docker / go-connections

Utility package to work with network connections
https://pkg.go.dev/github.com/docker/go-connections
Apache License 2.0

Investigate why `TestConfigServerExclusiveRootPools` is broken on Windows / MacOS builds #105

Open akerouanton opened 10 months ago

akerouanton commented 10 months ago

Both tests break with the following error:

```
Unable to verify certificate 1: x509: certificate signed by unknown authority
```

Certificate 1 being `systemRootTrustedCert`: https://github.com/docker/go-connections/blob/5cc4da5c08cd0df3e0a45da21ebd07e131109bd2/tlsconfig/config_test.go#L20-L41

As noted in the commit message of https://github.com/docker/go-connections/commit/d5807de501e8618bbfeacec1c7a5955df229c0f7:

> The `(*Certificate).Verify()` method from `crypto/x509` special-cases windows, darwin and ios GOOS to use an OS-specific verification process. This process seems to consider root CAs as invalid for some unknown reasons.

So either the syscall made by `Verify()` to retrieve the system-wide cert bundle returns an empty set, it's out-of-date, or something else happens.