diff options
| author | Roland Shoemaker <roland@golang.org> | 2025-03-03 16:27:36 -0800 |
|---|---|---|
| committer | Roland Shoemaker <roland@golang.org> | 2025-03-13 16:44:25 -0700 |
| commit | 937368f84e545db15d3f39c2b33a267ba8ead4a4 (patch) | |
| tree | 35ade0dbd589cc8e89d51ce608eb1aaa5ab86dea /src | |
| parent | 3b456ff42137df2b89295ede29c915d43c10b538 (diff) | |
| download | go-937368f84e545db15d3f39c2b33a267ba8ead4a4.tar.xz | |
crypto/x509: change how we retrieve chains on darwin
Instead of using the deprecated SecTrustGetCertificateAtIndex and
SecTrustGetCertificateCount method, use the SecTrustCopyCertificateChain
method.
This method require macOS 12+, which will be the minimum supported
version in 1.25.
Change-Id: I9a5ef75431cdb84f1cbe4eee47e6e9e2da4dea03
Reviewed-on: https://go-review.googlesource.com/c/go/+/654376
Reviewed-by: David Chase <drchase@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
Diffstat (limited to 'src')
| -rw-r--r-- | src/crypto/x509/internal/macos/security.go | 30 | ||||
| -rw-r--r-- | src/crypto/x509/internal/macos/security.s | 6 | ||||
| -rw-r--r-- | src/crypto/x509/root_darwin.go | 13 |
3 files changed, 20 insertions, 29 deletions
diff --git a/src/crypto/x509/internal/macos/security.go b/src/crypto/x509/internal/macos/security.go index 497ba6e824..f9f37b1666 100644 --- a/src/crypto/x509/internal/macos/security.go +++ b/src/crypto/x509/internal/macos/security.go @@ -122,25 +122,6 @@ func SecTrustEvaluateWithError(trustObj CFRef) (int, error) { } func x509_SecTrustEvaluateWithError_trampoline() -//go:cgo_import_dynamic x509_SecTrustGetCertificateCount SecTrustGetCertificateCount "/System/Library/Frameworks/Security.framework/Versions/A/Security" - -func SecTrustGetCertificateCount(trustObj CFRef) int { - ret := syscall(abi.FuncPCABI0(x509_SecTrustGetCertificateCount_trampoline), uintptr(trustObj), 0, 0, 0, 0, 0) - return int(ret) -} -func x509_SecTrustGetCertificateCount_trampoline() - -//go:cgo_import_dynamic x509_SecTrustGetCertificateAtIndex SecTrustGetCertificateAtIndex "/System/Library/Frameworks/Security.framework/Versions/A/Security" - -func SecTrustGetCertificateAtIndex(trustObj CFRef, i int) (CFRef, error) { - ret := syscall(abi.FuncPCABI0(x509_SecTrustGetCertificateAtIndex_trampoline), uintptr(trustObj), uintptr(i), 0, 0, 0, 0) - if ret == 0 { - return 0, OSStatus{"SecTrustGetCertificateAtIndex", int32(ret)} - } - return CFRef(ret), nil -} -func x509_SecTrustGetCertificateAtIndex_trampoline() - //go:cgo_import_dynamic x509_SecCertificateCopyData SecCertificateCopyData "/System/Library/Frameworks/Security.framework/Versions/A/Security" func SecCertificateCopyData(cert CFRef) ([]byte, error) { @@ -153,3 +134,14 @@ func SecCertificateCopyData(cert CFRef) ([]byte, error) { return b, nil } func x509_SecCertificateCopyData_trampoline() + +//go:cgo_import_dynamic x509_SecTrustCopyCertificateChain SecTrustCopyCertificateChain "/System/Library/Frameworks/Security.framework/Versions/A/Security" + +func SecTrustCopyCertificateChain(trustObj CFRef) (CFRef, error) { + ret := syscall(abi.FuncPCABI0(x509_SecTrustCopyCertificateChain_trampoline), uintptr(trustObj), 0, 0, 0, 0, 0) + if ret == 0 { + return 0, OSStatus{"SecTrustCopyCertificateChain", int32(ret)} + } + return CFRef(ret), nil +} +func x509_SecTrustCopyCertificateChain_trampoline() diff --git a/src/crypto/x509/internal/macos/security.s b/src/crypto/x509/internal/macos/security.s index dc630eccb7..ca5337c788 100644 --- a/src/crypto/x509/internal/macos/security.s +++ b/src/crypto/x509/internal/macos/security.s @@ -21,9 +21,7 @@ TEXT ·x509_SecTrustEvaluate_trampoline(SB),NOSPLIT,$0-0 JMP x509_SecTrustEvaluate(SB) TEXT ·x509_SecTrustEvaluateWithError_trampoline(SB),NOSPLIT,$0-0 JMP x509_SecTrustEvaluateWithError(SB) -TEXT ·x509_SecTrustGetCertificateCount_trampoline(SB),NOSPLIT,$0-0 - JMP x509_SecTrustGetCertificateCount(SB) -TEXT ·x509_SecTrustGetCertificateAtIndex_trampoline(SB),NOSPLIT,$0-0 - JMP x509_SecTrustGetCertificateAtIndex(SB) TEXT ·x509_SecCertificateCopyData_trampoline(SB),NOSPLIT,$0-0 JMP x509_SecCertificateCopyData(SB) +TEXT ·x509_SecTrustCopyCertificateChain_trampoline(SB),NOSPLIT,$0-0 + JMP x509_SecTrustCopyCertificateChain(SB) diff --git a/src/crypto/x509/root_darwin.go b/src/crypto/x509/root_darwin.go index 469e907a8e..b5d7b6350b 100644 --- a/src/crypto/x509/root_darwin.go +++ b/src/crypto/x509/root_darwin.go @@ -73,12 +73,13 @@ func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate } chain := [][]*Certificate{{}} - numCerts := macOS.SecTrustGetCertificateCount(trustObj) - for i := 0; i < numCerts; i++ { - certRef, err := macOS.SecTrustGetCertificateAtIndex(trustObj, i) - if err != nil { - return nil, err - } + chainRef, err := macOS.SecTrustCopyCertificateChain(trustObj) + if err != nil { + return nil, err + } + defer macOS.CFRelease(chainRef) + for i := 0; i < macOS.CFArrayGetCount(chainRef); i++ { + certRef := macOS.CFArrayGetValueAtIndex(chainRef, i) cert, err := exportCertificate(certRef) if err != nil { return nil, err |