From d796a47ddac4b2c74bd7ec4f871dbd786d3da828 Mon Sep 17 00:00:00 2001
From: Phil Pennock <phil@pennock-tech.com>
Date: Fri, 5 Jan 2024 00:32:59 -0500
Subject: [PATCH] add handling for nil possible on some platforms

Spotted by an audit-tool I was using at the time.  (Belated commit)
---
 dane.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/dane.go b/dane.go
index 666b0cd..9d45787 100644
--- a/dane.go
+++ b/dane.go
@@ -131,7 +131,12 @@ func (vc *validationContext) chainValid(eeCert, anchorCert *x509.Certificate, ca
 		vOpts.DNSName = tryHostname
 		chains, err := eeCert.Verify(vOpts)
 		if err != nil {
-			vc.Wafflef("no valid TA chains for hostname %q", tryHostname)
+			vc.Wafflef("no valid TA chains for hostname %q [%v]", tryHostname, err)
+			continue
+		}
+		// On some non-Unix platforms, the system verifier can be called, and there's a mode where that returns nil,nil
+		if chains == nil {
+			vc.Wafflef("when asking for TA chains for hostname %q we got a nil response without error", tryHostname)
 			continue
 		}
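Review bot: The added guard `if chains == nil {` rejects only a nil slice, so an empty but non-nil result from `eeCert.Verify` with a nil error would still reach whatever consumes `chains` later in the loop. Treating "no error, no chains" as a failed validation is the right fail-closed choice for a DANE trust-anchor check, and `if len(chains) == 0 {` covers both the nil and the empty case with the same intent. The comment above the guard would be more useful to a later auditor if it said that a nil error from the verifier is deliberately not taken as proof that a chain exists, e.g. `// Verify may return (nil, nil) via the system verifier on some non-Unix platforms; never treat a nil error alone as a validated chain.` The rest of the loop body and of chainValid lies outside the hunk, so how `chains` is used afterwards is not visible here.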