(no file at all) | |
1 // Copyright 2011 The Go Authors. All rights reserved. | 1 // Copyright 2013 The Go Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style | 2 // Use of this source code is governed by a BSD-style |
3 // license that can be found in the LICENSE file. | 3 // license that can be found in the LICENSE file. |
4 | 4 |
5 package x509 | 5 package x509 |
6 | 6 |
7 /* | 7 import "os/exec" |
8 #cgo CFLAGS: -mmacosx-version-min=10.6 -D__MAC_OS_X_VERSION_MAX_ALLOWED=1060 | |
9 #cgo LDFLAGS: -framework CoreFoundation -framework Security | |
10 | |
11 #include <CoreFoundation/CoreFoundation.h> | |
12 #include <Security/Security.h> | |
13 | |
14 // FetchPEMRoots fetches the system's list of trusted X.509 root certificates. | |
15 // | |
16 // On success it returns 0 and fills pemRoots with a CFDataRef that contains the extracted root | |
17 // certificates of the system. On failure, the function returns -1. | |
18 // | |
19 // Note: The CFDataRef returned in pemRoots must be released (using CFRelease) a fter | |
20 // we've consumed its content. | |
21 int FetchPEMRoots(CFDataRef *pemRoots) { | |
22 » if (pemRoots == NULL) { | |
23 » » return -1; | |
24 » } | |
25 | |
26 » CFArrayRef certs = NULL; | |
27 » OSStatus err = SecTrustCopyAnchorCertificates(&certs); | |
28 » if (err != noErr) { | |
29 » » return -1; | |
30 » } | |
31 | |
32 » CFMutableDataRef combinedData = CFDataCreateMutable(kCFAllocatorDefault, 0); | |
33 » int i, ncerts = CFArrayGetCount(certs); | |
34 » for (i = 0; i < ncerts; i++) { | |
35 » » CFDataRef data = NULL; | |
36 » » SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtInd ex(certs, i); | |
37 » » if (cert == NULL) { | |
38 » » » continue; | |
39 » » } | |
40 | |
41 » » // Note: SecKeychainItemExport is deprecated as of 10.7 in favor of SecItemExport. | |
42 » » // Once we support weak imports via cgo we should prefer that, a nd fall back to this | |
43 » » // for older systems. | |
44 » » err = SecKeychainItemExport(cert, kSecFormatX509Cert, kSecItemPe mArmour, NULL, &data); | |
45 » » if (err != noErr) { | |
46 » » » continue; | |
47 » » } | |
48 | |
49 » » if (data != NULL) { | |
50 » » » CFDataAppendBytes(combinedData, CFDataGetBytePtr(data), CFDataGetLength(data)); | |
51 » » » CFRelease(data); | |
52 » » } | |
53 » } | |
54 | |
55 » CFRelease(certs); | |
56 | |
57 » *pemRoots = combinedData; | |
58 » return 0; | |
59 } | |
60 */ | |
61 import "C" | |
62 import "unsafe" | |
63 | 8 |
64 func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate , err error) { | 9 func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate , err error) { |
agl1
2013/12/12 16:29:47
I don't think a common, darwin, .go file is justif
| |
65 return nil, nil | 10 return nil, nil |
66 } | 11 } |
67 | 12 |
68 func initSystemRoots() { | 13 func execSecurityRoots() (*CertPool, error) { |
agl1
2013/12/12 16:29:47
Why isn't this code in the nocgo_darwin file?
| |
69 » roots := NewCertPool() | 14 » cmd := exec.Command("/usr/bin/security", "find-certificate", "-a", "-p", "/System/Library/Keychains/SystemRootCertificates.keychain") |
70 | 15 » data, err := cmd.Output() |
71 » var data C.CFDataRef = nil | 16 » if err != nil { |
72 » err := C.FetchPEMRoots(&data) | 17 » » return nil, err |
73 » if err == -1 { | |
74 » » return | |
75 } | 18 } |
76 | 19 |
77 » defer C.CFRelease(C.CFTypeRef(data)) | 20 » roots := NewCertPool() |
78 » buf := C.GoBytes(unsafe.Pointer(C.CFDataGetBytePtr(data)), C.int(C.CFDat aGetLength(data))) | 21 » roots.AppendCertsFromPEM(data) |
79 » roots.AppendCertsFromPEM(buf) | 22 » return roots, nil |
80 » systemRoots = roots | |
81 } | 23 } |
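Review bot: The boolean result of `roots.AppendCertsFromPEM(data)` on the new side (right line 21) is discarded, so an empty or unparseable dump from `security` silently yields a pool with no roots and every later verification fails with a misleading "unknown authority" error rather than pointing at the root-loading step. Unless the caller (outside this section) deliberately wants an empty pool, I would check it: `if !roots.AppendCertsFromPEM(data) { return nil, errors.New("x509: no root certificates parsed from system keychain") }` (this needs `errors` added to the import). Separately, `find-certificate -a -p` on `SystemRootCertificates.keychain` appears to dump every certificate in that one keychain; as far as I can tell it does not consult the user's or admin's trust settings, so a root an administrator has explicitly distrusted would still be accepted here, and roots installed in other keychains would not be, which is worth stating in a doc comment such as `// execSecurityRoots loads the roots shipped in the system root keychain by shelling out to /usr/bin/security; trust settings and other keychains are not consulted.` The absolute `/usr/bin/security` path is good, since it avoids a PATH lookup from an attacker-controlled environment.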