trust_config: fix typo and improve test case comments

tianyuan129 · tianyuan129 · commit 750dfadb6fc2 · 2026-01-09T13:13:56.000-08:00
diff --git a/std/security/trust_config.go b/std/security/trust_config.go
@@ -455,7 +455,7 @@ func (tc *TrustConfig) handleSelfSignedCert(args TrustConfigValidateArgs, keyLoc
 		return
 	}
 
-	// If already an trust anchor
+	// If already a trust anchor
 	if tc.isTrustedAnchorKey(anchorKeyName) {
 		args.Callback(true, nil)
 		return
@@ -592,7 +592,7 @@ func (tc *TrustConfig) processCertList(args certListArgs, listData ndn.Data, lis
 
 func (tc *TrustConfig) tryListedCerts(args certListArgs, names []enc.Name, idx int) {
 	if idx >= len(names) {
-		args.args.Callback(false, fmt.Errorf("no chain to trusted anchor"))
+		args.args.Callback(false, fmt.Errorf("no chain to trusted anchor %s (tried %d certs from CertList)", args.anchorKey, len(names)))
 		return
 	}
 
diff --git a/std/security/trust_config_test.go b/std/security/trust_config_test.go
@@ -449,22 +449,22 @@ func testTrustConfigIntra(t *testing.T, schema ndn.TrustSchema) {
 		name:   "/test/alice/data4",
 		signer: mAliceSigner,
 	}))
-	require.Equal(t, 6, tcTestFetchCount) // invalid cert not in store (+ CertList)
+	require.Equal(t, 6, tcTestFetchCount) // invalid cert not in store: 3 more fetches (includes CertList)
 	require.False(t, validateSync(ValidateSyncOptions{
 		name:   "/test/alice/data3",
 		signer: malloryRootSigner,
 	}))
-	require.Equal(t, 7, tcTestFetchCount) // fetch 1x mallory cert (+ CertList)
+	require.Equal(t, 7, tcTestFetchCount) // fetch 1x mallory cert
 	require.False(t, validateSync(ValidateSyncOptions{
 		name:   "/test/alice/data/extra",
 		signer: mallorySigner,
 	}))
-	require.Equal(t, 8, tcTestFetchCount) // don't bother fetching mallory root because of schema miss (+ CertList)
+	require.Equal(t, 8, tcTestFetchCount) // only CertList fetched; mallory root skipped by schema
 	require.False(t, validateSync(ValidateSyncOptions{
 		name:   "/test/mallory/data4",
 		signer: mallorySigner,
 	}))
-	require.Equal(t, 11, tcTestFetchCount) // schema hit, fetch 2x mallory certs (+ CertList)
+	require.Equal(t, 11, tcTestFetchCount) // schema hit, 3 fetches: 2x mallory certs + 1x CertList
 
 	// Sign with mallory's malicious keys (root 2)
 	// In this case the root certificate name is the same, so that cert should not be fetched

Original file line number	Diff line number	Diff line change
`@@ -455,7 +455,7 @@ func (tc *TrustConfig) handleSelfSignedCert(args TrustConfigValidateArgs, keyLoc`
`455`	`455`	`return`
`456`	`456`	`}`
`457`	`457`
`458`		`- // If already an trust anchor`
	`458`	`+ // If already a trust anchor`
`459`	`459`	`if tc.isTrustedAnchorKey(anchorKeyName) {`
`460`	`460`	`args.Callback(true, nil)`
`461`	`461`	`return`
`@@ -592,7 +592,7 @@ func (tc *TrustConfig) processCertList(args certListArgs, listData ndn.Data, lis`
`592`	`592`
`593`	`593`	`func (tc *TrustConfig) tryListedCerts(args certListArgs, names []enc.Name, idx int) {`
`594`	`594`	`if idx >= len(names) {`
`595`		`- args.args.Callback(false, fmt.Errorf("no chain to trusted anchor"))`
	`595`	`+ args.args.Callback(false, fmt.Errorf("no chain to trusted anchor %s (tried %d certs from CertList)", args.anchorKey, len(names)))`
`596`	`596`	`return`
`597`	`597`	`}`
`598`	`598`