crypto/x509: return a better error when we fail to load system roots.

R=golang-dev, krautz, rsc CC=golang-dev https://golang.org/cl/7157044

crypto/x509: return a better error when we fail to load system roots.
R=golang-dev, krautz, rsc CC=golang-dev https://golang.org/cl/7157044
5b5d3efc · Adam Langley · 0fb6f5f2 · 5b5d3efc · 5b5d3efc · 5b5d3efc
Commit 5b5d3efc authored Jan 21, 2013 by Adam Langley
7 changed files
--- a/src/pkg/crypto/x509/root_darwin.go
+++ b/src/pkg/crypto/x509/root_darwin.go
@@ -70,11 +70,12 @@ func initSystemRoots() {
 	var data C.CFDataRef = nil
 	err := C.FetchPEMRoots(&data)
-	if err != -1 {
+	if err == -1 {
-		defer C.CFRelease(C.CFTypeRef(data))
+		return
-		buf := C.GoBytes(unsafe.Pointer(C.CFDataGetBytePtr(data)), C.int(C.CFDataGetLength(data)))
-		roots.AppendCertsFromPEM(buf)
 	}
+	defer C.CFRelease(C.CFTypeRef(data))
+	buf := C.GoBytes(unsafe.Pointer(C.CFDataGetBytePtr(data)), C.int(C.CFDataGetLength(data)))
+	roots.AppendCertsFromPEM(buf)
 	systemRoots = roots
 }
--- a/src/pkg/crypto/x509/root_plan9.go
+++ b/src/pkg/crypto/x509/root_plan9.go
@@ -23,9 +23,11 @@ func initSystemRoots() {
 		data, err := ioutil.ReadFile(file)
 		if err == nil {
 			roots.AppendCertsFromPEM(data)
-			break
+			systemRoots = roots
+			return
 		}
 	}
-	systemRoots = roots
+	// All of the files failed to load. systemRoots will be nil which will
+	// trigger a specific error at verification time.
 }
--- a/src/pkg/crypto/x509/root_stub.go
+++ b/src/pkg/crypto/x509/root_stub.go
@@ -11,5 +11,4 @@ func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate
 }
 func initSystemRoots() {
-	systemRoots = NewCertPool()
 }
--- a/src/pkg/crypto/x509/root_unix.go
+++ b/src/pkg/crypto/x509/root_unix.go
@@ -27,9 +27,11 @@ func initSystemRoots() {
 		data, err := ioutil.ReadFile(file)
 		if err == nil {
 			roots.AppendCertsFromPEM(data)
-			break
+			systemRoots = roots
+			return
 		}
 	}
-	systemRoots = roots
+	// All of the files failed to load. systemRoots will be nil which will
+	// trigger a specific error at verification time.
 }
--- a/src/pkg/crypto/x509/root_windows.go
+++ b/src/pkg/crypto/x509/root_windows.go
@@ -226,5 +226,4 @@ func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate
 }
 func initSystemRoots() {
-	systemRoots = NewCertPool()
 }
--- a/src/pkg/crypto/x509/verify.go
+++ b/src/pkg/crypto/x509/verify.go
@@ -82,6 +82,14 @@ func (e UnknownAuthorityError) Error() string {
 	return "x509: certificate signed by unknown authority"
 }
+// SystemRootsError results when we fail to load the system root certificates.
+type SystemRootsError struct {
+}
+func (e SystemRootsError) Error() string {
+	return "x509: failed to load system roots and no roots provided"
+}
 // VerifyOptions contains parameters for Certificate.Verify. It's a structure
 // because other PKIX verification APIs have ended up needing many options.
 type VerifyOptions struct {
@@ -170,6 +178,9 @@ func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*Certificate, err e
 	if opts.Roots == nil {
 		opts.Roots = systemRootsPool()
+		if opts.Roots == nil {
+			return nil, SystemRootsError{}
+		}
 	}
 	err = c.isValid(leafCertificate, nil, &opts)

--- a/src/pkg/crypto/x509/verify_test.go
+++ b/src/pkg/crypto/x509/verify_test.go
@@ -15,19 +15,32 @@ import (
 )
 type verifyTest struct {
-	leaf          string
+	leaf                 string
-	intermediates []string
+	intermediates        []string
-	roots         []string
+	roots                []string
-	currentTime   int64
+	currentTime          int64
-	dnsName       string
+	dnsName              string
-	systemSkip    bool
+	systemSkip           bool
-	keyUsages     []ExtKeyUsage
+	keyUsages            []ExtKeyUsage
+	testSystemRootsError bool
 	errorCallback  func(*testing.T, int, error) bool
 	expectedChains [][]string
 }
 var verifyTests = []verifyTest{
+	{
+		leaf:                 googleLeaf,
+		intermediates:        []string{thawteIntermediate},
+		currentTime:          1302726541,
+		dnsName:              "www.google.com",
+		testSystemRootsError: true,
+		systemSkip:           true,
+		// Without any roots specified we should get a system roots
+		// error.
+		errorCallback: expectSystemRootsError,
+	},
 	{
 		leaf:          googleLeaf,
 		intermediates: []string{thawteIntermediate},
@@ -180,6 +193,14 @@ func expectAuthorityUnknown(t *testing.T, i int, err error) (ok bool) {
 	return true
 }
+func expectSystemRootsError(t *testing.T, i int, err error) bool {
+	if _, ok := err.(SystemRootsError); !ok {
+		t.Errorf("#%d: error was not SystemRootsError: %s", i, err)
+		return false
+	}
+	return true
+}
 func certificateFromPEM(pemBytes string) (*Certificate, error) {
 	block, _ := pem.Decode([]byte(pemBytes))
 	if block == nil {
@@ -226,8 +247,19 @@ func testVerify(t *testing.T, useSystemRoots bool) {
 			return
 		}
+		var oldSystemRoots *CertPool
+		if test.testSystemRootsError {
+			oldSystemRoots = systemRootsPool()
+			systemRoots = nil
+			opts.Roots = nil
+		}
 		chains, err := leaf.Verify(opts)
+		if test.testSystemRootsError {
+			systemRoots = oldSystemRoots
+		}
 		if test.errorCallback == nil && err != nil {
 			t.Errorf("#%d: unexpected error: %s", i, err)
 		}