Commit 6cd698d7 authored by Lee Hinman's avatar Lee Hinman Committed by Russ Cox

crypto/x509: add Admin & User Keychains to FetchPEMRoots on Darwin

in root_cgo_darwin.go only certificates from the System Domain
were being used in FetchPEMRoots.  This patch adds support for
getting certificates from all three domains (System, Admin,
User).  Also it will only read trusted certificates from those
Keychains.  Because it is possible to trust a non Root certificate,
this patch also adds a checks to see if the Subject and Issuer
name are the same.

Fixes #14514

Change-Id: Ia03936d7a61d1e24e99f31c92f9927ae48b2b494
Reviewed-on: https://go-review.googlesource.com/20351Reviewed-by: default avatarRuss Cox <rsc@golang.org>
parent b30fcbc9
...@@ -21,41 +21,69 @@ package x509 ...@@ -21,41 +21,69 @@ package x509
// Note: The CFDataRef returned in pemRoots must be released (using CFRelease) after // Note: The CFDataRef returned in pemRoots must be released (using CFRelease) after
// we've consumed its content. // we've consumed its content.
int FetchPEMRoots(CFDataRef *pemRoots) { int FetchPEMRoots(CFDataRef *pemRoots) {
if (pemRoots == NULL) { // Get certificates from all domains, not just System, this lets
return -1; // the user add CAs to their "login" keychain, and Admins to add
} // to the "System" keychain
SecTrustSettingsDomain domains[] = { kSecTrustSettingsDomainSystem,
kSecTrustSettingsDomainAdmin,
kSecTrustSettingsDomainUser };
CFArrayRef certs = NULL; int numDomains = sizeof(domains)/sizeof(SecTrustSettingsDomain);
OSStatus err = SecTrustCopyAnchorCertificates(&certs); if (pemRoots == NULL) {
if (err != noErr) {
return -1; return -1;
} }
CFMutableDataRef combinedData = CFDataCreateMutable(kCFAllocatorDefault, 0); CFMutableDataRef combinedData = CFDataCreateMutable(kCFAllocatorDefault, 0);
int i, ncerts = CFArrayGetCount(certs); for (int i = 0; i < numDomains; i++) {
for (i = 0; i < ncerts; i++) { CFArrayRef certs = NULL;
CFDataRef data = NULL; // Only get certificates from domain that are trusted
SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex(certs, i); OSStatus err = SecTrustSettingsCopyCertificates(domains[i], &certs);
if (cert == NULL) {
continue;
}
// Note: SecKeychainItemExport is deprecated as of 10.7 in favor of SecItemExport.
// Once we support weak imports via cgo we should prefer that, and fall back to this
// for older systems.
err = SecKeychainItemExport(cert, kSecFormatX509Cert, kSecItemPemArmour, NULL, &data);
if (err != noErr) { if (err != noErr) {
continue; continue;
} }
if (data != NULL) { int numCerts = CFArrayGetCount(certs);
CFDataAppendBytes(combinedData, CFDataGetBytePtr(data), CFDataGetLength(data)); for (int j = 0; j < numCerts; j++) {
CFRelease(data); CFDataRef data = NULL;
} CFErrorRef errRef = NULL;
} SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex(certs, j);
if (cert == NULL) {
continue;
}
// We only want to add Root CAs, so make sure Subject and Issuer Name match
CFDataRef subjectName = SecCertificateCopyNormalizedSubjectContent(cert, &errRef);
if (errRef != NULL) {
CFRelease(errRef);
continue;
}
CFDataRef issuerName = SecCertificateCopyNormalizedIssuerContent(cert, &errRef);
if (errRef != NULL) {
CFRelease(subjectName);
CFRelease(errRef);
continue;
}
Boolean equal = CFEqual(subjectName, issuerName);
CFRelease(subjectName);
CFRelease(issuerName);
if (!equal) {
continue;
}
CFRelease(certs); // Note: SecKeychainItemExport is deprecated as of 10.7 in favor of SecItemExport.
// Once we support weak imports via cgo we should prefer that, and fall back to this
// for older systems.
err = SecKeychainItemExport(cert, kSecFormatX509Cert, kSecItemPemArmour, NULL, &data);
if (err != noErr) {
continue;
}
if (data != NULL) {
CFDataAppendBytes(combinedData, CFDataGetBytePtr(data), CFDataGetLength(data));
CFRelease(data);
}
}
CFRelease(certs);
}
*pemRoots = combinedData; *pemRoots = combinedData;
return 0; return 0;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment