Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/x509: TestSystemRoots failing when keychain contains expired or untrusted certificates #29497

akamensky opened this issue Jan 2, 2019 · 2 comments


Copy link

@akamensky akamensky commented Jan 2, 2019

What version of Go are you using (go version)?

go version devel +204a8f5 Tue Jan 1 20:15:48 2019 +0000 darwin/amd64

Does this issue reproduce with the latest release?

reproduced using git tip

What operating system and processor architecture are you using (go env)?

macos 10.14.2
with expired certificate in keychain (certificate comes from corporate wi-fi network that requires their cert deployed to machine

What did you do?

1. Get source code $ git clone
2. Build and test code $ cd go/src && ./all.bash

What did you expect to see?

All tests passed

What did you see instead?

crypto/x509 test fails, although those certificates should not be affecting tests... At least I would imagine they should not affect that.

--- FAIL: TestSystemRoots (1.31s)
    root_darwin_test.go:34:     cgo sys roots: 680.554535ms
    root_darwin_test.go:35: non-cgo sys roots: 563.203215ms
    root_darwin_test.go:74: certificate only present in non-cgo pool:,OU=IT Center,O=China Vanke,L=Shen Zhen,ST=Guang Dong,C=CN (verify error: x509: certificate has expired or is not yet valid)
    root_darwin_test.go:76: signed certificate only present in non-cgo pool (acceptable): CN=Developer ID Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
FAIL	crypto/x509	3.412s

Deleting failed certificates from keychain passes the test.

@FiloSottile FiloSottile changed the title Tests failing when keychain contains expired or untrusted certificates crypto/x509: TestSystemRoots failing when keychain contains expired or untrusted certificates Jan 2, 2019
@FiloSottile FiloSottile self-assigned this Jan 2, 2019
@FiloSottile FiloSottile added the NeedsFix label Jan 2, 2019
@FiloSottile FiloSottile added this to the Go1.12 milestone Jan 2, 2019
Copy link

@FiloSottile FiloSottile commented Jan 2, 2019

Thanks for reporting this.

The problem here is a compound issue: the no-cgo path lets in certificates that are in the root store, not marked as roots themselves, and signed by a root (because the hack we use to validate roots does not allow us to distinguish them from real roots); the cgo path correctly excludes them. The test which compares cgo and no-cgo results tries to ignore them by ignoring certificates which pass validation, but being expired breaks that.

I will try again to think about how to fix the underlying issue, and otherwise add hacks to the test.

Copy link

@gopherbot gopherbot commented Jan 5, 2019

Change mentions this issue: crypto/x509: ignore harmless edge case in TestSystemRoots

@gopherbot gopherbot closed this in 35f4ec1 Jan 5, 2019
@golang golang locked and limited conversation to collaborators Jan 5, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants
You can’t perform that action at this time.