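// Copyright 2023 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package x509

//go:generate go run gen_testing_root.go

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"encoding/pem"
	"math/big"
	"os"
	"runtime"
	"strings"
	"testing"
	"time"
)

// In order to run this test suite locally, you need to insert the test root, at
// the path below, into your trust store. This root is constrained such that it
// should not be dangerous to local developers to trust, but care should be
// taken when inserting it into the trust store not to give it increased
// permissions.
//
// On macOS the certificate can be further constrained to only be valid for
// 'SSL' in the certificate properties pane of the 'Keychain Access' program.
//
// On Windows the certificate can also be constrained to only server
// authentication in the properties pane of the certificate in the
// "Certificates" snap-in of mmc.exe.

const (
	// rootCertPath is the PEM file holding the test root certificate.
	rootCertPath = "platform_root_cert.pem"
	// rootKeyPath is the PEM file holding the EC private key of the test root.
	rootKeyPath = "platform_root_key.pem"
)

// TestPlatformVerifier signs short-lived leaf certificates with the test root
// and checks the result of Certificate.Verify when VerifyOptions leaves Roots
// unset. It runs only on windows and darwin, and is skipped when the test root
// itself does not verify (i.e. it has not been added to the trust store).
//
// The signing key for the test root is read from rootKeyPath, a file that sits
// next to this test, so it has to be treated as public: anyone can issue
// certificates under this root. Keep the root in a trust store only for as long
// as a test run needs it, with the usage restrictions described above.
func TestPlatformVerifier(t *testing.T) {
	if runtime.GOOS != "windows" && runtime.GOOS != "darwin" {
		t.Skip("only tested on windows and darwin")
	}

	der, err := os.ReadFile(rootCertPath)
	if err != nil {
		t.Fatalf("failed to read test root: %s", err)
	}
	b, _ := pem.Decode(der)
	// pem.Decode returns a nil block when the file holds no PEM data; fail
	// with a clear message instead of dereferencing nil below.
	if b == nil {
		t.Fatalf("failed to decode test root: no PEM block in %s", rootCertPath)
	}
	testRoot, err := ParseCertificate(b.Bytes)
	if err != nil {
		t.Fatalf("failed to parse test root: %s", err)
	}

	der, err = os.ReadFile(rootKeyPath)
	if err != nil {
		t.Fatalf("failed to read test key: %s", err)
	}
	b, _ = pem.Decode(der)
	if b == nil {
		t.Fatalf("failed to decode test key: no PEM block in %s", rootKeyPath)
	}
	testRootKey, err := ParseECPrivateKey(b.Bytes)
	if err != nil {
		t.Fatalf("failed to parse test key: %s", err)
	}

	// Without the root in the trust store every chain below would fail, so
	// skip rather than report failures that say nothing about the verifier.
	if _, err := testRoot.Verify(VerifyOptions{}); err != nil {
		t.Skipf("test root is not in trust store, skipping (err: %q)", err)
	}

	now := time.Now()

	// expectedErr is the error prefix wanted on every platform; windowsErr and
	// macosErr override it on the respective OS. An empty expectation means
	// verification must succeed.
	tests := []struct {
		name        string
		cert        *Certificate
		selfSigned  bool
		dnsName     string
		time        time.Time
		eku         []ExtKeyUsage
		expectedErr string
		windowsErr  string
		macosErr    string
	}{
		{
			name: "valid",
			cert: &Certificate{
				SerialNumber: big.NewInt(1),
				DNSNames:     []string{"valid.testing.golang.invalid"},
				NotBefore:    now.Add(-time.Hour),
				NotAfter:     now.Add(time.Hour),
				ExtKeyUsage:  []ExtKeyUsage{ExtKeyUsageServerAuth},
			},
		},
		{
			name: "valid (with name)",
			cert: &Certificate{
				SerialNumber: big.NewInt(1),
				DNSNames:     []string{"valid.testing.golang.invalid"},
				NotBefore:    now.Add(-time.Hour),
				NotAfter:     now.Add(time.Hour),
				ExtKeyUsage:  []ExtKeyUsage{ExtKeyUsageServerAuth},
			},
			dnsName: "valid.testing.golang.invalid",
		},
		{
			name: "valid (with time)",
			cert: &Certificate{
				SerialNumber: big.NewInt(1),
				DNSNames:     []string{"valid.testing.golang.invalid"},
				NotBefore:    now.Add(-time.Hour),
				NotAfter:     now.Add(time.Hour),
				ExtKeyUsage:  []ExtKeyUsage{ExtKeyUsageServerAuth},
			},
			time: now.Add(time.Minute * 30),
		},
		{
			name: "valid (with eku)",
			cert: &Certificate{
				SerialNumber: big.NewInt(1),
				DNSNames:     []string{"valid.testing.golang.invalid"},
				NotBefore:    now.Add(-time.Hour),
				NotAfter:     now.Add(time.Hour),
				ExtKeyUsage:  []ExtKeyUsage{ExtKeyUsageServerAuth},
			},
			eku: []ExtKeyUsage{ExtKeyUsageServerAuth},
		},
		{
			name: "wrong name",
			cert: &Certificate{
				SerialNumber: big.NewInt(1),
				DNSNames:     []string{"valid.testing.golang.invalid"},
				NotBefore:    now.Add(-time.Hour),
				NotAfter:     now.Add(time.Hour),
				ExtKeyUsage:  []ExtKeyUsage{ExtKeyUsageServerAuth},
			},
			dnsName:     "invalid.testing.golang.invalid",
			expectedErr: "x509: certificate is valid for valid.testing.golang.invalid, not invalid.testing.golang.invalid",
		},
		{
			name: "expired (future)",
			cert: &Certificate{
				SerialNumber: big.NewInt(1),
				DNSNames:     []string{"valid.testing.golang.invalid"},
				NotBefore:    now.Add(-time.Hour),
				NotAfter:     now.Add(time.Hour),
				ExtKeyUsage:  []ExtKeyUsage{ExtKeyUsageServerAuth},
			},
			time:        now.Add(time.Hour * 2),
			expectedErr: "x509: certificate has expired or is not yet valid",
		},
		{
			// NOTE(review): this case verifies at now+2h, exactly like
			// "expired (future)", so a time before NotBefore is never
			// exercised. Confirm the intent before changing it: the platform
			// error for a not-yet-valid certificate may differ from the
			// expiry error expected here.
			name: "expired (past)",
			cert: &Certificate{
				SerialNumber: big.NewInt(1),
				DNSNames:     []string{"valid.testing.golang.invalid"},
				NotBefore:    now.Add(-time.Hour),
				NotAfter:     now.Add(time.Hour),
				ExtKeyUsage:  []ExtKeyUsage{ExtKeyUsageServerAuth},
			},
			time:        now.Add(time.Hour * 2),
			expectedErr: "x509: certificate has expired or is not yet valid",
		},
		{
			name: "self-signed",
			cert: &Certificate{
				SerialNumber: big.NewInt(1),
				DNSNames:     []string{"valid.testing.golang.invalid"},
				NotBefore:    now.Add(-time.Hour),
				NotAfter:     now.Add(time.Hour),
				ExtKeyUsage:  []ExtKeyUsage{ExtKeyUsageServerAuth},
			},
			selfSigned: true,
			macosErr:   "x509: “valid.testing.golang.invalid” certificate is not trusted",
			windowsErr: "x509: certificate signed by unknown authority",
		},
		{
			name: "non-specified KU",
			cert: &Certificate{
				SerialNumber: big.NewInt(1),
				DNSNames:     []string{"valid.testing.golang.invalid"},
				NotBefore:    now.Add(-time.Hour),
				NotAfter:     now.Add(time.Hour),
				ExtKeyUsage:  []ExtKeyUsage{ExtKeyUsageServerAuth},
			},
			eku:         []ExtKeyUsage{ExtKeyUsageEmailProtection},
			expectedErr: "x509: certificate specifies an incompatible key usage",
		},
		{
			name: "non-nested KU",
			cert: &Certificate{
				SerialNumber: big.NewInt(1),
				DNSNames:     []string{"valid.testing.golang.invalid"},
				NotBefore:    now.Add(-time.Hour),
				NotAfter:     now.Add(time.Hour),
				ExtKeyUsage:  []ExtKeyUsage{ExtKeyUsageEmailProtection},
			},
			macosErr:   "x509: “valid.testing.golang.invalid” certificate is not permitted for this usage",
			windowsErr: "x509: certificate specifies an incompatible key usage",
		},
	}

	// One freshly generated leaf key is shared by all cases; only the
	// certificate template and the verification options vary.
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		t.Fatalf("ecdsa.GenerateKey failed: %s", err)
	}

	for _, tc := range tests {
		tc := tc
		t.Run(tc.name, func(t *testing.T) {
			t.Parallel()

			// A self-signed case names the template as its own issuer, so the
			// resulting chain does not lead to the trusted test root.
			parent := testRoot
			if tc.selfSigned {
				parent = tc.cert
			}
			certDER, err := CreateCertificate(rand.Reader, tc.cert, parent, leafKey.Public(), testRootKey)
			if err != nil {
				t.Fatalf("CreateCertificate failed: %s", err)
			}
			cert, err := ParseCertificate(certDER)
			if err != nil {
				t.Fatalf("ParseCertificate failed: %s", err)
			}

			// Only fields the case sets are copied over; everything else keeps
			// its zero value, including Roots.
			var opts VerifyOptions
			if tc.dnsName != "" {
				opts.DNSName = tc.dnsName
			}
			if !tc.time.IsZero() {
				opts.CurrentTime = tc.time
			}
			if len(tc.eku) > 0 {
				opts.KeyUsages = tc.eku
			}

			expectedErr := tc.expectedErr
			if runtime.GOOS == "darwin" && tc.macosErr != "" {
				expectedErr = tc.macosErr
			} else if runtime.GOOS == "windows" && tc.windowsErr != "" {
				expectedErr = tc.windowsErr
			}

			// Errors are matched by prefix because the expected strings do not
			// include any detail appended after the fixed message.
			_, err = cert.Verify(opts)
			switch {
			case err != nil && expectedErr == "":
				t.Errorf("unexpected verification error: %s", err)
			case err != nil && !strings.HasPrefix(err.Error(), expectedErr):
				t.Errorf("unexpected verification error: got %q, want %q", err.Error(), expectedErr)
			case err == nil && expectedErr != "":
				t.Errorf("unexpected verification success: want %q", expectedErr)
			}
		})
	}
}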