diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-06-08 04:11:07 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-06-08 04:11:07 +0000 |
commit | 17cd1672e40d83687d20266b4f71a0dce064f0e4 (patch) | |
tree | 1e10132d08269d9fba82dbba3c5b991e070d3446 /src/crypto | |
parent | Releasing progress-linux version 1.22.3-1~progress7.99u1. (diff) | |
download | golang-1.22-17cd1672e40d83687d20266b4f71a0dce064f0e4.tar.xz golang-1.22-17cd1672e40d83687d20266b4f71a0dce064f0e4.zip |
Merging upstream version 1.22.4.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/crypto')
-rw-r--r-- | src/crypto/x509/root_darwin_test.go | 131 | ||||
-rw-r--r-- | src/crypto/x509/root_windows_test.go | 127 |
2 files changed, 0 insertions, 258 deletions
diff --git a/src/crypto/x509/root_darwin_test.go b/src/crypto/x509/root_darwin_test.go deleted file mode 100644 index e6b52e9..0000000 --- a/src/crypto/x509/root_darwin_test.go +++ /dev/null @@ -1,131 +0,0 @@ -// Copyright 2013 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package x509_test - -import ( - "crypto/tls" - "crypto/x509" - "internal/testenv" - "testing" - "time" -) - -func TestPlatformVerifierLegacy(t *testing.T) { - // TODO(#52108): This can be removed once the synthetic test root is deployed on - // builders. - if !testenv.HasExternalNetwork() { - t.Skip() - } - - getChain := func(host string) []*x509.Certificate { - t.Helper() - c, err := tls.Dial("tcp", host+":443", &tls.Config{InsecureSkipVerify: true}) - if err != nil { - t.Fatalf("tls connection failed: %s", err) - } - return c.ConnectionState().PeerCertificates - } - - tests := []struct { - name string - host string - verifyName string - verifyTime time.Time - verifyEKU []x509.ExtKeyUsage - expectedErr string - skip string - }{ - { - // whatever google.com serves should, hopefully, be trusted - name: "valid chain", - host: "google.com", - }, - { - name: "expired leaf", - host: "expired.badssl.com", - expectedErr: "x509: certificate has expired or is not yet valid: “*.badssl.com” certificate is expired", - }, - { - name: "wrong host for leaf", - host: "wrong.host.badssl.com", - verifyName: "wrong.host.badssl.com", - expectedErr: "x509: certificate is valid for *.badssl.com, badssl.com, not wrong.host.badssl.com", - }, - { - name: "self-signed leaf", - host: "self-signed.badssl.com", - expectedErr: "x509: certificate signed by unknown authority", - }, - { - name: "untrusted root", - host: "untrusted-root.badssl.com", - expectedErr: "x509: certificate signed by unknown authority", - }, - { - name: "revoked leaf", - host: "revoked.badssl.com", - expectedErr: "x509: “revoked.badssl.com” certificate is revoked", - skip: "skipping; broken on recent versions of macOS. See issue 57428.", - }, - { - name: "leaf missing SCTs", - host: "no-sct.badssl.com", - expectedErr: "x509: “no-sct.badssl.com” certificate is not standards compliant", - skip: "skipping; broken on recent versions of macOS. See issue 57428.", - }, - { - name: "expired leaf (custom time)", - host: "google.com", - verifyTime: time.Time{}.Add(time.Hour), - expectedErr: "x509: certificate has expired or is not yet valid: “*.google.com” certificate is expired", - }, - { - name: "valid chain (custom time)", - host: "google.com", - verifyTime: time.Now(), - }, - { - name: "leaf doesn't have acceptable ExtKeyUsage", - host: "google.com", - expectedErr: "x509: certificate specifies an incompatible key usage", - verifyEKU: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}, - }, - } - - for _, tc := range tests { - t.Run(tc.name, func(t *testing.T) { - if tc.skip != "" { - t.Skip(tc.skip) - } - - chain := getChain(tc.host) - var opts x509.VerifyOptions - if len(chain) > 1 { - opts.Intermediates = x509.NewCertPool() - for _, c := range chain[1:] { - opts.Intermediates.AddCert(c) - } - } - if tc.verifyName != "" { - opts.DNSName = tc.verifyName - } - if !tc.verifyTime.IsZero() { - opts.CurrentTime = tc.verifyTime - } - if len(tc.verifyEKU) > 0 { - opts.KeyUsages = tc.verifyEKU - } - - _, err := chain[0].Verify(opts) - if err != nil && tc.expectedErr == "" { - t.Errorf("unexpected verification error: %s", err) - } else if err != nil && err.Error() != tc.expectedErr { - t.Errorf("unexpected verification error: got %q, want %q", err.Error(), tc.expectedErr) - } else if err == nil && tc.expectedErr != "" { - t.Errorf("unexpected verification success: want %q", tc.expectedErr) - } - }) - } -} diff --git a/src/crypto/x509/root_windows_test.go b/src/crypto/x509/root_windows_test.go deleted file mode 100644 index 1372c04..0000000 --- a/src/crypto/x509/root_windows_test.go +++ /dev/null @@ -1,127 +0,0 @@ -// Copyright 2021 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package x509_test - -import ( - "crypto/tls" - "crypto/x509" - "errors" - "internal/testenv" - "net" - "strings" - "syscall" - "testing" - "time" -) - -func TestPlatformVerifierLegacy(t *testing.T) { - // TODO(#52108): This can be removed once the synthetic test root is deployed on - // builders. - if !testenv.HasExternalNetwork() { - t.Skip() - } - - getChain := func(t *testing.T, host string) []*x509.Certificate { - t.Helper() - c, err := tls.Dial("tcp", host+":443", &tls.Config{InsecureSkipVerify: true}) - if err != nil { - // From https://docs.microsoft.com/en-us/windows/win32/winsock/windows-sockets-error-codes-2, - // matching the error string observed in https://go.dev/issue/52094. - const WSATRY_AGAIN syscall.Errno = 11002 - var errDNS *net.DNSError - if strings.HasSuffix(host, ".badssl.com") && errors.As(err, &errDNS) && strings.HasSuffix(errDNS.Err, WSATRY_AGAIN.Error()) { - t.Log(err) - testenv.SkipFlaky(t, 52094) - } - - t.Fatalf("tls connection failed: %s", err) - } - return c.ConnectionState().PeerCertificates - } - - tests := []struct { - name string - host string - verifyName string - verifyTime time.Time - expectedErr string - }{ - { - // whatever google.com serves should, hopefully, be trusted - name: "valid chain", - host: "google.com", - }, - { - name: "valid chain (dns check)", - host: "google.com", - verifyName: "google.com", - }, - { - name: "valid chain (fqdn dns check)", - host: "google.com.", - verifyName: "google.com.", - }, - { - name: "expired leaf", - host: "expired.badssl.com", - expectedErr: "x509: certificate has expired or is not yet valid: ", - }, - { - name: "wrong host for leaf", - host: "wrong.host.badssl.com", - verifyName: "wrong.host.badssl.com", - expectedErr: "x509: certificate is valid for *.badssl.com, badssl.com, not wrong.host.badssl.com", - }, - { - name: "self-signed leaf", - host: "self-signed.badssl.com", - expectedErr: "x509: certificate signed by unknown authority", - }, - { - name: "untrusted root", - host: "untrusted-root.badssl.com", - expectedErr: "x509: certificate signed by unknown authority", - }, - { - name: "expired leaf (custom time)", - host: "google.com", - verifyTime: time.Time{}.Add(time.Hour), - expectedErr: "x509: certificate has expired or is not yet valid: ", - }, - { - name: "valid chain (custom time)", - host: "google.com", - verifyTime: time.Now(), - }, - } - - for _, tc := range tests { - t.Run(tc.name, func(t *testing.T) { - chain := getChain(t, tc.host) - var opts x509.VerifyOptions - if len(chain) > 1 { - opts.Intermediates = x509.NewCertPool() - for _, c := range chain[1:] { - opts.Intermediates.AddCert(c) - } - } - if tc.verifyName != "" { - opts.DNSName = tc.verifyName - } - if !tc.verifyTime.IsZero() { - opts.CurrentTime = tc.verifyTime - } - - _, err := chain[0].Verify(opts) - if err != nil && tc.expectedErr == "" { - t.Errorf("unexpected verification error: %s", err) - } else if err != nil && err.Error() != tc.expectedErr { - t.Errorf("unexpected verification error: got %q, want %q", err.Error(), tc.expectedErr) - } else if err == nil && tc.expectedErr != "" { - t.Errorf("unexpected verification success: want %q", tc.expectedErr) - } - }) - } -} |