1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
|
// Copyright 2021 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package x509_test
import (
"crypto/tls"
"crypto/x509"
"errors"
"internal/testenv"
"net"
"strings"
"syscall"
"testing"
"time"
)
func TestPlatformVerifier(t *testing.T) {
if !testenv.HasExternalNetwork() {
t.Skip()
}
getChain := func(t *testing.T, host string) []*x509.Certificate {
t.Helper()
c, err := tls.Dial("tcp", host+":443", &tls.Config{InsecureSkipVerify: true})
if err != nil {
// From https://docs.microsoft.com/en-us/windows/win32/winsock/windows-sockets-error-codes-2,
// matching the error string observed in https://go.dev/issue/52094.
const WSATRY_AGAIN syscall.Errno = 11002
var errDNS *net.DNSError
if strings.HasSuffix(host, ".badssl.com") && errors.As(err, &errDNS) && strings.HasSuffix(errDNS.Err, WSATRY_AGAIN.Error()) {
t.Log(err)
testenv.SkipFlaky(t, 52094)
}
t.Fatalf("tls connection failed: %s", err)
}
return c.ConnectionState().PeerCertificates
}
tests := []struct {
name string
host string
verifyName string
verifyTime time.Time
expectedErr string
}{
{
// whatever google.com serves should, hopefully, be trusted
name: "valid chain",
host: "google.com",
},
{
name: "valid chain (dns check)",
host: "google.com",
verifyName: "google.com",
},
{
name: "valid chain (fqdn dns check)",
host: "google.com.",
verifyName: "google.com.",
},
{
name: "expired leaf",
host: "expired.badssl.com",
expectedErr: "x509: certificate has expired or is not yet valid: ",
},
{
name: "wrong host for leaf",
host: "wrong.host.badssl.com",
verifyName: "wrong.host.badssl.com",
expectedErr: "x509: certificate is valid for *.badssl.com, badssl.com, not wrong.host.badssl.com",
},
{
name: "self-signed leaf",
host: "self-signed.badssl.com",
expectedErr: "x509: certificate signed by unknown authority",
},
{
name: "untrusted root",
host: "untrusted-root.badssl.com",
expectedErr: "x509: certificate signed by unknown authority",
},
{
name: "expired leaf (custom time)",
host: "google.com",
verifyTime: time.Time{}.Add(time.Hour),
expectedErr: "x509: certificate has expired or is not yet valid: ",
},
{
name: "valid chain (custom time)",
host: "google.com",
verifyTime: time.Now(),
},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
chain := getChain(t, tc.host)
var opts x509.VerifyOptions
if len(chain) > 1 {
opts.Intermediates = x509.NewCertPool()
for _, c := range chain[1:] {
opts.Intermediates.AddCert(c)
}
}
if tc.verifyName != "" {
opts.DNSName = tc.verifyName
}
if !tc.verifyTime.IsZero() {
opts.CurrentTime = tc.verifyTime
}
_, err := chain[0].Verify(opts)
if err != nil && tc.expectedErr == "" {
t.Errorf("unexpected verification error: %s", err)
} else if err != nil && err.Error() != tc.expectedErr {
t.Errorf("unexpected verification error: got %q, want %q", err.Error(), tc.expectedErr)
} else if err == nil && tc.expectedErr != "" {
t.Errorf("unexpected verification success: want %q", tc.expectedErr)
}
})
}
}
|
