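// Copyright 2013 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package x509_test

import (
	"crypto/tls"
	"crypto/x509"
	"internal/testenv"
	"testing"
	"time"
)

// TestPlatformVerifierLegacy fetches certificate chains from live hosts and
// checks the result of Certificate.Verify against an expected error string.
//
// VerifyOptions.Roots is never set, so verification uses the system roots or
// the platform verifier rather than a pool built by the test. The expected
// error strings are compared byte-for-byte, so a change in the platform's
// wording fails the test even when the verdict itself is unchanged.
func TestPlatformVerifierLegacy(t *testing.T) {
	// TODO(#52108): This can be removed once the synthetic test root is deployed on
	// builders.
	if !testenv.HasExternalNetwork() {
		t.Skip()
	}

	// getChain returns the certificates presented by host on port 443, leaf
	// first. It takes the calling (sub)test's t: calling Fatalf on the parent
	// test from a subtest goroutine is reported by the testing package as a
	// misuse instead of as a clean failure of the subtest.
	getChain := func(t *testing.T, host string) []*x509.Certificate {
		t.Helper()
		// InsecureSkipVerify is deliberate: several hosts below serve
		// certificates that must fail verification, so the handshake itself
		// must not reject them. The connection is used only to capture the
		// peer's certificates; no application data is sent or trusted over
		// it. Verification happens afterwards through Certificate.Verify.
		//
		// NOTE(review): tls.Dial is called without a dial timeout, so an
		// unresponsive host blocks until the overall test timeout.
		c, err := tls.Dial("tcp", host+":443", &tls.Config{InsecureSkipVerify: true})
		if err != nil {
			t.Fatalf("tls connection failed: %s", err)
		}
		// The certificates are copied out of the connection state, so the
		// socket can be released as soon as the handshake result is read.
		defer c.Close()

		chain := c.ConnectionState().PeerCertificates
		if len(chain) == 0 {
			// Callers index chain[0]; fail with a message rather than panic.
			t.Fatalf("no peer certificates received from %s", host)
		}
		return chain
	}

	tests := []struct {
		name        string
		host        string
		verifyName  string
		verifyTime  time.Time
		verifyEKU   []x509.ExtKeyUsage
		expectedErr string
		skip        string
	}{
		{
			// whatever google.com serves should, hopefully, be trusted
			name: "valid chain",
			host: "google.com",
		},
		{
			name:        "expired leaf",
			host:        "expired.badssl.com",
			expectedErr: "x509: certificate has expired or is not yet valid: “*.badssl.com” certificate is expired",
		},
		{
			name:        "wrong host for leaf",
			host:        "wrong.host.badssl.com",
			verifyName:  "wrong.host.badssl.com",
			expectedErr: "x509: certificate is valid for *.badssl.com, badssl.com, not wrong.host.badssl.com",
		},
		{
			name:        "self-signed leaf",
			host:        "self-signed.badssl.com",
			expectedErr: "x509: certificate signed by unknown authority",
		},
		{
			name:        "untrusted root",
			host:        "untrusted-root.badssl.com",
			expectedErr: "x509: certificate signed by unknown authority",
		},
		// The next two cases are skipped, so this test currently gives no
		// coverage of revocation or SCT enforcement by the platform verifier.
		{
			name:        "revoked leaf",
			host:        "revoked.badssl.com",
			expectedErr: "x509: “revoked.badssl.com” certificate is revoked",
			skip:        "skipping; broken on recent versions of macOS. See issue 57428.",
		},
		{
			name:        "leaf missing SCTs",
			host:        "no-sct.badssl.com",
			expectedErr: "x509: “no-sct.badssl.com” certificate is not standards compliant",
			skip:        "skipping; broken on recent versions of macOS. See issue 57428.",
		},
		{
			// One hour after the zero time: long before any served
			// certificate's validity window.
			name:        "expired leaf (custom time)",
			host:        "google.com",
			verifyTime:  time.Time{}.Add(time.Hour),
			expectedErr: "x509: certificate has expired or is not yet valid: “*.google.com” certificate is expired",
		},
		{
			name:       "valid chain (custom time)",
			host:       "google.com",
			verifyTime: time.Now(),
		},
		{
			name:        "leaf doesn't have acceptable ExtKeyUsage",
			host:        "google.com",
			expectedErr: "x509: certificate specifies an incompatible key usage",
			verifyEKU:   []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
		},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			if tc.skip != "" {
				t.Skip(tc.skip)
			}

			chain := getChain(t, tc.host)

			// Everything after the leaf is offered as an intermediate; no
			// certificate from the server is ever added as a root.
			var opts x509.VerifyOptions
			if len(chain) > 1 {
				opts.Intermediates = x509.NewCertPool()
				for _, c := range chain[1:] {
					opts.Intermediates.AddCert(c)
				}
			}
			// The hostname is checked only when a case asks for it; the
			// other cases exercise chain validity alone.
			if tc.verifyName != "" {
				opts.DNSName = tc.verifyName
			}
			if !tc.verifyTime.IsZero() {
				opts.CurrentTime = tc.verifyTime
			}
			if len(tc.verifyEKU) > 0 {
				opts.KeyUsages = tc.verifyEKU
			}

			_, err := chain[0].Verify(opts)
			switch {
			case err != nil && tc.expectedErr == "":
				t.Errorf("unexpected verification error: %s", err)
			case err != nil && err.Error() != tc.expectedErr:
				t.Errorf("unexpected verification error: got %q, want %q", err.Error(), tc.expectedErr)
			case err == nil && tc.expectedErr != "":
				// A chain that should have been rejected was accepted.
				t.Errorf("unexpected verification success: want %q", tc.expectedErr)
			}
		})
	}
}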