crypto/x509: use SecItemExport instead of deprecated SecKeychainItemExport

SecKeychainItemExport is deprecated as of macOS 10.7. The minimum
supported version is macOS 10.10, so use SecItemExport instead.

While at it also bump macosx-version-min to 10.10 and
__MAC_OS_X_VERSION_MAX_ALLOWED to 101300 (for macOS 10.13).

Tested on macOS 10.10, 10.11 and 10.12.

Updates #23122

Change-Id: Id4cd6a5cea93315791253dc248e40e5615760a6c
Reviewed-on: https://go-review.googlesource.com/116396
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

diff --git a/src/crypto/x509/root_cgo_darwin.go b/src/crypto/x509/root_cgo_darwin.go
index 11515b82d00e9e3489f76794543f86037b0bfc20..a02ac3cfe8364fce00c0524fb1a0b36ebeef06ce 100644 (file)
--- a/src/crypto/x509/root_cgo_darwin.go
+++ b/src/crypto/x509/root_cgo_darwin.go
@@ -7,7 +7,7 @@
 package x509
 
 /*
-#cgo CFLAGS: -mmacosx-version-min=10.6 -D__MAC_OS_X_VERSION_MAX_ALLOWED=1080
+#cgo CFLAGS: -mmacosx-version-min=10.10 -D__MAC_OS_X_VERSION_MAX_ALLOWED=101300
 #cgo LDFLAGS: -framework CoreFoundation -framework Security
 
 #include <errno.h>
@@ -136,10 +136,7 @@ int FetchPEMRoots(CFDataRef *pemRoots, CFDataRef *untrustedPemRoots) {
                                }
                        }
 
-                       // Note: SecKeychainItemExport is deprecated as of 10.7 in favor of SecItemExport.
-                       // Once we support weak imports via cgo we should prefer that, and fall back to this
-                       // for older systems.
-                       err = SecKeychainItemExport(cert, kSecFormatX509Cert, kSecItemPemArmour, NULL, &data);
+                       err = SecItemExport(cert, kSecFormatX509Cert, kSecItemPemArmour, NULL, &data);
                        if (err != noErr) {
                                continue;
                        }