From 2a1affdbc46850416fad72196f6adaa319feb0a6 Mon Sep 17 00:00:00 2001 From: cstkingkey Date: Sat, 31 Jan 2026 09:11:52 +0800 Subject: [PATCH 1/4] Regenerate mock certificate data --- rustls-platform-verifier/src/tests/mod.rs | 4 ++-- .../verification_mock/root1-int1-ee_1-good.crt | Bin 413 -> 412 bytes .../verification_mock/root1-int1-ee_1-good.ocsp | Bin 299 -> 298 bytes .../root1-int1-ee_1-revoked.crt | Bin 413 -> 414 bytes .../root1-int1-ee_1-revoked.ocsp | Bin 317 -> 316 bytes .../root1-int1-ee_1-wrong_eku.crt | Bin 413 -> 413 bytes .../root1-int1-ee_127.0.0.1-good.crt | Bin 401 -> 401 bytes .../root1-int1-ee_127.0.0.1-good.ocsp | Bin 298 -> 300 bytes .../root1-int1-ee_127.0.0.1-revoked.crt | Bin 401 -> 401 bytes .../root1-int1-ee_127.0.0.1-revoked.ocsp | Bin 317 -> 315 bytes .../root1-int1-ee_127.0.0.1-wrong_eku.crt | Bin 400 -> 401 bytes .../root1-int1-ee_example.com-good.crt | Bin 408 -> 409 bytes .../root1-int1-ee_example.com-good.ocsp | Bin 299 -> 299 bytes .../root1-int1-ee_example.com-revoked.crt | Bin 407 -> 409 bytes .../root1-int1-ee_example.com-revoked.ocsp | Bin 316 -> 316 bytes .../root1-int1-ee_example.com-wrong_eku.crt | Bin 408 -> 409 bytes .../src/tests/verification_mock/root1-int1.crt | Bin 440 -> 440 bytes .../src/tests/verification_mock/root1.crt | Bin 402 -> 403 bytes 18 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rustls-platform-verifier/src/tests/mod.rs b/rustls-platform-verifier/src/tests/mod.rs index 134a20f..9f799d8 100644 --- a/rustls-platform-verifier/src/tests/mod.rs +++ b/rustls-platform-verifier/src/tests/mod.rs 
@@ -62,8 +62,8 @@ pub fn assert_cert_error_eq( /// we know the test certificates are valid. This must be updated if the mock certificates /// are regenerated. pub(crate) fn verification_time() -> pki_types::UnixTime { - // Sat, 3 January 2026 14:20:06 UTC - pki_types::UnixTime::since_unix_epoch(Duration::from_secs(1_767_450_006)) + // Sat, 31 January 2026 11:28:26 UTC + pki_types::UnixTime::since_unix_epoch(Duration::from_secs(1_769_858_906)) } fn test_provider() -> Arc { diff --git a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_1-good.crt b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_1-good.crt index 0968a956569cc4b3210e316b61f00faac30cd687..70c23702fb2d5afda83d4fea2d3aeab4d8b6cf6d 100644 GIT binary patch delta 270 zcmV+p0rCEw1Dpc{FoFS?kpwgtHZUw=cr547sr=!uOt(@(`(x>VD}cLQW0Zr_)n%Yi6F&{6kDGl|nNu%#2Pgj? zkg}qajT(TFvIc4^@p)^V5Q8`|Huyhr=eTl{4Zu^3YoZm&-jbEVkL>VR-jK&|lE#+TLeMRi}KQW_j=iHuAn zCS}rRdj>;(!$S(HH`9q3zuGZbJ+J1yw&oG?0dSYZXl6ZE?<7kykL8K$AwD+b{g+g!-{7b^zf Vg%NY1ds(qS3Z|m_0R%54H+DupcxnIu diff --git a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_1-good.ocsp b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_1-good.ocsp index 66e49a7e84864a5877ca34539018bd8c48d3e1c2..c2dd9ab436b269f145d725c9a2132d1124ff03d0 100644 GIT binary patch delta 264 zcmZ3@w2H~cpovk9i;-bL6QewkDb2>I&Bn;e%5K2O$kN2f0~F#gXq>Q6+(6V&*g%kt zIh2J$YP?8PJR5$x9i_+sR?F3`h5EO(xt!t zu2&RbVq|P!fGafsDK#*NS|A7(G6(902^ny)acH%9oU>(NW@b)jFi2rCCRS*2Ka@t1KwlYwFSi5Y_0 x3#)v7KKp+Bv7hMTsB6z^{_ZlIceZ*(t)KOs%icDRo~@9I>wP3Ar=9q#2LL28TVwzL delta 265 zcmZ3*w3^AspovkPi;-bL6QcrQ6+(6V&*g%kt zIh2J{a7#SNF;7W}^N(~I676^ic%z(OKLIzxH99nH2=WJP+nVB;f3{sg4l)ePN*|_6P z@xHSu4=xv8d%^c0bj$pHwq-t*F{h*SHmp7VHYe|n#?B===WUGG*`iENG8r;7_$-XG yb*lf)I(eB}j)>czZA*VKZ+iGM^^}SK-_?cZ*ZlBs(phmZAv35!f@#7==_mlJkXk$d 
diff --git a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_1-revoked.crt b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_1-revoked.crt index b4f4012e2a97ca70286c0cda43e9f027b24911d8..dcbc9e984d5022463163058c05637b6baf516b87 100644 GIT binary patch delta 272 zcmV+r0q_2u1D*o}FoFS^kpwgtHZUdP(o?dGQuYub{G@r3vxQDBN$Hf-WCp@3nR zNDMiLG#f$hA)YC3l%SP;!Oe;GPqa WYvInJl8YX8k4(+!O?55I#og6k>V4q= delta 271 zcmV+q0r38w1Dyi|FoFS@kpwgtH840aGBG(bF)%P%7Y#BuFgP(YF*!3akx(6Az?0WA zik<#t61|3ZyH#$tLpG0}LYUY(CiBLRVg?~mkjNyOl&b+P&Pr>N>@l0VODnoSk`uQ~ zusV*l1lZr(ez|hhdx1eZmBg4uC_475dck@}p7TV|Pl;-RM|=O`-| zRp$O~){9v4eaA}_z{N}})#T9vF#y$94Ao8k&Zpo!6fi;-bL6Qd!JsmsQx&Bn;e%5K2O$kN0p2NaSrXk55Z+(6V&*g%kt zIh2J$YP?8PJR5$x9i_+sR?F3`h5EO(xt!t zu2&RbVq{t<2v=$VQfgojg(0v2qQ)F(988S?7aNCGo5wj@7G`GV3Gjvgop z<_$|e;dkM;#ah?is4f2}fwe+~}@5m(p$s%2T delta 283 zcmdnPw3o@ppo!6vi;-bL6QdE3smI2t&Bn;e%5K2O$kN0p4-}F%Xk55Z+(6V&*g%kt zIh2J{a7?~Cd!j&31y0T)Qy)T&Y)=5oPUH%PT4h5i45<%Ja zYZCr=W}AC5;OeMv)%22Z>LeC^8E6g?=94tKyV}M1gzb^dCKO+p?XT{%d{YO-=a;W_ zrTYD^ArO-X0W)J)l*=N;FJ@E#<2t3B5-kWs&f&6kimnn!=~Z8W(9?9 zbT-6v7Q#0IF#ypHiy87j*ge@@(;{lKAk7)qRr2K};;my8G`k&zu_R0g%!3Sp{NHUE J5v$vkw~V9Gbou}Q delta 259 zcmV+e0sQ`*1DykqI2biBI59FYIWsXZFj^N4GB+?dF*7kaGcl1+9bn^yPn?CWd<~TE zjVOhL>lTn%4K6|7{GtJ8M|*BquGh%Vm${r^vH-KVMwV{`wx~)~pgYe8 zE)frvRU+&foxoFQYbya6kT}S-1wTS%0C6C+CkKs^y)}`|CKP_25$=Kj=INf5eyco$ z^Tk=6qk@wM0W)J=m{3OWdk!Nq*+OJm4h_wkf5m-xj~1?8k!A@@VI^VI`!?$JP!!R(c;guohAP0iWWLO+RKVSc3Bp=4HVs*tocHa&w$js5 JGZML@WX59XaAE)e 
diff --git a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_127.0.0.1-good.crt b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_127.0.0.1-good.crt index 70b398f59511faea3af72c4188a6fa926695a812..bf6046379019ae78eb9231c7c0a1bcb387430a8f 100644 GIT binary patch delta 260 zcmV+f0sH=u1CaxeI2blCF*7hRF)}zXFj^N4GB_|XGchqSGB}Y?9bkq#y#?FOqO*)R z%BAr}B|+4Q%^kzUr6t?9x(40pZX)x*C?vQ!>&7QT2Y1k&bdobTEtx6ZU^4$IB*}Qs zj<5Q2A|zcvCVRkYL|~`Qa>?(Kx-wU)*nstd`Y))f7qyYiCKO+p?XT{%d{YO-=a;W_ zrTYD^ArO-X0VZTHM^w?cj}R%-JVoYG+dO*nit8i@ddymDZ8XCKP_25$=Kj=INf5eyco$ z^Tk=6qk@wM0VZTI0J(UfmK03YeYQ=KCfM5dTKN6?FY)%@Z7TZGXnT>#= zr$?r2G1P%kssb=W%l0DphCA{Q6+(6V&*g%kt zIh2J$YP?8PJR5$x9i_+sR?F3`h5EO(xt!t zu2&RbVq|P!fGafsDK#*NS|A7(G6(902^ny)acH%9oU>(NW@gT0Fi2xEWLTpf$-Zn! zz+2ukz8lO7zUDNh@;?xrk)0s^I{wbO>C=DBdwr|rUq|$WN^XXns5z!ptAKho-94N! zBYOS8*UTo*q>rza$TWU@+iTl49#^q{>Pm?ZKIS-;xqc3s!?non_9Uqf`?ml9e|%aj delta 264 zcmZ3(w2H~cpovk9i;-bL6QewkDb2>I&Bn;e%5K2O$kN2f0~F#gXq>Q6+(6V&*g%kt zIh2J{a7#SNF;7W}^N(~I676^ic%z(OKLIzxH99nH2=WJP+nVHiW3{sd3Se@BdDf)Pp z?zr;s>9IceDZ(L^hsnWAl88fmOG!eqeP8F%SEJ3Tt$La2$JWe0=Z$7y{Hgh#v?Y=%B zVCBso)~3x?I2<4+PsIb!rF&@OD)Xbc|K=99@3c2JYv7U1CKO+p?XT{%d{YO-=a;W_ zrTYD^ArO-X0VZTHZJg|Jk&7fCcC$e>5XCk;FE5shd&%AMn4T4nf=A1?hQwTpp!Bug zp_C|%1up}w0xsONkkq0t$`c28vb9sgtbjJxI#q%7$)$?(${77z=)8 KjTxLmJpO(`{CU#= delta 260 zcmV+f0sH=u1CaxeI2biBI59FYIWsXZFj^N4GB+?dF*7kaGcl1+9blxAO8&^>o@r-U zN01g;W}Mw_d-4h-U+hng!vJl_*0>P`k^k1OqBOif<4fG0ehXsE-h#2k)wdTi5&pO(i>7b8irf_0*zjLdU`zC9ILnCKP_25$=Kj=INf5eyco$ z^Tk=6qk@wM0VZTI0K?DA<-aVaHNk~{HU}n99D1}ap`?GQ7Rpp~L~1Z2h71=NR%+qc z{%Gr{@|*vdg#s{1j?giTqjt0mmHv_Q!x6X?5=_V%$h`n25mQYMwM=FR?GaZ)J&Ak! K?%{^4m#jK_esr4v 
diff --git a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_127.0.0.1-revoked.ocsp b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_127.0.0.1-revoked.ocsp index 6dff38ec934b2e6a73ea618c78c7a42bfcd4ebd4..b9ca0b27b826a5afd71bb205eb0fdb8c09e48260 100644 GIT binary patch delta 281 zcmdnXw42Gtpo!6(i;-bL6Qco;sl&#p&Bn;e%5K2O$kN0p3lx$xXk55Z+(6V&*g%kt zIh2J$YP?8PJR5$x9i_+sR?F3`h5EO(xt!t zu2&RbVq{t<2v=$VQfgojg(0v2qQ)F(988S?7aNCGo5wj@7G`GVbOwVICWF`+8%*Zc zOzi5szajJC@-p?fmV-BgcBd{}@c^N+Pyhp@#0OOd^0M`ARkgFjyrWdi^!16gta delta 283 zcmdnZw3o@ppo!6vi;-bL6QdE3smI2t&Bn;e%5K2O$kN0p4-}F%Xk55Z+(6V&*g%kt zIh2J{a7?~Cd!j&3HJiX6vzGQyRyEiwcsWAfpS(jSC diff --git a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_127.0.0.1-wrong_eku.crt b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_127.0.0.1-wrong_eku.crt index 17bdbc054ec67b33e05551c3441b726d4db66ce7..709f3cfaaffccee427201e0c047160bbc93199d1 100644 GIT binary patch delta 271 zcmV+q0r38i1Cav+FoFS%kpwgtHZUvqK-3` Vh|5!z8G;`8C4s3hZyG6ekWi!Ad*1*6 delta 270 zcmV+p0rCEk1CRp*FoFS$kpwgtH840aGBG(bF)%P%7Y#BuFgP(YF*!3akx(6A0N3Yn zH3;DNg`eAFy4AB75j{}z)*DxWQeL!2TjDv>#kiIfP34(#Hdnuv U603=@FHmD@g$?h5(t#mcslEt(O#lD@ 
diff --git a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_example.com-good.crt b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_example.com-good.crt index 0c2364f41aa735320f80c580cb8722ac37551253..6d657c54dd2a6e4c4cc43befd2dd3bb8d13da51e 100644 GIT binary patch delta 272 zcmV+r0q_2p1DOK^FoFS& zjc^3oC*II(bP5+y9AS=QTNORhji?lY`A-U)FE$6ICBq{9S#p)1kplz)YlD`bBH7Ll WVWLfrN?}Fvk^S}FDN*0e-JyO_+;yD* delta 271 zcmV+q0r38r1DFE@FoFS;kpwgtH840aGBG(bF)%P%7Y#BuFgP(YF*!3akx(6AIIf=( zWqa}n)v#Y%M*2tQqN^W#Io@)AY*$xv48M%au=kfubC#4xNP1&e#9YxGln;XMujF2A zXbcgPkR7_yle&fbbkuKz^6IONu{K^T0-cBpT~m@tz9S_0-aDojkr@_y!P&35pZr-c=N6afu@Np|PQ%p^?QzAD#O6nQzy>+fozEe)ReD^`%RH{avppz{JSdz#zeI zWMBkRY5-DdU=X!H5G-VlBxJzF#-Y{ban6>7nVC6*!622%kYWB55x-NDqJDL{2{(nW zUfSyV?yJ7x*{v1Ny}Lhj7Svxb|9j=CN~KLp77xFj+*Fg9mzfNd?wqc!n^lm=-~CW{ qr-ZZ9hoX3!<2(NW@gS{Fi2%GP@4AbxJ8Yn_7>Bb@{edYp5mjc?{!z8z6r}Ef7QY?zSd=SDm_EoO*TqMawe@UG*9Q zJv8k4EzmO5k+MvLC)Qi1V-}RqTFBWKgvnGeK=B$X>SUSD7T4%NkNY<``Ujfwh@o)eZhgLXP7r$Tt3#^A4%!8 z5Bjlpx+o>^NCuo9{`RgPJsn5K0x?zn(FwW#dtZPji9XNr6vucgTBx$ z;=4Q}=HSV1#&0}n-s-Yo2=^FY88sYX1fP_F?<$zw!-~LjQ#m%>kbX7Rh=jTFjhH3LwE4%C7~0vlsEJQBbdiw8w!h`c)2YtVbJNQ Uf#^iFfMDiyGH2?2h2_~Y4j&zRqW}N^ 
diff --git a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_example.com-revoked.ocsp b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_example.com-revoked.ocsp index bbd64a3708ddf3d8243d62b0046e9c2a5fe9f5de..daaf181fbc151cd4105c95599194bcd7a94a86d3 100644 GIT binary patch delta 217 zcmdnPw1;VeGpCt>p|PQ%p^?QzAD#O6nQzy>+fozEe)ReD^`%RH{avppz{JS3P*8&3 z$iN7s)BvQ^z#s}kU;#vpIg%O!E;bIWHji_*EX>Tz84L!gOoj|oXL-a_YtC}|Yrp97 z7ao@2LzC4RIA885_-(aQfyZ^nhR3yQe3<|13RwM{p~*a*L;g9FL4H)@!=Gl&BH{1d sj*LATDfkt51b;nr|b%6X=&)EM>|dd01diN7XSbN delta 217 zcmdnPw1;VeGpDJ6g`u&brLo~eAD#NTd4lhn7@obHH??lHP0Qz_k#iR}F)=bN6qMjM zGB5%uH3BI$Fo?nsSO8IDhNQ-Ti;Y98&EuRc3o|ow27^H=lL4nh_ks4>E$_{A7u^VR zyzOHA|B$wPS%uGhUtf&}r(N@TBzGU}F0a$t|43@FSKP;rw@ii%{W(rAG;1He51oG{ rM~`LY!EI@cyRU!Ss5g72$+ZsqA3`&mILggz7s(ymBb4@k+CdfoMEp=H diff --git a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_example.com-wrong_eku.crt b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_example.com-wrong_eku.crt index e311b4fa98c2bc937752ade4224b2a40179ebf75..c6212126fe113c6c78ca2af461cc76a6c3e3f3f4 100644 GIT binary patch delta 272 zcmV+r0q_2p1DOK^FoFSUvRNl_iG+Z?Q2^q7Baa;f9?=q91d;K4-k^CBR$=UZX9pX?suWBlM!#diCL&rR-U^5j z!G`O3qF)+MCy{_>>z|-jMeC?Z?Piw^2$sn;E%G3HB-3I(5ulJ{Cq*$qKG7 z6VMpXqP$qHDI8JoY}gQ8b26m@F#v~^2>tgnZ~(_+5;e+;_Om4ruR%n}q;VxA>MBms VhBE;cDwNN@sig9Qf4{7*G}tK)69BJPqTfC& zQvV99f3#rFTqTW@%6zG-AZ#vjhD9yC>Lt`h7HxT>bUa|yT#=vJsj89PFn?c}?XT{%d{YO-=a;W_ zrTYD^ArLSh1_M~Rqb z2t(Sh;2J&F;n1}td}A35`54liv!g^GoA$kkC) zueaF6kKnr^b1S-}FbW0;DuzhTJp=;-18D#-W&$w)($15fxM}v?q_HwNBqQdU+95k- zhl~S>aJvEKDnyxU1GJCSop-ZuXfeCs!bNXx0x#A9x za8ZGs#lzpc-?3<|_WKC&7brk-~CT0hQ5R;PEFbW0;DuzhTJp=;-184v+WdblKR|W0P<50EzhbrMPA<#)HQQSIV z?X(Z8Z3fpHXspvkCCsz&RzYaYE^|NG${zLtF#yFi&Yx$&5t^XHAbWP+T+ui!-Uz8H efAJR0gxe%D^J?7}L&hl!E0jRqen>f(0ib_r*m^Ml From 4e0db54d9f01cb1b220dba9415e4b8e4e89ae497 Mon Sep 17 00:00:00 2001 
From: cstkingkey Date: Sat, 31 Jan 2026 09:33:16 +0800 Subject: [PATCH 2/4] Add initial new_with_extra_roots testing --- .../src/tests/verification_mock/ca.go | 25 ++++- .../src/tests/verification_mock/mod.rs | 93 ++++++++++++++++-- .../src/tests/verification_mock/root2.crt | Bin 0 -> 474 bytes .../src/tests/verification_mock/root3.crt | Bin 0 -> 442 bytes 4 files changed, 108 insertions(+), 10 deletions(-) create mode 100644 rustls-platform-verifier/src/tests/verification_mock/root2.crt create mode 100644 rustls-platform-verifier/src/tests/verification_mock/root3.crt diff --git a/rustls-platform-verifier/src/tests/verification_mock/ca.go b/rustls-platform-verifier/src/tests/verification_mock/ca.go index ec3b4de..0ed5edf 100644 --- a/rustls-platform-verifier/src/tests/verification_mock/ca.go +++ b/rustls-platform-verifier/src/tests/verification_mock/ca.go @@ -69,7 +69,7 @@ func doIt() error { var err error = nil - root1_key, err := generateRoot("root1", now) + root1_key, err := generateRoot("root1", now, "", true) if err != nil { return err } @@ -96,6 +96,16 @@ func doIt() error { } } + _, err = generateRoot("root2", now, "example.com", true) + if err != nil { + return err + } + + _, err = generateRoot("root3", now, "example.com", false) + if err != nil { + return err + } + return nil } @@ -210,11 +220,12 @@ func generateInt(intName string, serial int64, now time.Time, caKey crypto.Signe return intKey, nil } -func generateRoot(name string, now time.Time) (crypto.Signer, error) { +func generateRoot(name string, now time.Time, commonName string, IsCA bool) (crypto.Signer, error) { caKey, err := generateKey() if err != nil { return nil, err } + template := x509.Certificate{ SerialNumber: big.NewInt(1), Subject: pkix.Name{ 
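Review bot: The two new `generateRoot` calls in `doIt` discard the returned key and give no hint of what root2 and root3 are for, although they differ only in the `IsCA` argument and the Rust tests treat them as "self-signed CA" versus "self-signed leaf"; a one-line comment above each would save the reader a trip to mod.rs, e.g. `// root2: self-signed CA:TRUE certificate for example.com, presented directly as the server certificate by the Rust tests` and `// root3: same, but CA:FALSE, i.e. a plain self-signed leaf`. `doIt` starts outside this hunk.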
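Review bot: `generateRoot` gained two parameters that change the certificate profile but still has no doc comment, and the parameter `IsCA` is capitalised where Go parameters are lowerCamel (`isCA`), so the call sites in `doIt` read as positional booleans with no meaning attached. A doc comment along the lines of `// generateRoot emits a self-signed certificate whose Subject.Organization is name; isCA sets the basicConstraints CA bit, and a non-empty commonName turns it into a server-certificate shape (CN, SAN, serverAuth EKU).` would do. The rest of `generateRoot`, including the branch that consumes `commonName`, lies outside this hunk.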
@@ -222,11 +233,19 @@ func generateRoot(name string, now time.Time) (crypto.Signer, error) { }, NotBefore: now.Add(-OneDay), NotAfter: now.Add(OneYear), - IsCA: true, + IsCA: IsCA, KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true, } + if len(commonName) != 0 { + template.Subject.CommonName = commonName + template.KeyUsage = 0 + // See `generateEndEntity` for list of macOS requirements. + template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth} + template.DNSNames = []string{commonName} + } + cert, err := x509.CreateCertificate(rand.Reader, &template, &template, caKey.Public(), caKey) if err != nil { return nil, err diff --git a/rustls-platform-verifier/src/tests/verification_mock/mod.rs b/rustls-platform-verifier/src/tests/verification_mock/mod.rs index 38a2686..b38f5e2 100644 --- a/rustls-platform-verifier/src/tests/verification_mock/mod.rs +++ b/rustls-platform-verifier/src/tests/verification_mock/mod.rs @@ -28,7 +28,7 @@ use std::net::{Ipv4Addr, Ipv6Addr}; use std::sync::Arc; use rustls::client::danger::ServerCertVerifier; -use rustls::pki_types; +use rustls::pki_types::{self, CertificateDer}; #[cfg(not(any(target_vendor = "apple", windows)))] use rustls::pki_types::{DnsName, ServerName}; use rustls::{CertificateError, Error as TlsError, OtherError}; 
@@ -80,13 +80,21 @@ macro_rules! no_error { }; } -const ROOT1: pki_types::CertificateDer<'static> = - pki_types::CertificateDer::from_slice(include_bytes!("root1.crt")); +const ROOT1: CertificateDer = CertificateDer::from_slice(include_bytes!("root1.crt")); const ROOT1_INT1: &[u8] = include_bytes!("root1-int1.crt"); const ROOT1_INT1_EXAMPLE_COM_GOOD: &[u8] = include_bytes!("root1-int1-ee_example.com-good.crt"); const ROOT1_INT1_LOCALHOST_IPV4_GOOD: &[u8] = include_bytes!("root1-int1-ee_127.0.0.1-good.crt"); const ROOT1_INT1_LOCALHOST_IPV6_GOOD: &[u8] = include_bytes!("root1-int1-ee_1-good.crt"); +// `ffi-testing` is currently only used for Android, which doesn't support extra roots yet. +#[cfg_attr(feature = "ffi-testing", allow(unused))] +#[cfg(not(target_os = "android"))] +const ROOT2: CertificateDer = CertificateDer::from_slice(include_bytes!("root2.crt")); + +#[cfg_attr(feature = "ffi-testing", allow(unused))] +#[cfg(not(target_os = "android"))] +const ROOT3: CertificateDer = CertificateDer::from_slice(include_bytes!("root3.crt")); + const EXAMPLE_COM: &str = "example.com"; const LOCALHOST_IPV4: &str = "127.0.0.1"; const LOCALHOST_IPV6: &str = "::1"; @@ -111,8 +119,8 @@ pub(super) fn verification_without_mock_root() { let verifier = Verifier::new(crypto_provider).unwrap(); let server_name = pki_types::ServerName::try_from(EXAMPLE_COM).unwrap(); - let end_entity = pki_types::CertificateDer::from(ROOT1_INT1_EXAMPLE_COM_GOOD); - let intermediates = [pki_types::CertificateDer::from(ROOT1_INT1)]; + let end_entity = CertificateDer::from(ROOT1_INT1_EXAMPLE_COM_GOOD); + let intermediates = [CertificateDer::from(ROOT1_INT1)]; // Fails because the server cert has no trust root in Windows, and can't since it uses a self-signed CA. // Similarly on UNIX platforms using the Webpki verifier, it can't fetch extra certificates through 
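Review bot: The comment above `ROOT2` explains the Android `cfg` but not the `cfg_attr(feature = "ffi-testing", allow(unused))` beside it — if `ffi-testing` really is Android-only, the `cfg(not(target_os = "android"))` already removes the item and the `allow` never fires, so presumably the feature is also enabled on non-Android builds where the `#[test]` functions that use these consts are not compiled, and the comment should say which case it covers. Something like `// Used only by the #[test] fns below: absent on Android (no extra-root support), and unused under ffi-testing because those fns are not built.` — adjusted to whatever is actually true — placed once above both `ROOT2` and `ROOT3` rather than on `ROOT2` alone.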
@@ -139,6 +147,77 @@ fn test_verification_without_mock_root() { verification_without_mock_root() } +#[cfg(not(target_os = "android"))] +#[test] +fn test_selfsigned_cert_with_extra_roots() { + let crypto_provider = test_provider(); + + let selfsigned = ROOT2; + let selfsigned_as_leaf = ROOT3; + let roots = vec![selfsigned.clone(), selfsigned_as_leaf.clone()]; + let server_name = pki_types::ServerName::try_from(EXAMPLE_COM).unwrap(); + + let verifier = Verifier::new_with_extra_roots(roots, crypto_provider).unwrap(); + + let result = + verifier.verify_server_cert(&selfsigned, &[], &server_name, &[], verification_time()); + + #[cfg(target_vendor = "apple")] + assert!( + result.is_ok(), + "failed to validate self-signed ca certificate" + ); + + #[cfg(not(target_vendor = "apple"))] + assert!( + result.is_err(), + "self-signed ca certificate is accepted unexpectly" + ); + + let result = verifier.verify_server_cert( + &selfsigned_as_leaf, + &[], + &server_name, + &[], + verification_time(), + ); + + #[cfg(not(target_os = "windows"))] + assert!( + result.is_ok(), + "failed to validate self-signed leaf certificate" + ); + + #[cfg(target_os = "windows")] + assert!( + result.is_err(), + "self-signed leaf certificate is accepted unexpectly" + ); +} + +#[cfg(not(target_os = "android"))] +#[test] +fn test_chain_signed_with_extra_roots() { + let crypto_provider = test_provider(); + + let server_name = pki_types::ServerName::try_from(EXAMPLE_COM).unwrap(); + let end_entity = CertificateDer::from(ROOT1_INT1_EXAMPLE_COM_GOOD); + let intermediates = [CertificateDer::from(ROOT1_INT1)]; + let roots = vec![ROOT1]; + + let verifier = Verifier::new_with_extra_roots(roots, crypto_provider).unwrap(); + + verifier + .verify_server_cert( + &end_entity, + &intermediates, + &server_name, + &[], + verification_time(), + ) + .expect("failed to validate extra root-only certificate chain"); +} + // Note: Android does not currently support IP address hosts, so these tests are disabled for // Android. 
// Verifies that our test trust anchor(s) are not trusted when `Verifier::new()` @@ -349,10 +428,10 @@ fn test_with_mock_root( let mut chain = test_case .chain .iter() - .map(|bytes| pki_types::CertificateDer::from(*bytes)); + .map(|bytes| CertificateDer::from(*bytes)); let end_entity = chain.next().unwrap(); - let intermediates: Vec> = chain.collect(); + let intermediates: Vec> = chain.collect(); let server_name = pki_types::ServerName::try_from(test_case.reference_id).unwrap(); diff --git a/rustls-platform-verifier/src/tests/verification_mock/root2.crt b/rustls-platform-verifier/src/tests/verification_mock/root2.crt new file mode 100644 index 0000000000000000000000000000000000000000..72579d64002bfa658075cc0b1b63b8c728f8c24a GIT binary patch literal 474 zcmXqLV!US1#2CAPnTe5!iILHOi;Y98&EuRc3p2BUnjxP74;ynR3zsl!QGR}jk)eoz z5Qxt#%$-`1m|KvOs+XLfYal1iYh-3%Xl!6;Xk=kv5C!C#1G$D!F45+c83?ekgKcMG zWMkECWMNQZPGVp&Gukb)bobd3)(Kr(=N-5=|6E6BZ`6{%m1pL=>^j4>bkE(4%S(7S zhhE~JF0hDczk5PW`jUAa>mO>MO%| z-4@@?QEn?+H8!htnAE;2K*pFVMfOPEUX61K*~TCB*4ca z#v+pAsDNvcy84OaG3=-Bj9$DMb z!1_q+!M8v04SITST0hu-_HX_fy4T`rM%4U!u0|K!^m_!H_VrDFoly9X$v`wMEN7!% x%_WEABTdYU=NnqOq%PPh^>EsrM612iZUx_*@om{FrJFXa&PyIjUTUzM2>>|Go}K^z literal 0 HcmV?d00001 
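Review bot: Both `is_err()` branches in `test_selfsigned_cert_with_extra_roots` accept any error, so a rejection for an unrelated reason (a name or time error, say) would pass as the expected "self-signed certificate not accepted"; the test module already defines `assert_cert_error_eq` (its signature is outside these hunks), so pinning the variant each platform currently reports would make the negative cases meaningful, and the same applies to the long-validity assertions added later in this series. The message strings misspell "unexpectedly" as `unexpectly` (twice here, again in patch 3). Since `ROOT2` and `ROOT3` are `const` items, `let roots = vec![ROOT2, ROOT3];` yields fresh values and the `.clone()` calls on `selfsigned`/`selfsigned_as_leaf` can go. A short comment before each platform-specific `#[cfg]` pair, e.g. `// Platform verifiers diverge here; this pins observed behaviour, not a spec requirement.`, would stop the next reader from treating the split as a bug.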
diff --git a/rustls-platform-verifier/src/tests/verification_mock/root3.crt b/rustls-platform-verifier/src/tests/verification_mock/root3.crt new file mode 100644 index 0000000000000000000000000000000000000000..0c619cdd65c4c1ed3401d3f2accdd034863f03e4 GIT binary patch literal 442 zcmXqLV%%oX#Av;MnTe5!iILHOi;Y98&EuRc3p2BUnjxP74;ynR3zsl!QGR}jv7v~8 z5Qxt#%$-`1m|KvOs+XLfYal1iYh-3%Xl!6;Xk=kv5C!C#1G$D!F45+c83?ekgKcMG zWMkECWMNQZPGVrmcri2Cap(D}T=jhuUo1bTzwqZq`h<%*YjdMpq2yjdnK Date: Sat, 31 Jan 2026 20:38:29 +0800 Subject: [PATCH 3/4] test long-validity period certificate --- .../src/tests/verification_mock/ca.go | 15 ++++++--- .../src/tests/verification_mock/mod.rs | 31 +++++++++++++++++- .../src/tests/verification_mock/root4.crt | Bin 0 -> 441 bytes 3 files changed, 40 insertions(+), 6 deletions(-) create mode 100644 rustls-platform-verifier/src/tests/verification_mock/root4.crt diff --git a/rustls-platform-verifier/src/tests/verification_mock/ca.go b/rustls-platform-verifier/src/tests/verification_mock/ca.go index 0ed5edf..dbe2f8f 100644 --- a/rustls-platform-verifier/src/tests/verification_mock/ca.go +++ b/rustls-platform-verifier/src/tests/verification_mock/ca.go @@ -69,7 +69,7 @@ func doIt() error { var err error = nil - root1_key, err := generateRoot("root1", now, "", true) + root1_key, err := generateRoot("root1", now, "", true, 365) if err != nil { return err } @@ -96,12 +96,17 @@ func doIt() error { } } - _, err = generateRoot("root2", now, "example.com", true) + _, err = generateRoot("root2", now, "example.com", true, 365) if err != nil { return err } - _, err = generateRoot("root3", now, "example.com", false) + _, err = generateRoot("root3", now, "example.com", false, 365) + if err != nil { + return err + } + + _, err = generateRoot("root4", now, "example.com", false, 1000) if err != nil { return err } 
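Review bot: The `root4` call passes a bare `1000` (and the others `365`) with nothing saying why 1000 days matters, even though the long lifetime is the whole reason root4 exists. A named constant or a comment at the call site would carry that intent, e.g. `// root4: ~2.7-year validity; the Rust tests expect Apple (and, after PATCH 4, Windows) to reject it as a self-signed leaf.` `doIt` starts outside this hunk.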
@@ -220,7 +225,7 @@ func generateInt(intName string, serial int64, now time.Time, caKey crypto.Signe return intKey, nil } -func generateRoot(name string, now time.Time, commonName string, IsCA bool) (crypto.Signer, error) { +func generateRoot(name string, now time.Time, commonName string, IsCA bool, validDays int64) (crypto.Signer, error) { caKey, err := generateKey() if err != nil { return nil, err @@ -232,7 +237,7 @@ func generateRoot(name string, now time.Time, commonName string, IsCA bool) (cry Organization: []string{name}, }, NotBefore: now.Add(-OneDay), - NotAfter: now.Add(OneYear), + NotAfter: now.Add(time.Duration(validDays) * 24 * time.Hour), IsCA: IsCA, KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true, diff --git a/rustls-platform-verifier/src/tests/verification_mock/mod.rs b/rustls-platform-verifier/src/tests/verification_mock/mod.rs index b38f5e2..ae1db53 100644 --- a/rustls-platform-verifier/src/tests/verification_mock/mod.rs +++ b/rustls-platform-verifier/src/tests/verification_mock/mod.rs @@ -95,6 +95,10 @@ const ROOT2: CertificateDer = CertificateDer::from_slice(include_bytes!("root2.c #[cfg(not(target_os = "android"))] const ROOT3: CertificateDer = CertificateDer::from_slice(include_bytes!("root3.crt")); +#[cfg_attr(feature = "ffi-testing", allow(unused))] +#[cfg(not(target_os = "android"))] +const ROOT4: CertificateDer = CertificateDer::from_slice(include_bytes!("root4.crt")); + const EXAMPLE_COM: &str = "example.com"; const LOCALHOST_IPV4: &str = "127.0.0.1"; const LOCALHOST_IPV6: &str = "::1"; 
@@ -154,7 +158,12 @@ fn test_selfsigned_cert_with_extra_roots() { let selfsigned = ROOT2; let selfsigned_as_leaf = ROOT3; - let roots = vec![selfsigned.clone(), selfsigned_as_leaf.clone()]; + let selfsigned_as_leaf_long_validity = ROOT4; + let roots = vec![ + selfsigned.clone(), + selfsigned_as_leaf.clone(), + selfsigned_as_leaf_long_validity.clone(), + ]; let server_name = pki_types::ServerName::try_from(EXAMPLE_COM).unwrap(); let verifier = Verifier::new_with_extra_roots(roots, crypto_provider).unwrap(); @@ -193,6 +202,26 @@ fn test_selfsigned_cert_with_extra_roots() { result.is_err(), "self-signed leaf certificate is accepted unexpectly" ); + + let result = verifier.verify_server_cert( + &selfsigned_as_leaf_long_validity, + &[], + &server_name, + &[], + verification_time(), + ); + + #[cfg(target_vendor = "apple")] + assert!( + result.is_err(), + "self-signed leaf certificate with long validity period is accepted unexpectly" + ); + + #[cfg(not(target_vendor = "apple"))] + assert!( + result.is_ok(), + "failed to validate self-signed leaf certificate with long validity period" + ); } #[cfg(not(target_os = "android"))] diff --git a/rustls-platform-verifier/src/tests/verification_mock/root4.crt b/rustls-platform-verifier/src/tests/verification_mock/root4.crt new file mode 100644 index 0000000000000000000000000000000000000000..0e3f11f016d3008d5f5b21cdd9f7100493d40d64 GIT binary patch literal 441 zcmXqLV%%!b#Av;MnTe5!iILHOi;Y98&EuRc3p2BUnjxP74;ynR3zsl!QGR}jiJ^#r z5Qxt#%$-`1m|KvOs+XLfYal1iYh-3%Xl!6;WNKz$5C!B~7#bLvL%BqoQ)VE*#tycf ziII&}yOD)Ki8+aZ#U}cH$8PRtiH%*gfuWBdJ4_4;{>eROm7Dxr`|B^y>}8X^=JVoD ziq*8cZYw7l`OSiK^A@k z-X;|9BLx|A27^H=lYyncE(ibqsQj)hmtWfVzKc(2Ijpge`J}A)tHY=2jGkmoC|}Yk zJLwloYj5h3k|Uz!Ooj~4?^VS@aU-gHH9rxru SS#HI6{8r@NvIVmD&jJ9&zmB2+ literal 0 HcmV?d00001 From 26908a8c12ce2849ba2c2b64a01fb66e896dbfb9 Mon Sep 17 00:00:00 2001 
From: cstkingkey Date: Sun, 1 Feb 2026 08:25:01 +0800 Subject: [PATCH 4/4] fix windows --- rustls-platform-verifier/src/tests/verification_mock/mod.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rustls-platform-verifier/src/tests/verification_mock/mod.rs b/rustls-platform-verifier/src/tests/verification_mock/mod.rs index ae1db53..c871950 100644 --- a/rustls-platform-verifier/src/tests/verification_mock/mod.rs +++ b/rustls-platform-verifier/src/tests/verification_mock/mod.rs @@ -211,13 +211,13 @@ fn test_selfsigned_cert_with_extra_roots() { verification_time(), ); - #[cfg(target_vendor = "apple")] + #[cfg(any(target_vendor = "apple", target_os = "windows"))] assert!( result.is_err(), "self-signed leaf certificate with long validity period is accepted unexpectly" ); - #[cfg(not(target_vendor = "apple"))] + #[cfg(not(any(target_vendor = "apple", target_os = "windows")))] assert!( result.is_ok(), "failed to validate self-signed leaf certificate with long validity period"
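Review bot: On Windows the `is_err()` assertion here does not exercise the validity period at all: earlier in `test_selfsigned_cert_with_extra_roots` (patch 2 of this series) the `#[cfg(target_os = "windows")]` branch already expects the 365-day self-signed leaf `ROOT3` to be rejected, so rejecting the 1000-day `ROOT4` follows from that and says nothing about a lifetime limit; only the Apple branch actually pins validity-period behaviour. A comment would keep that from being misread, e.g. `// Windows rejects the self-signed leaf above regardless of lifetime; only Apple distinguishes the 1000-day cert here.` The message string still reads `unexpectly`; "unexpectedly" is meant. The function starts outside this hunk.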