[go/fixchain] updated x509 lib doesn't verify roots

daviddrysdale · daviddrysdale · commit 4db169c32e28 · 2017-03-06T07:09:54.000Z
The Go 1.8 library doesn't verify root certificates that have been explicitly included in the roots pool. golang/go@8ad70a5
diff --git a/go/fixchain/fix_and_log_test.go b/go/fixchain/fix_and_log_test.go
@@ -82,18 +82,15 @@ var newFixAndLogTests = []fixAndLogTest{
 	},
 	// Tests that add chains to the FixAndLog using QueueAllCertsInChain()
 	{ // Full chain successfully logged.
-		// Note:  Verifying a root to itself results in an error.
-		// This is not an issue as the root will already be known to the log, and chains
-		// aren't required to contain the root.
 		url:   "https://ct.googleapis.com/pilot",
 		chain: []string{googleLeaf, thawteIntermediate, verisignRoot},
 
 		function: "QueueAllCertsInChain",
 		expLoggedChains: [][]string{
 			{"Google", "Thawte", "VeriSign"},
 			{"Thawte", "VeriSign"},
+			{"VeriSign"},
 		},
-		expectedErrs: []errorType{VerifyFailed, FixFailed},
 	},
 	{
 		url:   "https://ct.googleapis.com/pilot",
@@ -155,10 +152,10 @@ var newFixAndLogTests = []fixAndLogTest{
 		expLoggedChains: [][]string{
 			{"Google", "Thawte", "VeriSign"},
 			{"Thawte", "VeriSign"},
+			{"VeriSign"},
 		},
 		expectedErrs: []errorType{
 			VerifyFailed, FixFailed,
-			VerifyFailed, FixFailed,
 		},
 	},
 	{ // Garbled chain (with a leaf that has a chain to our roots)
