Cypherpunks repositories - gostls13.git/commitdiff
crypto/x509: return better error when a certificate contains no names.
author Adam Langley <agl@golang.org>
Fri, 30 Sep 2016 21:16:12 +0000 (14:16 -0700)
committer Adam Langley <agl@golang.org>
Sun, 2 Oct 2016 19:38:24 +0000 (19:38 +0000)
Currently, if a certificate contains no names (that we parsed),
verification will return the confusing error:
    x509: certificate is valid for , not example.com.

This change improves the error for that situation.

Fixes #16834.

Change-Id: I2ed9ed08298d7d50df758e503bdb55277449bf55
Reviewed-on: https://go-review.googlesource.com/30152
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>

src/crypto/x509/verify.go

index 4a6c952a964f826ed6736bbc4e9664b75ca7f713..484c951fc938304d9541e1fff86139d2d5d449c4 100644 (file)
@@ -87,6 +87,10 @@ func (h HostnameError) Error() string {
                        valid = c.Subject.CommonName
                }
        }
+
+       if len(valid) == 0 {
+               return "x509: certificate is not valid for any names, but wanted to match " + h.Host
+       }
        return "x509: certificate is valid for " + valid + ", not " + h.Host
 }
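
Review bot: the new `len(valid) == 0` branch near the end of `HostnameError.Error()` has no comment saying when `valid` can still be empty after the `c.Subject.CommonName` fallback just above it, and its message states the certificate "is not valid for any names" while the commit message narrows that to names "that we parsed". A one-line comment above the check describing the case it covers (no parsed names and an empty CommonName) would make the intent clear to the next reader, and the wording could say that no names were found rather than implying that none exist. The page lists only src/crypto/x509/verify.go as changed, so a test case that builds a `HostnameError` for a certificate without names and asserts on the returned string would keep both messages from regressing.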