Stowage/go
2
0
Fork 0
mirror of https://github.com/golang/go.git synced 2025-12-08 06:10:04 +00:00
Code Issues Projects Releases Packages Wiki Activity
go/src/crypto/x509/root_unix.go

120 lines
3.1 KiB
Go
Raw Normal View History

crypto/tls: fetch root certificates using Mac OS API Fixes #1009. R=adg, rsc CC=golang-dev https://golang.org/cl/5262041
2011-10-13 13:59:13 -04:00
// Copyright 2011 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
all: remove the nacl port (part 1) You were a useful port and you've served your purpose. Thanks for all the play. A subsequent CL will remove amd64p32 (including assembly files and toolchain bits) and remaining bits. The amd64p32 removal will be separated into its own CL in case we want to support the Linux x32 ABI in the future and want our old amd64p32 support as a starting point. Updates #30439 Change-Id: Ia3a0c7d49804adc87bf52a4dea7e3d3007f2b1cd Reviewed-on: https://go-review.googlesource.com/c/go/+/199499 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
2019-10-08 19:19:13 +00:00
// +build aix dragonfly freebsd js,wasm linux netbsd openbsd solaris
crypto/tls: make compatible with go/build R=golang-dev, r CC=golang-dev https://golang.org/cl/5484073
2011-12-14 10:25:48 -05:00
crypto/x509: new home for root fetchers; build chains using Windows API This moves the various CA root fetchers from crypto/tls into crypto/x509. The move was brought about by issue 2997. Windows doesn't ship with all its root certificates, but will instead download them as-needed when using CryptoAPI for certificate verification. This CL changes crypto/x509 to verify a certificate using the system root CAs when VerifyOptions.RootCAs == nil. On Windows, this verification is now implemented using Windows's CryptoAPI. All other root fetchers are unchanged, and still use Go's own verification code. The CL also fixes the hostname matching logic in crypto/tls/tls.go, in order to be able to test whether hostname mismatches are honored by the Windows verification code. The move to crypto/x509 also allows other packages to use the OS-provided root certificates, instead of hiding them inside the crypto/tls package. Fixes #2997. R=agl, golang-dev, alex.brainman, rsc, mikkel CC=golang-dev https://golang.org/cl/5700087
2012-03-07 13:12:35 -05:00
package x509
crypto/tls: fetch root certificates using Mac OS API Fixes #1009. R=adg, rsc CC=golang-dev https://golang.org/cl/5262041
2011-10-13 13:59:13 -04:00
crypto/x509: add SystemCertPool, refactor system cert pool loading This exports the system cert pool. The system cert loading was refactored to let it be run multiple times (so callers get a copy, and can't mutate global state), and also to not discard errors. SystemCertPool returns an error on Windows. Maybe it's fixable later, but so far we haven't used it, since the system verifies TLS. Fixes #13335 Change-Id: I3dfb4656a373f241bae8529076d24c5f532f113c Reviewed-on: https://go-review.googlesource.com/21293 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Andrew Gerrand <adg@golang.org>
2016-03-30 16:41:18 +11:00
import (
"io/ioutil"
"os"
crypto/x509: don't read symlinked root certs from disk twice On Linux distros at least, it's common for cert directories to have symlinks pointing to other certs or even other symlinks. An example from Debian stretch's /etc/ssl/certs directory: ... lrwxrwxrwx 1 root root 46 Aug 13 2018 106f3e4d.0 -> Entrust_Root_Certification_Authority_-_EC1.pem lrwxrwxrwx 1 root root 49 Aug 13 2018 116bf586.0 -> GeoTrust_Primary_Certification_Authority_-_G2.pem lrwxrwxrwx 1 root root 35 Aug 13 2018 128805a3.0 -> EE_Certification_Centre_Root_CA.pem lrwxrwxrwx 1 root root 26 Aug 13 2018 157753a5.0 -> AddTrust_External_Root.pem lrwxrwxrwx 1 root root 59 Aug 13 2018 1636090b.0 -> Hellenic_Academic_and_Research_Institutions_RootCA_2011.pem lrwxrwxrwx 1 root root 23 Aug 13 2018 18856ac4.0 -> SecureSign_RootCA11.pem lrwxrwxrwx 1 root root 31 Aug 13 2018 1d3472b9.0 -> GlobalSign_ECC_Root_CA_-_R5.pem lrwxrwxrwx 1 root root 37 Aug 13 2018 1e08bfd1.0 -> IdenTrust_Public_Sector_Root_CA_1.pem lrwxrwxrwx 1 root root 35 Nov 8 21:13 773e07ad.0 -> OISTE_WISeKey_Global_Root_GC_CA.pem -rw-r--r-- 1 root root 200061 Nov 8 21:24 ca-certificates.crt lrwxrwxrwx 1 root root 27 Nov 8 21:13 dc4d6a89.0 -> GlobalSign_Root_CA_-_R6.pem lrwxrwxrwx 1 root root 62 Nov 8 21:13 GlobalSign_Root_CA_-_R6.pem -> /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R6.crt drwxr-xr-x 2 root root 4096 Jan 26 2019 java lrwxrwxrwx 1 root root 70 Nov 8 21:13 OISTE_WISeKey_Global_Root_GC_CA.pem -> /usr/share/ca-certificates/mozilla/OISTE_WISeKey_Global_Root_GC_CA.crt ... The root_unix.go code read those certs with same-directory twice before. This drops the number of files read from 258 to 130. Saves about 20 ms. Change-Id: I36a1b1e8bb8d89ed3dac8b6255f9048cb7f08fe8 Reviewed-on: https://go-review.googlesource.com/c/go/+/229918 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org>
2020-04-24 12:15:04 -07:00
"path/filepath"
crypto/x509: load roots from colon separated SSL_CERT_DIR in loadSystemRoots "SSL_CERT_DIR" is meant to hold more than one directory, when a colon is used as a delimiter. However, we assumed it'd be a single directory for all root certificates. OpenSSL and BoringSSL properly respected the colon separated "SSL_CERT_DIR", as per: * OpenSSL https://github.com/openssl/openssl/blob/12a765a5235f181c2f4992b615eb5f892c368e88/crypto/x509/by_dir.c#L153-L209 * BoringSSL https://github.com/google/boringssl/blob/3ba9586bc081f67903c89917f23e74a0662ba953/crypto/x509/by_dir.c#L194-L247 This change adds that parity to loadSystemRoots. RELNOTE=yes Fixes #35325 Change-Id: I0d554a00ccc34300a7f0529aa741ee7e2d5762f9 Reviewed-on: https://go-review.googlesource.com/c/go/+/205237 Run-TryBot: Emmanuel Odeke <emm.odeke@gmail.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2019-11-04 09:19:59 -08:00
"strings"
crypto/x509: add SystemCertPool, refactor system cert pool loading This exports the system cert pool. The system cert loading was refactored to let it be run multiple times (so callers get a copy, and can't mutate global state), and also to not discard errors. SystemCertPool returns an error on Windows. Maybe it's fixable later, but so far we haven't used it, since the system verifies TLS. Fixes #13335 Change-Id: I3dfb4656a373f241bae8529076d24c5f532f113c Reviewed-on: https://go-review.googlesource.com/21293 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Andrew Gerrand <adg@golang.org>
2016-03-30 16:41:18 +11:00
)
crypto/tls: fetch root certificates using Mac OS API Fixes #1009. R=adg, rsc CC=golang-dev https://golang.org/cl/5262041
2011-10-13 13:59:13 -04:00
x509: add root certs for android. On android, root certificates appear to be stored in the folder /system/etc/security/cacerts, which has many certs in several different files. This change adds a new array of directories in which certs can be found. To test this, I simply tried making a request with the http library to an HTTPS URL on an android emulator and manually verified that it worked. LGTM=crawshaw R=golang-codereviews, gobot, crawshaw CC=golang-codereviews https://golang.org/cl/151800043
2014-09-30 09:51:49 +10:00
// Possible directories with certificate files; stop after successfully
// reading at least one file from a directory.
var certDirectories = []string{
crypto/x509: add /etc/ssl/certs to certificate directories Fixes #12139. Change-Id: Ied760ac37e2fc21ef951ae872136dc3bfd49bf9f Reviewed-on: https://go-review.googlesource.com/16671 Reviewed-by: Ian Lance Taylor <iant@golang.org>
2015-11-04 21:20:33 -05:00
"/etc/ssl/certs", // SLES10/SLES11, https://golang.org/issue/12139
x509: add root certs for android. On android, root certificates appear to be stored in the folder /system/etc/security/cacerts, which has many certs in several different files. This change adds a new array of directories in which certs can be found. To test this, I simply tried making a request with the http library to an HTTPS URL on an android emulator and manually verified that it worked. LGTM=crawshaw R=golang-codereviews, gobot, crawshaw CC=golang-codereviews https://golang.org/cl/151800043
2014-09-30 09:51:49 +10:00
"/system/etc/security/cacerts", // Android
crypto/x509: load certs from env vars + extra locations Add the ability to override the default file and directory from which certificates are loaded by setting the OpenSSL compatible environment variables: SSL_CERT_FILE, SSL_CERT_DIR. If the variables are set the default locations are not checked. Added new default file "/usr/local/etc/ssl/cert.pem" for FreeBSD. Certificates in the first valid location found for both file and directory are added, instead of only the first file location if a valid one was found, which is consistent with OpenSSL. Fixes #3905 Fixes #14022 Fixes #14311 Fixes #16920 Fixes #18813 - If user sets SSL_CERT_FILE. Change-Id: Ia24fb7c1c2ffff4338b4cf214bd040326ce27bb0 Reviewed-on: https://go-review.googlesource.com/36093 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
2017-02-02 00:34:06 +00:00
"/usr/local/share/certs", // FreeBSD
"/etc/pki/tls/certs", // Fedora/RHEL
"/etc/openssl/certs", // NetBSD
crypto: add AIX operating system This commit adds AIX operating system to crypto package for ppc64 architecture. Updates: #25893 Change-Id: I20047ff2fef0051b8b235ec15b064c4a95c2b9c3 Reviewed-on: https://go-review.googlesource.com/c/138722 Run-TryBot: Ian Lance Taylor <iant@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org>
2018-09-28 15:42:19 +02:00
"/var/ssl/certs", // AIX
x509: add root certs for android. On android, root certificates appear to be stored in the folder /system/etc/security/cacerts, which has many certs in several different files. This change adds a new array of directories in which certs can be found. To test this, I simply tried making a request with the http library to an HTTPS URL on an android emulator and manually verified that it worked. LGTM=crawshaw R=golang-codereviews, gobot, crawshaw CC=golang-codereviews https://golang.org/cl/151800043
2014-09-30 09:51:49 +10:00
}
crypto/x509: load certs from env vars + extra locations Add the ability to override the default file and directory from which certificates are loaded by setting the OpenSSL compatible environment variables: SSL_CERT_FILE, SSL_CERT_DIR. If the variables are set the default locations are not checked. Added new default file "/usr/local/etc/ssl/cert.pem" for FreeBSD. Certificates in the first valid location found for both file and directory are added, instead of only the first file location if a valid one was found, which is consistent with OpenSSL. Fixes #3905 Fixes #14022 Fixes #14311 Fixes #16920 Fixes #18813 - If user sets SSL_CERT_FILE. Change-Id: Ia24fb7c1c2ffff4338b4cf214bd040326ce27bb0 Reviewed-on: https://go-review.googlesource.com/36093 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
2017-02-02 00:34:06 +00:00
const (
// certFileEnv is the environment variable which identifies where to locate
// the SSL certificate file. If set this overrides the system default.
certFileEnv = "SSL_CERT_FILE"
// certDirEnv is the environment variable which identifies which directory
// to check for SSL certificate files. If set this overrides the system default.
crypto/x509: load roots from colon separated SSL_CERT_DIR in loadSystemRoots "SSL_CERT_DIR" is meant to hold more than one directory, when a colon is used as a delimiter. However, we assumed it'd be a single directory for all root certificates. OpenSSL and BoringSSL properly respected the colon separated "SSL_CERT_DIR", as per: * OpenSSL https://github.com/openssl/openssl/blob/12a765a5235f181c2f4992b615eb5f892c368e88/crypto/x509/by_dir.c#L153-L209 * BoringSSL https://github.com/google/boringssl/blob/3ba9586bc081f67903c89917f23e74a0662ba953/crypto/x509/by_dir.c#L194-L247 This change adds that parity to loadSystemRoots. RELNOTE=yes Fixes #35325 Change-Id: I0d554a00ccc34300a7f0529aa741ee7e2d5762f9 Reviewed-on: https://go-review.googlesource.com/c/go/+/205237 Run-TryBot: Emmanuel Odeke <emm.odeke@gmail.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2019-11-04 09:19:59 -08:00
// It is a colon separated list of directories.
// See https://www.openssl.org/docs/man1.0.2/man1/c_rehash.html.
crypto/x509: load certs from env vars + extra locations Add the ability to override the default file and directory from which certificates are loaded by setting the OpenSSL compatible environment variables: SSL_CERT_FILE, SSL_CERT_DIR. If the variables are set the default locations are not checked. Added new default file "/usr/local/etc/ssl/cert.pem" for FreeBSD. Certificates in the first valid location found for both file and directory are added, instead of only the first file location if a valid one was found, which is consistent with OpenSSL. Fixes #3905 Fixes #14022 Fixes #14311 Fixes #16920 Fixes #18813 - If user sets SSL_CERT_FILE. Change-Id: Ia24fb7c1c2ffff4338b4cf214bd040326ce27bb0 Reviewed-on: https://go-review.googlesource.com/36093 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
2017-02-02 00:34:06 +00:00
certDirEnv = "SSL_CERT_DIR"
)
crypto/x509: new home for root fetchers; build chains using Windows API This moves the various CA root fetchers from crypto/tls into crypto/x509. The move was brought about by issue 2997. Windows doesn't ship with all its root certificates, but will instead download them as-needed when using CryptoAPI for certificate verification. This CL changes crypto/x509 to verify a certificate using the system root CAs when VerifyOptions.RootCAs == nil. On Windows, this verification is now implemented using Windows's CryptoAPI. All other root fetchers are unchanged, and still use Go's own verification code. The CL also fixes the hostname matching logic in crypto/tls/tls.go, in order to be able to test whether hostname mismatches are honored by the Windows verification code. The move to crypto/x509 also allows other packages to use the OS-provided root certificates, instead of hiding them inside the crypto/tls package. Fixes #2997. R=agl, golang-dev, alex.brainman, rsc, mikkel CC=golang-dev https://golang.org/cl/5700087
2012-03-07 13:12:35 -05:00
func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate, err error) {
return nil, nil
}
crypto/x509: add SystemCertPool, refactor system cert pool loading This exports the system cert pool. The system cert loading was refactored to let it be run multiple times (so callers get a copy, and can't mutate global state), and also to not discard errors. SystemCertPool returns an error on Windows. Maybe it's fixable later, but so far we haven't used it, since the system verifies TLS. Fixes #13335 Change-Id: I3dfb4656a373f241bae8529076d24c5f532f113c Reviewed-on: https://go-review.googlesource.com/21293 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Andrew Gerrand <adg@golang.org>
2016-03-30 16:41:18 +11:00
func loadSystemRoots() (*CertPool, error) {
crypto/x509: new home for root fetchers; build chains using Windows API This moves the various CA root fetchers from crypto/tls into crypto/x509. The move was brought about by issue 2997. Windows doesn't ship with all its root certificates, but will instead download them as-needed when using CryptoAPI for certificate verification. This CL changes crypto/x509 to verify a certificate using the system root CAs when VerifyOptions.RootCAs == nil. On Windows, this verification is now implemented using Windows's CryptoAPI. All other root fetchers are unchanged, and still use Go's own verification code. The CL also fixes the hostname matching logic in crypto/tls/tls.go, in order to be able to test whether hostname mismatches are honored by the Windows verification code. The move to crypto/x509 also allows other packages to use the OS-provided root certificates, instead of hiding them inside the crypto/tls package. Fixes #2997. R=agl, golang-dev, alex.brainman, rsc, mikkel CC=golang-dev https://golang.org/cl/5700087
2012-03-07 13:12:35 -05:00
roots := NewCertPool()
crypto/x509: load certs from env vars + extra locations Add the ability to override the default file and directory from which certificates are loaded by setting the OpenSSL compatible environment variables: SSL_CERT_FILE, SSL_CERT_DIR. If the variables are set the default locations are not checked. Added new default file "/usr/local/etc/ssl/cert.pem" for FreeBSD. Certificates in the first valid location found for both file and directory are added, instead of only the first file location if a valid one was found, which is consistent with OpenSSL. Fixes #3905 Fixes #14022 Fixes #14311 Fixes #16920 Fixes #18813 - If user sets SSL_CERT_FILE. Change-Id: Ia24fb7c1c2ffff4338b4cf214bd040326ce27bb0 Reviewed-on: https://go-review.googlesource.com/36093 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
2017-02-02 00:34:06 +00:00
files := certFiles
if f := os.Getenv(certFileEnv); f != "" {
files = []string{f}
}
crypto/x509: add SystemCertPool, refactor system cert pool loading This exports the system cert pool. The system cert loading was refactored to let it be run multiple times (so callers get a copy, and can't mutate global state), and also to not discard errors. SystemCertPool returns an error on Windows. Maybe it's fixable later, but so far we haven't used it, since the system verifies TLS. Fixes #13335 Change-Id: I3dfb4656a373f241bae8529076d24c5f532f113c Reviewed-on: https://go-review.googlesource.com/21293 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Andrew Gerrand <adg@golang.org>
2016-03-30 16:41:18 +11:00
var firstErr error
crypto/x509: load certs from env vars + extra locations Add the ability to override the default file and directory from which certificates are loaded by setting the OpenSSL compatible environment variables: SSL_CERT_FILE, SSL_CERT_DIR. If the variables are set the default locations are not checked. Added new default file "/usr/local/etc/ssl/cert.pem" for FreeBSD. Certificates in the first valid location found for both file and directory are added, instead of only the first file location if a valid one was found, which is consistent with OpenSSL. Fixes #3905 Fixes #14022 Fixes #14311 Fixes #16920 Fixes #18813 - If user sets SSL_CERT_FILE. Change-Id: Ia24fb7c1c2ffff4338b4cf214bd040326ce27bb0 Reviewed-on: https://go-review.googlesource.com/36093 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
2017-02-02 00:34:06 +00:00
for _, file := range files {
crypto/tls: fetch root certificates using Mac OS API Fixes #1009. R=adg, rsc CC=golang-dev https://golang.org/cl/5262041
2011-10-13 13:59:13 -04:00
data, err := ioutil.ReadFile(file)
if err == nil {
roots.AppendCertsFromPEM(data)
crypto/x509: load certs from env vars + extra locations Add the ability to override the default file and directory from which certificates are loaded by setting the OpenSSL compatible environment variables: SSL_CERT_FILE, SSL_CERT_DIR. If the variables are set the default locations are not checked. Added new default file "/usr/local/etc/ssl/cert.pem" for FreeBSD. Certificates in the first valid location found for both file and directory are added, instead of only the first file location if a valid one was found, which is consistent with OpenSSL. Fixes #3905 Fixes #14022 Fixes #14311 Fixes #16920 Fixes #18813 - If user sets SSL_CERT_FILE. Change-Id: Ia24fb7c1c2ffff4338b4cf214bd040326ce27bb0 Reviewed-on: https://go-review.googlesource.com/36093 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
2017-02-02 00:34:06 +00:00
break
crypto/x509: add SystemCertPool, refactor system cert pool loading This exports the system cert pool. The system cert loading was refactored to let it be run multiple times (so callers get a copy, and can't mutate global state), and also to not discard errors. SystemCertPool returns an error on Windows. Maybe it's fixable later, but so far we haven't used it, since the system verifies TLS. Fixes #13335 Change-Id: I3dfb4656a373f241bae8529076d24c5f532f113c Reviewed-on: https://go-review.googlesource.com/21293 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Andrew Gerrand <adg@golang.org>
2016-03-30 16:41:18 +11:00
}
if firstErr == nil && !os.IsNotExist(err) {
firstErr = err
crypto/tls: fetch root certificates using Mac OS API Fixes #1009. R=adg, rsc CC=golang-dev https://golang.org/cl/5262041
2011-10-13 13:59:13 -04:00
}
}
crypto/x509: new home for root fetchers; build chains using Windows API This moves the various CA root fetchers from crypto/tls into crypto/x509. The move was brought about by issue 2997. Windows doesn't ship with all its root certificates, but will instead download them as-needed when using CryptoAPI for certificate verification. This CL changes crypto/x509 to verify a certificate using the system root CAs when VerifyOptions.RootCAs == nil. On Windows, this verification is now implemented using Windows's CryptoAPI. All other root fetchers are unchanged, and still use Go's own verification code. The CL also fixes the hostname matching logic in crypto/tls/tls.go, in order to be able to test whether hostname mismatches are honored by the Windows verification code. The move to crypto/x509 also allows other packages to use the OS-provided root certificates, instead of hiding them inside the crypto/tls package. Fixes #2997. R=agl, golang-dev, alex.brainman, rsc, mikkel CC=golang-dev https://golang.org/cl/5700087
2012-03-07 13:12:35 -05:00
crypto/x509: load certs from env vars + extra locations Add the ability to override the default file and directory from which certificates are loaded by setting the OpenSSL compatible environment variables: SSL_CERT_FILE, SSL_CERT_DIR. If the variables are set the default locations are not checked. Added new default file "/usr/local/etc/ssl/cert.pem" for FreeBSD. Certificates in the first valid location found for both file and directory are added, instead of only the first file location if a valid one was found, which is consistent with OpenSSL. Fixes #3905 Fixes #14022 Fixes #14311 Fixes #16920 Fixes #18813 - If user sets SSL_CERT_FILE. Change-Id: Ia24fb7c1c2ffff4338b4cf214bd040326ce27bb0 Reviewed-on: https://go-review.googlesource.com/36093 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
2017-02-02 00:34:06 +00:00
dirs := certDirectories
if d := os.Getenv(certDirEnv); d != "" {
crypto/x509: load roots from colon separated SSL_CERT_DIR in loadSystemRoots "SSL_CERT_DIR" is meant to hold more than one directory, when a colon is used as a delimiter. However, we assumed it'd be a single directory for all root certificates. OpenSSL and BoringSSL properly respected the colon separated "SSL_CERT_DIR", as per: * OpenSSL https://github.com/openssl/openssl/blob/12a765a5235f181c2f4992b615eb5f892c368e88/crypto/x509/by_dir.c#L153-L209 * BoringSSL https://github.com/google/boringssl/blob/3ba9586bc081f67903c89917f23e74a0662ba953/crypto/x509/by_dir.c#L194-L247 This change adds that parity to loadSystemRoots. RELNOTE=yes Fixes #35325 Change-Id: I0d554a00ccc34300a7f0529aa741ee7e2d5762f9 Reviewed-on: https://go-review.googlesource.com/c/go/+/205237 Run-TryBot: Emmanuel Odeke <emm.odeke@gmail.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2019-11-04 09:19:59 -08:00
// OpenSSL and BoringSSL both use ":" as the SSL_CERT_DIR separator.
// See:
// * https://golang.org/issue/35325
// * https://www.openssl.org/docs/man1.0.2/man1/c_rehash.html
dirs = strings.Split(d, ":")
crypto/x509: load certs from env vars + extra locations Add the ability to override the default file and directory from which certificates are loaded by setting the OpenSSL compatible environment variables: SSL_CERT_FILE, SSL_CERT_DIR. If the variables are set the default locations are not checked. Added new default file "/usr/local/etc/ssl/cert.pem" for FreeBSD. Certificates in the first valid location found for both file and directory are added, instead of only the first file location if a valid one was found, which is consistent with OpenSSL. Fixes #3905 Fixes #14022 Fixes #14311 Fixes #16920 Fixes #18813 - If user sets SSL_CERT_FILE. Change-Id: Ia24fb7c1c2ffff4338b4cf214bd040326ce27bb0 Reviewed-on: https://go-review.googlesource.com/36093 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
2017-02-02 00:34:06 +00:00
}
for _, directory := range dirs {
crypto/x509: don't read symlinked root certs from disk twice On Linux distros at least, it's common for cert directories to have symlinks pointing to other certs or even other symlinks. An example from Debian stretch's /etc/ssl/certs directory: ... lrwxrwxrwx 1 root root 46 Aug 13 2018 106f3e4d.0 -> Entrust_Root_Certification_Authority_-_EC1.pem lrwxrwxrwx 1 root root 49 Aug 13 2018 116bf586.0 -> GeoTrust_Primary_Certification_Authority_-_G2.pem lrwxrwxrwx 1 root root 35 Aug 13 2018 128805a3.0 -> EE_Certification_Centre_Root_CA.pem lrwxrwxrwx 1 root root 26 Aug 13 2018 157753a5.0 -> AddTrust_External_Root.pem lrwxrwxrwx 1 root root 59 Aug 13 2018 1636090b.0 -> Hellenic_Academic_and_Research_Institutions_RootCA_2011.pem lrwxrwxrwx 1 root root 23 Aug 13 2018 18856ac4.0 -> SecureSign_RootCA11.pem lrwxrwxrwx 1 root root 31 Aug 13 2018 1d3472b9.0 -> GlobalSign_ECC_Root_CA_-_R5.pem lrwxrwxrwx 1 root root 37 Aug 13 2018 1e08bfd1.0 -> IdenTrust_Public_Sector_Root_CA_1.pem lrwxrwxrwx 1 root root 35 Nov 8 21:13 773e07ad.0 -> OISTE_WISeKey_Global_Root_GC_CA.pem -rw-r--r-- 1 root root 200061 Nov 8 21:24 ca-certificates.crt lrwxrwxrwx 1 root root 27 Nov 8 21:13 dc4d6a89.0 -> GlobalSign_Root_CA_-_R6.pem lrwxrwxrwx 1 root root 62 Nov 8 21:13 GlobalSign_Root_CA_-_R6.pem -> /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R6.crt drwxr-xr-x 2 root root 4096 Jan 26 2019 java lrwxrwxrwx 1 root root 70 Nov 8 21:13 OISTE_WISeKey_Global_Root_GC_CA.pem -> /usr/share/ca-certificates/mozilla/OISTE_WISeKey_Global_Root_GC_CA.crt ... The root_unix.go code read those certs with same-directory twice before. This drops the number of files read from 258 to 130. Saves about 20 ms. Change-Id: I36a1b1e8bb8d89ed3dac8b6255f9048cb7f08fe8 Reviewed-on: https://go-review.googlesource.com/c/go/+/229918 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org>
2020-04-24 12:15:04 -07:00
fis, err := readUniqueDirectoryEntries(directory)
x509: add root certs for android. On android, root certificates appear to be stored in the folder /system/etc/security/cacerts, which has many certs in several different files. This change adds a new array of directories in which certs can be found. To test this, I simply tried making a request with the http library to an HTTPS URL on an android emulator and manually verified that it worked. LGTM=crawshaw R=golang-codereviews, gobot, crawshaw CC=golang-codereviews https://golang.org/cl/151800043
2014-09-30 09:51:49 +10:00
if err != nil {
crypto/x509: add SystemCertPool, refactor system cert pool loading This exports the system cert pool. The system cert loading was refactored to let it be run multiple times (so callers get a copy, and can't mutate global state), and also to not discard errors. SystemCertPool returns an error on Windows. Maybe it's fixable later, but so far we haven't used it, since the system verifies TLS. Fixes #13335 Change-Id: I3dfb4656a373f241bae8529076d24c5f532f113c Reviewed-on: https://go-review.googlesource.com/21293 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Andrew Gerrand <adg@golang.org>
2016-03-30 16:41:18 +11:00
if firstErr == nil && !os.IsNotExist(err) {
firstErr = err
}
x509: add root certs for android. On android, root certificates appear to be stored in the folder /system/etc/security/cacerts, which has many certs in several different files. This change adds a new array of directories in which certs can be found. To test this, I simply tried making a request with the http library to an HTTPS URL on an android emulator and manually verified that it worked. LGTM=crawshaw R=golang-codereviews, gobot, crawshaw CC=golang-codereviews https://golang.org/cl/151800043
2014-09-30 09:51:49 +10:00
continue
}
for _, fi := range fis {
data, err := ioutil.ReadFile(directory + "/" + fi.Name())
crypto/x509: load roots from colon separated SSL_CERT_DIR in loadSystemRoots "SSL_CERT_DIR" is meant to hold more than one directory, when a colon is used as a delimiter. However, we assumed it'd be a single directory for all root certificates. OpenSSL and BoringSSL properly respected the colon separated "SSL_CERT_DIR", as per: * OpenSSL https://github.com/openssl/openssl/blob/12a765a5235f181c2f4992b615eb5f892c368e88/crypto/x509/by_dir.c#L153-L209 * BoringSSL https://github.com/google/boringssl/blob/3ba9586bc081f67903c89917f23e74a0662ba953/crypto/x509/by_dir.c#L194-L247 This change adds that parity to loadSystemRoots. RELNOTE=yes Fixes #35325 Change-Id: I0d554a00ccc34300a7f0529aa741ee7e2d5762f9 Reviewed-on: https://go-review.googlesource.com/c/go/+/205237 Run-TryBot: Emmanuel Odeke <emm.odeke@gmail.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2019-11-04 09:19:59 -08:00
if err == nil {
roots.AppendCertsFromPEM(data)
x509: add root certs for android. On android, root certificates appear to be stored in the folder /system/etc/security/cacerts, which has many certs in several different files. This change adds a new array of directories in which certs can be found. To test this, I simply tried making a request with the http library to an HTTPS URL on an android emulator and manually verified that it worked. LGTM=crawshaw R=golang-codereviews, gobot, crawshaw CC=golang-codereviews https://golang.org/cl/151800043
2014-09-30 09:51:49 +10:00
}
}
}
crypto/x509: don't return nil, nil from SystemCertPool If there are no certs, return an empty pool, not nil. Fixes #21405 Change-Id: Ib4ac9d5c4a8cef83dd53565b0707a63b73ba0a8b Reviewed-on: https://go-review.googlesource.com/103596 Run-TryBot: Ian Lance Taylor <iant@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2018-03-29 17:55:59 -07:00
if len(roots.certs) > 0 || firstErr == nil {
crypto/x509: load certs from env vars + extra locations Add the ability to override the default file and directory from which certificates are loaded by setting the OpenSSL compatible environment variables: SSL_CERT_FILE, SSL_CERT_DIR. If the variables are set the default locations are not checked. Added new default file "/usr/local/etc/ssl/cert.pem" for FreeBSD. Certificates in the first valid location found for both file and directory are added, instead of only the first file location if a valid one was found, which is consistent with OpenSSL. Fixes #3905 Fixes #14022 Fixes #14311 Fixes #16920 Fixes #18813 - If user sets SSL_CERT_FILE. Change-Id: Ia24fb7c1c2ffff4338b4cf214bd040326ce27bb0 Reviewed-on: https://go-review.googlesource.com/36093 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
2017-02-02 00:34:06 +00:00
return roots, nil
}
crypto/x509: add SystemCertPool, refactor system cert pool loading This exports the system cert pool. The system cert loading was refactored to let it be run multiple times (so callers get a copy, and can't mutate global state), and also to not discard errors. SystemCertPool returns an error on Windows. Maybe it's fixable later, but so far we haven't used it, since the system verifies TLS. Fixes #13335 Change-Id: I3dfb4656a373f241bae8529076d24c5f532f113c Reviewed-on: https://go-review.googlesource.com/21293 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Andrew Gerrand <adg@golang.org>
2016-03-30 16:41:18 +11:00
return nil, firstErr
crypto/tls: fetch root certificates using Mac OS API Fixes #1009. R=adg, rsc CC=golang-dev https://golang.org/cl/5262041
2011-10-13 13:59:13 -04:00
}
crypto/x509: don't read symlinked root certs from disk twice On Linux distros at least, it's common for cert directories to have symlinks pointing to other certs or even other symlinks. An example from Debian stretch's /etc/ssl/certs directory: ... lrwxrwxrwx 1 root root 46 Aug 13 2018 106f3e4d.0 -> Entrust_Root_Certification_Authority_-_EC1.pem lrwxrwxrwx 1 root root 49 Aug 13 2018 116bf586.0 -> GeoTrust_Primary_Certification_Authority_-_G2.pem lrwxrwxrwx 1 root root 35 Aug 13 2018 128805a3.0 -> EE_Certification_Centre_Root_CA.pem lrwxrwxrwx 1 root root 26 Aug 13 2018 157753a5.0 -> AddTrust_External_Root.pem lrwxrwxrwx 1 root root 59 Aug 13 2018 1636090b.0 -> Hellenic_Academic_and_Research_Institutions_RootCA_2011.pem lrwxrwxrwx 1 root root 23 Aug 13 2018 18856ac4.0 -> SecureSign_RootCA11.pem lrwxrwxrwx 1 root root 31 Aug 13 2018 1d3472b9.0 -> GlobalSign_ECC_Root_CA_-_R5.pem lrwxrwxrwx 1 root root 37 Aug 13 2018 1e08bfd1.0 -> IdenTrust_Public_Sector_Root_CA_1.pem lrwxrwxrwx 1 root root 35 Nov 8 21:13 773e07ad.0 -> OISTE_WISeKey_Global_Root_GC_CA.pem -rw-r--r-- 1 root root 200061 Nov 8 21:24 ca-certificates.crt lrwxrwxrwx 1 root root 27 Nov 8 21:13 dc4d6a89.0 -> GlobalSign_Root_CA_-_R6.pem lrwxrwxrwx 1 root root 62 Nov 8 21:13 GlobalSign_Root_CA_-_R6.pem -> /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R6.crt drwxr-xr-x 2 root root 4096 Jan 26 2019 java lrwxrwxrwx 1 root root 70 Nov 8 21:13 OISTE_WISeKey_Global_Root_GC_CA.pem -> /usr/share/ca-certificates/mozilla/OISTE_WISeKey_Global_Root_GC_CA.crt ... The root_unix.go code read those certs with same-directory twice before. This drops the number of files read from 258 to 130. Saves about 20 ms. Change-Id: I36a1b1e8bb8d89ed3dac8b6255f9048cb7f08fe8 Reviewed-on: https://go-review.googlesource.com/c/go/+/229918 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org>
2020-04-24 12:15:04 -07:00
// readUniqueDirectoryEntries is like ioutil.ReadDir but omits
// symlinks that point within the directory.
func readUniqueDirectoryEntries(dir string) ([]os.FileInfo, error) {
fis, err := ioutil.ReadDir(dir)
if err != nil {
return nil, err
}
uniq := fis[:0]
for _, fi := range fis {
if !isSameDirSymlink(fi, dir) {
uniq = append(uniq, fi)
}
}
return uniq, nil
}
// isSameDirSymlink reports whether fi in dir is a symlink with a
// target not containing a slash.
func isSameDirSymlink(fi os.FileInfo, dir string) bool {
if fi.Mode()&os.ModeSymlink == 0 {
return false
}
target, err := os.Readlink(filepath.Join(dir, fi.Name()))
return err == nil && !strings.Contains(target, "/")
}
Reference in a new issue Copy permalink