From f357528c5903572e400284af3dac384903f8fbf7 Mon Sep 17 00:00:00 2001
From: ComplexSpaces
Date: Wed, 28 Jan 2026 21:51:36 -0600
Subject: [PATCH 1/2] Regenerate mock certificate data
---
rustls-platform-verifier/src/tests/mod.rs | 4 ++--
.../verification_mock/root1-int1-ee_1-good.crt | Bin 413 -> 413 bytes
.../verification_mock/root1-int1-ee_1-good.ocsp | Bin 299 -> 300 bytes
.../root1-int1-ee_1-revoked.crt | Bin 413 -> 413 bytes
.../root1-int1-ee_1-revoked.ocsp | Bin 317 -> 316 bytes
.../root1-int1-ee_1-wrong_eku.crt | Bin 413 -> 413 bytes
.../root1-int1-ee_127.0.0.1-good.crt | Bin 401 -> 401 bytes
.../root1-int1-ee_127.0.0.1-good.ocsp | Bin 298 -> 299 bytes
.../root1-int1-ee_127.0.0.1-revoked.crt | Bin 401 -> 401 bytes
.../root1-int1-ee_127.0.0.1-revoked.ocsp | Bin 317 -> 316 bytes
.../root1-int1-ee_127.0.0.1-wrong_eku.crt | Bin 400 -> 402 bytes
.../root1-int1-ee_example.com-good.crt | Bin 408 -> 409 bytes
.../root1-int1-ee_example.com-good.ocsp | Bin 299 -> 300 bytes
.../root1-int1-ee_example.com-revoked.crt | Bin 407 -> 408 bytes
.../root1-int1-ee_example.com-revoked.ocsp | Bin 316 -> 317 bytes
.../root1-int1-ee_example.com-wrong_eku.crt | Bin 408 -> 407 bytes
.../src/tests/verification_mock/root1-int1.crt | Bin 440 -> 441 bytes
.../src/tests/verification_mock/root1.crt | Bin 402 -> 402 bytes
18 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/rustls-platform-verifier/src/tests/mod.rs b/rustls-platform-verifier/src/tests/mod.rs
index 134a20f..b9035a7 100644
--- a/rustls-platform-verifier/src/tests/mod.rs
+++ b/rustls-platform-verifier/src/tests/mod.rs
@@ -62,8 +62,8 @@ pub fn assert_cert_error_eq( /// we know the test certificates are valid. This must be updated if the mock certificates /// are regenerated. pub(crate) fn verification_time() -> pki_types::UnixTime { - // Sat, 3 January 2026 14:20:06 UTC - pki_types::UnixTime::since_unix_epoch(Duration::from_secs(1_767_450_006)) + // Thu, 29 January 2026 04:14:44 UTC + pki_types::UnixTime::since_unix_epoch(Duration::from_secs(1_769_660_084)) } fn test_provider() -> Arc { diff --git a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_1-good.crt b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_1-good.crt index 0968a956569cc4b3210e316b61f00faac30cd687..5dd93cbace18d2f5793595572f03476e05596358 100644 GIT binary patch delta 259 zcmV+e0sQ`*1DykqI2blCF)}zXG%+$TFj^N4GB_|XGC43bF*1=*9bowbOrN+ttz(P~ zvCy{Om=N^;!^$E0 zZ+YIa%(rI(F#y~!@T#U$YKQ{>xZy@vv95Q|n3A$>f(J&T{A!~gbMcq@204DRC~O^H JJp-YFQkJP7fx7?z delta 259 zcmV+e0sQ`*1DykqI2biBI59FYIWsXZFj^N4GB+?dF*7kaGcl1+9bj(S@qp*|QR44Y z%720OUjW01OAqZcO;St7S50@P(s=5Ca8W?5@Y%+f)$>JlU!+nR9Bhe_U3aU5Li5b7zFL8K$AwD+b{g+g!-{7b^zfg%NY1ds(qS3Z|m_ J0R%54H+I1#b?X2C diff --git a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_1-good.ocsp b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_1-good.ocsp index 66e49a7e84864a5877ca34539018bd8c48d3e1c2..3028e4bb8f28b4e44d25b4421bae34f47cb96907 100644 GIT binary patch delta 266 zcmZ3@w1&yYpovj~i;-bL6Qd%KDa*#G&Bn;e%5K2O$kN2f2NdEmXq>Q6+(6V&*g%kt zIh2JX&}gEMPJPe#25C%&41K099#ZSx zu9(9*^S@{!+rQ&-YrgRp-DUP+T^3<{@j&|di($(hf8ChZ!yrB9T8pW`3ZR}>Ufw}` yQr~J1CKj1h*WGp~eyF9N_HmJQLgkM?*~>U5i|)Ap=gixJ6T%* delta 265 zcmZ3(w3^AspovkPi;-bL6QcrQ6+(6V&*g%kt zIh2J{a7#SNF;7W}^N(~I676^ic%z(OKLIzxH99nH2=WJP+nVB;f3{sg4l)ePN*|_6P z@xHSu4=xv8d%^c0bj$pHwq-t*F{h*SHmp7VHYe|n#?B===WUGG*`iENG8r;7_$-XG yb*lf)I(eB}j)>czZA*VKZ+iGM^^}SK-_?cZ*ZlBs(phmZAv35!f@#7==_mlLqFO!x 
diff --git a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_1-revoked.crt b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_1-revoked.crt index b4f4012e2a97ca70286c0cda43e9f027b24911d8..ae7723a8e927b64284c14790d1a7047b3240875c 100644 GIT binary patch delta 259 zcmV+e0sQ`*1DykqI2blCF)}zXG%+$TFj^N4GB_|XGC43bF*1=*9bnALm6VUvzWN(! z0@A=0pABy?=6wgV7H&6H`wAt1{d^83blOgwR~ z7t*<#`jV~!F#ybm0=YAUtsJ=BIjca56G|6)7p};sTONbJ JTumppa}p0dbZh_s delta 259 zcmV+e0sQ`*1DykqI2biBI59FYIWsXZFj^N4GB+?dF*7kaGcl1+9bmwd*E5Qp{$&!q zhIhMFZnr}=kDo%A*g7Wj#*bnKAyJUXB$||~0WHo-Ym)3So4QLYxw@k1)j@}p7TV|Pl;-RM|=O`-|Rp$O~){9v4eaA}_ zz{N}})#T9vF#y$94Ao8k&Zpo!6fi;-bL6Qd!JsmsQx&Bn;e%5K2O$kN0p2NaSrXk55Z+(6V&*g%kt zIh2JX&}gEMPJP6FY_OO88FW51Td&idxwX3tHDa#fi>WnGJuQW)19E|A^$Y`%$xnBlXZ{!E4pOIpgZ y{a7?~Cd!j&319H6+*SP^Wtg^UAM&HvnDA`cJy4VJJ^ppVr(74LuR zM`N~9vNeP>U5Tv<@Pg1op|B2cHe7}RrU^Sd`DfRZ!Hbd2CKP7wU1ov0&a0%fQ(e@& ztzlcfh6z!O!h!9zA&MyWW(pT73oc4>$hhY0- JM4rF;+sjG)cuxQT delta 259 zcmV+e0sQ`*1DykqI2biBI59FYIWsXZFj^N4GB+?dF*7kaGcl1+9bn^yPn?CWd<~TE zjVOhL>lTn%4K6|7{GtJ8M|*BquGh%Vm${r^vH-KVMwV{`wx~)~pgYe8 zE)frvRU+&foxoFQYbya6kT}S-1wTS%0C6C+CkKs^y)}`|CKP_25$=Kj=INf5eyco$ z^Tk=6qk@wM0W)J=m{3OWdk!Nq*+OJm4h_wkf5m-xj~1?8k!A@@VI^VI`!?$JP!!R(c;guohAP0iWWLO+RKVSc3Bp=4HVs*tocHa&w$js5 JGZML@WX59XaAE)e 
diff --git a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_127.0.0.1-good.crt b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_127.0.0.1-good.crt index 70b398f59511faea3af72c4188a6fa926695a812..9dd79470481937b70c622dd232682f540c355d02 100644 GIT binary patch delta 260 zcmV+f0sH=u1CaxeI2blCF)}zXG%+$TFj^N4GB_|XGC43bF*1=*9bi>mM;XlodTd=a z%Q*K~bm?IW{`z1=&~@STB9H~l6fz9a7g^N<5GxgCKP7wU1ov0&a0%fQ(e@& ztzlcfh67JA>LQW}Dm8=N0*zOmq;v)#@ zwCHe7ihzx?0x?cj}R%-JVoYG+dO*nit8i@ddymDZ8XCKP_25$=Kj=INf5eyco$ z^Tk=6qk@wM0VZTI0J(UfmK03YeYQ=KCfM5dTKN6?FY)%@Z7TZGXnT>#= zr$?r2G1P%kssb=W%l0DphCA{Q6+(6V&*g%kt zIh2JX&}gEMPJPI&Bn;e%5K2O$kN2f0~F#gXq>Q6+(6V&*g%kt zIh2J{a7#SNF;7W}^N(~I676^ic%z(OKLIzxH99nH2=WJP+nVHiW3{sd3Se@BdDf)Pp z?zr;s>9Ic4yso?x~LEpOrQ%FS3unoH&Ltw)psSX+WekK%@ zsku9G;81`!)wcyq3r0&Q%hd2KTbjZ3i;HHAboqM=OMj8gCKP7wU1ov0&a0%fQ(e@& ztzlcfh6CB-s$*U zmx|$0JPWx3Fk}EtFc?i%bkVLfv0ciQ@g~6QCr@r5fn4pFHBo@r-U zN01g;W}Mw_d-4h-U+hng!vJl_*0>P`k^k1OqBOif<4fG0ehXsE-h#2k)wdTi5&pO(i>7b8irf_0*zjLdU`zC9ILnCKP_25$=Kj=INf5eyco$ z^Tk=6qk@wM0Vra_&&%b%ET=WWg?}~&CQuxDv@W5ff2kJARCGjYFe8Qx7Z_G*;n@CY z>!|XZ|CogWFiDQkF^r>jv<#L0k@Le5xD*mh$QsDK045PrO%Jt9W(e&OS3^CCd;9L; IhOC#YI^1(~Y5)KL diff --git a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_127.0.0.1-revoked.ocsp b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_127.0.0.1-revoked.ocsp index 6dff38ec934b2e6a73ea618c78c7a42bfcd4ebd4..a19451741709cf5fb39be4d61af392daeb7e07c5 100644 GIT binary patch delta 282 zcmdnXw1>&Zpo!6fi;-bL6Qd!JsmsQx&Bn;e%5K2O$kN0p2NaSrXk55Z+(6V&*g%kt zIh2JX&}gEMPJPwdcC#YV@N#;T`&R@}!9M7Vyrcct|S^9RYMSiMabe2vfi$eYAupg2K! zu{6)?sNh=*7WgmSHtR~{?^L(z9|f;OJyW!Qz#g_)=K8mDJ$8F_^%t?_-Aj%G0QU@D Az5oCK delta 283 zcmdnPw3o@ppo!6vi;-bL6QdE3smI2t&Bn;e%5K2O$kN0p4-}F%Xk55Z+(6V&*g%kt zIh2J{a7?~Cd!j&3HJiX6vzGQyRyEiwcsWAfpTC!Tf 
diff --git a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_127.0.0.1-wrong_eku.crt b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_127.0.0.1-wrong_eku.crt index 17bdbc054ec67b33e05551c3441b726d4db66ce7..841a17b094a99dd1ab1b049467ebcaf6807d80aa 100644 GIT binary patch delta 272 zcmV+r0q_2h1Cj#-FoFS&kpwgtHZUTfT-0lLrAIYH0v4W&$w)s=KBn;5)n9+n{DX69Rf_XJ*(OvZ_PHzY%Dqk75j{}z)*DxWQeL!2TjDv>#kiIfP34(#Hdnuv U603=@FHmD@g$?h5(t#mcslOI|P5=M^ diff --git a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_example.com-good.crt b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_example.com-good.crt index 0c2364f41aa735320f80c580cb8722ac37551253..c1f6c5bf2608f6cf46c1829eb20180aa3ffe2b23 100644 GIT binary patch delta 272 zcmV+r0q_2p1DOK^FoFS zFU#y+*kYvPa1FQR>u(g8`VMamuEjt{#uv5YAGM#p(O>T@$|b-akTfT-0lLrAPYH0v4W&$w)`&P*q*EEh2sd8hQ$2yyYyF2RY!oi<{I6+K= z*ztlWxB#ptf2v|Y&=X6p_wpFN0xr@_y!P&35pZr-c=N6afu@NQ6+(6V&*g%kt zIh2JX&}gEMPJPe#25C%&4724|>IHXJ z#WOsUjc-+UiRSO{E85dN61pu>5m+3KxPjK^($GgD?ppq}2zwMHL` xR`eLR9!dM=UVr)BJ8=v4stKCEH9f@U2wgLIo)#J7+0fo7e(BQAi#z_$0|2F(RJ;HH delta 265 zcmZ3(w3^AspovkPi;-bL6QcrQ6+(6V&*g%kt zIh2J{a7#SNF;7W}^N(~I676^ic%z(OKLIzxH99nH2=WJP+nVB;f3{sg4l%{?Axc|=b zpmsO4gv#*r>|_4hcf{#;ev+6P|4OR)YE;W6zx04FJ24RBZqN 
diff --git a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_example.com-revoked.crt b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_example.com-revoked.crt index bf6c751af9941b54757f510a9edf6afb4cff7016..3349e9e7ca1fb4508e6b95cbaa4fba9166f8fcb7 100644 GIT binary patch delta 271 zcmV+q0r38p1DFE@FoFS;kpwgtHZU?Q-`xNIb9u3I+QWZ zwE_#=|KV?}Ljk1mnrE)v$jbvH5?R{vjxp!bd5@u+lkTfT-0lLrAPX=ng2Wdbn(=Mz?-XxI@-w&#eeBnML$x+mG$z^Gv+U2s30i_NAG%}O1icWnRw delta 270 zcmV+p0rCEr1D68?FoFS-kpwgtH840aGBG(bF)%P%7Y#BuFgP(YF*!3akx(6AXKwgv zSC5tO&Y5GwiXPWDl+l9TZXa&h-DM7QY}*UlXH>?zn(FwW#dtZPji9XNr6vucgTBx$ z;=4Q}=HSV1#&0}n-s-Yo2=^FY88sYX1fP_F?<$zw!-~LjQ#m%>kbX7Rh=jTFjhH3LwE4%C7~0vlsEJQBbdiw8w!h`c)2YtVbJNQ Uf#^iFfMDiyGH2?2h2_~Y4jvDCq5uE@ diff --git a/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_example.com-revoked.ocsp b/rustls-platform-verifier/src/tests/verification_mock/root1-int1-ee_example.com-revoked.ocsp index bbd64a3708ddf3d8243d62b0046e9c2a5fe9f5de..59e7278a07b7361a1baa5c90f9daffb9d0aae21a 100644 GIT binary patch delta 283 zcmdnPw3o@ppo!6vi;-bL6QdE3smI2t&Bn;e%5K2O$kN0p4-}F%Xk55Z+(6V&*g%kt zIh2JX&}gEMPJPp#7Qu_e_K|5K- delta 282 zcmdnXw1>&Zpo!6fi;-bL6Qd!JsmsQx&Bn;e%5K2O$kN0p2NaSrXk55Z+(6V&*g%kt zIh2J{a7?~Cd!j&3{v4+l znzaw#ht9u}qsOxH;I_2J-PgZu)SErij-xQKZHtp)f@dn-(E-z?cGjTRS0Fvkdl3rt^<%5x3Tyz&h+kTfT-0lLrAPXlDR0WCAb+8?0jK+JQ}6ZRRsa`1B7w@H6;1(RmYOgLDkd zZ1MPo#{64aNQhjfT=N@L5h?)!FnpgJ@;Ifo;(q(Y2;*GZ06Sv@=YF8(MXo@rZOz0m Uz3EtNrm73Gsz-2*ilMZAM!)=a5dZ)H delta 271 zcmV+q0r38p1DFE@FoFS;kpwgtH840aGBG(bF)%P%7Y#BuFgP(YF*!3akx(6Aw&mR8 zyZw}hC4i>`O3qF)+MCy{_>>z|-jMeC?Z?Piw^2$sn;E%G3HB-3I(5ulJ{Cq*$qKG7 z6VMpXqP$qHDI8JoY}gQ8b26m@F#v~^2>tgnZ~(_+5;e+;_Om4ruR%n}q;VxA>MBms VhBE;cDwNN@sig9Qf4{7*G}tEfdq)5O 
diff --git a/rustls-platform-verifier/src/tests/verification_mock/root1-int1.crt b/rustls-platform-verifier/src/tests/verification_mock/root1-int1.crt index 7c059e530c146f3b5e10d5b5439afe52e3f86913..6b2159b12f618cb8e8de24b2580a4a6c3b7a090e 100644 GIT binary patch delta 314 zcmV-A0mc5f1GxhPFoFTKkpwRoHZU!wSG+lGG;*0$CcS zWTa>xOry_DU=gBES>XV2GZ@HFYl4n2TD(^oAyM|~JK^Si{YWWSk=-zVX6{{Pfx6DC zq_k6A)V!@>TfT-0Fdqg3RUIP)7%&!q6p6g$5xXRoC9e-z9Lh`YAIVm$CT3Q@LDO2lBvD3fUCcz2KZi_>LV@Q62x3sL&A z_1OrGfyRr8aXv|(z27C9tk=-zVex4ETf&k{} zo|S&9JcRSbS)HSTFdqg3RUIP)7%&!q6w-0*JAL#bptdLZd?scGh7gmI*DwkO2r7n1 z&OHPJ0|RIPFl7QTO*>~hM3k@iaceWkKfM5@tF0&{5JwWYqhuqTg0!QhZ^}G~<7os` z-{j}PD0Kf40xh1Cj%fGZ;27F)}zXG%+$TFj^N4GB+?WGC43bF*1=$Enr9BphZ%8Q3hJs zaRIXS0vlVM?s1%@Y0<<3G&0o)d^QOcB42=5mqPFn@`>tFnTFCkuPV z?niFjtsA`Obv!sG5r_S7U{VpZf&wuB;+|B-T;}Ro&6Pteh^^LSP1wYp Y$FVzPld9BV#|zN-fUS3ZCmPOAoaR1u!Th1Cj%fGZ-~6I59FYIWsXZFj^N4GBz+cF*7kaGcl1%Enw@aS)g!Hft|&} z-@MV4<#}V<3b7|!UWFn`i<>^pt*BA~V>`Ftj3 z2Zj)nlGiW_1_&yKNX|V30|NtS05D|&Feg_9?at#+wf%=G;V>c4Nh?v@I$`a!536kk z*BfZ8(?uoBv+-6zXv{8iKiSG2_5v{g#Wl{KXTcGgpu`}1cHUgkI4#}?sVjf+7R`j) YBs24B-4{c~DGMuHq)$ From 8ff7f21b8a1c581be91c731ac84de828fbefbddc Mon Sep 17 00:00:00 2001 From: ComplexSpaces Date: Wed, 28 Jan 2026 21:57:16 -0600 Subject: [PATCH 2/2] Add initial new_with_extra_roots testing --- .../src/tests/verification_mock/ca.go | 18 +++++- .../src/tests/verification_mock/mod.rs | 57 +++++++++++++++--- .../src/tests/verification_mock/root2.crt | Bin 0 -> 475 bytes 3 files changed, 66 insertions(+), 9 deletions(-) create mode 100644 rustls-platform-verifier/src/tests/verification_mock/root2.crt diff --git a/rustls-platform-verifier/src/tests/verification_mock/ca.go b/rustls-platform-verifier/src/tests/verification_mock/ca.go index ec3b4de..240bfde 100644 --- a/rustls-platform-verifier/src/tests/verification_mock/ca.go +++ b/rustls-platform-verifier/src/tests/verification_mock/ca.go 
@@ -69,7 +69,7 @@ func doIt() error { var err error = nil - root1_key, err := generateRoot("root1", now) + root1_key, err := generateRoot("root1", now, "") if err != nil { return err } @@ -96,6 +96,11 @@ func doIt() error { } } + _, err = generateRoot("root2", now, "example.com") + if err != nil { + return err + } + return nil } @@ -210,11 +215,12 @@ func generateInt(intName string, serial int64, now time.Time, caKey crypto.Signe return intKey, nil } -func generateRoot(name string, now time.Time) (crypto.Signer, error) { +func generateRoot(name string, now time.Time, commonName string) (crypto.Signer, error) { caKey, err := generateKey() if err != nil { return nil, err } + template := x509.Certificate{ SerialNumber: big.NewInt(1), Subject: pkix.Name{ @@ -227,6 +233,14 @@ func generateRoot(name string, now time.Time) (crypto.Signer, error) { BasicConstraintsValid: true, } + if len(commonName) != 0 { + template.Subject.CommonName = commonName + template.KeyUsage = 0 + // See `generateEndEntity` for list of macOS requirements. + template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth} + template.DNSNames = []string{commonName} + } + cert, err := x509.CreateCertificate(rand.Reader, &template, &template, caKey.Public(), caKey) if err != nil { return nil, err diff --git a/rustls-platform-verifier/src/tests/verification_mock/mod.rs b/rustls-platform-verifier/src/tests/verification_mock/mod.rs index 38a2686..0e8e322 100644 --- a/rustls-platform-verifier/src/tests/verification_mock/mod.rs +++ b/rustls-platform-verifier/src/tests/verification_mock/mod.rs @@ -28,7 +28,7 @@ use std::net::{Ipv4Addr, Ipv6Addr}; use std::sync::Arc; use rustls::client::danger::ServerCertVerifier; -use rustls::pki_types; +use rustls::pki_types::{self, CertificateDer}; #[cfg(not(any(target_vendor = "apple", windows)))] use rustls::pki_types::{DnsName, ServerName}; use rustls::{CertificateError, Error as TlsError, OtherError}; 
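Review bot: In the `if len(commonName) != 0` branch, `generateRoot` stops producing a plain root: it zeroes `KeyUsage` and adds a serverAuth EKU and a DNS SAN, so the result is a self-signed certificate meant to be presented as the leaf itself, while the function name still says "root". Whether `IsCA` stays set for that certificate depends on template fields outside this hunk, and the function body continues past it, so that is worth confirming. I would document the dual role on the function, e.g. `// generateRoot creates a self-signed certificate; a non-empty commonName also makes it a server-auth leaf for that DNS name (root2.crt).`, and say next to `template.KeyUsage = 0` why the key usage is cleared rather than narrowed.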
@@ -80,13 +80,17 @@ macro_rules! no_error { }; } -const ROOT1: pki_types::CertificateDer<'static> = - pki_types::CertificateDer::from_slice(include_bytes!("root1.crt")); +const ROOT1: CertificateDer = CertificateDer::from_slice(include_bytes!("root1.crt")); const ROOT1_INT1: &[u8] = include_bytes!("root1-int1.crt"); const ROOT1_INT1_EXAMPLE_COM_GOOD: &[u8] = include_bytes!("root1-int1-ee_example.com-good.crt"); const ROOT1_INT1_LOCALHOST_IPV4_GOOD: &[u8] = include_bytes!("root1-int1-ee_127.0.0.1-good.crt"); const ROOT1_INT1_LOCALHOST_IPV6_GOOD: &[u8] = include_bytes!("root1-int1-ee_1-good.crt"); +// `ffi-testing` is currently only used for Android, which doesn't support extra roots yet. +#[cfg_attr(feature = "ffi-testing", allow(unused))] +#[cfg(not(any(target_os = "android", target_os = "windows")))] +const ROOT2: CertificateDer = CertificateDer::from_slice(include_bytes!("root2.crt")); + const EXAMPLE_COM: &str = "example.com"; const LOCALHOST_IPV4: &str = "127.0.0.1"; const LOCALHOST_IPV6: &str = "::1"; @@ -111,8 +115,8 @@ pub(super) fn verification_without_mock_root() { let verifier = Verifier::new(crypto_provider).unwrap(); let server_name = pki_types::ServerName::try_from(EXAMPLE_COM).unwrap(); - let end_entity = pki_types::CertificateDer::from(ROOT1_INT1_EXAMPLE_COM_GOOD); - let intermediates = [pki_types::CertificateDer::from(ROOT1_INT1)]; + let end_entity = CertificateDer::from(ROOT1_INT1_EXAMPLE_COM_GOOD); + let intermediates = [CertificateDer::from(ROOT1_INT1)]; // Fails because the server cert has no trust root in Windows, and can't since it uses a self-signed CA. // Similarly on UNIX platforms using the Webpki verifier, it can't fetch extra certificates through 
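Review bot: The comment on `ROOT2` explains the `allow(unused)` but not the `cfg`: it says `ffi-testing` is Android-only, yet the constant is already compiled out on Android, and nothing states why Windows is excluded as well. The same `not(any(target_os = "android", target_os = "windows"))` gate is repeated on `test_selfsigned_cert_with_extra_roots` in the later hunk, whereas `test_chain_signed_with_extra_roots` stays enabled on Windows. A why-comment on the gate would keep the skipped platform from reading as covered, for example `// Not run on Windows: <reason the self-signed extra-root case is skipped there>`.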
@@ -139,6 +143,45 @@ fn test_verification_without_mock_root() { verification_without_mock_root() } +#[cfg(not(any(target_os = "android", target_os = "windows")))] +#[test] +fn test_selfsigned_cert_with_extra_roots() { + let crypto_provider = test_provider(); + + let selfsigned = ROOT2; + let roots = vec![selfsigned.clone()]; + let server_name = pki_types::ServerName::try_from(EXAMPLE_COM).unwrap(); + + let verifier = Verifier::new_with_extra_roots(roots, crypto_provider).unwrap(); + + verifier + .verify_server_cert(&selfsigned, &[], &server_name, &[], verification_time()) + .expect("failed to validate singular extra root certificate chain"); +} + +#[cfg(not(target_os = "android"))] +#[test] +fn test_chain_signed_with_extra_roots() { + let crypto_provider = test_provider(); + + let server_name = pki_types::ServerName::try_from(EXAMPLE_COM).unwrap(); + let end_entity = CertificateDer::from(ROOT1_INT1_EXAMPLE_COM_GOOD); + let intermediates = [CertificateDer::from(ROOT1_INT1)]; + let roots = vec![ROOT1]; + + let verifier = Verifier::new_with_extra_roots(roots, crypto_provider).unwrap(); + + verifier + .verify_server_cert( + &end_entity, + &intermediates, + &server_name, + &[], + verification_time(), + ) + .expect("failed to validate extra root-only certificate chain"); +} + // Note: Android does not currently support IP address hosts, so these tests are disabled for // Android. // Verifies that our test trust anchor(s) are not trusted when `Verifier::new()` @@ -349,10 +392,10 @@ fn test_with_mock_root( let mut chain = test_case .chain .iter() - .map(|bytes| pki_types::CertificateDer::from(*bytes)); + .map(|bytes| CertificateDer::from(*bytes)); let end_entity = chain.next().unwrap(); - let intermediates: Vec> = chain.collect(); + let intermediates: Vec> = chain.collect(); let server_name = pki_types::ServerName::try_from(test_case.reference_id).unwrap(); 
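Review bot: Both new tests only assert the accepting path of `Verifier::new_with_extra_roots`, so nothing in this hunk checks that an extra root leaves unrelated chains untrusted. Since this constructor widens the trust store, I would pair them with a rejecting case: add only `ROOT2` as an extra root and confirm the `ROOT1`-issued chain still fails, which mirrors what `verification_without_mock_root` expects when no mock root is installed. A sketch of that test follows; the exact error variant is left unchecked because it likely differs by platform.

```rust
#[cfg(not(any(target_os = "android", target_os = "windows")))]
#[test]
fn test_extra_root_does_not_trust_unrelated_chain() {
    let server_name = pki_types::ServerName::try_from(EXAMPLE_COM).unwrap();
    let end_entity = CertificateDer::from(ROOT1_INT1_EXAMPLE_COM_GOOD);
    let intermediates = [CertificateDer::from(ROOT1_INT1)];

    // Only ROOT2 is added, so a chain that ends at ROOT1 must still be rejected.
    let verifier = Verifier::new_with_extra_roots(vec![ROOT2], test_provider()).unwrap();

    let result = verifier.verify_server_cert(
        &end_entity,
        &intermediates,
        &server_name,
        &[],
        verification_time(),
    );
    assert!(
        result.is_err(),
        "chain under ROOT1 validated with only ROOT2 as an extra root"
    );
}
```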
diff --git a/rustls-platform-verifier/src/tests/verification_mock/root2.crt b/rustls-platform-verifier/src/tests/verification_mock/root2.crt new file mode 100644 index 0000000000000000000000000000000000000000..19427faaad8afbf3653de2c484b197b7ee6d64ad GIT binary patch literal 475 zcmXqLV!Uq9#2CAPnTe5!iILHOi;Y98&EuRc3p2BUnjxP74;ynR3zsl!QGR}jk)eoz z5Qxt#%$-`1m|KvOs+XLfYal1iYh-3%Xk=kvVrXPw5C!C#1G$z^F45+c83?ekgKcMG zWMkECWMNQZPGVqLZFcl)oT0(Ym+?xzxJb8jliuvi%fgOV ziY`XHk>He+FtVb2Q@~jRF_5$%3%>zx6G{Lf1uAm}gFz~jA;a>BNvvw? zEIy=piZOS5YROu5*L73VV*B~uSM^?c*_Fop