// Copyright 2011 The Go Authors. All rights reserved. // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. package tls /* // Note: We disable -Werror here because the code in this file uses a deprecated API to stay // compatible with both Mac OS X 10.6 and 10.7. Using a deprecated function on Darwin generates // a warning. #cgo CFLAGS: -Wno-error -Wno-deprecated-declarations #cgo LDFLAGS: -framework CoreFoundation -framework Security #include #include // FetchPEMRoots fetches the system's list of trusted X.509 root certificates. // // On success it returns 0 and fills pemRoots with a CFDataRef that contains the extracted root // certificates of the system. On failure, the function returns -1. // // Note: The CFDataRef returned in pemRoots must be released (using CFRelease) after // we've consumed its content. int FetchPEMRoots(CFDataRef *pemRoots) { if (pemRoots == NULL) { return -1; } CFArrayRef certs = NULL; OSStatus err = SecTrustCopyAnchorCertificates(&certs); if (err != noErr) { return -1; } CFMutableDataRef combinedData = CFDataCreateMutable(kCFAllocatorDefault, 0); int i, ncerts = CFArrayGetCount(certs); for (i = 0; i < ncerts; i++) { CFDataRef data = NULL; SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex(certs, i); if (cert == NULL) { continue; } // SecKeychainImportExport is deprecated in >= OS X 10.7, and has been replaced by // SecItemExport. If we're built on a host with a Lion SDK, this code gets conditionally // included in the output, also for binaries meant for 10.6. // // To make sure that we run on both Mac OS X 10.6 and 10.7 we use weak linking // and check whether SecItemExport is available before we attempt to call it. On // 10.6, this won't be the case, and we'll fall back to calling SecKeychainItemExport. #if __MAC_OS_X_VERSION_MAX_ALLOWED >= 1070 if (SecItemExport) { err = SecItemExport(cert, kSecFormatX509Cert, kSecItemPemArmour, NULL, &data); if (err != noErr) { continue; } } else #endif if (data == NULL) { err = SecKeychainItemExport(cert, kSecFormatX509Cert, kSecItemPemArmour, NULL, &data); if (err != noErr) { continue; } } if (data != NULL) { CFDataAppendBytes(combinedData, CFDataGetBytePtr(data), CFDataGetLength(data)); CFRelease(data); } } CFRelease(certs); *pemRoots = combinedData; return 0; } */ import "C" import ( "crypto/x509" "unsafe" ) func initDefaultRoots() { roots := x509.NewCertPool() var data C.CFDataRef = nil err := C.FetchPEMRoots(&data) if err != -1 { defer C.CFRelease(C.CFTypeRef(data)) buf := C.GoBytes(unsafe.Pointer(C.CFDataGetBytePtr(data)), C.int(C.CFDataGetLength(data))) roots.AppendCertsFromPEM(buf) } varDefaultRoots = roots }