From 6b255b8a08a95dd30debd6cd5fb49b30fe8fdc71 Mon Sep 17 00:00:00 2001
From: Zoran Regvart
Date: Thu, 5 Jun 2025 14:44:02 +0200
Subject: [PATCH] fix TLS tests on newer go versions and MacOS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The TLS tests in `ssl_test.go` assert that specific errors are reported for specific situations. This fails on newer (1.20+) versions of go since `tls.CertificateVerificationError` is returned instead of the expected, contrary to older versions where `x509.UnknownAuthorityError` or `x509.HostnameError` would be returned. This maintains the same assertions on go < 1.20, and allows for the new error on go >= 1.20. In addition to that, on MacOS the error string `x509: “postgres” certificate is not standards compliant` is returned instead of any of these, this seems to be due to the version of OpenSSL provided by MacOS, see https://github.com/golang/go/issues/51991 for details.

---
 ssl_test.go | 14 +++-----------
 ssl_test_go20minus.go | 31 +++++++++++++++++++++++++++++++
 ssl_test_go20plus.go | 30 ++++++++++++++++++++++++++++++
 3 files changed, 64 insertions(+), 11 deletions(-)
 create mode 100644 ssl_test_go20minus.go
 create mode 100644 ssl_test_go20plus.go

diff --git a/ssl_test.go b/ssl_test.go
index 4c631b81..25a3f980 100644
--- a/ssl_test.go
+++ b/ssl_test.go
@@ -87,15 +87,7 @@ func TestSSLVerifyFull(t *testing.T) {
 if err == nil {
 t.Fatal("expected error")
 }
- {
- var x509err x509.UnknownAuthorityError
- if !errors.As(err, &x509err) {
- var x509err x509.HostnameError
- if !errors.As(err, &x509err) {
- t.Fatalf("expected x509.UnknownAuthorityError or x509.HostnameError, got %#+v", err)
- }
- }
- }
+ assertInvalidCertificate(t, err)
 
 rootCertPath := filepath.Join(os.Getenv("PQSSLCERTTEST_PATH"), "root.crt")
 rootCert := "sslrootcert=" + rootCertPath + " "
@@ -172,7 +164,7 @@ func TestSSLVerifyCA(t *testing.T) {
 {
 _, err := openSSLConn(t, "host=postgres sslmode=verify-ca user=pqgossltest")
 var x509err x509.UnknownAuthorityError
- if !errors.As(err, &x509err) {
+ if !errors.As(err, &x509err) && err.Error() != errMacOsCertificateNotCompliant {
 t.Fatalf("expected %T, got %#+v", x509.UnknownAuthorityError{}, err)
 }
 }
@@ -181,7 +173,7 @@ func TestSSLVerifyCA(t *testing.T) {
 {
 _, err := openSSLConn(t, "host=postgres sslmode=verify-ca user=pqgossltest sslrootcert=''")
 var x509err x509.UnknownAuthorityError
- if !errors.As(err, &x509err) {
+ if !errors.As(err, &x509err) && err.Error() != errMacOsCertificateNotCompliant {
 t.Fatalf("expected %T, got %#+v", x509.UnknownAuthorityError{}, err)
 }
 }
diff --git a/ssl_test_go20minus.go b/ssl_test_go20minus.go
new file mode 100644
index 00000000..8878b8a5
--- /dev/null
+++ b/ssl_test_go20minus.go
@@ -0,0 +1,31 @@
+//go:build !go1.20
+// +build !go1.20
+
+package pq
+
+import (
+ "crypto/x509"
+ "testing"
+)
+
+const (
+ // Error specific to MacOS when certificate is missing SCT, see
+ // https://github.com/golang/go/issues/51991
+ // Validating such certificate always results with this error first
+ errMacOsCertificateNotCompliant = `x509: “postgres” certificate is not standards compliant`
+)
+
+func assertInvalidCertificate(t *testing.T, err error) {
+ if err.Error() == errMacOsCertificateNotCompliant {
+ return
+ }
+
+ switch x := err.(type) {
+ case x509.UnknownAuthorityError:
+ break
+ case x509.HostnameError:
+ break
+ default:
+ t.Fatalf("expected x509.UnknownAuthorityError, x509.HostnameError, got %#+v", x)
+ }
+}
diff --git a/ssl_test_go20plus.go b/ssl_test_go20plus.go
new file mode 100644
index 00000000..26729451
--- /dev/null
+++ b/ssl_test_go20plus.go
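Review bot: The new condition in TestSSLVerifyCA evaluates `err.Error()` whenever `errors.As` does not match, so if openSSLConn unexpectedly succeeds and returns a nil error the test now panics with a nil dereference instead of failing with the Fatalf message the previous check produced (`errors.As(nil, …)` is simply false). Guard the nil case first, `if err == nil || !errors.As(err, &x509err) && err.Error() != errMacOsCertificateNotCompliant {` (`&&` binds tighter than `||`, so the existing clause is unchanged). The identical change in the second hunk at -181/+173 has the same problem. Comparing the whole message also ties the test to the certificate's "postgres" subject and the exact Go wording; that is acceptable for a test but worth a comment at the call site. TestSSLVerifyCA starts and ends outside both hunks.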
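Review bot: assertInvalidCertificate in ssl_test_go20minus.go calls `err.Error()` before checking for nil, and matches the error with a bare `err.(type)` switch rather than the `errors.As` that the check it replaces in TestSSLVerifyFull (and the remaining checks in TestSSLVerifyCA) use, so a wrapped x509 error that used to be accepted now lands in the default branch. It also lacks `t.Helper()`, so a failure is reported at the helper's line rather than the calling test's. Keeping `errors.As` (which needs `"errors"` added to the file's import block), adding a nil guard and `t.Helper()` makes the pre-1.20 helper equivalent to the inline code it replaces; the `break` statements are redundant in a Go switch.
```go
func assertInvalidCertificate(t *testing.T, err error) {
	t.Helper()
	if err == nil {
		t.Fatal("expected a certificate verification error, got nil")
	}
	// macOS reports this message before any typed x509 error, see golang/go#51991.
	if err.Error() == errMacOsCertificateNotCompliant {
		return
	}
	var unknownAuthority x509.UnknownAuthorityError
	var hostnameMismatch x509.HostnameError
	if !errors.As(err, &unknownAuthority) && !errors.As(err, &hostnameMismatch) {
		t.Fatalf("expected x509.UnknownAuthorityError, x509.HostnameError, got %#+v", err)
	}
}
```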
@@ -0,0 +1,30 @@
+//go:build go1.20
+// +build go1.20
+
+package pq
+
+import (
+ "crypto/tls"
+ "crypto/x509"
+ "testing"
+)
+
+const (
+ // Error specific to MacOS when certificate is missing SCT, see
+ // https://github.com/golang/go/issues/51991
+ // Validating such certificate always results with this error first
+ errMacOsCertificateNotCompliant = `x509: “postgres” certificate is not standards compliant`
+)
+
+func assertInvalidCertificate(t *testing.T, err error) {
+ switch x := err.(type) {
+ case x509.UnknownAuthorityError:
+ break
+ case x509.HostnameError:
+ break
+ case *tls.CertificateVerificationError:
+ break
+ default:
+ t.Fatalf("expected x509.UnknownAuthorityError, x509.HostnameError or tls.CertificateVerificationError (go 1.20+), got %#+v", x)
+ }
+}
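Review bot: Accepting any `*tls.CertificateVerificationError` makes the Go 1.20+ assertion weaker than the pre-1.20 one: TestSSLVerifyFull no longer distinguishes an unknown-authority or hostname-mismatch rejection from any other verification failure, which is the property the removed inline check pinned. `tls.CertificateVerificationError` keeps the underlying x509 error in its `Err` field and unwraps to it, so presumably `errors.As` on the wrapped error would still match the original types on Linux; it is worth confirming whether the 1.20+ failure in the commit message reproduces outside macOS before relaxing the check. If the wrapper must be accepted, branch on its cause instead of on the wrapper alone: `case *tls.CertificateVerificationError:` followed by `assertInvalidCertificate(t, x.Err)`, with the same `if err.Error() == errMacOsCertificateNotCompliant { return }` guard at the top as in ssl_test_go20minus.go so the recursive call still tolerates the macOS message. The helper also wants `t.Helper()` and a nil guard as in the sibling file, and the `break` statements are redundant.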