From 937368f84e545db15d3f39c2b33a267ba8ead4a4 Mon Sep 17 00:00:00 2001 From: Roland Shoemaker Date: Mon, 3 Mar 2025 16:27:36 -0800 Subject: [PATCH] crypto/x509: change how we retrieve chains on darwin Instead of using the deprecated SecTrustGetCertificateAtIndex and SecTrustGetCertificateCount method, use the SecTrustCopyCertificateChain method. This method require macOS 12+, which will be the minimum supported version in 1.25. Change-Id: I9a5ef75431cdb84f1cbe4eee47e6e9e2da4dea03 Reviewed-on: https://go-review.googlesource.com/c/go/+/654376 Reviewed-by: David Chase LUCI-TryBot-Result: Go LUCI Reviewed-by: Daniel McCarney --- src/crypto/x509/internal/macos/security.go | 30 ++++++++-------------- src/crypto/x509/internal/macos/security.s | 6 ++--- src/crypto/x509/root_darwin.go | 13 +++++----- 3 files changed, 20 insertions(+), 29 deletions(-) diff --git a/src/crypto/x509/internal/macos/security.go b/src/crypto/x509/internal/macos/security.go index 497ba6e824..f9f37b1666 100644 --- a/src/crypto/x509/internal/macos/security.go +++ b/src/crypto/x509/internal/macos/security.go @@ -122,25 +122,6 @@ func SecTrustEvaluateWithError(trustObj CFRef) (int, error) { } func x509_SecTrustEvaluateWithError_trampoline() -//go:cgo_import_dynamic x509_SecTrustGetCertificateCount SecTrustGetCertificateCount "/System/Library/Frameworks/Security.framework/Versions/A/Security" - -func SecTrustGetCertificateCount(trustObj CFRef) int { - ret := syscall(abi.FuncPCABI0(x509_SecTrustGetCertificateCount_trampoline), uintptr(trustObj), 0, 0, 0, 0, 0) - return int(ret) -} -func x509_SecTrustGetCertificateCount_trampoline() - -//go:cgo_import_dynamic x509_SecTrustGetCertificateAtIndex SecTrustGetCertificateAtIndex "/System/Library/Frameworks/Security.framework/Versions/A/Security" - -func SecTrustGetCertificateAtIndex(trustObj CFRef, i int) (CFRef, error) { - ret := syscall(abi.FuncPCABI0(x509_SecTrustGetCertificateAtIndex_trampoline), uintptr(trustObj), uintptr(i), 0, 0, 0, 0) - if ret == 0 { - return 0, OSStatus{"SecTrustGetCertificateAtIndex", int32(ret)} - } - return CFRef(ret), nil -} -func x509_SecTrustGetCertificateAtIndex_trampoline() - //go:cgo_import_dynamic x509_SecCertificateCopyData SecCertificateCopyData "/System/Library/Frameworks/Security.framework/Versions/A/Security" func SecCertificateCopyData(cert CFRef) ([]byte, error) { @@ -153,3 +134,14 @@ func SecCertificateCopyData(cert CFRef) ([]byte, error) { return b, nil } func x509_SecCertificateCopyData_trampoline() + +//go:cgo_import_dynamic x509_SecTrustCopyCertificateChain SecTrustCopyCertificateChain "/System/Library/Frameworks/Security.framework/Versions/A/Security" + +func SecTrustCopyCertificateChain(trustObj CFRef) (CFRef, error) { + ret := syscall(abi.FuncPCABI0(x509_SecTrustCopyCertificateChain_trampoline), uintptr(trustObj), 0, 0, 0, 0, 0) + if ret == 0 { + return 0, OSStatus{"SecTrustCopyCertificateChain", int32(ret)} + } + return CFRef(ret), nil +} +func x509_SecTrustCopyCertificateChain_trampoline() diff --git a/src/crypto/x509/internal/macos/security.s b/src/crypto/x509/internal/macos/security.s index dc630eccb7..ca5337c788 100644 --- a/src/crypto/x509/internal/macos/security.s +++ b/src/crypto/x509/internal/macos/security.s @@ -21,9 +21,7 @@ TEXT ·x509_SecTrustEvaluate_trampoline(SB),NOSPLIT,$0-0 JMP x509_SecTrustEvaluate(SB) TEXT ·x509_SecTrustEvaluateWithError_trampoline(SB),NOSPLIT,$0-0 JMP x509_SecTrustEvaluateWithError(SB) -TEXT ·x509_SecTrustGetCertificateCount_trampoline(SB),NOSPLIT,$0-0 - JMP x509_SecTrustGetCertificateCount(SB) -TEXT ·x509_SecTrustGetCertificateAtIndex_trampoline(SB),NOSPLIT,$0-0 - JMP x509_SecTrustGetCertificateAtIndex(SB) TEXT ·x509_SecCertificateCopyData_trampoline(SB),NOSPLIT,$0-0 JMP x509_SecCertificateCopyData(SB) +TEXT ·x509_SecTrustCopyCertificateChain_trampoline(SB),NOSPLIT,$0-0 + JMP x509_SecTrustCopyCertificateChain(SB) diff --git a/src/crypto/x509/root_darwin.go b/src/crypto/x509/root_darwin.go index 469e907a8e..b5d7b6350b 100644 --- a/src/crypto/x509/root_darwin.go +++ b/src/crypto/x509/root_darwin.go @@ -73,12 +73,13 @@ func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate } chain := [][]*Certificate{{}} - numCerts := macOS.SecTrustGetCertificateCount(trustObj) - for i := 0; i < numCerts; i++ { - certRef, err := macOS.SecTrustGetCertificateAtIndex(trustObj, i) - if err != nil { - return nil, err - } + chainRef, err := macOS.SecTrustCopyCertificateChain(trustObj) + if err != nil { + return nil, err + } + defer macOS.CFRelease(chainRef) + for i := 0; i < macOS.CFArrayGetCount(chainRef); i++ { + certRef := macOS.CFArrayGetValueAtIndex(chainRef, i) cert, err := exportCertificate(certRef) if err != nil { return nil, err -- 2.50.0