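// Copyright 2013 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package x509_test

import (
	"crypto/tls"
	"crypto/x509"
	"internal/testenv"
	"testing"
	"time"
)

// TestPlatformVerifier fetches live certificate chains from public hosts and
// runs them through (*x509.Certificate).Verify, checking that each table
// entry either verifies cleanly or fails with exactly the listed error string.
// It requires external network access and is skipped without it.
func TestPlatformVerifier(t *testing.T) {
	if !testenv.HasExternalNetwork() {
		t.Skip()
	}

	// getChain returns the certificate chain that host presents on port 443.
	//
	// InsecureSkipVerify is deliberate: the handshake is used only to harvest
	// the peer chain, and that chain is then verified explicitly in each
	// subtest via chain[0].Verify(opts). Nothing is trusted on the basis of
	// this connection alone.
	//
	// The helper takes the subtest's t so that a failure is reported against,
	// and aborts, the subtest that called it rather than the parent test.
	getChain := func(t *testing.T, host string) []*x509.Certificate {
		t.Helper()
		c, err := tls.Dial("tcp", host+":443", &tls.Config{InsecureSkipVerify: true})
		if err != nil {
			t.Fatalf("tls connection failed: %s", err)
		}
		// Only the handshake state is needed; close the connection so each
		// subtest does not leak a socket. A Close error is irrelevant to what
		// is being tested, so it is intentionally ignored.
		defer c.Close()
		chain := c.ConnectionState().PeerCertificates
		if len(chain) == 0 {
			// Guards the chain[0] access below; Verify needs a leaf to work on.
			t.Fatalf("no peer certificates presented by %s", host)
		}
		return chain
	}

	// Each case fetches a chain from host and verifies it. An empty verifyName
	// leaves opts.DNSName unset; a zero verifyTime leaves opts.CurrentTime
	// unset; an empty verifyEKU leaves opts.KeyUsages unset. expectedErr is
	// compared byte-for-byte against err.Error(), so it must match the
	// verifier's wording exactly (including the curly quotes).
	tests := []struct {
		name        string
		host        string
		verifyName  string
		verifyTime  time.Time
		verifyEKU   []x509.ExtKeyUsage
		expectedErr string
	}{
		{
			// whatever google.com serves should, hopefully, be trusted
			name: "valid chain",
			host: "google.com",
		},
		{
			name:        "expired leaf",
			host:        "expired.badssl.com",
			expectedErr: "x509: “*.badssl.com” certificate is expired",
		},
		{
			name:        "wrong host for leaf",
			host:        "wrong.host.badssl.com",
			verifyName:  "wrong.host.badssl.com",
			expectedErr: "x509: “*.badssl.com” certificate name does not match input",
		},
		{
			name:        "self-signed leaf",
			host:        "self-signed.badssl.com",
			expectedErr: "x509: “*.badssl.com” certificate is not trusted",
		},
		{
			name:        "untrusted root",
			host:        "untrusted-root.badssl.com",
			expectedErr: "x509: “BadSSL Untrusted Root Certificate Authority” certificate is not trusted",
		},
		{
			name:        "revoked leaf",
			host:        "revoked.badssl.com",
			expectedErr: "x509: “revoked.badssl.com” certificate is revoked",
		},
		{
			name:        "leaf missing SCTs",
			host:        "no-sct.badssl.com",
			expectedErr: "x509: “no-sct.badssl.com” certificate is not standards compliant",
		},
		{
			name:        "expired leaf (custom time)",
			host:        "google.com",
			verifyTime:  time.Time{}.Add(time.Hour),
			expectedErr: "x509: “*.google.com” certificate is expired",
		},
		{
			name:       "valid chain (custom time)",
			host:       "google.com",
			verifyTime: time.Now(),
		},
		{
			name:        "leaf doesn't have acceptable ExtKeyUsage",
			host:        "google.com",
			expectedErr: "x509: certificate specifies an incompatible key usage",
			verifyEKU:   []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
		},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			chain := getChain(t, tc.host)

			// The leaf is chain[0]; everything the server sent after it is
			// offered as an intermediate. Roots are left to the platform store.
			var opts x509.VerifyOptions
			if len(chain) > 1 {
				opts.Intermediates = x509.NewCertPool()
				for _, c := range chain[1:] {
					opts.Intermediates.AddCert(c)
				}
			}
			if tc.verifyName != "" {
				opts.DNSName = tc.verifyName
			}
			if !tc.verifyTime.IsZero() {
				opts.CurrentTime = tc.verifyTime
			}
			if len(tc.verifyEKU) > 0 {
				opts.KeyUsages = tc.verifyEKU
			}

			_, err := chain[0].Verify(opts)
			switch {
			case err != nil && tc.expectedErr == "":
				t.Errorf("unexpected verification error: %s", err)
			case err != nil && err.Error() != tc.expectedErr:
				t.Errorf("unexpected verification error: got %q, want %q", err.Error(), tc.expectedErr)
			case err == nil && tc.expectedErr != "":
				t.Errorf("unexpected verification success: want %q", tc.expectedErr)
			}
		})
	}
}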