package verifyhostnamesconfusion | |
import ( | |
"crypto/tls" | |
"testing" | |
"github.com/getlantern/keyman" | |
"github.com/getlantern/testify/assert" | |
) | |
// CERTIFICATE_ERROR is the substring of the x509 verification failure that the
// tests below look for when the peer's chain does not lead to a certificate in
// the configured RootCAs pool.
const CERTIFICATE_ERROR = "x509: certificate signed by unknown authority"
// TestUsingServerName shows the pattern that does enforce chain validation:
// verification stays enabled and RootCAs holds only a certificate that cannot
// vouch for facebook.com's chain, so tls.Dial itself fails and the error
// carries CERTIFICATE_ERROR. tls.Dial fills in ServerName from the dial
// address, so none is set explicitly. The test needs network access to
// facebook.com:443.
func TestUsingServerName(t *testing.T) {
	wrongRoot, err := keyman.LoadCertificateFromPEMBytes([]byte(GoogleInternetAuthority))
	if err != nil {
		t.Fatalf("Unable to load GoogleInternetAuthority cert: %s", err)
	}

	cfg := &tls.Config{RootCAs: wrongRoot.PoolContainingCert()}
	conn, err := tls.Dial("tcp", "facebook.com:443", cfg)
	if conn != nil {
		// Not expected to succeed, but never leak the socket if it does.
		conn.Close()
	}

	assert.Error(t, err, "There should have been a problem dialing")
	if err == nil {
		return
	}
	assert.Contains(t, err.Error(), CERTIFICATE_ERROR, "Wrong error on dial")
}
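// TestUsingVerifyHostname demonstrates an erroneous usage of VerifyHostname that
// at first glance seems like it should work, but doesn't because VerifyHostname
// doesn't actually verify the certificate chain against the RootCAs.
//
// InsecureSkipVerify turns off chain validation during the handshake, and
// VerifyHostname only matches the peer's presented names against the host it
// is given; nothing in this sequence ever checks the chain against RootCAs, so
// the CERTIFICATE_ERROR this test looks for is not produced and the test is
// expected to fail. The test needs network access to facebook.com:443.
func TestUsingVerifyHostname(t *testing.T) {
	wrongRoot, err := keyman.LoadCertificateFromPEMBytes([]byte(GoogleInternetAuthority))
	if err != nil {
		t.Fatalf("Unable to load GoogleInternetAuthority cert: %s", err)
	}

	conn, err := tls.Dial("tcp", "facebook.com:443", &tls.Config{
		InsecureSkipVerify: true,
		RootCAs:            wrongRoot.PoolContainingCert(),
	})
	assert.NoError(t, err, "Initial dial shouldn't have resulted in error")
	// assert.NoError only records the failure; without this guard a failed dial
	// would dereference a nil conn below.
	if err != nil || conn == nil {
		return
	}
	defer conn.Close()

	// Verify while the connection is still open rather than after closing it.
	err = conn.VerifyHostname("facebook.com")
	assert.Error(t, err, "There should have been a problem verifying hostname")
	if err != nil {
		assert.Contains(t, err.Error(), CERTIFICATE_ERROR, "Wrong error on VerifyHostname")
	}
}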
// GoogleInternetAuthority is a PEM-encoded CA certificate used as the sole
// entry of the RootCAs pool in the tests above. It is chosen because it is
// expected NOT to be part of facebook.com's chain, so verification against it
// should fail with CERTIFICATE_ERROR. The encoded validity period will
// eventually lapse; the tests' outcome depends on the live facebook.com chain
// rather than on this certificate's expiry. (Per the constant name this is
// Google Internet Authority G2 — decode the PEM to confirm.)
const GoogleInternetAuthority = `-----BEGIN CERTIFICATE-----
MIID8DCCAtigAwIBAgIDAjp2MA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTMwNDA1MTUxNTU1WhcNMTYxMjMxMjM1OTU5WjBJMQswCQYDVQQG
EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy
bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP
VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv
h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE
ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ
EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC
DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB5zCB5DAfBgNVHSMEGDAWgBTAephojYn7
qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wEgYD
VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwNQYDVR0fBC4wLDAqoCig
JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMC4GCCsGAQUF
BwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDovL2cuc3ltY2QuY29tMBcGA1UdIAQQ
MA4wDAYKKwYBBAHWeQIFATANBgkqhkiG9w0BAQUFAAOCAQEAJ4zP6cc7vsBv6JaE
+5xcXZDkd9uLMmCbZdiFJrW6nx7eZE4fxsggWwmfq6ngCTRFomUlNz1/Wm8gzPn6
8R2PEAwCOsTJAXaWvpv5Fdg50cUDR3a4iowx1mDV5I/b+jzG1Zgo+ByPF5E0y8tS
etH7OiDk4Yax2BgPvtaHZI3FCiVCUe+yOLjgHdDh/Ob0r0a678C/xbQF9ZR1DP6i
vgK66oZb+TWzZvXFjYWhGiN3GhkXVBNgnwvhtJwoKvmuAjRtJZOcgqgXe/GFsNMP
WOH7sf6coaPo/ck/9Ndx3L2MpBngISMjVROPpBYCCX65r+7bU2S9cS+5Oc4wt7S8
VOBHBw==
-----END CERTIFICATE-----`