diff --git a/ssl_test.go b/ssl_test.go
index 4c631b81..25a3f980 100644
--- a/ssl_test.go
+++ b/ssl_test.go
@@ -87,15 +87,7 @@ func TestSSLVerifyFull(t *testing.T) {
 if err == nil {
 t.Fatal("expected error")
 }
- {
- var x509err x509.UnknownAuthorityError
- if !errors.As(err, &x509err) {
- var x509err x509.HostnameError
- if !errors.As(err, &x509err) {
- t.Fatalf("expected x509.UnknownAuthorityError or x509.HostnameError, got %#+v", err)
- }
- }
- }
+ assertInvalidCertificate(t, err)
 rootCertPath := filepath.Join(os.Getenv("PQSSLCERTTEST_PATH"), "root.crt")
 rootCert := "sslrootcert=" + rootCertPath + " "
@@ -172,7 +164,7 @@ func TestSSLVerifyCA(t *testing.T) {
 {
 _, err := openSSLConn(t, "host=postgres sslmode=verify-ca user=pqgossltest")
 var x509err x509.UnknownAuthorityError
- if !errors.As(err, &x509err) {
+ if !errors.As(err, &x509err) && err.Error() != errMacOsCertificateNotCompliant {
 t.Fatalf("expected %T, got %#+v", x509.UnknownAuthorityError{}, err)
 }
 }
@@ -181,7 +173,7 @@ func TestSSLVerifyCA(t *testing.T) {
 {
 _, err := openSSLConn(t, "host=postgres sslmode=verify-ca user=pqgossltest sslrootcert=''")
 var x509err x509.UnknownAuthorityError
- if !errors.As(err, &x509err) {
+ if !errors.As(err, &x509err) && err.Error() != errMacOsCertificateNotCompliant {
 t.Fatalf("expected %T, got %#+v", x509.UnknownAuthorityError{}, err)
 }
 }
diff --git a/ssl_test_go20minus.go b/ssl_test_go20minus.go
new file mode 100644
index 00000000..8878b8a5
--- /dev/null
+++ b/ssl_test_go20minus.go
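Review bot: In the two `TestSSLVerifyCA` hunks of ssl_test.go, the added `err.Error()` is evaluated when `err` is nil, because `errors.As` returns false for a nil error; if the `verify-ca` connection unexpectedly succeeds, the test now panics on a nil dereference instead of reporting `expected %T, got ...`. An accepted untrusted certificate is exactly what these negative tests exist to catch, so guard the nil case first: `if err == nil || (!errors.As(err, &x509err) && err.Error() != errMacOsCertificateNotCompliant) {`. Comparing the whole message also ties the test to the host name and the typographic quotes in the string, so a substring match on `certificate is not standards compliant` would be less brittle. Both blocks sit inside `TestSSLVerifyCA`, whose body starts and ends outside these hunks.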
@@ -0,0 +1,31 @@
+//go:build !go1.20
+// +build !go1.20
+
+package pq
+
+import (
+ "crypto/x509"
+ "testing"
+)
+
+const (
+ // Error specific to MacOS when certificate is missing SCT, see
+ // https://github.com/golang/go/issues/51991
+ // Validating such certificate always results with this error first
+ errMacOsCertificateNotCompliant = `x509: “postgres” certificate is not standards compliant`
+)
+
+func assertInvalidCertificate(t *testing.T, err error) {
+ if err.Error() == errMacOsCertificateNotCompliant {
+ return
+ }
+
+ switch x := err.(type) {
+ case x509.UnknownAuthorityError:
+ break
+ case x509.HostnameError:
+ break
+ default:
+ t.Fatalf("expected x509.UnknownAuthorityError, x509.HostnameError, got %#+v", x)
+ }
+}
diff --git a/ssl_test_go20plus.go b/ssl_test_go20plus.go
new file mode 100644
index 00000000..26729451
--- /dev/null
+++ b/ssl_test_go20plus.go
@@ -0,0 +1,30 @@
+//go:build go1.20
+// +build go1.20
+
+package pq
+
+import (
+ "crypto/tls"
+ "crypto/x509"
+ "testing"
+)
+
+const (
+ // Error specific to MacOS when certificate is missing SCT, see
+ // https://github.com/golang/go/issues/51991
+ // Validating such certificate always results with this error first
+ errMacOsCertificateNotCompliant = `x509: “postgres” certificate is not standards compliant`
+)
+
+func assertInvalidCertificate(t *testing.T, err error) {
+ switch x := err.(type) {
+ case x509.UnknownAuthorityError:
+ break
+ case x509.HostnameError:
+ break
+ case *tls.CertificateVerificationError:
+ break
+ default:
+ t.Fatalf("expected x509.UnknownAuthorityError, x509.HostnameError or tls.CertificateVerificationError (go 1.20+), got %#+v", x)
+ }
+}
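Review bot: ssl_test_go20minus.go (and likewise ssl_test_go20plus.go) does not end in `_test.go`, so as named the go tool treats it as an ordinary package file: `assertInvalidCertificate` and the `testing` import would be compiled into package `pq` for every consumer rather than only under `go test`. Renaming the files so the suffix is `_test.go` (for example `ssl_go20minus_test.go`) keeps the helper out of the shipped library. In this file the type switch also matches only an unwrapped error, whereas the inline check it replaces in `TestSSLVerifyFull` used `errors.As`; `var ua x509.UnknownAuthorityError; var hn x509.HostnameError` followed by `if !errors.As(err, &ua) && !errors.As(err, &hn) { t.Fatalf(...) }` would keep that behaviour (it needs the `errors` import). Adding `t.Helper()` as the first statement makes failures point at the calling test.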
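Review bot: In ssl_test_go20plus.go, `case *tls.CertificateVerificationError: break` accepts any certificate verification failure, so `TestSSLVerifyFull` no longer checks that the handshake was rejected for an unknown authority or a host name mismatch; an expired or otherwise invalid certificate would satisfy it too. `tls.CertificateVerificationError` implements `Unwrap`, so `errors.As` against `x509.UnknownAuthorityError` and `x509.HostnameError` can still identify the cause on Go 1.20+. If the catch-all is meant for the macOS case described in the comment, limit it to that message on the wrapped error instead of accepting the whole type. The `errMacOsCertificateNotCompliant` constant is not referenced in this file and is declared identically in both build-tagged files, so it could live once in ssl_test.go.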