_test
     6  
     7  import (
     8  	"crypto/tls"
     9  	"crypto/x509"
    10  	"errors"
    11  	"internal/testenv"
    12  	"net"
    13  	"strings"
    14  	"syscall"
    15  	"testing"
    16  	"time"
    17  )
    18  
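// TestPlatformVerifierLegacy fetches the certificate chain presented by a set
// of live hosts and runs it through x509.Certificate.Verify, checking that the
// google.com chains are accepted and that each badssl.com failure host yields
// exactly the expected error string. It needs external network access and is
// skipped when the build environment has none.
//
// NOTE(review): this lives in the Windows-specific root test file, so the
// verification presumably goes through the platform verifier there; the test
// itself only observes the result of Verify and makes no further assumption.
func TestPlatformVerifierLegacy(t *testing.T) {
	// TODO(#52108): This can be removed once the synthetic test root is deployed on
	// builders.
	if !testenv.HasExternalNetwork() {
		t.Skip()
	}

	// getChain dials host on port 443 and returns the peer chain, leaf first.
	// InsecureSkipVerify is intentional here: the handshake is used only to
	// obtain the raw chain; every subtest then verifies that chain explicitly
	// with its own VerifyOptions, so no trust decision is made by this dial.
	getChain := func(t *testing.T, host string) []*x509.Certificate {
		t.Helper()
		c, err := tls.Dial("tcp", host+":443", &tls.Config{InsecureSkipVerify: true})
		if err != nil {
			// From https://docs.microsoft.com/en-us/windows/win32/winsock/windows-sockets-error-codes-2,
			// matching the error string observed in https://go.dev/issue/52094.
			const WSATRY_AGAIN syscall.Errno = 11002
			var errDNS *net.DNSError
			if strings.HasSuffix(host, ".badssl.com") && errors.As(err, &errDNS) && strings.HasSuffix(errDNS.Err, WSATRY_AGAIN.Error()) {
				t.Log(err)
				testenv.SkipFlaky(t, 52094)
			}

			t.Fatalf("tls connection failed: %s", err)
		}
		// The connection was previously left open for the rest of the test.
		// The certificates are plain in-memory values, so closing it does not
		// invalidate the returned chain.
		defer c.Close()

		chain := c.ConnectionState().PeerCertificates
		// Guard the chain[0] access below: a peer that presents no certificate
		// would otherwise turn into an index panic instead of a test failure.
		if len(chain) == 0 {
			t.Fatalf("tls connection to %s presented no peer certificates", host)
		}
		return chain
	}

	tests := []struct {
		name        string
		host        string
		verifyName  string // DNSName to check; empty disables the hostname check
		verifyTime  time.Time
		expectedErr string // exact Verify error string; empty means Verify must succeed
	}{
		{
			// whatever google.com serves should, hopefully, be trusted
			name: "valid chain",
			host: "google.com",
		},
		{
			name:       "valid chain (dns check)",
			host:       "google.com",
			verifyName: "google.com",
		},
		{
			name:       "valid chain (fqdn dns check)",
			host:       "google.com.",
			verifyName: "google.com.",
		},
		{
			name:        "expired leaf",
			host:        "expired.badssl.com",
			expectedErr: "x509: certificate has expired or is not yet valid: ",
		},
		{
			name:        "wrong host for leaf",
			host:        "wrong.host.badssl.com",
			verifyName:  "wrong.host.badssl.com",
			expectedErr: "x509: certificate is valid for *.badssl.com, badssl.com, not wrong.host.badssl.com",
		},
		{
			name:        "self-signed leaf",
			host:        "self-signed.badssl.com",
			expectedErr: "x509: certificate signed by unknown authority",
		},
		{
			name:        "untrusted root",
			host:        "untrusted-root.badssl.com",
			expectedErr: "x509: certificate signed by unknown authority",
		},
		{
			// A verification time of year 1 is before any real NotBefore, so a
			// currently valid chain must be rejected as not yet valid.
			name:        "expired leaf (custom time)",
			host:        "google.com",
			verifyTime:  time.Time{}.Add(time.Hour),
			expectedErr: "x509: certificate has expired or is not yet valid: ",
		},
		{
			name:       "valid chain (custom time)",
			host:       "google.com",
			verifyTime: time.Now(),
		},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			chain := getChain(t, tc.host)
			var opts x509.VerifyOptions
			// Everything after the leaf is offered as an intermediate; roots
			// come from the platform, never from the peer-supplied chain.
			if len(chain) > 1 {
				opts.Intermediates = x509.NewCertPool()
				for _, c := range chain[1:] {
					opts.Intermediates.AddCert(c)
				}
			}
			if tc.verifyName != "" {
				opts.DNSName = tc.verifyName
			}
			if !tc.verifyTime.IsZero() {
				opts.CurrentTime = tc.verifyTime
			}

			_, err := chain[0].Verify(opts)
			switch {
			case err != nil && tc.expectedErr == "":
				t.Errorf("unexpected verification error: %s", err)
			case err != nil && err.Error() != tc.expectedErr:
				t.Errorf("unexpected verification error: got %q, want %q", err.Error(), tc.expectedErr)
			case err == nil && tc.expectedErr != "":
				t.Errorf("unexpected verification success: want %q", tc.expectedErr)
			}
		})
	}
}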
   128  
