From eac7cf0d78a4920a916d2eb7e9ced233544fdc08 Mon Sep 17 00:00:00 2001
From: Mateusz Poliwczak
Date: Sun, 25 May 2025 16:49:41 +0200
Subject: x509roots/fallback: move parsing code to a non-generated file

For golang/go#73691

Change-Id: I3e2b09055c39286d863fe70ca3bd72a839e25d0a
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/676215
Reviewed-by: Michael Knyszek
Reviewed-by: Roland Shoemaker
Reviewed-by: Sean Liao
Auto-Submit: Sean Liao
LUCI-TryBot-Result: Go LUCI
---
 x509roots/fallback/bundle.go     | 61 ----------------------------------------
 x509roots/fallback/fallback.go   | 61 ++++++++++++++++++++++++++++++++++++++++--
 x509roots/gen_fallback_bundle.go | 61 ----------------------------------------
 3 files changed, 59 insertions(+), 124 deletions(-)

diff --git a/x509roots/fallback/bundle.go b/x509roots/fallback/bundle.go
index 8469cf1..81ad6e8 100644
--- a/x509roots/fallback/bundle.go
+++ b/x509roots/fallback/bundle.go
@@ -2,67 +2,6 @@
 
 package fallback
 
-import (
-	"crypto/x509"
-	"encoding/pem"
-	"fmt"
-	"time"
-)
-
-type unparsedCertificate struct {
-	cn string
-	sha256Hash string
-	pem string
-
-	// possible constraints
-	distrustAfter string
-}
-
-type parsedCertificate struct {
-	cert *x509.Certificate
-	constraints []func([]*x509.Certificate) error
-}
-
-func mustParse(unparsedCerts []unparsedCertificate) []parsedCertificate {
-	var b []parsedCertificate
-	for _, unparsed := range unparsedCerts {
-		block, rest := pem.Decode([]byte(unparsed.pem))
-		if block == nil {
-			panic(fmt.Sprintf("unexpected nil PEM block for %q", unparsed.cn))
-		}
-		if len(rest) != 0 {
-			panic(fmt.Sprintf("unexpected trailing data in PEM for %q", unparsed.cn))
-		}
-		if block.Type != "CERTIFICATE" {
-			panic(fmt.Sprintf("unexpected PEM block type for %q: %s", unparsed.cn, block.Type))
-		}
-		cert, err := x509.ParseCertificate(block.Bytes)
-		if err != nil {
-			panic(err)
-		}
-		parsed := parsedCertificate{cert: cert}
-		// parse possible constraints, this should check all fields of unparsedCertificate.
-		if unparsed.distrustAfter != "" {
-			distrustAfter, err := time.Parse(time.RFC3339, unparsed.distrustAfter)
-			if err != nil {
-				panic(fmt.Sprintf("failed to parse distrustAfter %q: %s", unparsed.distrustAfter, err))
-			}
-			parsed.constraints = append(parsed.constraints, func(chain []*x509.Certificate) error {
-				for _, c := range chain {
-					if c.NotBefore.After(distrustAfter) {
-						return fmt.Errorf("certificate issued after distrust-after date %q", distrustAfter)
-					}
-				}
-				return nil
-			})
-		}
-		b = append(b, parsed)
-	}
-	return b
-}
-
-var parsedCertificates = mustParse(unparsedCertificates)
-
 var unparsedCertificates = []unparsedCertificate{
 	{
 		cn: "CN=AC RAIZ FNMT-RCM SERVIDORES SEGUROS,OU=Ceres,O=FNMT-RCM,C=ES,2.5.4.97=#130f56415445532d51323832363030344a",
diff --git a/x509roots/fallback/fallback.go b/x509roots/fallback/fallback.go
index 3a60650..0f0e3a9 100644
--- a/x509roots/fallback/fallback.go
+++ b/x509roots/fallback/fallback.go
@@ -18,11 +18,16 @@
 // available.
 package fallback
 
-import "crypto/x509"
+import (
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"time"
+)
 
 func init() {
 	p := x509.NewCertPool()
-	for _, c := range parsedCertificates {
+	for _, c := range mustParse(unparsedCertificates) {
 		if len(c.constraints) == 0 {
 			p.AddCert(c.cert)
 		} else {
@@ -38,3 +43,55 @@ func init() {
 	}
 	x509.SetFallbackRoots(p)
 }
+
+type unparsedCertificate struct {
+	cn string
+	sha256Hash string
+	pem string
+
+	// possible constraints
+	distrustAfter string
+}
+
+type parsedCertificate struct {
+	cert *x509.Certificate
+	constraints []func([]*x509.Certificate) error
+}
+
+func mustParse(unparsedCerts []unparsedCertificate) []parsedCertificate {
+	var b []parsedCertificate
+	for _, unparsed := range unparsedCerts {
+		block, rest := pem.Decode([]byte(unparsed.pem))
+		if block == nil {
+			panic(fmt.Sprintf("unexpected nil PEM block for %q", unparsed.cn))
+		}
+		if len(rest) != 0 {
+			panic(fmt.Sprintf("unexpected trailing data in PEM for %q", unparsed.cn))
+		}
+		if block.Type != "CERTIFICATE" {
+			panic(fmt.Sprintf("unexpected PEM block type for %q: %s", unparsed.cn, block.Type))
+		}
+		cert, err := x509.ParseCertificate(block.Bytes)
+		if err != nil {
+			panic(err)
+		}
+		parsed := parsedCertificate{cert: cert}
+		// parse possible constraints, this should check all fields of unparsedCertificate.
+		if unparsed.distrustAfter != "" {
+			distrustAfter, err := time.Parse(time.RFC3339, unparsed.distrustAfter)
+			if err != nil {
+				panic(fmt.Sprintf("failed to parse distrustAfter %q: %s", unparsed.distrustAfter, err))
+			}
+			parsed.constraints = append(parsed.constraints, func(chain []*x509.Certificate) error {
+				for _, c := range chain {
+					if c.NotBefore.After(distrustAfter) {
+						return fmt.Errorf("certificate issued after distrust-after date %q", distrustAfter)
+					}
+				}
+				return nil
+			})
+		}
+		b = append(b, parsed)
+	}
+	return b
+}
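Review bot: In the second hunk of fallback.go, mustParse carries `sha256Hash` through unparsedCertificate but never compares it to the certificate it just parsed, so the fingerprint recorded for every root is dead data as far as this package is concerned unless something outside this diff consumes it. The existing comment `// parse possible constraints, this should check all fields of unparsedCertificate.` already states that intent, and hashing `cert.Raw` after x509.ParseCertificate would turn a corrupted or mis-regenerated bundle.go into an init-time panic rather than a silently trusted root; the field's encoding is not visible here, so the sketch below assumes lowercase hex and would need `crypto/sha256` and `encoding/hex` added to the import block in the first hunk. Separately, the `panic(err)` after x509.ParseCertificate is the one failure path that drops `unparsed.cn`, so `panic(fmt.Sprintf("parsing certificate %q: %s", unparsed.cn, err))` keeps the diagnostics consistent with the neighbouring panics. mustParse also has no doc comment; something like `// mustParse decodes each PEM root and its constraints, panicking on any malformed entry.` would help, since a panic here aborts package init for every importer.
```go
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			panic(fmt.Sprintf("parsing certificate %q: %s", unparsed.cn, err))
		}
		// The bundle is generated data: a fingerprint that disagrees with the PEM
		// means the entry was corrupted or mis-generated and must not be trusted.
		if unparsed.sha256Hash != "" {
			sum := sha256.Sum256(cert.Raw)
			if got := hex.EncodeToString(sum[:]); got != unparsed.sha256Hash { // assumes lowercase hex — confirm against the generator
				panic(fmt.Sprintf("sha256 mismatch for %q: got %s, want %s", unparsed.cn, got, unparsed.sha256Hash))
			}
		}
		// … unchanged: parsedCertificate construction and distrustAfter constraint …
```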
diff --git a/x509roots/gen_fallback_bundle.go b/x509roots/gen_fallback_bundle.go
index 4c44616..1fe9022 100644
--- a/x509roots/gen_fallback_bundle.go
+++ b/x509roots/gen_fallback_bundle.go
@@ -30,67 +30,6 @@ const tmpl = `// Code generated by gen_fallback_bundle.go; DO NOT EDIT.
 
 package fallback
 
-import (
-	"crypto/x509"
-	"encoding/pem"
-	"fmt"
-	"time"
-)
-
-type unparsedCertificate struct {
-	cn string
-	sha256Hash string
-	pem string
-
-	// possible constraints
-	distrustAfter string
-}
-
-type parsedCertificate struct {
-	cert *x509.Certificate
-	constraints []func([]*x509.Certificate) error
-}
-
-func mustParse(unparsedCerts []unparsedCertificate) []parsedCertificate {
-	var b []parsedCertificate
-	for _, unparsed := range unparsedCerts {
-		block, rest := pem.Decode([]byte(unparsed.pem))
-		if block == nil {
-			panic(fmt.Sprintf("unexpected nil PEM block for %q", unparsed.cn))
-		}
-		if len(rest) != 0 {
-			panic(fmt.Sprintf("unexpected trailing data in PEM for %q", unparsed.cn))
-		}
-		if block.Type != "CERTIFICATE" {
-			panic(fmt.Sprintf("unexpected PEM block type for %q: %s", unparsed.cn, block.Type))
-		}
-		cert, err := x509.ParseCertificate(block.Bytes)
-		if err != nil {
-			panic(err)
-		}
-		parsed := parsedCertificate{cert: cert}
-		// parse possible constraints, this should check all fields of unparsedCertificate.
-		if unparsed.distrustAfter != "" {
-			distrustAfter, err := time.Parse(time.RFC3339, unparsed.distrustAfter)
-			if err != nil {
-				panic(fmt.Sprintf("failed to parse distrustAfter %q: %s", unparsed.distrustAfter, err))
-			}
-			parsed.constraints = append(parsed.constraints, func(chain []*x509.Certificate) error {
-				for _, c := range chain {
-					if c.NotBefore.After(distrustAfter) {
-						return fmt.Errorf("certificate issued after distrust-after date %q", distrustAfter)
-					}
-				}
-				return nil
-			})
-		}
-		b = append(b, parsed)
-	}
-	return b
-}
-
-var parsedCertificates = mustParse(unparsedCertificates)
-
 var unparsedCertificates = []unparsedCertificate{
 `
 
--
cgit v1.3