crypto/x509: tolerate multiple matching chains in testVerify

Due to the semantics of roots, a root store may contain two valid roots
that have the same subject (but different SPKIs) at the asme time. As
such in testVerify it is possible that when we verify a certificate we
may get two chains that has the same stringified representation.

Rather than doing something fancy to include keys (which is just overly
complicated), tolerate multiple matches.

Fixes #60925

Change-Id: I5f51f7635801762865a536bcb20ec75f217a36ea
Reviewed-on: https://go-review.googlesource.com/c/go/+/505035
Reviewed-by: Heschi Kreinick <heschi@google.com>
Run-TryBot: Roland Shoemaker <roland@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>

diff --git a/src/crypto/x509/verify_test.go b/src/crypto/x509/verify_test.go
index ce6605d9727ecb2d83dcc623aa6dd684cda3c755..3551b470ced3d304e095b36da3068c52ea2c1093 100644 (file)
--- a/src/crypto/x509/verify_test.go
+++ b/src/crypto/x509/verify_test.go
@@ -512,22 +512,21 @@ func testVerify(t *testing.T, test verifyTest, useSystemRoots bool) {
                return true
        }
 
-       // Every expected chain should match 1 returned chain
+       // Every expected chain should match one (or more) returned chain. We tolerate multiple
+       // matches, as due to root store semantics it is plausible that (at least on the system
+       // verifiers) multiple identical (looking) chains may be returned when two roots with the
+       // same subject are present.
        for _, expectedChain := range test.expectedChains {
-               nChainMatched := 0
+               var match bool
                for _, chain := range chains {
                        if doesMatch(expectedChain, chain) {
-                               nChainMatched++
+                               match = true
+                               break
                        }
                }
 
-               if nChainMatched != 1 {
-                       t.Errorf("Got %v matches instead of %v for expected chain %v", nChainMatched, 1, expectedChain)
-                       for _, chain := range chains {
-                               if doesMatch(expectedChain, chain) {
-                                       t.Errorf("\t matched %v", chainToDebugString(chain))
-                               }
-                       }
+               if !match {
+                       t.Errorf("No match found for %v", expectedChain)
                }
        }