diff options
| author | Roland Shoemaker <roland@golang.org> | 2023-06-21 14:43:05 -0700 |
|---|---|---|
| committer | Gopher Robot <gobot@golang.org> | 2023-06-22 16:47:24 +0000 |
| commit | 20313660f5f3a87dfd9074c4061c521fa25fcd32 (patch) | |
| tree | 30c3e5298f981d4251206b1ac84e61dd49b5fb57 | |
| parent | 78c3aba4704c86874c36e61224966e7e07706bc0 (diff) | |
| download | go-20313660f5f3a87dfd9074c4061c521fa25fcd32.tar.gz go-20313660f5f3a87dfd9074c4061c521fa25fcd32.zip | |
crypto/x509: tolerate multiple matching chains in testVerify
Due to the semantics of roots, a root store may contain two valid roots
that have the same subject (but different SPKIs) at the asme time. As
such in testVerify it is possible that when we verify a certificate we
may get two chains that has the same stringified representation.
Rather than doing something fancy to include keys (which is just overly
complicated), tolerate multiple matches.
Fixes #60925
Change-Id: I5f51f7635801762865a536bcb20ec75f217a36ea
Reviewed-on: https://go-review.googlesource.com/c/go/+/505035
Reviewed-by: Heschi Kreinick <heschi@google.com>
Run-TryBot: Roland Shoemaker <roland@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
| -rw-r--r-- | src/crypto/x509/verify_test.go | 19 |
1 files changed, 9 insertions, 10 deletions
diff --git a/src/crypto/x509/verify_test.go b/src/crypto/x509/verify_test.go index ce6605d972..3551b470ce 100644 --- a/src/crypto/x509/verify_test.go +++ b/src/crypto/x509/verify_test.go @@ -512,22 +512,21 @@ func testVerify(t *testing.T, test verifyTest, useSystemRoots bool) { return true } - // Every expected chain should match 1 returned chain + // Every expected chain should match one (or more) returned chain. We tolerate multiple + // matches, as due to root store semantics it is plausible that (at least on the system + // verifiers) multiple identical (looking) chains may be returned when two roots with the + // same subject are present. for _, expectedChain := range test.expectedChains { - nChainMatched := 0 + var match bool for _, chain := range chains { if doesMatch(expectedChain, chain) { - nChainMatched++ + match = true + break } } - if nChainMatched != 1 { - t.Errorf("Got %v matches instead of %v for expected chain %v", nChainMatched, 1, expectedChain) - for _, chain := range chains { - if doesMatch(expectedChain, chain) { - t.Errorf("\t matched %v", chainToDebugString(chain)) - } - } + if !match { + t.Errorf("No match found for %v", expectedChain) } } |