Add fork of Go 1.15-dev's crypto/x509
Snapshotted from Go commit 619c7a48a38b28b521591b490fd14ccb7ea5e821 (https://go-review.googlesource.com/c/go/+/229762, "crypto/x509: add x509omitbundledroots build tag to not embed roots") With 975c01342a25899962969833d8b2873dc8856a4f (https://go-review.googlesource.com/c/go/+/220721) removed, because it depends on other stuff in Go std that doesn't yet exist in a Go release. Also, add a subset fork of Go's internal/testenv, for use by x509's tests.
This commit is contained in:
committed by
Brad Fitzpatrick
parent
2dac4f2b24
commit
3bab226299
@@ -0,0 +1,314 @@
|
||||
// Copyright 2011 The Go Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
// +build cgo,!arm64,!ios
|
||||
|
||||
package x509
|
||||
|
||||
/*
|
||||
#cgo CFLAGS: -mmacosx-version-min=10.11
|
||||
#cgo LDFLAGS: -framework CoreFoundation -framework Security
|
||||
|
||||
#include <errno.h>
|
||||
#include <sys/sysctl.h>
|
||||
|
||||
#include <CoreFoundation/CoreFoundation.h>
|
||||
#include <Security/Security.h>
|
||||
|
||||
static Boolean isSSLPolicy(SecPolicyRef policyRef) {
|
||||
if (!policyRef) {
|
||||
return false;
|
||||
}
|
||||
CFDictionaryRef properties = SecPolicyCopyProperties(policyRef);
|
||||
if (properties == NULL) {
|
||||
return false;
|
||||
}
|
||||
Boolean isSSL = false;
|
||||
CFTypeRef value = NULL;
|
||||
if (CFDictionaryGetValueIfPresent(properties, kSecPolicyOid, (const void **)&value)) {
|
||||
isSSL = CFEqual(value, kSecPolicyAppleSSL);
|
||||
}
|
||||
CFRelease(properties);
|
||||
return isSSL;
|
||||
}
|
||||
|
||||
// sslTrustSettingsResult obtains the final kSecTrustSettingsResult value
|
||||
// for a certificate in the user or admin domain, combining usage constraints
|
||||
// for the SSL SecTrustSettingsPolicy, ignoring SecTrustSettingsKeyUsage and
|
||||
// kSecTrustSettingsAllowedError.
|
||||
// https://developer.apple.com/documentation/security/1400261-sectrustsettingscopytrustsetting
|
||||
static SInt32 sslTrustSettingsResult(SecCertificateRef cert) {
|
||||
CFArrayRef trustSettings = NULL;
|
||||
OSStatus err = SecTrustSettingsCopyTrustSettings(cert, kSecTrustSettingsDomainUser, &trustSettings);
|
||||
|
||||
// According to Apple's SecTrustServer.c, "user trust settings overrule admin trust settings",
|
||||
// but the rules of the override are unclear. Let's assume admin trust settings are applicable
|
||||
// if and only if user trust settings fail to load or are NULL.
|
||||
if (err != errSecSuccess || trustSettings == NULL) {
|
||||
if (trustSettings != NULL) CFRelease(trustSettings);
|
||||
err = SecTrustSettingsCopyTrustSettings(cert, kSecTrustSettingsDomainAdmin, &trustSettings);
|
||||
}
|
||||
|
||||
// > no trust settings [...] means "this certificate must be verified to a known trusted certificate”
|
||||
// (Should this cause a fallback from user to admin domain? It's unclear.)
|
||||
if (err != errSecSuccess || trustSettings == NULL) {
|
||||
if (trustSettings != NULL) CFRelease(trustSettings);
|
||||
return kSecTrustSettingsResultUnspecified;
|
||||
}
|
||||
|
||||
// > An empty trust settings array means "always trust this certificate” with an
|
||||
// > overall trust setting for the certificate of kSecTrustSettingsResultTrustRoot.
|
||||
if (CFArrayGetCount(trustSettings) == 0) {
|
||||
CFRelease(trustSettings);
|
||||
return kSecTrustSettingsResultTrustRoot;
|
||||
}
|
||||
|
||||
// kSecTrustSettingsResult is defined as CFSTR("kSecTrustSettingsResult"),
|
||||
// but the Go linker's internal linking mode can't handle CFSTR relocations.
|
||||
// Create our own dynamic string instead and release it below.
|
||||
CFStringRef _kSecTrustSettingsResult = CFStringCreateWithCString(
|
||||
NULL, "kSecTrustSettingsResult", kCFStringEncodingUTF8);
|
||||
CFStringRef _kSecTrustSettingsPolicy = CFStringCreateWithCString(
|
||||
NULL, "kSecTrustSettingsPolicy", kCFStringEncodingUTF8);
|
||||
CFStringRef _kSecTrustSettingsPolicyString = CFStringCreateWithCString(
|
||||
NULL, "kSecTrustSettingsPolicyString", kCFStringEncodingUTF8);
|
||||
|
||||
CFIndex m; SInt32 result = 0;
|
||||
for (m = 0; m < CFArrayGetCount(trustSettings); m++) {
|
||||
CFDictionaryRef tSetting = (CFDictionaryRef)CFArrayGetValueAtIndex(trustSettings, m);
|
||||
|
||||
// First, check if this trust setting is constrained to a non-SSL policy.
|
||||
SecPolicyRef policyRef;
|
||||
if (CFDictionaryGetValueIfPresent(tSetting, _kSecTrustSettingsPolicy, (const void**)&policyRef)) {
|
||||
if (!isSSLPolicy(policyRef)) {
|
||||
continue;
|
||||
}
|
||||
}
|
||||
|
||||
if (CFDictionaryContainsKey(tSetting, _kSecTrustSettingsPolicyString)) {
|
||||
// Restricted to a hostname, not a root.
|
||||
continue;
|
||||
}
|
||||
|
||||
CFNumberRef cfNum;
|
||||
if (CFDictionaryGetValueIfPresent(tSetting, _kSecTrustSettingsResult, (const void**)&cfNum)) {
|
||||
CFNumberGetValue(cfNum, kCFNumberSInt32Type, &result);
|
||||
} else {
|
||||
// > If this key is not present, a default value of
|
||||
// > kSecTrustSettingsResultTrustRoot is assumed.
|
||||
result = kSecTrustSettingsResultTrustRoot;
|
||||
}
|
||||
|
||||
// If multiple dictionaries match, we are supposed to "OR" them,
|
||||
// the semantics of which are not clear. Since TrustRoot and TrustAsRoot
|
||||
// are mutually exclusive, Deny should probably override, and Invalid and
|
||||
// Unspecified be overridden, approximate this by stopping at the first
|
||||
// TrustRoot, TrustAsRoot or Deny.
|
||||
if (result == kSecTrustSettingsResultTrustRoot) {
|
||||
break;
|
||||
} else if (result == kSecTrustSettingsResultTrustAsRoot) {
|
||||
break;
|
||||
} else if (result == kSecTrustSettingsResultDeny) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
// If trust settings are present, but none of them match the policy...
|
||||
// the docs don't tell us what to do.
|
||||
//
|
||||
// "Trust settings for a given use apply if any of the dictionaries in the
|
||||
// certificate’s trust settings array satisfies the specified use." suggests
|
||||
// that it's as if there were no trust settings at all, so we should probably
|
||||
// fallback to the admin trust settings. TODO.
|
||||
if (result == 0) {
|
||||
result = kSecTrustSettingsResultUnspecified;
|
||||
}
|
||||
|
||||
CFRelease(_kSecTrustSettingsPolicy);
|
||||
CFRelease(_kSecTrustSettingsPolicyString);
|
||||
CFRelease(_kSecTrustSettingsResult);
|
||||
CFRelease(trustSettings);
|
||||
|
||||
return result;
|
||||
}
|
||||
|
||||
// isRootCertificate reports whether Subject and Issuer match.
|
||||
static Boolean isRootCertificate(SecCertificateRef cert, CFErrorRef *errRef) {
|
||||
CFDataRef subjectName = SecCertificateCopyNormalizedSubjectContent(cert, errRef);
|
||||
if (*errRef != NULL) {
|
||||
return false;
|
||||
}
|
||||
CFDataRef issuerName = SecCertificateCopyNormalizedIssuerContent(cert, errRef);
|
||||
if (*errRef != NULL) {
|
||||
CFRelease(subjectName);
|
||||
return false;
|
||||
}
|
||||
Boolean equal = CFEqual(subjectName, issuerName);
|
||||
CFRelease(subjectName);
|
||||
CFRelease(issuerName);
|
||||
return equal;
|
||||
}
|
||||
|
||||
// CopyPEMRoots fetches the system's list of trusted X.509 root certificates
|
||||
// for the kSecTrustSettingsPolicy SSL.
|
||||
//
|
||||
// On success it returns 0 and fills pemRoots with a CFDataRef that contains the extracted root
|
||||
// certificates of the system. On failure, the function returns -1.
|
||||
// Additionally, it fills untrustedPemRoots with certs that must be removed from pemRoots.
|
||||
//
|
||||
// Note: The CFDataRef returned in pemRoots and untrustedPemRoots must
|
||||
// be released (using CFRelease) after we've consumed its content.
|
||||
static int CopyPEMRoots(CFDataRef *pemRoots, CFDataRef *untrustedPemRoots, bool debugDarwinRoots) {
|
||||
int i;
|
||||
|
||||
if (debugDarwinRoots) {
|
||||
fprintf(stderr, "crypto/x509: kSecTrustSettingsResultInvalid = %d\n", kSecTrustSettingsResultInvalid);
|
||||
fprintf(stderr, "crypto/x509: kSecTrustSettingsResultTrustRoot = %d\n", kSecTrustSettingsResultTrustRoot);
|
||||
fprintf(stderr, "crypto/x509: kSecTrustSettingsResultTrustAsRoot = %d\n", kSecTrustSettingsResultTrustAsRoot);
|
||||
fprintf(stderr, "crypto/x509: kSecTrustSettingsResultDeny = %d\n", kSecTrustSettingsResultDeny);
|
||||
fprintf(stderr, "crypto/x509: kSecTrustSettingsResultUnspecified = %d\n", kSecTrustSettingsResultUnspecified);
|
||||
}
|
||||
|
||||
// Get certificates from all domains, not just System, this lets
|
||||
// the user add CAs to their "login" keychain, and Admins to add
|
||||
// to the "System" keychain
|
||||
SecTrustSettingsDomain domains[] = { kSecTrustSettingsDomainSystem,
|
||||
kSecTrustSettingsDomainAdmin, kSecTrustSettingsDomainUser };
|
||||
|
||||
int numDomains = sizeof(domains)/sizeof(SecTrustSettingsDomain);
|
||||
if (pemRoots == NULL || untrustedPemRoots == NULL) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
CFMutableDataRef combinedData = CFDataCreateMutable(kCFAllocatorDefault, 0);
|
||||
CFMutableDataRef combinedUntrustedData = CFDataCreateMutable(kCFAllocatorDefault, 0);
|
||||
for (i = 0; i < numDomains; i++) {
|
||||
int j;
|
||||
CFArrayRef certs = NULL;
|
||||
OSStatus err = SecTrustSettingsCopyCertificates(domains[i], &certs);
|
||||
if (err != noErr) {
|
||||
continue;
|
||||
}
|
||||
|
||||
CFIndex numCerts = CFArrayGetCount(certs);
|
||||
for (j = 0; j < numCerts; j++) {
|
||||
SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex(certs, j);
|
||||
if (cert == NULL) {
|
||||
continue;
|
||||
}
|
||||
|
||||
SInt32 result;
|
||||
if (domains[i] == kSecTrustSettingsDomainSystem) {
|
||||
// Certs found in the system domain are always trusted. If the user
|
||||
// configures "Never Trust" on such a cert, it will also be found in the
|
||||
// admin or user domain, causing it to be added to untrustedPemRoots. The
|
||||
// Go code will then clean this up.
|
||||
result = kSecTrustSettingsResultTrustRoot;
|
||||
} else {
|
||||
result = sslTrustSettingsResult(cert);
|
||||
if (debugDarwinRoots) {
|
||||
CFErrorRef errRef = NULL;
|
||||
CFStringRef summary = SecCertificateCopyShortDescription(NULL, cert, &errRef);
|
||||
if (errRef != NULL) {
|
||||
fprintf(stderr, "crypto/x509: SecCertificateCopyShortDescription failed\n");
|
||||
CFRelease(errRef);
|
||||
continue;
|
||||
}
|
||||
|
||||
CFIndex length = CFStringGetLength(summary);
|
||||
CFIndex maxSize = CFStringGetMaximumSizeForEncoding(length, kCFStringEncodingUTF8) + 1;
|
||||
char *buffer = malloc(maxSize);
|
||||
if (CFStringGetCString(summary, buffer, maxSize, kCFStringEncodingUTF8)) {
|
||||
fprintf(stderr, "crypto/x509: %s returned %d\n", buffer, (int)result);
|
||||
}
|
||||
free(buffer);
|
||||
CFRelease(summary);
|
||||
}
|
||||
}
|
||||
|
||||
CFMutableDataRef appendTo;
|
||||
// > Note the distinction between the results kSecTrustSettingsResultTrustRoot
|
||||
// > and kSecTrustSettingsResultTrustAsRoot: The former can only be applied to
|
||||
// > root (self-signed) certificates; the latter can only be applied to
|
||||
// > non-root certificates.
|
||||
if (result == kSecTrustSettingsResultTrustRoot) {
|
||||
CFErrorRef errRef = NULL;
|
||||
if (!isRootCertificate(cert, &errRef) || errRef != NULL) {
|
||||
if (errRef != NULL) CFRelease(errRef);
|
||||
continue;
|
||||
}
|
||||
|
||||
appendTo = combinedData;
|
||||
} else if (result == kSecTrustSettingsResultTrustAsRoot) {
|
||||
CFErrorRef errRef = NULL;
|
||||
if (isRootCertificate(cert, &errRef) || errRef != NULL) {
|
||||
if (errRef != NULL) CFRelease(errRef);
|
||||
continue;
|
||||
}
|
||||
|
||||
appendTo = combinedData;
|
||||
} else if (result == kSecTrustSettingsResultDeny) {
|
||||
appendTo = combinedUntrustedData;
|
||||
} else if (result == kSecTrustSettingsResultUnspecified) {
|
||||
// Certificates with unspecified trust should probably be added to a pool of
|
||||
// intermediates for chain building, or checked for transitive trust and
|
||||
// added to the root pool (which is an imprecise approximation because it
|
||||
// cuts chains short) but we don't support either at the moment. TODO.
|
||||
continue;
|
||||
} else {
|
||||
continue;
|
||||
}
|
||||
|
||||
CFDataRef data = NULL;
|
||||
err = SecItemExport(cert, kSecFormatX509Cert, kSecItemPemArmour, NULL, &data);
|
||||
if (err != noErr) {
|
||||
continue;
|
||||
}
|
||||
if (data != NULL) {
|
||||
CFDataAppendBytes(appendTo, CFDataGetBytePtr(data), CFDataGetLength(data));
|
||||
CFRelease(data);
|
||||
}
|
||||
}
|
||||
CFRelease(certs);
|
||||
}
|
||||
*pemRoots = combinedData;
|
||||
*untrustedPemRoots = combinedUntrustedData;
|
||||
return 0;
|
||||
}
|
||||
*/
|
||||
import "C"
|
||||
import (
|
||||
"errors"
|
||||
"unsafe"
|
||||
)
|
||||
|
||||
func loadSystemRoots() (*CertPool, error) {
|
||||
var data, untrustedData C.CFDataRef
|
||||
err := C.CopyPEMRoots(&data, &untrustedData, C.bool(debugDarwinRoots))
|
||||
if err == -1 {
|
||||
return nil, errors.New("crypto/x509: failed to load darwin system roots with cgo")
|
||||
}
|
||||
defer C.CFRelease(C.CFTypeRef(data))
|
||||
defer C.CFRelease(C.CFTypeRef(untrustedData))
|
||||
|
||||
buf := C.GoBytes(unsafe.Pointer(C.CFDataGetBytePtr(data)), C.int(C.CFDataGetLength(data)))
|
||||
roots := NewCertPool()
|
||||
roots.AppendCertsFromPEM(buf)
|
||||
|
||||
if C.CFDataGetLength(untrustedData) == 0 {
|
||||
return roots, nil
|
||||
}
|
||||
|
||||
buf = C.GoBytes(unsafe.Pointer(C.CFDataGetBytePtr(untrustedData)), C.int(C.CFDataGetLength(untrustedData)))
|
||||
untrustedRoots := NewCertPool()
|
||||
untrustedRoots.AppendCertsFromPEM(buf)
|
||||
|
||||
trustedRoots := NewCertPool()
|
||||
for _, c := range roots.certs {
|
||||
if !untrustedRoots.contains(c) {
|
||||
trustedRoots.AddCert(c)
|
||||
}
|
||||
}
|
||||
return trustedRoots, nil
|
||||
}
|
||||
Reference in New Issue
Block a user