// Copyright 2013 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package x509_test

import (
	"crypto/tls"
	"crypto/x509"
	"internal/testenv"
	"testing"
	"time"
)

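// TestPlatformVerifierLegacy connects to live hosts, captures the certificate
// chain each one serves, and checks that Certificate.Verify yields exactly the
// expected outcome for that chain: success, or one specific error string.
//
// The test needs external network access and is skipped without it.
func TestPlatformVerifierLegacy(t *testing.T) {
	// TODO(#52108): This can be removed once the synthetic test root is deployed on
	// builders.
	if !testenv.HasExternalNetwork() {
		t.Skip()
	}

	// getChain returns the certificates presented by host on port 443.
	//
	// InsecureSkipVerify is deliberate: several hosts below serve intentionally
	// bad certificates, so the handshake has to complete without validation in
	// order to hand the raw chain to Verify, which is the code under test.
	// The connection is used only to read the peer certificates. This config
	// must not be reused outside of tests.
	//
	// It takes the calling subtest's t so that Fatalf stops the goroutine that
	// is actually running and the failure is attributed to that subtest.
	getChain := func(t *testing.T, host string) []*x509.Certificate {
		t.Helper()
		conn, err := tls.Dial("tcp", host+":443", &tls.Config{InsecureSkipVerify: true})
		if err != nil {
			t.Fatalf("tls connection failed: %s", err)
		}
		// The handshake has already parsed the certificates; release the socket.
		defer conn.Close()
		return conn.ConnectionState().PeerCertificates
	}

	tests := []struct {
		name        string
		host        string             // host dialed on port 443 to obtain the chain
		verifyName  string             // if set, copied to VerifyOptions.DNSName
		verifyTime  time.Time          // if non-zero, copied to VerifyOptions.CurrentTime
		verifyEKU   []x509.ExtKeyUsage // if non-empty, copied to VerifyOptions.KeyUsages
		expectedErr string             // exact error text; empty means Verify must succeed
		skip        string             // if set, the case is skipped with this message
	}{
		{
			// whatever google.com serves should, hopefully, be trusted
			name: "valid chain",
			host: "google.com",
		},
		{
			name:        "expired leaf",
			host:        "expired.badssl.com",
			expectedErr: "x509: certificate has expired or is not yet valid: “*.badssl.com” certificate is expired",
		},
		{
			name:        "wrong host for leaf",
			host:        "wrong.host.badssl.com",
			verifyName:  "wrong.host.badssl.com",
			expectedErr: "x509: certificate is valid for *.badssl.com, badssl.com, not wrong.host.badssl.com",
		},
		{
			name:        "self-signed leaf",
			host:        "self-signed.badssl.com",
			expectedErr: "x509: certificate signed by unknown authority",
		},
		{
			name:        "untrusted root",
			host:        "untrusted-root.badssl.com",
			expectedErr: "x509: certificate signed by unknown authority",
		},
		{
			name:        "revoked leaf",
			host:        "revoked.badssl.com",
			expectedErr: "x509: “revoked.badssl.com” certificate is revoked",
			skip:        "skipping; broken on recent versions of macOS. See issue 57428.",
		},
		{
			name:        "leaf missing SCTs",
			host:        "no-sct.badssl.com",
			expectedErr: "x509: “no-sct.badssl.com” certificate is not standards compliant",
			skip:        "skipping; broken on recent versions of macOS. See issue 57428.",
		},
		{
			// One hour past the zero time: non-zero, so the IsZero check
			// below passes and the value is applied as CurrentTime.
			name:        "expired leaf (custom time)",
			host:        "google.com",
			verifyTime:  time.Time{}.Add(time.Hour),
			expectedErr: "x509: certificate has expired or is not yet valid: “*.google.com” certificate is expired",
		},
		{
			name:       "valid chain (custom time)",
			host:       "google.com",
			verifyTime: time.Now(),
		},
		{
			name:        "leaf doesn't have acceptable ExtKeyUsage",
			host:        "google.com",
			expectedErr: "x509: certificate specifies an incompatible key usage",
			verifyEKU:   []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
		},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			if tc.skip != "" {
				t.Skip(tc.skip)
			}

			chain := getChain(t, tc.host)
			if len(chain) == 0 {
				// Guard the chain[0] access below.
				t.Fatalf("no peer certificates received from %s", tc.host)
			}

			// Everything after the leaf is offered as an intermediate. Roots
			// is left unset, so trust anchors come from the default roots.
			var opts x509.VerifyOptions
			if len(chain) > 1 {
				opts.Intermediates = x509.NewCertPool()
				for _, c := range chain[1:] {
					opts.Intermediates.AddCert(c)
				}
			}
			if tc.verifyName != "" {
				opts.DNSName = tc.verifyName
			}
			if !tc.verifyTime.IsZero() {
				opts.CurrentTime = tc.verifyTime
			}
			if len(tc.verifyEKU) > 0 {
				opts.KeyUsages = tc.verifyEKU
			}

			_, err := chain[0].Verify(opts)
			switch {
			case err != nil && tc.expectedErr == "":
				t.Errorf("unexpected verification error: %s", err)
			case err != nil && err.Error() != tc.expectedErr:
				t.Errorf("unexpected verification error: got %q, want %q", err.Error(), tc.expectedErr)
			case err == nil && tc.expectedErr != "":
				t.Errorf("unexpected verification success: want %q", tc.expectedErr)
			}
		})
	}
}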
