cybercyst/go
1
0
Fork 0
mirror of https://github.com/golang/go.git synced 2025-05-23 08:21:24 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

crypto/x509: ignore 5 phantom 1024-bit roots in TestSystemRoots

Browse Source 
On macOS 10.11, but not 10.10 and 10.12, the C API returns 5 old root
CAs which are not in SystemRootCertificates.keychain (but seem to be in
X509Anchors and maybe SystemCACertificates.keychain, along with many
others that the C API does not return). They all are moribund 1024-bit
roots which are now gone from the Apple store.

Since we can't seem to find a way to make the no-cgo code see them,
ignore them rather than skipping the test.

Fixes #21416

Change-Id: I24ff0461f71cec953b888a60b05b99bc37dad2ed
Reviewed-on: https://go-review.googlesource.com/c/156329
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
This commit is contained in:
Filippo Valsorda 2019-01-04 19:09:01 -05:00
parent 28fb8c6987
commit 303a596d8c
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/crypto/x509/root_darwin_test.go
View File

@ -5,6 +5,7 @@
package x509 package x509
import ( import (
"crypto/rsa"
"os" "os"
"os/exec" "os/exec"
"path/filepath" "path/filepath"
@ -104,6 +105,14 @@ func TestSystemRoots(t *testing.T) {
continue continue
} }
// On 10.11 there are five unexplained roots that only show up from the
// C API. They have in common the fact that they are old, 1024-bit
// certificates. It's arguably better to ignore them anyway.
if key, ok := c.PublicKey.(*rsa.PublicKey); ok && key.N.BitLen() == 1024 {
t.Logf("1024-bit certificate only present in cgo pool (acceptable): %v", c.Subject)
continue
}
t.Errorf("certificate only present in cgo pool: %v", c.Subject) t.Errorf("certificate only present in cgo pool: %v", c.Subject)
} }