crypto/x509: don't crash with nil receiver in accessor method

Fixes #2600

R=golang-dev, agl, rsc
CC=golang-dev
https://golang.org/cl/5500064

src/pkg/crypto/x509/cert_pool.go

@@ -28,6 +28,9 @@ func NewCertPool() *CertPool {
 // given certificate. If no such certificate can be found or the signature
 // doesn't match, it returns nil.
 func (s *CertPool) findVerifiedParents(cert *Certificate) (parents []int) {
+	if s == nil {
+		return
+	}
 	var candidates []int
 
 	if len(cert.AuthorityKeyId) > 0 {

src/pkg/crypto/x509/verify_test.go

@@ -19,6 +19,7 @@ type verifyTest struct {
 	roots         []string
 	currentTime   int64
 	dnsName       string
+	nilRoots      bool
 
 	errorCallback  func(*testing.T, int, error) bool
 	expectedChains [][]string
@@ -45,6 +46,14 @@ var verifyTests = []verifyTest{
 
 		errorCallback: expectHostnameError,
 	},
+	{
+		leaf:          googleLeaf,
+		intermediates: []string{thawteIntermediate},
+		nilRoots:      true, // verifies that we don't crash
+		currentTime:   1302726541,
+		dnsName:       "www.google.com",
+		errorCallback: expectAuthorityUnknown,
+	},
 	{
 		leaf:          googleLeaf,
 		intermediates: []string{thawteIntermediate},
@@ -136,6 +145,9 @@ func TestVerify(t *testing.T) {
 			DNSName:       test.dnsName,
 			CurrentTime:   time.Unix(test.currentTime, 0),
 		}
+		if test.nilRoots {
+			opts.Roots = nil
+		}
 
 		for j, root := range test.roots {
 			ok := opts.Roots.AppendCertsFromPEM([]byte(root))