package x509
import (
- macOS "crypto/x509/internal/macos"
+ "crypto/x509/internal/macos"
"errors"
"fmt"
)
func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate, err error) {
- certs := macOS.CFArrayCreateMutable()
- defer macOS.ReleaseCFArray(certs)
- leaf, err := macOS.SecCertificateCreateWithData(c.Raw)
+ certs := macos.CFArrayCreateMutable()
+ defer macos.ReleaseCFArray(certs)
+ leaf, err := macos.SecCertificateCreateWithData(c.Raw)
if err != nil {
return nil, errors.New("invalid leaf certificate")
}
- macOS.CFArrayAppendValue(certs, leaf)
+ macos.CFArrayAppendValue(certs, leaf)
if opts.Intermediates != nil {
for _, lc := range opts.Intermediates.lazyCerts {
c, err := lc.getCert()
if err != nil {
return nil, err
}
- sc, err := macOS.SecCertificateCreateWithData(c.Raw)
+ sc, err := macos.SecCertificateCreateWithData(c.Raw)
if err != nil {
return nil, err
}
- macOS.CFArrayAppendValue(certs, sc)
+ macos.CFArrayAppendValue(certs, sc)
}
}
- policies := macOS.CFArrayCreateMutable()
- defer macOS.ReleaseCFArray(policies)
- sslPolicy, err := macOS.SecPolicyCreateSSL(opts.DNSName)
+ policies := macos.CFArrayCreateMutable()
+ defer macos.ReleaseCFArray(policies)
+ sslPolicy, err := macos.SecPolicyCreateSSL(opts.DNSName)
if err != nil {
return nil, err
}
- macOS.CFArrayAppendValue(policies, sslPolicy)
+ macos.CFArrayAppendValue(policies, sslPolicy)
- trustObj, err := macOS.SecTrustCreateWithCertificates(certs, policies)
+ trustObj, err := macos.SecTrustCreateWithCertificates(certs, policies)
if err != nil {
return nil, err
}
- defer macOS.CFRelease(trustObj)
+ defer macos.CFRelease(trustObj)
if !opts.CurrentTime.IsZero() {
- dateRef := macOS.TimeToCFDateRef(opts.CurrentTime)
- defer macOS.CFRelease(dateRef)
- if err := macOS.SecTrustSetVerifyDate(trustObj, dateRef); err != nil {
+ dateRef := macos.TimeToCFDateRef(opts.CurrentTime)
+ defer macos.CFRelease(dateRef)
+ if err := macos.SecTrustSetVerifyDate(trustObj, dateRef); err != nil {
return nil, err
}
}
// always enforce its SCT requirements, and there are still _some_ people
// using TLS or OCSP for that.
- if ret, err := macOS.SecTrustEvaluateWithError(trustObj); err != nil {
+ if ret, err := macos.SecTrustEvaluateWithError(trustObj); err != nil {
switch ret {
- case macOS.ErrSecCertificateExpired:
+ case macos.ErrSecCertificateExpired:
return nil, CertificateInvalidError{c, Expired, err.Error()}
- case macOS.ErrSecHostNameMismatch:
+ case macos.ErrSecHostNameMismatch:
return nil, HostnameError{c, opts.DNSName}
- case macOS.ErrSecNotTrusted:
+ case macos.ErrSecNotTrusted:
return nil, UnknownAuthorityError{Cert: c}
default:
return nil, fmt.Errorf("x509: %s", err)
}
chain := [][]*Certificate{{}}
- chainRef, err := macOS.SecTrustCopyCertificateChain(trustObj)
+ chainRef, err := macos.SecTrustCopyCertificateChain(trustObj)
if err != nil {
return nil, err
}
- defer macOS.CFRelease(chainRef)
- for i := 0; i < macOS.CFArrayGetCount(chainRef); i++ {
- certRef := macOS.CFArrayGetValueAtIndex(chainRef, i)
+ defer macos.CFRelease(chainRef)
+ for i := 0; i < macos.CFArrayGetCount(chainRef); i++ {
+ certRef := macos.CFArrayGetValueAtIndex(chainRef, i)
cert, err := exportCertificate(certRef)
if err != nil {
return nil, err
}
if len(chain[0]) == 0 {
// This should _never_ happen, but to be safe
- return nil, errors.New("x509: macOS certificate verification internal error")
+ return nil, errors.New("x509: macos certificate verification internal error")
}
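Review bot: The error string in the `len(chain[0]) == 0` guard was lowercased along with the package alias, and that looks like collateral from a mechanical search-and-replace rather than an intended change. The text is a runtime message naming the platform, not the `macos` identifier, so it should stay `return nil, errors.New("x509: macOS certificate verification internal error")`. Tests, callers or log-based alerting that match on the old message would otherwise stop matching without any compile-time signal. It is worth checking the rest of the rename for other string literals or comments caught the same way. The body of systemVerify continues beyond the lines shown here.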
if opts.DNSName != "" {
}
// exportCertificate returns a *Certificate for a SecCertificateRef.
-func exportCertificate(cert macOS.CFRef) (*Certificate, error) {
- data, err := macOS.SecCertificateCopyData(cert)
+func exportCertificate(cert macos.CFRef) (*Certificate, error) {
+ data, err := macos.SecCertificateCopyData(cert)
if err != nil {
return nil, err
}