Cypherpunks repositories - gostls13.git/commit

author	Quentin Smith <quentin@golang.org>
	Wed, 30 Nov 2016 20:16:37 +0000 (15:16 -0500)
committer	Quentin Smith <quentin@golang.org>
	Thu, 1 Dec 2016 19:24:34 +0000 (19:24 +0000)
commit	7e5b2e0ec144d5f5b2923a7d5db0b9143f79a35a
tree	85dd9b13329242bb087dbde7cd41dcaa2a09513c	tree
parent	9fbfe7cca00a456541e9aa2b2cc1251d777f325b	commit \| diff

crypto/x509: read Darwin trust settings for root CAs

Darwin separately stores bits indicating whether a root certificate
should be trusted; this changes Go to read and use those when
initializing SystemCertPool.

Unfortunately, the trust API is very slow. To avoid a delay of up to
0.5s in initializing the system cert pool, we assume that
the trust settings found in kSecTrustSettingsDomainSystem will always
indicate trust. (That is, all root certs Apple distributes are trusted.)
This is not guaranteed by the API but is true in practice.

In the non-cgo codepath, we do not have that benefit, so we must check
the trust status of every certificate. This causes about 0.5s of delay
in initializing the SystemCertPool.

On OS X 10.11 and older, the "security" command requires a certificate
to be provided in a file and not on stdin, so the non-cgo codepath
creates temporary files for each certificate, further slowing initialization.

Updates #18141.

Change-Id: If681c514047afe5e1a68de6c9d40ceabbce54755
Reviewed-on: https://go-review.googlesource.com/33721
Run-TryBot: Quentin Smith <quentin@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>

src/crypto/x509/root_cgo_darwin.go		diff \| blob \| history
src/crypto/x509/root_darwin.go		diff \| blob \| history
src/crypto/x509/root_darwin_test.go		diff \| blob \| history