1
0
mirror of https://github.com/golang/go synced 2024-11-26 09:58:04 -07:00

crypto/x509: tolerate multiple matching chains in testVerify

Due to the semantics of roots, a root store may contain two valid roots
that have the same subject (but different SPKIs) at the asme time. As
such in testVerify it is possible that when we verify a certificate we
may get two chains that has the same stringified representation.

Rather than doing something fancy to include keys (which is just overly
complicated), tolerate multiple matches.

Fixes #60925

Change-Id: I5f51f7635801762865a536bcb20ec75f217a36ea
Reviewed-on: https://go-review.googlesource.com/c/go/+/505035
Reviewed-by: Heschi Kreinick <heschi@google.com>
Run-TryBot: Roland Shoemaker <roland@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
This commit is contained in:
Roland Shoemaker 2023-06-21 14:43:05 -07:00 committed by Gopher Robot
parent 78c3aba470
commit 20313660f5

View File

@ -512,22 +512,21 @@ func testVerify(t *testing.T, test verifyTest, useSystemRoots bool) {
return true
}
// Every expected chain should match 1 returned chain
// Every expected chain should match one (or more) returned chain. We tolerate multiple
// matches, as due to root store semantics it is plausible that (at least on the system
// verifiers) multiple identical (looking) chains may be returned when two roots with the
// same subject are present.
for _, expectedChain := range test.expectedChains {
nChainMatched := 0
var match bool
for _, chain := range chains {
if doesMatch(expectedChain, chain) {
nChainMatched++
match = true
break
}
}
if nChainMatched != 1 {
t.Errorf("Got %v matches instead of %v for expected chain %v", nChainMatched, 1, expectedChain)
for _, chain := range chains {
if doesMatch(expectedChain, chain) {
t.Errorf("\t matched %v", chainToDebugString(chain))
}
}
if !match {
t.Errorf("No match found for %v", expectedChain)
}
}