author | Brad Fitzpatrick <bradfitz@golang.org> | 2016-07-26 16:55:40 +0200 |
committer | Brad Fitzpatrick <bradfitz@golang.org> | 2016-07-26 21:18:26 +0000 |
commit | ff60da6962f71871fac3dd6a5406686ea92de8dc (patch) | |
tree | 3d2b9bbf1aa4627683d05b31ad2c6799ba7ca72d | |
parent | 887606114902bd58c3838767ac2b66dadba27e5e (diff) | |
download | go-ff60da6962f71871fac3dd6a5406686ea92de8dc.tar.gz go-ff60da6962f71871fac3dd6a5406686ea92de8dc.zip |
crypto/x509: use Go 1.6 implementation for FetchPEMRoots for OS X 10.8
Conservative fix for the OS X 10.8 crash. We can unify them back together
during the Go 1.8 dev cycle.
Fixes #16473
Change-Id: If07228deb2be36093dd324b3b3bcb31c23a95035
Reviewed-on: https://go-review.googlesource.com/25233
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Andrew Gerrand <adg@golang.org>
-rw-r--r-- | src/crypto/x509/root_cgo_darwin.go | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/src/crypto/x509/root_cgo_darwin.go b/src/crypto/x509/root_cgo_darwin.go
index 0e2fb357ee..83f83d8c16 100644
--- a/src/crypto/x509/root_cgo_darwin.go
+++ b/src/crypto/x509/root_cgo_darwin.go
@@ -13,6 +13,48 @@ package x509
 #include <CoreFoundation/CoreFoundation.h>
 #include <Security/Security.h>
 
+// FetchPEMRoots_MountainLion is the version of FetchPEMRoots from Go 1.6
+// which still works on OS X 10.8 (Mountain Lion).
+// It lacks support for admin & user cert domains.
+// See golang.org/issue/16473
+int FetchPEMRoots_MountainLion(CFDataRef *pemRoots) {
+	if (pemRoots == NULL) {
+		return -1;
+	}
+	CFArrayRef certs = NULL;
+	OSStatus err = SecTrustCopyAnchorCertificates(&certs);
+	if (err != noErr) {
+		return -1;
+	}
+	CFMutableDataRef combinedData = CFDataCreateMutable(kCFAllocatorDefault, 0);
+	int i, ncerts = CFArrayGetCount(certs);
+	for (i = 0; i < ncerts; i++) {
+		CFDataRef data = NULL;
+		SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex(certs, i);
+		if (cert == NULL) {
+			continue;
+		}
+		// Note: SecKeychainItemExport is deprecated as of 10.7 in favor of SecItemExport.
+		// Once we support weak imports via cgo we should prefer that, and fall back to this
+		// for older systems.
+		err = SecKeychainItemExport(cert, kSecFormatX509Cert, kSecItemPemArmour, NULL, &data);
+		if (err != noErr) {
+			continue;
+		}
+		if (data != NULL) {
+			CFDataAppendBytes(combinedData, CFDataGetBytePtr(data), CFDataGetLength(data));
+			CFRelease(data);
+		}
+	}
+	CFRelease(certs);
+	*pemRoots = combinedData;
+	return 0;
+}
+
+#ifndef kCFCoreFoundationVersionNumber10_9
+#define kCFCoreFoundationVersionNumber10_9 855.11
+#endif
+
 // FetchPEMRoots fetches the system's list of trusted X.509 root certificates.
 //
 // On success it returns 0 and fills pemRoots with a CFDataRef that contains the extracted root
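Review bot: In FetchPEMRoots_MountainLion the result of CFDataCreateMutable is never checked before the loop appends into it, so an allocation failure would hand a NULL combinedData to CFDataAppendBytes and, if that did not fault, the function would still return 0 with *pemRoots set to NULL, which the Go side presumably treats as a successful but empty root set. A guard right after the allocation keeps the documented -1-on-failure contract: `if (combinedData == NULL) { CFRelease(certs); return -1; }`. On the following line `int i, ncerts = CFArrayGetCount(certs);` narrows a CFIndex to int; `CFIndex i, ncerts = CFArrayGetCount(certs);` avoids the silent truncation. The header comment would also benefit from one sentence making the trust consequence explicit: because this path reads only SecTrustCopyAnchorCertificates, roots that an administrator or user has added to the admin or login trust domains are not honoured on 10.8, so certificate verification there is stricter than on 10.9 and later rather than merely less featureful.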
@@ -21,6 +63,10 @@ package x509
 // Note: The CFDataRef returned in pemRoots must be released (using CFRelease) after
 // we've consumed its content.
 int FetchPEMRoots(CFDataRef *pemRoots) {
+	if (kCFCoreFoundationVersionNumber < kCFCoreFoundationVersionNumber10_9) {
+		return FetchPEMRoots_MountainLion(pemRoots);
+	}
+
 	// Get certificates from all domains, not just System, this lets
 	// the user add CAs to their "login" keychain, and Admins to add
 	// to the "System" keychain
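Review bot: The new version gate at the top of FetchPEMRoots carries no comment saying why the older path is taken, so the reason (the per-domain lookup that follows crashes on 10.8) and its cost (only system anchors are consulted) are only discoverable from the FetchPEMRoots_MountainLion header much earlier in the preamble. A one-line comment on the `if` would put the trade-off where the decision is made: `// OS X 10.8 crashes in the per-domain lookup below (golang.org/issue/16473); use the Go 1.6 system-anchor-only path there.` The comparison also depends on the fallback `#define kCFCoreFoundationVersionNumber10_9 855.11` from the earlier hunk whenever the SDK header does not supply the constant; a short note that this mirrors the value Apple ships in CFBase.h would save the next reader a lookup. FetchPEMRoots's body continues outside the hunk.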