summaryrefslogtreecommitdiff
path: root/src/regress/lib/libcrypto/certs/verify_test.go
blob: fa0a34f49fb7dd6bf8876191135f65e71ccfc051 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112

package verify

import (
	"crypto/x509"
	"encoding/pem"
	"io/ioutil"
	"path/filepath"
	"testing"
)

func TestVerify(t *testing.T) {
	tests := []struct {
		id         string
		wantChains int
	}{
		{"1a", 1},
		{"2a", 1},
		{"2b", 0},
		{"2c", 1},
		{"3a", 1},
		{"3b", 0},
		{"3c", 0},
		{"3d", 0},
		{"3e", 1},
		{"4a", 2},
		{"4b", 1},
		{"4c", 1},
		{"4d", 1},
		{"4e", 1},
		{"4f", 2},
		{"4g", 1},
		{"4h", 1},
		{"5a", 2},
		{"5b", 1},
		{"5c", 1},
		{"5d", 1},
		{"5e", 1},
		{"5f", 1},
		{"5g", 2},
		{"5h", 1},
		{"5i", 1},
		{"6a", 1},  // Expired root.
		{"6b", 1},  // Expired root.
		{"7a", 1},  // Expired root.
		{"7b", 1},  // Expired root.
		{"8a", 0},  // Expired leaf.
		{"9a", 0},  // Expired intermediate.
		{"10a", 1}, // Cross signed with expired intermediate.
		{"10b", 1}, // Cross signed with expired intermediate.
		{"11a", 1}, // Cross signed with expired intermediate.
		{"11b", 1}, // Cross signed with expired intermediate.
		{"12a", 1}, // Cross signed with expired intermediate.
		{"13a", 1}, // Cross signed with expired root.
	}

	for _, test := range tests {
		t.Run(test.id, func(t *testing.T) {
			rootsPEM, err := ioutil.ReadFile(filepath.Join(test.id, "roots.pem"))
			if err != nil {
				t.Fatalf("Failed to read roots PEM: %v", err)
			}
			bundlePEM, err := ioutil.ReadFile(filepath.Join(test.id, "bundle.pem"))
			if err != nil {
				t.Fatalf("Failed to read bundle PEM: %v", err)
			}

			// Pull the leaf certificate off the top of the bundle.
			block, intermediatesPEM := pem.Decode(bundlePEM)
			if block == nil {
				t.Fatal("Failed to parse leaf from bundle")
			}
			cert, err := x509.ParseCertificate(block.Bytes)
			if err != nil {
				t.Fatalf("Failed to parse certificate: %v", err)
			}

			roots := x509.NewCertPool()
			if !roots.AppendCertsFromPEM(rootsPEM) {
				t.Fatal("Failed to parse root certificates")
			}
			intermediates := x509.NewCertPool()
			if len(intermediatesPEM) > 0 {
				if !intermediates.AppendCertsFromPEM(intermediatesPEM) {
					t.Fatal("Failed to parse intermediate certificates")
				}
			}

			opts := x509.VerifyOptions{
				Roots:         roots,
				Intermediates: intermediates,
			}

			chains, err := cert.Verify(opts)
			if err != nil {
				if test.wantChains > 0 {
					t.Errorf("Failed to verify certificate: %v", err)
				}
				return
			}
			t.Logf("Found %d chains", len(chains))
			if got, want := len(chains), test.wantChains; got != want {
				t.Errorf("Got %d chains, want %d", got, want)
			}
			for i, chain := range chains {
				t.Logf("Chain %d\n", i)
				for _, cert := range chain {
					t.Logf("  %v\n", cert.Subject)
				}
			}
		})
	}
}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-26 16:08:56 +0000