th5/root_test.go

// Copyright 2011 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package tls

import (
	"crypto/x509"
	"runtime"
	"testing"
)

var tlsServers = []string{
	"google.com",
	"github.com",
	"twitter.com",
}

func TestOSCertBundles(t *testing.T) {
	if testing.Short() {
		t.Logf("skipping certificate tests in short mode")
		return
	}

	for _, addr := range tlsServers {
		conn, err := Dial("tcp", addr+":443", &Config{ServerName: addr})
		if err != nil {
			t.Errorf("unable to verify %v: %v", addr, err)
			continue
		}
		err = conn.Close()
		if err != nil {
			t.Error(err)
		}
	}
}

func TestCertHostnameVerifyWindows(t *testing.T) {
	if runtime.GOOS != "windows" {
		return
	}

	if testing.Short() {
		t.Logf("skipping certificate tests in short mode")
		return
	}

	for _, addr := range tlsServers {
		cfg := &Config{ServerName: "example.com"}
		conn, err := Dial("tcp", addr+":443", cfg)
		if err == nil {
			conn.Close()
			t.Errorf("should fail to verify for example.com: %v", addr)
			continue
		}
		_, ok := err.(x509.HostnameError)
		if !ok {
			t.Errorf("error type mismatch, got: %v", err)
		}
	}
}
crypto/tls: fetch root certificates using Mac OS API Fixes #1009. R=adg, rsc CC=golang-dev https://golang.org/cl/5262041 2011-10-13 18:59:13 +01:00			`// Copyright 2011 The Go Authors. All rights reserved.`
			`// Use of this source code is governed by a BSD-style`
			`// license that can be found in the LICENSE file.`

			`package tls`

			`import (`
crypto/x509: new home for root fetchers; build chains using Windows API This moves the various CA root fetchers from crypto/tls into crypto/x509. The move was brought about by issue 2997. Windows doesn't ship with all its root certificates, but will instead download them as-needed when using CryptoAPI for certificate verification. This CL changes crypto/x509 to verify a certificate using the system root CAs when VerifyOptions.RootCAs == nil. On Windows, this verification is now implemented using Windows's CryptoAPI. All other root fetchers are unchanged, and still use Go's own verification code. The CL also fixes the hostname matching logic in crypto/tls/tls.go, in order to be able to test whether hostname mismatches are honored by the Windows verification code. The move to crypto/x509 also allows other packages to use the OS-provided root certificates, instead of hiding them inside the crypto/tls package. Fixes #2997. R=agl, golang-dev, alex.brainman, rsc, mikkel CC=golang-dev https://golang.org/cl/5700087 2012-03-07 18:12:35 +00:00			`"crypto/x509"`
			`"runtime"`
crypto/tls: fetch root certificates using Mac OS API Fixes #1009. R=adg, rsc CC=golang-dev https://golang.org/cl/5262041 2011-10-13 18:59:13 +01:00			`"testing"`
			`)`

			`var tlsServers = []string{`
crypto/x509: new home for root fetchers; build chains using Windows API This moves the various CA root fetchers from crypto/tls into crypto/x509. The move was brought about by issue 2997. Windows doesn't ship with all its root certificates, but will instead download them as-needed when using CryptoAPI for certificate verification. This CL changes crypto/x509 to verify a certificate using the system root CAs when VerifyOptions.RootCAs == nil. On Windows, this verification is now implemented using Windows's CryptoAPI. All other root fetchers are unchanged, and still use Go's own verification code. The CL also fixes the hostname matching logic in crypto/tls/tls.go, in order to be able to test whether hostname mismatches are honored by the Windows verification code. The move to crypto/x509 also allows other packages to use the OS-provided root certificates, instead of hiding them inside the crypto/tls package. Fixes #2997. R=agl, golang-dev, alex.brainman, rsc, mikkel CC=golang-dev https://golang.org/cl/5700087 2012-03-07 18:12:35 +00:00			`"google.com",`
			`"github.com",`
			`"twitter.com",`
crypto/tls: fetch root certificates using Mac OS API Fixes #1009. R=adg, rsc CC=golang-dev https://golang.org/cl/5262041 2011-10-13 18:59:13 +01:00			`}`

			`func TestOSCertBundles(t *testing.T) {`
			`if testing.Short() {`
			`t.Logf("skipping certificate tests in short mode")`
			`return`
			`}`

			`for _, addr := range tlsServers {`
crypto/x509: new home for root fetchers; build chains using Windows API This moves the various CA root fetchers from crypto/tls into crypto/x509. The move was brought about by issue 2997. Windows doesn't ship with all its root certificates, but will instead download them as-needed when using CryptoAPI for certificate verification. This CL changes crypto/x509 to verify a certificate using the system root CAs when VerifyOptions.RootCAs == nil. On Windows, this verification is now implemented using Windows's CryptoAPI. All other root fetchers are unchanged, and still use Go's own verification code. The CL also fixes the hostname matching logic in crypto/tls/tls.go, in order to be able to test whether hostname mismatches are honored by the Windows verification code. The move to crypto/x509 also allows other packages to use the OS-provided root certificates, instead of hiding them inside the crypto/tls package. Fixes #2997. R=agl, golang-dev, alex.brainman, rsc, mikkel CC=golang-dev https://golang.org/cl/5700087 2012-03-07 18:12:35 +00:00			`conn, err := Dial("tcp", addr+":443", &Config{ServerName: addr})`
crypto/tls: fetch root certificates using Mac OS API Fixes #1009. R=adg, rsc CC=golang-dev https://golang.org/cl/5262041 2011-10-13 18:59:13 +01:00			`if err != nil {`
			`t.Errorf("unable to verify %v: %v", addr, err)`
			`continue`
			`}`
			`err = conn.Close()`
			`if err != nil {`
			`t.Error(err)`
			`}`
			`}`
			`}`
crypto/x509: new home for root fetchers; build chains using Windows API This moves the various CA root fetchers from crypto/tls into crypto/x509. The move was brought about by issue 2997. Windows doesn't ship with all its root certificates, but will instead download them as-needed when using CryptoAPI for certificate verification. This CL changes crypto/x509 to verify a certificate using the system root CAs when VerifyOptions.RootCAs == nil. On Windows, this verification is now implemented using Windows's CryptoAPI. All other root fetchers are unchanged, and still use Go's own verification code. The CL also fixes the hostname matching logic in crypto/tls/tls.go, in order to be able to test whether hostname mismatches are honored by the Windows verification code. The move to crypto/x509 also allows other packages to use the OS-provided root certificates, instead of hiding them inside the crypto/tls package. Fixes #2997. R=agl, golang-dev, alex.brainman, rsc, mikkel CC=golang-dev https://golang.org/cl/5700087 2012-03-07 18:12:35 +00:00
			`func TestCertHostnameVerifyWindows(t *testing.T) {`
			`if runtime.GOOS != "windows" {`
			`return`
			`}`

			`if testing.Short() {`
			`t.Logf("skipping certificate tests in short mode")`
			`return`
			`}`

			`for _, addr := range tlsServers {`
			`cfg := &Config{ServerName: "example.com"}`
			`conn, err := Dial("tcp", addr+":443", cfg)`
			`if err == nil {`
			`conn.Close()`
crypto/tls, fmt: print fixes R=golang-dev, bradfitz, minux.ma, rsc, bradfitz CC=golang-dev https://golang.org/cl/5787069 2012-03-12 03:04:45 +00:00			`t.Errorf("should fail to verify for example.com: %v", addr)`
crypto/x509: new home for root fetchers; build chains using Windows API This moves the various CA root fetchers from crypto/tls into crypto/x509. The move was brought about by issue 2997. Windows doesn't ship with all its root certificates, but will instead download them as-needed when using CryptoAPI for certificate verification. This CL changes crypto/x509 to verify a certificate using the system root CAs when VerifyOptions.RootCAs == nil. On Windows, this verification is now implemented using Windows's CryptoAPI. All other root fetchers are unchanged, and still use Go's own verification code. The CL also fixes the hostname matching logic in crypto/tls/tls.go, in order to be able to test whether hostname mismatches are honored by the Windows verification code. The move to crypto/x509 also allows other packages to use the OS-provided root certificates, instead of hiding them inside the crypto/tls package. Fixes #2997. R=agl, golang-dev, alex.brainman, rsc, mikkel CC=golang-dev https://golang.org/cl/5700087 2012-03-07 18:12:35 +00:00			`continue`
			`}`
			`_, ok := err.(x509.HostnameError)`
			`if !ok {`
			`t.Errorf("error type mismatch, got: %v", err)`
			`}`
			`}`
			`}`