]> Cypherpunks repositories - gostls13.git/commitdiff
projects / gostls13.git / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 303a596)
crypto/x509: ignore harmless edge case in TestSystemRoots
authorFilippo Valsorda <filippo@golang.org>
Sat, 5 Jan 2019 00:27:08 +0000 (19:27 -0500)
committerFilippo Valsorda <filippo@golang.org>
Sat, 5 Jan 2019 00:45:14 +0000 (00:45 +0000)
The no-cgo validation hack lets in certificates from the root store that
are not marked as roots themselves, but are signed by a root; the cgo
path correctly excludes them. When TestSystemRoots compares cgo and
no-cgo results it tries to ignore them by ignoring certificates which
pass validation, but expired certificates were failing validation.

Letting through expired certs is harmless anyway because we will refuse
to build chains to them.

Fixes #29497

Change-Id: I341e50c0f3426de2763468672f9ba1d13ad6cfba
Reviewed-on: https://go-review.googlesource.com/c/156330
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
src/crypto/x509/root_darwin_test.go patch | blob | history

diff --git a/src/crypto/x509/root_darwin_test.go b/src/crypto/x509/root_darwin_test.go
index 5ad19d72cd12a876be00d0fc51fe6f842097624d..1165a97e205b95ebe9616b4f62390bdd5608e321 100644 (file)
--- a/src/crypto/x509/root_darwin_test.go
+++ b/src/crypto/x509/root_darwin_test.go
@@ -64,13 +64,15 @@ func TestSystemRoots(t *testing.T) {
                if _, ok := sysPool[string(c.Raw)]; ok {
                        delete(sysPool, string(c.Raw))
                } else {
-                       // verify-cert lets in certificates that are not trusted roots, but are
-                       // signed by trusted roots. This should not be a problem, so confirm that's
-                       // the case and skip them.
+                       // verify-cert lets in certificates that are not trusted roots, but
+                       // are signed by trusted roots. This is not great, but unavoidable
+                       // until we parse real policies without cgo, so confirm that's the
+                       // case and skip them.
                        if _, err := c.Verify(VerifyOptions{
                                Roots:         sysRoots,
                                Intermediates: allCerts,
                                KeyUsages:     []ExtKeyUsage{ExtKeyUsageAny},
+                               CurrentTime:   c.NotBefore, // verify-cert does not check expiration
                        }); err != nil {
                                t.Errorf("certificate only present in non-cgo pool: %v (verify error: %v)", c.Subject, err)
                        } else {
Go GOST TLS 1.3