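// Copyright 2021 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package x509_test

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"internal/testenv"
	"net"
	"strings"
	"syscall"
	"testing"
	"time"
)

// TestPlatformVerifier exercises the Windows platform certificate verifier
// (the _windows suffix of this file's name restricts it to Windows builds)
// against chains served by live hosts. Each case dials a host, takes the
// chain the server presents, and passes it to Certificate.Verify with the
// case's DNS name and/or verification time. VerifyOptions.Roots is left
// unset so Verify falls back to the system store, which is what is under
// test. The error text is compared exactly against expectedErr; an empty
// expectedErr means verification must succeed. Skipped without network.
func TestPlatformVerifier(t *testing.T) {
	if !testenv.HasExternalNetwork() {
		t.Skip()
	}

	// getChain fetches the certificate chain presented by host on port 443.
	// InsecureSkipVerify is deliberate here: the handshake is used only to
	// obtain the server's chain, nothing is sent over the connection, and
	// trust is evaluated explicitly afterwards by chain[0].Verify. The
	// returned slice is never empty; a handshake that completed without a
	// server certificate fails the test instead of panicking on chain[0].
	getChain := func(t *testing.T, host string) []*x509.Certificate {
		t.Helper()
		c, err := tls.Dial("tcp", host+":443", &tls.Config{InsecureSkipVerify: true})
		if err != nil {
			// From https://docs.microsoft.com/en-us/windows/win32/winsock/windows-sockets-error-codes-2,
			// matching the error string observed in https://go.dev/issue/52094.
			const WSATRY_AGAIN syscall.Errno = 11002
			var errDNS *net.DNSError
			if strings.HasSuffix(host, ".badssl.com") && errors.As(err, &errDNS) && strings.HasSuffix(errDNS.Err, WSATRY_AGAIN.Error()) {
				t.Log(err)
				testenv.SkipFlaky(t, 52094)
			}

			t.Fatalf("tls connection failed: %s", err)
		}
		// The connection is only needed for the handshake; close it so each
		// case does not leave a socket open for the rest of the test.
		defer c.Close()
		chain := c.ConnectionState().PeerCertificates
		if len(chain) == 0 {
			t.Fatalf("tls connection to %s presented no certificates", host)
		}
		return chain
	}

	tests := []struct {
		name        string
		host        string
		verifyName  string    // if set, the DNS name the leaf must be valid for
		verifyTime  time.Time // if set, used as VerifyOptions.CurrentTime instead of now
		expectedErr string    // exact Verify error text; "" means success is expected
	}{
		{
			// whatever google.com serves should, hopefully, be trusted
			name: "valid chain",
			host: "google.com",
		},
		{
			name:       "valid chain (dns check)",
			host:       "google.com",
			verifyName: "google.com",
		},
		{
			name:       "valid chain (fqdn dns check)",
			host:       "google.com.",
			verifyName: "google.com.",
		},
		{
			name:        "expired leaf",
			host:        "expired.badssl.com",
			expectedErr: "x509: certificate has expired or is not yet valid: ",
		},
		{
			name:        "wrong host for leaf",
			host:        "wrong.host.badssl.com",
			verifyName:  "wrong.host.badssl.com",
			expectedErr: "x509: certificate is valid for *.badssl.com, badssl.com, not wrong.host.badssl.com",
		},
		{
			name:        "self-signed leaf",
			host:        "self-signed.badssl.com",
			expectedErr: "x509: certificate signed by unknown authority",
		},
		{
			name:        "untrusted root",
			host:        "untrusted-root.badssl.com",
			expectedErr: "x509: certificate signed by unknown authority",
		},
		{
			// A verification time one hour into year 1 is before any
			// real certificate's NotBefore, so the leaf is "not yet valid".
			name:        "expired leaf (custom time)",
			host:        "google.com",
			verifyTime:  time.Time{}.Add(time.Hour),
			expectedErr: "x509: certificate has expired or is not yet valid: ",
		},
		{
			name:       "valid chain (custom time)",
			host:       "google.com",
			verifyTime: time.Now(),
		},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			chain := getChain(t, tc.host)
			var opts x509.VerifyOptions
			// Everything after the leaf is offered as an intermediate; roots
			// are intentionally not set so the system store is consulted.
			if len(chain) > 1 {
				opts.Intermediates = x509.NewCertPool()
				for _, c := range chain[1:] {
					opts.Intermediates.AddCert(c)
				}
			}
			if tc.verifyName != "" {
				opts.DNSName = tc.verifyName
			}
			if !tc.verifyTime.IsZero() {
				opts.CurrentTime = tc.verifyTime
			}

			_, err := chain[0].Verify(opts)
			switch {
			case err != nil && tc.expectedErr == "":
				t.Errorf("unexpected verification error: %s", err)
			case err != nil && err.Error() != tc.expectedErr:
				t.Errorf("unexpected verification error: got %q, want %q", err.Error(), tc.expectedErr)
			case err == nil && tc.expectedErr != "":
				t.Errorf("unexpected verification success: want %q", tc.expectedErr)
			}
		})
	}
}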