crypto/x509: prevent chain cycles in Verify
It's possible to include a self-signed root certificate as an
intermediate and push Verify into a loop.
I already had a test for this so I thought that it was ok, but it
turns out that the test was void because the Verisign root certificate
doesn't contain the "IsCA" flag and so it wasn't an acceptable
intermediate certificate for that reason.
R=bradfitz
CC=golang-dev
https://golang.org/cl/4657080
diff --git a/src/pkg/crypto/x509/verify_test.go b/src/pkg/crypto/x509/verify_test.go
index 7a63118..111f60e 100644
--- a/src/pkg/crypto/x509/verify_test.go
+++ b/src/pkg/crypto/x509/verify_test.go
@@ -72,16 +72,6 @@
},
},
{
- leaf: googleLeaf,
- intermediates: []string{verisignRoot, thawteIntermediate},
- roots: []string{verisignRoot},
- currentTime: 1302726541,
-
- expectedChains: [][]string{
- []string{"Google", "Thawte", "VeriSign"},
- },
- },
- {
leaf: dnssecExpLeaf,
intermediates: []string{startComIntermediate},
roots: []string{startComRoot},
@@ -91,6 +81,17 @@
[]string{"dnssec-exp", "StartCom Class 1", "StartCom Certification Authority"},
},
},
+ {
+ leaf: dnssecExpLeaf,
+ intermediates: []string{startComIntermediate, startComRoot},
+ roots: []string{startComRoot},
+ currentTime: 1302726541,
+
+ expectedChains: [][]string{
+ []string{"dnssec-exp", "StartCom Class 1", "StartCom Certification Authority"},
+ []string{"dnssec-exp", "StartCom Class 1", "StartCom Certification Authority", "StartCom Certification Authority"},
+ },
+ },
}
func expectHostnameError(t *testing.T, i int, err os.Error) (ok bool) {
