diff options
author | Filippo Valsorda <filippo@golang.org> | 2019-01-04 19:09:01 -0500 |
---|---|---|
committer | Filippo Valsorda <filippo@golang.org> | 2019-01-05 00:35:02 +0000 |
commit | 303a596d8cf2e96d27d60288fca690e1703c0dd9 (patch) | |
tree | e22ee35e8079b6e168e415f2bb01a0879bb197a0 | |
parent | 28fb8c69871ff3edecb0951e50f7caf38943ec5d (diff) | |
download | go-303a596d8cf2e96d27d60288fca690e1703c0dd9.tar.gz go-303a596d8cf2e96d27d60288fca690e1703c0dd9.zip |
crypto/x509: ignore 5 phantom 1024-bit roots in TestSystemRoots
On macOS 10.11, but not 10.10 and 10.12, the C API returns 5 old root
CAs which are not in SystemRootCertificates.keychain (but seem to be in
X509Anchors and maybe SystemCACertificates.keychain, along with many
others that the C API does not return). They all are moribund 1024-bit
roots which are now gone from the Apple store.
Since we can't seem to find a way to make the no-cgo code see them,
ignore them rather than skipping the test.
Fixes #21416
Change-Id: I24ff0461f71cec953b888a60b05b99bc37dad2ed
Reviewed-on: https://go-review.googlesource.com/c/156329
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
-rw-r--r-- | src/crypto/x509/root_darwin_test.go | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/src/crypto/x509/root_darwin_test.go b/src/crypto/x509/root_darwin_test.go index 2780653812..5ad19d72cd 100644 --- a/src/crypto/x509/root_darwin_test.go +++ b/src/crypto/x509/root_darwin_test.go @@ -5,6 +5,7 @@ package x509 import ( + "crypto/rsa" "os" "os/exec" "path/filepath" @@ -104,6 +105,14 @@ func TestSystemRoots(t *testing.T) { continue } + // On 10.11 there are five unexplained roots that only show up from the + // C API. They have in common the fact that they are old, 1024-bit + // certificates. It's arguably better to ignore them anyway. + if key, ok := c.PublicKey.(*rsa.PublicKey); ok && key.N.BitLen() == 1024 { + t.Logf("1024-bit certificate only present in cgo pool (acceptable): %v", c.Subject) + continue + } + t.Errorf("certificate only present in cgo pool: %v", c.Subject) } |