crypto/x509: load all trusted certs on darwin (nocgo)
authorNathaniel Caza <mastercactapus@gmail.com>
Tue, 14 Feb 2017 03:00:06 +0000 (21:00 -0600)
committerBrad Fitzpatrick <bradfitz@golang.org>
Fri, 14 Jul 2017 18:47:10 +0000 (18:47 +0000)
The current implementation ignores certificates that exist
in the login and System keychains.

This change adds the missing System and login keychain
files to the `/usr/bin/security` command in
`execSecurityRoots`. If the current user cannot be
obtained, the login keychain is ignored.

Refs #16532

Change-Id: I8594a6b8940c58df8a8015b274fa45c39e18862c
Reviewed-on: https://go-review.googlesource.com/36941
Run-TryBot: Emmanuel Odeke <emm.odeke@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
src/crypto/x509/root_darwin.go
src/go/build/deps_test.go

index 66cdb5ea261f0d2535224bbce4fa186872291f8f..bc35a1cf212e5e0faa9e7754f48c4bd8d8c8ec88 100644 (file)
@@ -16,6 +16,7 @@ import (
        "io/ioutil"
        "os"
        "os/exec"
+       "os/user"
        "path/filepath"
        "strings"
        "sync"
@@ -61,7 +62,26 @@ func execSecurityRoots() (*CertPool, error) {
                println(fmt.Sprintf("crypto/x509: %d certs have a trust policy", len(hasPolicy)))
        }
 
-       cmd := exec.Command("/usr/bin/security", "find-certificate", "-a", "-p", "/System/Library/Keychains/SystemRootCertificates.keychain")
+       args := []string{"find-certificate", "-a", "-p",
+               "/System/Library/Keychains/SystemRootCertificates.keychain",
+               "/Library/Keychains/System.keychain",
+       }
+
+       u, err := user.Current()
+       if err != nil {
+               if debugExecDarwinRoots {
+                       println(fmt.Sprintf("crypto/x509: get current user: %v", err))
+               }
+       } else {
+               args = append(args,
+                       filepath.Join(u.HomeDir, "/Library/Keychains/login.keychain"),
+
+                       // Fresh installs of Sierra use a slightly different path for the login keychain
+                       filepath.Join(u.HomeDir, "/Library/Keychains/login.keychain-db"),
+               )
+       }
+
+       cmd := exec.Command("/usr/bin/security", args...)
        data, err := cmd.Output()
        if err != nil {
                return nil, err
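Review bot: Adding `/Library/Keychains/System.keychain` and the two login keychain paths to the `find-certificate -a -p` call (L39–L55) dumps every certificate stored in those keychains, not only the ones an administrator or user has marked trusted, and the PEM loop that consumes `data` lies outside this hunk — if that loop still adds any certificate that is absent from the `hasPolicy` set (L35) straight into the pool, a leaf or intermediate that merely sits in a user's login keychain (an S/MIME or client-auth identity, say) would start verifying as a root. For certificates coming from the newly added keychains the safe rule is to admit one only when the system itself reports it trusted, e.g. verify each entry whose hash is not in `hasPolicy` against the system trust settings (`/usr/bin/security verify-cert`) instead of trusting it by default, or restrict the default-trust path to `SystemRootCertificates.keychain`. Separately, with cgo disabled `user.Current()` is presumably resolved from the environment (`HOME`) rather than the directory service, so the login keychain path built at L51/L54 can be steered by whoever controls the process environment; a comment such as `// HomeDir may come from $HOME under nocgo; treat login keychain contents as untrusted until verified` would record that assumption next to the `user.Current()` call. execSecurityRoots begins before this hunk and its certificate loop continues after it.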
index ec8dd0678811fa3393f36cb6e2da73431e50c756..87abfba9219db3c3f79162dd8b3dcecdddd98a55 100644 (file)
@@ -377,7 +377,7 @@ var pkgDeps = map[string][]string{
        },
        "crypto/x509": {
                "L4", "CRYPTO-MATH", "OS", "CGO",
-               "crypto/x509/pkix", "encoding/pem", "encoding/hex", "net", "syscall",
+               "crypto/x509/pkix", "encoding/pem", "encoding/hex", "net", "os/user", "syscall",
        },
        "crypto/x509/pkix": {"L4", "CRYPTO-MATH"},