crypto/x509: move BetterTLS suite from crypto/tls
Move the BetterTLS test suite from crypto/tls to crypto/x509. Despite the name, the test suites we care about are actually related to X.509 path building and name constraint checking. As such it makes more sense to include these in the crypto/x509 package, so we are more likely to catch breaking behaviors during local testing. Change-Id: I5237903dcc9d9f60d6c7070db3c996ceb643b04c Reviewed-on: https://go-review.googlesource.com/c/go/+/719120 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Daniel McCarney <daniel@binaryparadox.net> Reviewed-by: Junyang Shao <shaojunyang@google.com> Auto-Submit: Roland Shoemaker <roland@golang.org>
This commit is contained in:
parent
6525f46707
commit
956909ff84
1 changed files with 11 additions and 12 deletions
@ -12,11 +12,10 @@
|
||||||
// https://github.com/netflix/bettertls
|
// https://github.com/netflix/bettertls
|
||||||
// https://netflixtechblog.com/bettertls-c9915cd255c0
|
// https://netflixtechblog.com/bettertls-c9915cd255c0
|
||||||
|
|
||||||
package tls_test
|
package x509
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"crypto/internal/cryptotest"
|
"crypto/internal/cryptotest"
|
||||||
"crypto/x509"
|
|
||||||
"encoding/base64"
|
"encoding/base64"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"internal/testenv"
|
"internal/testenv"
|
||||||
|
|
@ -40,7 +39,7 @@ import (
|
||||||
func TestBetterTLS(t *testing.T) {
|
func TestBetterTLS(t *testing.T) {
|
||||||
testenv.SkipIfShortAndSlow(t)
|
testenv.SkipIfShortAndSlow(t)
|
||||||
|
|
||||||
data, roots := testData(t)
|
data, roots := betterTLSTestData(t)
|
||||||
|
|
||||||
for _, suite := range []string{"pathbuilding", "nameconstraints"} {
|
for _, suite := range []string{"pathbuilding", "nameconstraints"} {
|
||||||
t.Run(suite, func(t *testing.T) {
|
t.Run(suite, func(t *testing.T) {
|
||||||
|
|
@ -49,7 +48,7 @@ func TestBetterTLS(t *testing.T) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func runTestSuite(t *testing.T, suiteName string, data *betterTLS, roots *x509.CertPool) {
|
func runTestSuite(t *testing.T, suiteName string, data *betterTLS, roots *CertPool) {
|
||||||
suite, exists := data.Suites[suiteName]
|
suite, exists := data.Suites[suiteName]
|
||||||
if !exists {
|
if !exists {
|
||||||
t.Fatalf("missing %s suite", suiteName)
|
t.Fatalf("missing %s suite", suiteName)
|
||||||
|
|
@ -73,7 +72,7 @@ func runTestSuite(t *testing.T, suiteName string, data *betterTLS, roots *x509.C
|
||||||
t.Fatalf("test case %d has no certificates", tc.ID)
|
t.Fatalf("test case %d has no certificates", tc.ID)
|
||||||
}
|
}
|
||||||
|
|
||||||
eeCert, err := x509.ParseCertificate(certsDER[0])
|
eeCert, err := ParseCertificate(certsDER[0])
|
||||||
if err != nil {
|
if err != nil {
|
||||||
// Several constraint test cases contain invalid end-entity
|
// Several constraint test cases contain invalid end-entity
|
||||||
// certificate extensions that we reject ahead of verification
|
// certificate extensions that we reject ahead of verification
|
||||||
|
|
@ -94,9 +93,9 @@ func runTestSuite(t *testing.T, suiteName string, data *betterTLS, roots *x509.C
|
||||||
tc.ID, err)
|
tc.ID, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
intermediates := x509.NewCertPool()
|
intermediates := NewCertPool()
|
||||||
for i, certDER := range certsDER[1:] {
|
for i, certDER := range certsDER[1:] {
|
||||||
cert, err := x509.ParseCertificate(certDER)
|
cert, err := ParseCertificate(certDER)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf(
|
t.Fatalf(
|
||||||
"failed to parse intermediate certificate %d for test case %d: %v",
|
"failed to parse intermediate certificate %d for test case %d: %v",
|
||||||
|
|
@ -105,11 +104,11 @@ func runTestSuite(t *testing.T, suiteName string, data *betterTLS, roots *x509.C
|
||||||
intermediates.AddCert(cert)
|
intermediates.AddCert(cert)
|
||||||
}
|
}
|
||||||
|
|
||||||
_, err = eeCert.Verify(x509.VerifyOptions{
|
_, err = eeCert.Verify(VerifyOptions{
|
||||||
Roots: roots,
|
Roots: roots,
|
||||||
Intermediates: intermediates,
|
Intermediates: intermediates,
|
||||||
DNSName: tc.Hostname,
|
DNSName: tc.Hostname,
|
||||||
KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
|
KeyUsages: []ExtKeyUsage{ExtKeyUsageServerAuth},
|
||||||
})
|
})
|
||||||
|
|
||||||
switch tc.Expected {
|
switch tc.Expected {
|
||||||
|
|
@ -133,7 +132,7 @@ func runTestSuite(t *testing.T, suiteName string, data *betterTLS, roots *x509.C
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func testData(t *testing.T) (betterTLS, *x509.CertPool) {
|
func betterTLSTestData(t *testing.T) (betterTLS, *CertPool) {
|
||||||
const (
|
const (
|
||||||
bettertlsModule = "github.com/Netflix/bettertls"
|
bettertlsModule = "github.com/Netflix/bettertls"
|
||||||
bettertlsVersion = "v0.0.0-20250909192348-e1e99e353074"
|
bettertlsVersion = "v0.0.0-20250909192348-e1e99e353074"
|
||||||
|
|
@ -178,12 +177,12 @@ func testData(t *testing.T) (betterTLS, *x509.CertPool) {
|
||||||
t.Fatalf("failed to decode trust root: %v", err)
|
t.Fatalf("failed to decode trust root: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
rootCert, err := x509.ParseCertificate(rootDER)
|
rootCert, err := ParseCertificate(rootDER)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("failed to parse trust root certificate: %v", err)
|
t.Fatalf("failed to parse trust root certificate: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
roots := x509.NewCertPool()
|
roots := NewCertPool()
|
||||||
roots.AddCert(rootCert)
|
roots.AddCert(rootCert)
|
||||||
|
|
||||||
return data, roots
|
return data, roots
|
||||||
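Review bot: `runTestSuite` (the signature at `func runTestSuite(t *testing.T, suiteName string, data *betterTLS, roots *CertPool)`) keeps a very generic name now that the file is compiled into the shared `package x509` test namespace, while the other helper was renamed from `testData` to `betterTLSTestData` for exactly that reason; I would rename it `runBetterTLSSuite` to match, and likewise consider whether `betterTLS` as a type name is distinct enough from the package's own identifiers. A related point of style: the old file was an external test package (`package tls_test`) and exercised only exported API, and every change in the diff is just dropping the `x509.` qualifier, so `package x509_test` with `import "crypto/x509"` would keep the suite black-box and avoid any name collisions with internal test helpers — worth a deliberate decision either way. Both `runTestSuite` and `betterTLSTestData` continue outside the visible hunks, so I cannot see whether other local names would clash.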