Cypherpunks repositories - gostls13.git/commit

author	Quentin Smith <quentin@golang.org>
	Wed, 30 Nov 2016 20:16:37 +0000 (15:16 -0500)
committer	Quentin Smith <quentin@golang.org>
	Thu, 1 Dec 2016 20:25:14 +0000 (20:25 +0000)
commit	26741a15f77ebea1d5b72ff6f7c34c8494812288
tree	7f64ff6b4a5e01a22c167c214d32f1c4f88cd9fb	tree
parent	fab76f07f54527cd5b0c7243bea96d9d3608582d	commit \| diff

[release-branch.go1.7] crypto/x509: read Darwin trust settings for root CAs

Darwin separately stores bits indicating whether a root certificate
should be trusted; this changes Go to read and use those when
initializing SystemCertPool.

Unfortunately, the trust API is very slow. To avoid a delay of up to
0.5s in initializing the system cert pool, we assume that
the trust settings found in kSecTrustSettingsDomainSystem will always
indicate trust. (That is, all root certs Apple distributes are trusted.)
This is not guaranteed by the API but is true in practice.

In the non-cgo codepath, we do not have that benefit, so we must check
the trust status of every certificate. This causes about 0.5s of delay
in initializing the SystemCertPool.

On OS X 10.11 and older, the "security" command requires a certificate
to be provided in a file and not on stdin, so the non-cgo codepath
creates temporary files for each certificate, further slowing initialization.

Updates #18141.

Change-Id: If681c514047afe5e1a68de6c9d40ceabbce54755
Reviewed-on: https://go-review.googlesource.com/33721
Run-TryBot: Quentin Smith <quentin@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
Reviewed-on: https://go-review.googlesource.com/33727

src/crypto/x509/cert_pool.go		diff \| blob \| history
src/crypto/x509/root_cgo_darwin.go		diff \| blob \| history
src/crypto/x509/root_darwin.go		diff \| blob \| history
src/crypto/x509/root_darwin_test.go		diff \| blob \| history