diff options
author | Roland Shoemaker <roland@golang.org> | 2023-06-21 14:43:05 -0700 |
---|---|---|
committer | Gopher Robot <gobot@golang.org> | 2023-06-22 18:46:41 +0000 |
commit | bca817594cd189d564deda08f0ed401485ba89b3 (patch) | |
tree | 5a3c7c231a6176de16dc2f45109277605f688606 | |
parent | b8e67d1dddf0aad3ef997c3ffc10e97cc978b09b (diff) | |
download | go-bca817594cd189d564deda08f0ed401485ba89b3.tar.gz go-bca817594cd189d564deda08f0ed401485ba89b3.zip |
[release-branch.go1.20] crypto/x509: tolerate multiple matching chains in testVerify
Due to the semantics of roots, a root store may contain two valid roots
that have the same subject (but different SPKIs) at the asme time. As
such in testVerify it is possible that when we verify a certificate we
may get two chains that has the same stringified representation.
Rather than doing something fancy to include keys (which is just overly
complicated), tolerate multiple matches.
Updates #60925
Fixes #60947
Change-Id: I5f51f7635801762865a536bcb20ec75f217a36ea
Reviewed-on: https://go-review.googlesource.com/c/go/+/505035
Reviewed-by: Heschi Kreinick <heschi@google.com>
Run-TryBot: Roland Shoemaker <roland@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
(cherry picked from commit 20313660f5f3a87dfd9074c4061c521fa25fcd32)
Reviewed-on: https://go-review.googlesource.com/c/go/+/505275
Run-TryBot: Heschi Kreinick <heschi@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Auto-Submit: Heschi Kreinick <heschi@google.com>
-rw-r--r-- | src/crypto/x509/verify_test.go | 19 |
1 files changed, 9 insertions, 10 deletions
diff --git a/src/crypto/x509/verify_test.go b/src/crypto/x509/verify_test.go index 164c47fd6d..d4cbb822c4 100644 --- a/src/crypto/x509/verify_test.go +++ b/src/crypto/x509/verify_test.go @@ -500,22 +500,21 @@ func testVerify(t *testing.T, test verifyTest, useSystemRoots bool) { return true } - // Every expected chain should match 1 returned chain + // Every expected chain should match one (or more) returned chain. We tolerate multiple + // matches, as due to root store semantics it is plausible that (at least on the system + // verifiers) multiple identical (looking) chains may be returned when two roots with the + // same subject are present. for _, expectedChain := range test.expectedChains { - nChainMatched := 0 + var match bool for _, chain := range chains { if doesMatch(expectedChain, chain) { - nChainMatched++ + match = true + break } } - if nChainMatched != 1 { - t.Errorf("Got %v matches instead of %v for expected chain %v", nChainMatched, 1, expectedChain) - for _, chain := range chains { - if doesMatch(expectedChain, chain) { - t.Errorf("\t matched %v", chainToDebugString(chain)) - } - } + if !match { + t.Errorf("No match found for %v", expectedChain) } } |