github.com/twelsh-aw/go/src@v0.0.0-20230516233729-a56fe86a7c81/crypto/x509/root_darwin_test.go (about) 1 // Copyright 2013 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package x509_test 6 7 import ( 8 "crypto/tls" 9 "crypto/x509" 10 "internal/testenv" 11 "testing" 12 "time" 13 ) 14 15 func TestPlatformVerifier(t *testing.T) { 16 if !testenv.HasExternalNetwork() { 17 t.Skip() 18 } 19 20 getChain := func(host string) []*x509.Certificate { 21 t.Helper() 22 c, err := tls.Dial("tcp", host+":443", &tls.Config{InsecureSkipVerify: true}) 23 if err != nil { 24 t.Fatalf("tls connection failed: %s", err) 25 } 26 return c.ConnectionState().PeerCertificates 27 } 28 29 tests := []struct { 30 name string 31 host string 32 verifyName string 33 verifyTime time.Time 34 verifyEKU []x509.ExtKeyUsage 35 expectedErr string 36 skip string 37 }{ 38 { 39 // whatever google.com serves should, hopefully, be trusted 40 name: "valid chain", 41 host: "google.com", 42 }, 43 { 44 name: "expired leaf", 45 host: "expired.badssl.com", 46 expectedErr: "x509: certificate has expired or is not yet valid: “*.badssl.com” certificate is expired", 47 }, 48 { 49 name: "wrong host for leaf", 50 host: "wrong.host.badssl.com", 51 verifyName: "wrong.host.badssl.com", 52 expectedErr: "x509: certificate is valid for *.badssl.com, badssl.com, not wrong.host.badssl.com", 53 }, 54 { 55 name: "self-signed leaf", 56 host: "self-signed.badssl.com", 57 expectedErr: "x509: certificate signed by unknown authority", 58 }, 59 { 60 name: "untrusted root", 61 host: "untrusted-root.badssl.com", 62 expectedErr: "x509: certificate signed by unknown authority", 63 }, 64 { 65 name: "revoked leaf", 66 host: "revoked.badssl.com", 67 expectedErr: "x509: “revoked.badssl.com” certificate is revoked", 68 skip: "skipping; broken on recent versions of macOS. See issue 57428.", 69 }, 70 { 71 name: "leaf missing SCTs", 72 host: "no-sct.badssl.com", 73 expectedErr: "x509: “no-sct.badssl.com” certificate is not standards compliant", 74 skip: "skipping; broken on recent versions of macOS. See issue 57428.", 75 }, 76 { 77 name: "expired leaf (custom time)", 78 host: "google.com", 79 verifyTime: time.Time{}.Add(time.Hour), 80 expectedErr: "x509: certificate has expired or is not yet valid: “*.google.com” certificate is expired", 81 }, 82 { 83 name: "valid chain (custom time)", 84 host: "google.com", 85 verifyTime: time.Now(), 86 }, 87 { 88 name: "leaf doesn't have acceptable ExtKeyUsage", 89 host: "google.com", 90 expectedErr: "x509: certificate specifies an incompatible key usage", 91 verifyEKU: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}, 92 }, 93 } 94 95 for _, tc := range tests { 96 t.Run(tc.name, func(t *testing.T) { 97 if tc.skip != "" { 98 t.Skip(tc.skip) 99 } 100 101 chain := getChain(tc.host) 102 var opts x509.VerifyOptions 103 if len(chain) > 1 { 104 opts.Intermediates = x509.NewCertPool() 105 for _, c := range chain[1:] { 106 opts.Intermediates.AddCert(c) 107 } 108 } 109 if tc.verifyName != "" { 110 opts.DNSName = tc.verifyName 111 } 112 if !tc.verifyTime.IsZero() { 113 opts.CurrentTime = tc.verifyTime 114 } 115 if len(tc.verifyEKU) > 0 { 116 opts.KeyUsages = tc.verifyEKU 117 } 118 119 _, err := chain[0].Verify(opts) 120 if err != nil && tc.expectedErr == "" { 121 t.Errorf("unexpected verification error: %s", err) 122 } else if err != nil && err.Error() != tc.expectedErr { 123 t.Errorf("unexpected verification error: got %q, want %q", err.Error(), tc.expectedErr) 124 } else if err == nil && tc.expectedErr != "" { 125 t.Errorf("unexpected verification success: want %q", tc.expectedErr) 126 } 127 }) 128 } 129 }