github.com/gocuntian/go@v0.0.0-20160610041250-fee02d270bf8/src/crypto/x509/root_cgo_darwin.go (about) 1 // Copyright 2011 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 // +build cgo,!arm,!arm64,!ios 6 7 package x509 8 9 /* 10 #cgo CFLAGS: -mmacosx-version-min=10.6 -D__MAC_OS_X_VERSION_MAX_ALLOWED=1060 11 #cgo LDFLAGS: -framework CoreFoundation -framework Security 12 13 #include <CoreFoundation/CoreFoundation.h> 14 #include <Security/Security.h> 15 16 // FetchPEMRoots fetches the system's list of trusted X.509 root certificates. 17 // 18 // On success it returns 0 and fills pemRoots with a CFDataRef that contains the extracted root 19 // certificates of the system. On failure, the function returns -1. 20 // 21 // Note: The CFDataRef returned in pemRoots must be released (using CFRelease) after 22 // we've consumed its content. 23 int FetchPEMRoots(CFDataRef *pemRoots) { 24 // Get certificates from all domains, not just System, this lets 25 // the user add CAs to their "login" keychain, and Admins to add 26 // to the "System" keychain 27 SecTrustSettingsDomain domains[] = { kSecTrustSettingsDomainSystem, 28 kSecTrustSettingsDomainAdmin, 29 kSecTrustSettingsDomainUser }; 30 31 int numDomains = sizeof(domains)/sizeof(SecTrustSettingsDomain); 32 if (pemRoots == NULL) { 33 return -1; 34 } 35 36 CFMutableDataRef combinedData = CFDataCreateMutable(kCFAllocatorDefault, 0); 37 for (int i = 0; i < numDomains; i++) { 38 CFArrayRef certs = NULL; 39 // Only get certificates from domain that are trusted 40 OSStatus err = SecTrustSettingsCopyCertificates(domains[i], &certs); 41 if (err != noErr) { 42 continue; 43 } 44 45 int numCerts = CFArrayGetCount(certs); 46 for (int j = 0; j < numCerts; j++) { 47 CFDataRef data = NULL; 48 CFErrorRef errRef = NULL; 49 SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex(certs, j); 50 if (cert == NULL) { 51 continue; 52 } 53 // We only want to add Root CAs, so make sure Subject and Issuer Name match 54 CFDataRef subjectName = SecCertificateCopyNormalizedSubjectContent(cert, &errRef); 55 if (errRef != NULL) { 56 CFRelease(errRef); 57 continue; 58 } 59 CFDataRef issuerName = SecCertificateCopyNormalizedIssuerContent(cert, &errRef); 60 if (errRef != NULL) { 61 CFRelease(subjectName); 62 CFRelease(errRef); 63 continue; 64 } 65 Boolean equal = CFEqual(subjectName, issuerName); 66 CFRelease(subjectName); 67 CFRelease(issuerName); 68 if (!equal) { 69 continue; 70 } 71 72 // Note: SecKeychainItemExport is deprecated as of 10.7 in favor of SecItemExport. 73 // Once we support weak imports via cgo we should prefer that, and fall back to this 74 // for older systems. 75 err = SecKeychainItemExport(cert, kSecFormatX509Cert, kSecItemPemArmour, NULL, &data); 76 if (err != noErr) { 77 continue; 78 } 79 80 if (data != NULL) { 81 CFDataAppendBytes(combinedData, CFDataGetBytePtr(data), CFDataGetLength(data)); 82 CFRelease(data); 83 } 84 } 85 CFRelease(certs); 86 } 87 *pemRoots = combinedData; 88 return 0; 89 } 90 */ 91 import "C" 92 import ( 93 "errors" 94 "unsafe" 95 ) 96 97 func loadSystemRoots() (*CertPool, error) { 98 roots := NewCertPool() 99 100 var data C.CFDataRef = nil 101 err := C.FetchPEMRoots(&data) 102 if err == -1 { 103 // TODO: better error message 104 return nil, errors.New("crypto/x509: failed to load darwin system roots with cgo") 105 } 106 107 defer C.CFRelease(C.CFTypeRef(data)) 108 buf := C.GoBytes(unsafe.Pointer(C.CFDataGetBytePtr(data)), C.int(C.CFDataGetLength(data))) 109 roots.AppendCertsFromPEM(buf) 110 return roots, nil 111 }