Diffstat (limited to 'src/crypto/x509/internal/macos/security.go')
-rw-r--r--src/crypto/x509/internal/macos/security.go19
1 files changed, 14 insertions, 5 deletions
diff --git a/src/crypto/x509/internal/macos/security.go b/src/crypto/x509/internal/macos/security.go
index ef64bda49f..0b7958eaa2 100644
--- a/src/crypto/x509/internal/macos/security.go
+++ b/src/crypto/x509/internal/macos/security.go
@@ -8,7 +8,6 @@ package macOS
import (
"errors"
- "fmt"
"internal/abi"
"strconv"
"unsafe"
@@ -51,6 +50,15 @@ const (
SecTrustSettingsDomainSystem
)
+const (
+ // various macOS error codes that can be returned from
+ // SecTrustEvaluateWithError that we can map to Go cert
+ // verification error types.
+ ErrSecCertificateExpired = -67818
+ ErrSecHostNameMismatch = -67602
+ ErrSecNotTrusted = -67843
+)
+
type OSStatus struct {
call string
status int32
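Review bot: The comment on the new const block does not say where the values come from or which error domain they belong to, which makes these trust-decision constants harder to audit. These look like OSStatus values from the Security framework headers, so a first line such as `// OSStatus codes (Security.framework) reported via the CFError from SecTrustEvaluateWithError.` would make that explicit. The `Err` prefix is also the Go convention for `error` values, whereas these are untyped integer constants; a short remark in the comment that they are compared against the returned code, not against the error, would avoid confusion.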
@@ -190,17 +198,18 @@ func x509_SecTrustGetResult_trampoline()
//go:cgo_import_dynamic x509_SecTrustEvaluateWithError SecTrustEvaluateWithError "/System/Library/Frameworks/Security.framework/Versions/A/Security"
-func SecTrustEvaluateWithError(trustObj CFRef) error {
+func SecTrustEvaluateWithError(trustObj CFRef) (int, error) {
var errRef CFRef
ret := syscall(abi.FuncPCABI0(x509_SecTrustEvaluateWithError_trampoline), uintptr(trustObj), uintptr(unsafe.Pointer(&errRef)), 0, 0, 0, 0)
if int32(ret) != 1 {
errStr := CFErrorCopyDescription(errRef)
- err := fmt.Errorf("x509: %s", CFStringToString(errStr))
+ err := errors.New(CFStringToString(errStr))
+ errCode := CFErrorGetCode(errRef)
CFRelease(errRef)
CFRelease(errStr)
- return err
+ return errCode, err
}
- return nil
+ return 0, nil
}
func x509_SecTrustEvaluateWithError_trampoline()
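Review bot: The new `(int, error)` signature of `SecTrustEvaluateWithError` has no doc comment stating that the int is meaningful only when the error is non-nil, and the failure branch returns `CFErrorGetCode(errRef)` without checking the CFError's domain. CFError codes are domain-specific, so a caller comparing the result with `ErrSecCertificateExpired` and the other new constants assumes an OSStatus-domain error; that is probably true for trust evaluation, but it should be stated or checked. I would add `// SecTrustEvaluateWithError returns (0, nil) on success; on failure the int is the CFError code and is valid only when err != nil.` The `"x509: "` prefix has also been dropped from the message, so the callers, which are not visible in this hunk, must restore it on any path that does not map the code to a typed verification error.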