|
- // Copyright 2011 The Go Authors. All rights reserved.
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
-
- package tls
-
- /*
- // Note: We disable -Werror here because the code in this file uses a deprecated API to stay
- // compatible with both Mac OS X 10.6 and 10.7. Using a deprecated function on Darwin generates
- // a warning.
- #cgo CFLAGS: -Wno-error -Wno-deprecated-declarations
- #cgo LDFLAGS: -framework CoreFoundation -framework Security
- #include <CoreFoundation/CoreFoundation.h>
- #include <Security/Security.h>
-
- // FetchPEMRoots fetches the system's list of trusted X.509 root certificates.
- //
- // On success it returns 0 and fills pemRoots with a CFDataRef that contains the extracted root
- // certificates of the system. On failure, the function returns -1.
- //
- // Note: The CFDataRef returned in pemRoots must be released (using CFRelease) after
- // we've consumed its content.
- int FetchPEMRoots(CFDataRef *pemRoots) {
- if (pemRoots == NULL) {
- return -1;
- }
-
- CFArrayRef certs = NULL;
- OSStatus err = SecTrustCopyAnchorCertificates(&certs);
- if (err != noErr) {
- return -1;
- }
-
- CFMutableDataRef combinedData = CFDataCreateMutable(kCFAllocatorDefault, 0);
- int i, ncerts = CFArrayGetCount(certs);
- for (i = 0; i < ncerts; i++) {
- CFDataRef data = NULL;
- SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex(certs, i);
- if (cert == NULL) {
- continue;
- }
-
- // SecKeychainImportExport is deprecated in >= OS X 10.7, and has been replaced by
- // SecItemExport. If we're built on a host with a Lion SDK, this code gets conditionally
- // included in the output, also for binaries meant for 10.6.
- //
- // To make sure that we run on both Mac OS X 10.6 and 10.7 we use weak linking
- // and check whether SecItemExport is available before we attempt to call it. On
- // 10.6, this won't be the case, and we'll fall back to calling SecKeychainItemExport.
- #if __MAC_OS_X_VERSION_MAX_ALLOWED >= 1070
- if (SecItemExport) {
- err = SecItemExport(cert, kSecFormatX509Cert, kSecItemPemArmour, NULL, &data);
- if (err != noErr) {
- continue;
- }
- } else
- #endif
- if (data == NULL) {
- err = SecKeychainItemExport(cert, kSecFormatX509Cert, kSecItemPemArmour, NULL, &data);
- if (err != noErr) {
- continue;
- }
- }
-
- if (data != NULL) {
- CFDataAppendBytes(combinedData, CFDataGetBytePtr(data), CFDataGetLength(data));
- CFRelease(data);
- }
- }
-
- CFRelease(certs);
-
- *pemRoots = combinedData;
- return 0;
- }
- */
- import "C"
- import (
- "crypto/x509"
- "unsafe"
- )
-
- func initDefaultRoots() {
- roots := x509.NewCertPool()
-
- var data C.CFDataRef = nil
- err := C.FetchPEMRoots(&data)
- if err != -1 {
- defer C.CFRelease(C.CFTypeRef(data))
- buf := C.GoBytes(unsafe.Pointer(C.CFDataGetBytePtr(data)), C.int(C.CFDataGetLength(data)))
- roots.AppendCertsFromPEM(buf)
- }
-
- varDefaultRoots = roots
- }
|