Move to direct AWS certificate chain for secondary real-world CA test

Author: complexspaces

rustls-platform-verifier/examples/update-certs.rs

@@ -44,4 +44,10 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
     Ok(())
 }
 
-const HOSTS: &[&str] = &["letsencrypt.org"];
+// We use two different CAs for better coverage and...
+const HOSTS: &[&str] = &[
+    // This host is using EC-based certificates for coverage.
+    "letsencrypt.org",
+    // This host is using RSA-based certificates for coverage.
+    "aws.amazon.com",
+];

rustls-platform-verifier/src/tests/mod.rs

@@ -62,8 +62,8 @@ pub fn assert_cert_error_eq<E: StdError + PartialEq + 'static>(
 /// we know the test certificates are valid. This must be updated if the mock certificates
 /// are regenerated.
 pub(crate) fn verification_time() -> pki_types::UnixTime {
-    // Fri, 30 May 2025 21:27:00 UTC
-    pki_types::UnixTime::since_unix_epoch(Duration::from_secs(1_748_633_220))
+    // Wed, 13 August 2025 18:30:53 UTC
+    pki_types::UnixTime::since_unix_epoch(Duration::from_secs(1_755_109_853))
 }
 
 fn test_provider() -> Arc<CryptoProvider> {

rustls-platform-verifier/src/tests/verification_real_world/1password_com_valid_1.crt

@@ -46,29 +46,49 @@ use crate::tests::{assert_cert_error_eq, test_provider, verification_time};
 use crate::Verifier;
 
 // This is the certificate chain presented by one server for
-// my.1password.com when this test was updated 2023-08-01. It is
-// valid for *.1password.com and 1password.com from
-// "Jun 24 00:00:00 2023 GMT" through "Jul 22 23:59:59 2024 GMT".
+// `aws.amazon.com` when this test was updated 2025-08-13.
 //
 // Use this to template view the certificate using OpenSSL:
 // ```sh
-// openssl x509 -inform der -text -in 1password_com_valid_1.crt | less
+// openssl x509 -inform der -text -in aws_amazon_com_valid_1.crt | less
 // ```
 //
-// You can update the cert file with `update_valid_ee_certs.rs`
-const VALID_1PASSWORD_COM_CHAIN: &[&[u8]] = &[
-    include_bytes!("1password_com_valid_1.crt"),
-    include_bytes!("1password_com_valid_2.crt"),
-    include_bytes!("1password_com_valid_3.crt"),
+// You can update these cert files with `examples/update-certs.rs`
+const VALID_AWS_AMAZON_COM_CHAIN: &[&[u8]] = &[
+    include_bytes!("aws_amazon_com_valid_1.crt"),
+    include_bytes!("aws_amazon_com_valid_2.crt"),
+    include_bytes!("aws_amazon_com_valid_3.crt"),
     // XXX: This certificate is included for testing in environments that might need
     // a cross-signed root certificate instead of the just the server-provided one.
-    include_bytes!("1password_com_valid_4.crt"),
+    include_bytes!("aws_amazon_com_valid_4.crt"),
 ];
 
-const MY_1PASSWORD_COM: &str = "my.1password.com";
+/// Returns a list of names valid for [VALID_AWS_AMAZON_COM_CHAIN], in a format
+/// expected by `CertificateError::NotValidForContext`.
+#[cfg(not(any(target_vendor = "apple", windows)))]
+fn valid_aws_chain_names() -> Vec<String> {
+    const VALID_AWS_NAMES: &[&str] = &[
+        "aws.amazon.com",
+        "www.aws.amazon.com",
+        "aws-us-east-1.amazon.com",
+        "aws-us-west-2.amazon.com",
+        "amazonaws-china.com",
+        "www.amazonaws-china.com",
+        "1.aws-lbr.amazonaws.com",
+    ];
+
+    VALID_AWS_NAMES
+        .iter()
+        .copied()
+        .map(|name| format!("DnsName(\"{name}\")"))
+        .collect()
+}
 
-// A domain name for which `VALID_AWS_AMAZON_COM_CHAIN` isn't valid.
+const AWS_AMAZON_COM: &str = "aws.amazon.com";
+
+// Domain names for which `VALID_AWS_AMAZON_COM_CHAIN` isn't valid.
 const VALID_UNRELATED_DOMAIN: &str = "my.1password.com";
+const VALID_UNRELATED_SUBDOMAIN: &str = "www.amazon.com";
 
 const LETSENCRYPT_ORG: &str = "letsencrypt.org";
 
@@ -167,43 +187,43 @@ fn real_world_test<E: std::error::Error>(test_case: &TestCase<E>) {
 // Prefer to staple the OCSP response for the end-entity certificate for
 // performance and repeatability.
 real_world_test_cases! {
-    // The certificate is valid for *.1password.com.
-    my_1password_com_valid => TestCase {
-        reference_id: MY_1PASSWORD_COM,
-        chain: VALID_1PASSWORD_COM_CHAIN,
+    // The certificate is valid for *.aws.amazon.com.
+    aws_amazon_com_valid => TestCase {
+        reference_id: AWS_AMAZON_COM,
+        chain: VALID_AWS_AMAZON_COM_CHAIN,
         stapled_ocsp: None,
         verification_time: verification_time(),
         expected_result: Ok(()),
         other_error: no_error!(),
     },
     // Same as above but without stapled OCSP.
-    my_1password_com_valid_no_stapled => TestCase {
-        reference_id: MY_1PASSWORD_COM,
-        chain: VALID_1PASSWORD_COM_CHAIN,
+    aws_amazon_com_valid_no_stapled => TestCase {
+        reference_id: AWS_AMAZON_COM,
+        chain: VALID_AWS_AMAZON_COM_CHAIN,
         stapled_ocsp: None,
         verification_time: verification_time(),
         expected_result: Ok(()),
         other_error: no_error!(),
     },
-    // Valid also for 1password.com (no subdomain).
-    _1password_com_valid => TestCase {
-        reference_id: "1password.com",
-        chain: VALID_1PASSWORD_COM_CHAIN,
+    // Valid also for www.amazon.amazon.com (extra subdomain).
+    _aws_amazon_com_valid => TestCase {
+        reference_id: "www.aws.amazon.com",
+        chain: VALID_AWS_AMAZON_COM_CHAIN,
         stapled_ocsp: None,
         verification_time: verification_time(),
         expected_result: Ok(()),
         other_error: no_error!(),
     },
     // The certificate isn't valid for an unrelated subdomain.
     unrelated_domain_invalid => TestCase {
-        reference_id: VALID_UNRELATED_DOMAIN,
-        chain: VALID_1PASSWORD_COM_CHAIN,
+        reference_id: VALID_UNRELATED_SUBDOMAIN,
+        chain: VALID_AWS_AMAZON_COM_CHAIN,
         stapled_ocsp: None,
         verification_time: verification_time(),
         #[cfg(not(any(target_vendor = "apple", windows)))]
         expected_result: Err(TlsError::InvalidCertificate(CertificateError::NotValidForNameContext {
-            expected: ServerName::DnsName(DnsName::try_from("agilebits.com").unwrap()),
-            presented: vec!["DnsName(\"*.1password.com\")".to_owned(), "DnsName(\"1password.com\")".to_owned()],
+            expected: ServerName::DnsName(DnsName::try_from(VALID_UNRELATED_SUBDOMAIN).unwrap()),
+            presented: valid_aws_chain_names(),
         })),
         #[cfg(any(target_vendor = "apple", windows))]
         expected_result: Err(TlsError::InvalidCertificate(CertificateError::NotValidForName)),
@@ -212,14 +232,14 @@ real_world_test_cases! {
     // The certificate chain for the unrelated domain is not valid for
     // my.1password.com.
     unrelated_chain_not_valid_for_my_1password_com => TestCase {
-        reference_id: MY_1PASSWORD_COM,
-        chain: VALID_UNRELATED_CHAIN,
+        reference_id: VALID_UNRELATED_DOMAIN,
+        chain: VALID_AWS_AMAZON_COM_CHAIN,
         stapled_ocsp: None,
         verification_time: verification_time(),
         #[cfg(not(any(target_vendor = "apple", windows)))]
         expected_result: Err(TlsError::InvalidCertificate(CertificateError::NotValidForNameContext {
-            expected: ServerName::DnsName(DnsName::try_from("my.1password.com").unwrap()),
-            presented: vec!["DnsName(\"agilebits.com\")".to_owned(), "DnsName(\"www.agilebits.com\")".to_owned()],
+            expected: ServerName::DnsName(DnsName::try_from(VALID_UNRELATED_DOMAIN).unwrap()),
+            presented: valid_aws_chain_names(),
         })),
         #[cfg(any(target_vendor = "apple", windows))]
         expected_result: Err(TlsError::InvalidCertificate(CertificateError::NotValidForName)),