crypto/x509: change how we retrieve chains on darwin
authorRoland Shoemaker <roland@golang.org>
Tue, 4 Mar 2025 00:27:36 +0000 (16:27 -0800)
committerRoland Shoemaker <roland@golang.org>
Thu, 13 Mar 2025 23:44:25 +0000 (16:44 -0700)
Instead of using the deprecated SecTrustGetCertificateAtIndex and
SecTrustGetCertificateCount methods, use the SecTrustCopyCertificateChain
method.

This method requires macOS 12+, which will be the minimum supported
version in 1.25.

Change-Id: I9a5ef75431cdb84f1cbe4eee47e6e9e2da4dea03
Reviewed-on: https://go-review.googlesource.com/c/go/+/654376
Reviewed-by: David Chase <drchase@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
src/crypto/x509/internal/macos/security.go
src/crypto/x509/internal/macos/security.s
src/crypto/x509/root_darwin.go

index 497ba6e824cd935d867cc3706c0ba084eec832aa..f9f37b16664002a0e2533a06c54b5c7d6205d738 100644 (file)
@@ -122,25 +122,6 @@ func SecTrustEvaluateWithError(trustObj CFRef) (int, error) {
 }
 func x509_SecTrustEvaluateWithError_trampoline()
 
-//go:cgo_import_dynamic x509_SecTrustGetCertificateCount SecTrustGetCertificateCount "/System/Library/Frameworks/Security.framework/Versions/A/Security"
-
-func SecTrustGetCertificateCount(trustObj CFRef) int {
-       ret := syscall(abi.FuncPCABI0(x509_SecTrustGetCertificateCount_trampoline), uintptr(trustObj), 0, 0, 0, 0, 0)
-       return int(ret)
-}
-func x509_SecTrustGetCertificateCount_trampoline()
-
-//go:cgo_import_dynamic x509_SecTrustGetCertificateAtIndex SecTrustGetCertificateAtIndex "/System/Library/Frameworks/Security.framework/Versions/A/Security"
-
-func SecTrustGetCertificateAtIndex(trustObj CFRef, i int) (CFRef, error) {
-       ret := syscall(abi.FuncPCABI0(x509_SecTrustGetCertificateAtIndex_trampoline), uintptr(trustObj), uintptr(i), 0, 0, 0, 0)
-       if ret == 0 {
-               return 0, OSStatus{"SecTrustGetCertificateAtIndex", int32(ret)}
-       }
-       return CFRef(ret), nil
-}
-func x509_SecTrustGetCertificateAtIndex_trampoline()
-
 //go:cgo_import_dynamic x509_SecCertificateCopyData SecCertificateCopyData "/System/Library/Frameworks/Security.framework/Versions/A/Security"
 
 func SecCertificateCopyData(cert CFRef) ([]byte, error) {
@@ -153,3 +134,14 @@ func SecCertificateCopyData(cert CFRef) ([]byte, error) {
        return b, nil
 }
 func x509_SecCertificateCopyData_trampoline()
+
+//go:cgo_import_dynamic x509_SecTrustCopyCertificateChain SecTrustCopyCertificateChain "/System/Library/Frameworks/Security.framework/Versions/A/Security"
+
+func SecTrustCopyCertificateChain(trustObj CFRef) (CFRef, error) {
+       ret := syscall(abi.FuncPCABI0(x509_SecTrustCopyCertificateChain_trampoline), uintptr(trustObj), 0, 0, 0, 0, 0)
+       if ret == 0 {
+               return 0, OSStatus{"SecTrustCopyCertificateChain", int32(ret)}
+       }
+       return CFRef(ret), nil
+}
+func x509_SecTrustCopyCertificateChain_trampoline()
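Review bot: The new SecTrustCopyCertificateChain wrapper on line 57 has no doc comment stating who owns the returned CFRef, and since it wraps a Copy-rule Security.framework call the caller is responsible for releasing the array; the only caller in this change does `defer macOS.CFRelease(chainRef)`, but nothing at the wrapper says that is required. Suggest `// SecTrustCopyCertificateChain returns the certificate chain built for trustObj as a CFArray of certificate references. The caller owns the returned reference and must CFRelease it.` The `ret == 0` branch reports an OSStatus with code 0, which mirrors the removed SecTrustGetCertificateAtIndex wrapper, so a NULL return is not distinguishable from a success status by the code in the error value; if callers ever need to tell the two apart, a dedicated error rather than OSStatus would be needed, but that is outside this change.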
index dc630eccb7fe41a1f704bfb42362a4145a97b14b..ca5337c788d67310f9baa12144beb11de2647cfa 100644 (file)
@@ -21,9 +21,7 @@ TEXT ·x509_SecTrustEvaluate_trampoline(SB),NOSPLIT,$0-0
        JMP x509_SecTrustEvaluate(SB)
 TEXT ·x509_SecTrustEvaluateWithError_trampoline(SB),NOSPLIT,$0-0
        JMP x509_SecTrustEvaluateWithError(SB)
-TEXT ·x509_SecTrustGetCertificateCount_trampoline(SB),NOSPLIT,$0-0
-       JMP x509_SecTrustGetCertificateCount(SB)
-TEXT ·x509_SecTrustGetCertificateAtIndex_trampoline(SB),NOSPLIT,$0-0
-       JMP x509_SecTrustGetCertificateAtIndex(SB)
 TEXT ·x509_SecCertificateCopyData_trampoline(SB),NOSPLIT,$0-0
        JMP x509_SecCertificateCopyData(SB)
+TEXT ·x509_SecTrustCopyCertificateChain_trampoline(SB),NOSPLIT,$0-0
+       JMP x509_SecTrustCopyCertificateChain(SB)
index 469e907a8e154ea946bbfe1c2785b03495810ea3..b5d7b6350bf05d62ff1687d70ed618ce78d0f6e6 100644 (file)
@@ -73,12 +73,13 @@ func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate
        }
 
        chain := [][]*Certificate{{}}
-       numCerts := macOS.SecTrustGetCertificateCount(trustObj)
-       for i := 0; i < numCerts; i++ {
-               certRef, err := macOS.SecTrustGetCertificateAtIndex(trustObj, i)
-               if err != nil {
-                       return nil, err
-               }
+       chainRef, err := macOS.SecTrustCopyCertificateChain(trustObj)
+       if err != nil {
+               return nil, err
+       }
+       defer macOS.CFRelease(chainRef)
+       for i := 0; i < macOS.CFArrayGetCount(chainRef); i++ {
+               certRef := macOS.CFArrayGetValueAtIndex(chainRef, i)
                cert, err := exportCertificate(certRef)
                if err != nil {
                        return nil, err
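Review bot: The loop condition on line 94 calls macOS.CFArrayGetCount(chainRef) on every iteration, which in this package presumably goes through a syscall trampoline into the framework each time; hoist it once: `n := macOS.CFArrayGetCount(chainRef)` and `for i := 0; i < n; i++ {`. The certRef obtained on line 95 via CFArrayGetValueAtIndex is borrowed from chainRef rather than owned, so it must not be released and is only valid until the deferred CFRelease(chainRef) on line 93 runs; a comment such as `// certRef is owned by chainRef: do not release it, and do not keep it past the deferred CFRelease.` would make that lifetime explicit. systemVerify starts before and ends after this hunk, so I cannot see whether exportCertificate copies the certificate bytes out before chainRef is released — that should be confirmed, since the old SecTrustGetCertificateAtIndex path had the trust object rather than the array as the owner.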