qbit/go
1
0
Fork 0
mirror of https://github.com/golang/go synced 2024-11-23 17:00:07 -07:00
Code Releases Activity

crypto/x509: load all trusted certs on darwin (cgo)

Browse Source 
The current implementation ignores certs wherein the
Subject does not match the Issuer. An example of where
this causes issue is an enterprise environment with
intermediate CAs. In this case, the issuer is separate
(and may be loaded) but the intermediate is ignored.
A TLS handshake that does not include the intermediate
cert would then fail with an untrusted error in Go.

On other platforms (darwin-nocgo included), all trusted
certs are loaded and accepted reguardless of
Subject/Issuer names.

This change removes the Subject/Issuer name-matching
restriction of certificates when trustAsRoot is set,
allowing all trusted certs to be loaded on darwin (cgo).

Refs #16532

Change-Id: I451e929588f8911892be6bdc2143d0799363c5f8
Reviewed-on: https://go-review.googlesource.com/36942
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
This commit is contained in:
Nathaniel Caza 2017-02-13 21:15:40 -06:00 committed by Brad Fitzpatrick
parent 26ec05cdbe
commit e7f95b3cca
1 changed files with 32 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
src/crypto/x509/root_cgo_darwin.go
View File

@ -119,7 +119,11 @@ int FetchPEMRoots(CFDataRef *pemRoots, CFDataRef *untrustedPemRoots) {
} }
// We only want trusted certs. // We only want trusted certs.
int untrusted = 0; int untrusted = 0;
if (i != 0) { int trustAsRoot = 0;
int trustRoot = 0;
if (i == 0) {
trustAsRoot = 1;
} else {
// Certs found in the system domain are always trusted. If the user // Certs found in the system domain are always trusted. If the user
// configures "Never Trust" on such a cert, it will also be found in the // configures "Never Trust" on such a cert, it will also be found in the
// admin or user domain, causing it to be added to untrustedPemRoots. The // admin or user domain, causing it to be added to untrustedPemRoots. The
@ -129,7 +133,7 @@ int FetchPEMRoots(CFDataRef *pemRoots, CFDataRef *untrustedPemRoots) {
// SecTrustServer.c, "user trust settings overrule admin trust settings", // SecTrustServer.c, "user trust settings overrule admin trust settings",
// so take the last trust settings array we find. // so take the last trust settings array we find.
// Skip the system domain since it is always trusted. // Skip the system domain since it is always trusted.
for (int k = 1; k < numDomains; k++) { for (int k = i; k < numDomains; k++) {
CFArrayRef domainTrustSettings = NULL; CFArrayRef domainTrustSettings = NULL;
err = SecTrustSettingsCopyTrustSettings(cert, domains[k], &domainTrustSettings); err = SecTrustSettingsCopyTrustSettings(cert, domains[k], &domainTrustSettings);
if (err == errSecSuccess && domainTrustSettings != NULL) { if (err == errSecSuccess && domainTrustSettings != NULL) {
@ -152,28 +156,35 @@ int FetchPEMRoots(CFDataRef *pemRoots, CFDataRef *untrustedPemRoots) {
// TODO: The rest of the dictionary specifies conditions for evaluation. // TODO: The rest of the dictionary specifies conditions for evaluation.
if (result == kSecTrustSettingsResultDeny) { if (result == kSecTrustSettingsResultDeny) {
untrusted = 1; untrusted = 1;
} else if (result == kSecTrustSettingsResultTrustAsRoot) {
trustAsRoot = 1;
} else if (result == kSecTrustSettingsResultTrustRoot) {
trustRoot = 1;
} }
} }
} }
CFRelease(trustSettings); CFRelease(trustSettings);
} }
// We only want to add Root CAs, so make sure Subject and Issuer Name match
CFDataRef subjectName = SecCertificateCopyNormalizedSubjectContent(cert, &errRef); if (trustRoot) {
if (errRef != NULL) { // We only want to add Root CAs, so make sure Subject and Issuer Name match
CFRelease(errRef); CFDataRef subjectName = SecCertificateCopyNormalizedSubjectContent(cert, &errRef);
continue; if (errRef != NULL) {
} CFRelease(errRef);
CFDataRef issuerName = SecCertificateCopyNormalizedIssuerContent(cert, &errRef); continue;
if (errRef != NULL) { }
CFDataRef issuerName = SecCertificateCopyNormalizedIssuerContent(cert, &errRef);
if (errRef != NULL) {
CFRelease(subjectName);
CFRelease(errRef);
continue;
}
Boolean equal = CFEqual(subjectName, issuerName);
CFRelease(subjectName); CFRelease(subjectName);
CFRelease(errRef); CFRelease(issuerName);
continue; if (!equal) {
} continue;
Boolean equal = CFEqual(subjectName, issuerName); }
CFRelease(subjectName);
CFRelease(issuerName);
if (!equal) {
continue;
} }
// Note: SecKeychainItemExport is deprecated as of 10.7 in favor of SecItemExport. // Note: SecKeychainItemExport is deprecated as of 10.7 in favor of SecItemExport.
@ -185,6 +196,9 @@ int FetchPEMRoots(CFDataRef *pemRoots, CFDataRef *untrustedPemRoots) {
} }
if (data != NULL) { if (data != NULL) {
if (!trustRoot && !trustAsRoot) {
untrusted = 1;
}
CFMutableDataRef appendTo = untrusted ? combinedUntrustedData : combinedData; CFMutableDataRef appendTo = untrusted ? combinedUntrustedData : combinedData;
CFDataAppendBytes(appendTo, CFDataGetBytePtr(data), CFDataGetLength(data)); CFDataAppendBytes(appendTo, CFDataGetBytePtr(data), CFDataGetLength(data));
CFRelease(data); CFRelease(data);