crypto/x509: ignore harmless edge case in TestSystemRoots

The no-cgo validation hack lets in certificates from the root store that
are not marked as roots themselves, but are signed by a root; the cgo
path correctly excludes them. When TestSystemRoots compares cgo and
no-cgo results it tries to ignore them by ignoring certificates which
pass validation, but expired certificates were failing validation.

Letting through expired certs is harmless anyway because we will refuse
to build chains to them.

Fixes #29497

Change-Id: I341e50c0f3426de2763468672f9ba1d13ad6cfba
Reviewed-on: https://go-review.googlesource.com/c/156330
Reviewed-by: Brad Fitzpatrick <[email protected]>

Author: FiloSottile

src/crypto/x509/root_darwin_test.go

@@ -64,13 +64,15 @@ func TestSystemRoots(t *testing.T) {
 		if _, ok := sysPool[string(c.Raw)]; ok {
 			delete(sysPool, string(c.Raw))
 		} else {
-			// verify-cert lets in certificates that are not trusted roots, but are
-			// signed by trusted roots. This should not be a problem, so confirm that's
-			// the case and skip them.
+			// verify-cert lets in certificates that are not trusted roots, but
+			// are signed by trusted roots. This is not great, but unavoidable
+			// until we parse real policies without cgo, so confirm that's the
+			// case and skip them.
 			if _, err := c.Verify(VerifyOptions{
 				Roots:         sysRoots,
 				Intermediates: allCerts,
 				KeyUsages:     []ExtKeyUsage{ExtKeyUsageAny},
+				CurrentTime:   c.NotBefore, // verify-cert does not check expiration
 			}); err != nil {
 				t.Errorf("certificate only present in non-cgo pool: %v (verify error: %v)", c.Subject, err)
 			} else {