crypto/x509: don't return nil, nil from SystemCertPool

If there are no certs, return an empty pool, not nil.

Fixes #21405

Change-Id: Ib4ac9d5c4a8cef83dd53565b0707a63b73ba0a8b
Reviewed-on: https://go-review.googlesource.com/103596
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

src/crypto/x509/root_plan9.go

@@ -33,5 +33,8 @@ func loadSystemRoots() (*CertPool, error) {
 			bestErr = err
 		}
 	}
+	if bestErr == nil {
+		return roots, nil
+	}
 	return nil, bestErr
 }

src/crypto/x509/root_unix.go

@@ -80,7 +80,7 @@ func loadSystemRoots() (*CertPool, error) {
 		}
 	}
 
-	if len(roots.certs) > 0 {
+	if len(roots.certs) > 0 || firstErr == nil {
 		return roots, nil
 	}
 

src/crypto/x509/root_unix_test.go

@@ -103,10 +103,6 @@ func TestEnvVars(t *testing.T) {
 			}
 
 			if r == nil {
-				if tc.cns == nil {
-					// Expected nil
-					return
-				}
 				t.Fatal("nil roots")
 			}
 

src/crypto/x509/x509_test.go

@@ -1656,9 +1656,6 @@ func TestSystemCertPool(t *testing.T) {
 	if runtime.GOOS == "windows" {
 		t.Skip("not implemented on Windows; Issue 16736, 18609")
 	}
-	if runtime.GOOS == "nacl" {
-		t.Skip("not implemented on NaCl; Issue 24561")
-	}
 	a, err := SystemCertPool()
 	if err != nil {
 		t.Fatal(err)