From 2d4ccbfe51c3a51cf59c91ac384a37aa3d427176 Mon Sep 17 00:00:00 2001
From: Ian Lance Taylor <iant@golang.org>
Date: Thu, 29 Mar 2018 17:55:59 -0700
Subject: [PATCH] crypto/x509: don't return nil, nil from SystemCertPool

If there are no certs, return an empty pool, not nil.

Fixes #21405

Change-Id: Ib4ac9d5c4a8cef83dd53565b0707a63b73ba0a8b
Reviewed-on: https://go-review.googlesource.com/103596
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
---
 src/crypto/x509/root_plan9.go     | 3 +++
 src/crypto/x509/root_unix.go      | 2 +-
 src/crypto/x509/root_unix_test.go | 4 ----
 src/crypto/x509/x509_test.go      | 3 ---
 4 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/src/crypto/x509/root_plan9.go b/src/crypto/x509/root_plan9.go
index ebeb7dfccd..09f0e23033 100644
--- a/src/crypto/x509/root_plan9.go
+++ b/src/crypto/x509/root_plan9.go
@@ -33,5 +33,8 @@ func loadSystemRoots() (*CertPool, error) {
 			bestErr = err
 		}
 	}
+	if bestErr == nil {
+		return roots, nil
+	}
 	return nil, bestErr
 }
diff --git a/src/crypto/x509/root_unix.go b/src/crypto/x509/root_unix.go
index 65b5a5fdbc..115af6b2f7 100644
--- a/src/crypto/x509/root_unix.go
+++ b/src/crypto/x509/root_unix.go
@@ -80,7 +80,7 @@ func loadSystemRoots() (*CertPool, error) {
 		}
 	}
 
-	if len(roots.certs) > 0 {
+	if len(roots.certs) > 0 || firstErr == nil {
 		return roots, nil
 	}
 
diff --git a/src/crypto/x509/root_unix_test.go b/src/crypto/x509/root_unix_test.go
index 03f935d4e8..9e220192b9 100644
--- a/src/crypto/x509/root_unix_test.go
+++ b/src/crypto/x509/root_unix_test.go
@@ -103,10 +103,6 @@ func TestEnvVars(t *testing.T) {
 			}
 
 			if r == nil {
-				if tc.cns == nil {
-					// Expected nil
-					return
-				}
 				t.Fatal("nil roots")
 			}
 
diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go
index 085b12c001..388156e209 100644
--- a/src/crypto/x509/x509_test.go
+++ b/src/crypto/x509/x509_test.go
@@ -1656,9 +1656,6 @@ func TestSystemCertPool(t *testing.T) {
 	if runtime.GOOS == "windows" {
 		t.Skip("not implemented on Windows; Issue 16736, 18609")
 	}
-	if runtime.GOOS == "nacl" {
-		t.Skip("not implemented on NaCl; Issue 24561")
-	}
 	a, err := SystemCertPool()
 	if err != nil {
 		t.Fatal(err)
-- 
2.50.0