[release-branch.go1.19] crypto/x509: fix broken tests

Convert TestUnknownAuthorityError to use subtests, avoiding continuing
the test after an unrecoverable failure.

Skip TestIssue51759 on pre-macOS 11 builders, which don't enforce the
behavior we were testing for. Also only enable the test on builders.

Updates #58791
Updates #58812
Fixes #58810

Change-Id: I4e3e5bc371aa139d38052184c8232f8cb564138f
Reviewed-on: https://go-review.googlesource.com/c/go/+/472496
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
(cherry picked from commit cf3d0655f8ca2de555549f6e8a91bf8654da7e6c)
Reviewed-on: https://go-review.googlesource.com/c/go/+/472617
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>

1 files changed, 34 insertions, 24 deletions

diff --git a/src/crypto/x509/verify_test.go b/src/crypto/x509/verify_test.go
index cd9f6a8788..164c47fd6d 100644
--- a/src/crypto/x509/verify_test.go
+++ b/src/crypto/x509/verify_test.go
@@ -1481,33 +1481,36 @@ ePBQCV1F9sE2q4ZrnsT9TZoNrSe/bMDjzA==
 -----END CERTIFICATE-----`
 
 var unknownAuthorityErrorTests = []struct {
+	name     string
 	cert     string
 	expected string
 }{
-	{selfSignedWithCommonName, "x509: certificate signed by unknown authority (possibly because of \"empty\" while trying to verify candidate authority certificate \"test\")"},
-	{selfSignedNoCommonNameWithOrgName, "x509: certificate signed by unknown authority (possibly because of \"empty\" while trying to verify candidate authority certificate \"ca\")"},
-	{selfSignedNoCommonNameNoOrgName, "x509: certificate signed by unknown authority (possibly because of \"empty\" while trying to verify candidate authority certificate \"serial:0\")"},
+	{"self-signed, cn", selfSignedWithCommonName, "x509: certificate signed by unknown authority (possibly because of \"empty\" while trying to verify candidate authority certificate \"test\")"},
+	{"self-signed, no cn, org", selfSignedNoCommonNameWithOrgName, "x509: certificate signed by unknown authority (possibly because of \"empty\" while trying to verify candidate authority certificate \"ca\")"},
+	{"self-signed, no cn, no org", selfSignedNoCommonNameNoOrgName, "x509: certificate signed by unknown authority (possibly because of \"empty\" while trying to verify candidate authority certificate \"serial:0\")"},
 }
 
 func TestUnknownAuthorityError(t *testing.T) {
 	for i, tt := range unknownAuthorityErrorTests {
-		der, _ := pem.Decode([]byte(tt.cert))
-		if der == nil {
-			t.Errorf("#%d: Unable to decode PEM block", i)
-		}
-		c, err := ParseCertificate(der.Bytes)
-		if err != nil {
-			t.Errorf("#%d: Unable to parse certificate -> %v", i, err)
-		}
-		uae := &UnknownAuthorityError{
-			Cert:     c,
-			hintErr:  fmt.Errorf("empty"),
-			hintCert: c,
-		}
-		actual := uae.Error()
-		if actual != tt.expected {
-			t.Errorf("#%d: UnknownAuthorityError.Error() response invalid actual: %s expected: %s", i, actual, tt.expected)
-		}
+		t.Run(tt.name, func(t *testing.T) {
+			der, _ := pem.Decode([]byte(tt.cert))
+			if der == nil {
+				t.Fatalf("#%d: Unable to decode PEM block", i)
+			}
+			c, err := ParseCertificate(der.Bytes)
+			if err != nil {
+				t.Fatalf("#%d: Unable to parse certificate -> %v", i, err)
+			}
+			uae := &UnknownAuthorityError{
+				Cert:     c,
+				hintErr:  fmt.Errorf("empty"),
+				hintCert: c,
+			}
+			actual := uae.Error()
+			if actual != tt.expected {
+				t.Errorf("#%d: UnknownAuthorityError.Error() response invalid actual: %s expected: %s", i, actual, tt.expected)
+			}
+		})
 	}
 }
 
@@ -1857,6 +1860,13 @@ func TestIssue51759(t *testing.T) {
 	if runtime.GOOS != "darwin" {
 		t.Skip("only affects darwin")
 	}
+	builder := testenv.Builder()
+	if builder == "" {
+		t.Skip("only run this test on the builders, as we have no reasonable way to gate tests on macOS versions elsewhere")
+	}
+	if builder == "darwin-amd64-10_14" || builder == "darwin-amd64-10_15" {
+		t.Skip("behavior only enforced in macOS 11 and after")
+	}
 	// badCertData contains a cert that we parse as valid
 	// but that macOS SecCertificateCreateWithData rejects.
 	const badCertData = "0\x82\x01U0\x82\x01\a\xa0\x03\x02\x01\x02\x02\x01\x020\x05\x06\x03+ep0R1P0N\x06\x03U\x04\x03\x13Gderpkey8dc58100b2493614ee1692831a461f3f4dd3f9b3b088e244f887f81b4906ac260\x1e\x17\r220112235755Z\x17\r220313235755Z0R1P0N\x06\x03U\x04\x03\x13Gderpkey8dc58100b2493614ee1692831a461f3f4dd3f9b3b088e244f887f81b4906ac260*0\x05\x06\x03+ep\x03!\x00bA\xd8e\xadW\xcb\xefZ\x89\xb5\"\x1eR\x9d\xba\x0e:\x1042Q@\u007f\xbd\xfb{ks\x04\xd1£\x020\x000\x05\x06\x03+ep\x03A\x00[\xa7\x06y\x86(\x94\x97\x9eLwA\x00\x01x\xaa\xbc\xbd Ê]\n(΅!ف0\xf5\x9a%I\x19<\xffo\xf1\xeaaf@\xb1\xa7\xaf\xfd\xe9R\xc7\x0f\x8d&\xd5\xfc\x0f;Ϙ\x82\x84a\xbc\r"
@@ -1867,9 +1877,9 @@ func TestIssue51759(t *testing.T) {
 
 	t.Run("leaf", func(t *testing.T) {
 		opts := VerifyOptions{}
-		expectedErr := errors.New("invalid leaf certificate")
+		expectedErr := "invalid leaf certificate"
 		_, err = badCert.Verify(opts)
-		if err.Error() != expectedErr.Error() {
+		if err == nil || err.Error() != expectedErr {
 			t.Fatalf("unexpected error: want %q, got %q", expectedErr, err)
 		}
 	})
@@ -1884,9 +1894,9 @@ func TestIssue51759(t *testing.T) {
 			Intermediates: NewCertPool(),
 		}
 		opts.Intermediates.AddCert(badCert)
-		expectedErr := errors.New("SecCertificateCreateWithData: invalid certificate")
+		expectedErr := "SecCertificateCreateWithData: invalid certificate"
 		_, err = goodCert.Verify(opts)
-		if err.Error() != expectedErr.Error() {
+		if err == nil || err.Error() != expectedErr {
 			t.Fatalf("unexpected error: want %q, got %q", expectedErr, err)
 		}
 	})