crypto/x509: Certificate.Verify does not consistently return UnknownAuthorityError #58777
Labels: NeedsInvestigation
What version of Go are you using (`go version`)?

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (`go env`)?

What did you do?

I made three certificates - root, intermediate, and leaf. The intermediate is already expired. I then ran `Certificate.Verify` on the leaf certificate.

https://go.dev/play/p/WIWEm7L0Bel
What did you expect to see?

I expected to get back an `x509.CertificateInvalidError` wrapped inside an `x509.UnknownAuthorityError`.

What did you see instead?

I got back an unwrapped `x509.CertificateInvalidError`. Consequently, the resulting error message has insufficient context.

This is due to a scoping/shadowing bug in `Certificate.buildChains`.

go/src/crypto/x509/verify.go, lines 926 to 933 in dd16258

That `err` is the named return value from the outer scope. So at the end of the function, because it is non-nil, it is never wrapped.

go/src/crypto/x509/verify.go, lines 955 to 957 in dd16258
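
A simplified model of the control flow this issue describes, added here as an example; it is not the crypto/x509 source and not the playground program linked above. The error types, the `buggy` switch and the `results` parameter are hypothetical stand-ins, and the non-buggy branch is one possible correction, not necessarily the fix Go adopted.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical stand-ins for x509.CertificateInvalidError and
// x509.UnknownAuthorityError; these are not the real crypto/x509 types.
type invalidError struct{ reason string }

func (e invalidError) Error() string { return "invalid certificate: " + e.reason }

type unknownAuthorityError struct{ hint error }

func (e unknownAuthorityError) Error() string {
	return fmt.Sprintf("unknown authority (possibly because of %v)", e.hint)
}

// buildChains models the function named in the issue. results holds the
// validity-check outcome for each candidate parent (nil means valid). With
// buggy set, a failed check is stored in the named return value err, so the
// final "err == nil" guard is false and the wrapping step never runs.
func buildChains(results []error, buggy bool) (chains int, err error) {
	var hint error
	for _, vErr := range results {
		if buggy {
			err = vErr // leaks into the named return value
		} else if vErr != nil && hint == nil {
			hint = vErr // kept local, used only as context
		}
		if vErr == nil {
			chains++
		}
	}
	if chains == 0 && err == nil {
		err = unknownAuthorityError{hint: hint}
	}
	return chains, err
}

func main() {
	expired := []error{invalidError{"certificate has expired"}} // constructed input
	for _, buggy := range []bool{true, false} {
		_, err := buildChains(expired, buggy)
		var ua unknownAuthorityError
		fmt.Printf("buggy=%v wrapped=%v err=%v\n", buggy, errors.As(err, &ua), err)
	}
}
```

Callers that branch on the error type with `errors.As` take a different path in the two cases, which is why the missing wrapper matters beyond the message text.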