crypto/tls: add a test for running with broken certificates

Change-Id: Iaaa0bc449ce24c81f1052b89152c3b5a6a6a6964
Reviewed-on: https://go-review.googlesource.com/c/go/+/777880
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

src/crypto/tls/conn_test.go

@@ -124,6 +124,37 @@ func TestCertificateSelection(t *testing.T) {
 	}
 }
 
+// TestBrokenCertificateSkipped checks that a Certificate in Config.Certificates
+// whose leaf doesn't parse as X.509 doesn't prevent the next, valid certificate
+// from being selected. It exercises both the legacy BuildNameToCertificate path
+// and the SupportsCertificate-based selection.
+func TestBrokenCertificateSkipped(t *testing.T) {
+	brokenCert := Certificate{Certificate: [][]byte{[]byte("not a valid X.509 certificate")}}
+	for _, test := range []struct {
+		name       string
+		buildIndex bool
+	}{
+		{name: "BuildNameToCertificate", buildIndex: true},
+		{name: "SupportsCertificate", buildIndex: false},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			serverConfig := testConfigServer.Clone()
+			serverConfig.Certificates = []Certificate{brokenCert, testECDSAP256Cert}
+			if test.buildIndex {
+				serverConfig.BuildNameToCertificate()
+			}
+			clientConfig := testConfigClient.Clone()
+			_, cs, err := testHandshake(t, clientConfig, serverConfig)
+			if err != nil {
+				t.Fatalf("handshake failed: %v", err)
+			}
+			if !cs.PeerCertificates[0].Equal(testECDSAP256Cert.Leaf) {
+				t.Fatalf("handshake succeeded but wrong certificate was used")
+			}
+		})
+	}
+}
+
 // Run with multiple crypto configs to test the logic for computing TLS record overheads.
 func runDynamicRecordSizingTest(t *testing.T, serverConfig *Config) {
 	clientConn, serverConn := localPipe(t)