crypto/x509: load all trusted certs on darwin (nocgo)
The current implementation ignores certificates that exist
in the login and System keychains.

This change adds the missing System and login keychain
files to the `/usr/bin/security` command in
`execSecurityRoots`. If the current user cannot be
obtained, the login keychain is ignored.

Refs #16532

Change-Id: I8594a6b8940c58df8a8015b274fa45c39e18862c
Reviewed-on: https://go-review.googlesource.com/36941
Run-TryBot: Emmanuel Odeke <emm.odeke@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
mastercactapus authored and bradfitz committed Jul 14, 2017
1 parent a005a8d commit 4dbcacd
Showing 2 changed files with 22 additions and 2 deletions.
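--- a/src/crypto/x509/root_darwin.go
+++ b/src/crypto/x509/root_darwin.go
@@ -16,6 +16,7 @@ import (
 "io/ioutil"
 "os"
 "os/exec"
+"os/user"
 "path/filepath"
 "strings"
 "sync"
@@ -61,7 +62,26 @@ func execSecurityRoots() (*CertPool, error) {
 println(fmt.Sprintf("crypto/x509: %d certs have a trust policy", len(hasPolicy)))
 }
 
-cmd := exec.Command("/usr/bin/security", "find-certificate", "-a", "-p", "/System/Library/Keychains/SystemRootCertificates.keychain")
+args := []string{"find-certificate", "-a", "-p",
+"/System/Library/Keychains/SystemRootCertificates.keychain",
+"/Library/Keychains/System.keychain",
+}
+
+u, err := user.Current()
+if err != nil {
+if debugExecDarwinRoots {
+println(fmt.Sprintf("crypto/x509: get current user: %v", err))
+}
+} else {
+args = append(args,
+filepath.Join(u.HomeDir, "/Library/Keychains/login.keychain"),
+
+// Fresh installs of Sierra use a slightly different path for the login keychain
+filepath.Join(u.HomeDir, "/Library/Keychains/login.keychain-db"),
+)
+}
+
+cmd := exec.Command("/usr/bin/security", args...)
 data, err := cmd.Output()
 if err != nil {
 return nil, err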
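Review bot: Both login keychain paths appended in the `else` branch (`login.keychain` and `login.keychain-db`) are handed to `security` without checking that either file exists, and the hunk's own comment implies a given machine usually has only one of them; if `security find-certificate` exits non-zero on a keychain it cannot open, the `cmd.Output()` error at the end of the hunk would discard the system roots as well, not just the login ones. Stat each candidate and append only those present, which also bounds the damage if `user.Current` in this cgo-disabled build presumably falls back to `$HOME` rather than the account database. Separately, `find-certificate -a` dumps every certificate in the listed keychains, trusted or not, so the login keychain's contents still depend on the trust-policy filtering (`hasPolicy`) done earlier in `execSecurityRoots`; a comment at the `args` declaration such as `// All certs from these keychains are candidates only; trust is decided by the policy map above.` would make that dependency explicit. The body of `execSecurityRoots` starts before and continues after this hunk.

```go
	} else {
		// Fresh installs of Sierra use login.keychain-db; only pass the
		// variant(s) that exist so a missing file cannot make `security`
		// fail and drop the system roots along with the login ones.
		for _, name := range []string{"login.keychain", "login.keychain-db"} {
			p := filepath.Join(u.HomeDir, "Library", "Keychains", name)
			if _, err := os.Stat(p); err == nil {
				args = append(args, p)
			}
		}
	}
	// … unchanged: exec.Command and cmd.Output …
```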
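--- a/src/go/build/deps_test.go
+++ b/src/go/build/deps_test.go
@@ -377,7 +377,7 @@ var pkgDeps = map[string][]string{
 },
 "crypto/x509": {
 "L4", "CRYPTO-MATH", "OS", "CGO",
-"crypto/x509/pkix", "encoding/pem", "encoding/hex", "net", "syscall",
+"crypto/x509/pkix", "encoding/pem", "encoding/hex", "net", "os/user", "syscall",
 },
 "crypto/x509/pkix": {"L4", "CRYPTO-MATH"},
 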
