TestEmbeddedRoots ensures the package's embedded root certificates parse successfully. The roots are used by Validate to avoid falling back to the platform's system verifier (notably Apple's Security framework on macOS), which previously caused TestValidate/regular to fail on macOS with `x509: "meta
(t *testing.T)
| 17 | // `x509: "metadata.azure.com" certificate is not standards compliant`. |
| 18 | // See https://github.com/coder/coder/issues/12978. |
| 19 | func TestEmbeddedRoots(t *testing.T) { |
| 20 | t.Parallel() |
| 21 | require.NotEmpty(t, embeddedRoots, "embedded roots must not be empty") |
| 22 | seen := map[string]bool{} |
| 23 | for _, pemCert := range embeddedRoots { |
| 24 | block, rest := pem.Decode([]byte(pemCert)) |
| 25 | require.NotNil(t, block, "PEM block should decode") |
| 26 | require.Zero(t, len(rest), "no trailing data after PEM block") |
| 27 | cert, err := x509.ParseCertificate(block.Bytes) |
| 28 | require.NoError(t, err) |
| 29 | // Each root must be self-signed (issuer == subject). |
| 30 | require.Equal(t, cert.Issuer.String(), cert.Subject.String(), |
| 31 | "root certificate must be self-signed: %s", cert.Subject.CommonName) |
| 32 | require.False(t, seen[cert.Subject.CommonName], |
| 33 | "duplicate embedded root: %s", cert.Subject.CommonName) |
| 34 | seen[cert.Subject.CommonName] = true |
| 35 | } |
| 36 | // Verify the three roots Azure instance-identity chains ultimately |
| 37 | // terminate at are all present. |
| 38 | for _, name := range []string{ |
| 39 | "DigiCert Global Root G2", |
| 40 | "DigiCert Global Root G3", |
| 41 | "Baltimore CyberTrust Root", |
| 42 | } { |
| 43 | require.True(t, seen[name], "missing embedded root %q", name) |
| 44 | } |
| 45 | } |