Stowage/go
2
0
Fork 0
mirror of https://github.com/golang/go.git synced 2025-12-08 06:10:04 +00:00
Code Issues Projects Releases Packages Wiki Activity
go/src/crypto/x509/root_darwin_test.go

130 lines
4.3 KiB
Go
Raw Normal View History

crypto/x509: add missing copyright Change-Id: Ida3b431a06527f6cd604ab4af5ce517959c8619b Reviewed-on: https://go-review.googlesource.com/2306 Reviewed-by: Dave Cheney <dave@cheney.net>
2015-01-05 15:29:10 +09:00
// Copyright 2013 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
crypto/x509: add non-cgo darwin system anchor certs The set of certs fetched via exec'ing `security` is not quite identical to the certs fetched via the cgo call. The cgo fetch includes any trusted root certs that the user may have added; exec does not. The exec fetch includes an Apple-specific root cert; the cgo fetch does not. Other than that, they appear to be the same. Unfortunately, os/exec depends on crypto/x509, via net/http. Break the circular dependency by moving the exec tests to their own package. This will not work in iOS; we'll cross that bridge when we get to it. R=golang-dev, minux.ma, agl CC=golang-dev https://golang.org/cl/22020045
2013-12-18 10:57:07 -05:00
package x509
crypto/x509: skip tests not made for darwin/arm Change-Id: I8b18dc840425b72d7172a35cb0ba004bd156492d Reviewed-on: https://go-review.googlesource.com/6252 Reviewed-by: Hyang-Ah Hana Kim <hyangah@gmail.com>
2015-02-27 09:08:35 -05:00
import (
crypto/x509: ignore 5 phantom 1024-bit roots in TestSystemRoots On macOS 10.11, but not 10.10 and 10.12, the C API returns 5 old root CAs which are not in SystemRootCertificates.keychain (but seem to be in X509Anchors and maybe SystemCACertificates.keychain, along with many others that the C API does not return). They all are moribund 1024-bit roots which are now gone from the Apple store. Since we can't seem to find a way to make the no-cgo code see them, ignore them rather than skipping the test. Fixes #21416 Change-Id: I24ff0461f71cec953b888a60b05b99bc37dad2ed Reviewed-on: https://go-review.googlesource.com/c/156329 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2019-01-04 19:09:01 -05:00
"crypto/rsa"
crypto/x509: re-enable TestSystemRoots Now that the cgo and no-cgo paths should be correct and equivalent, re-enable the TestSystemRoots test without any margin of error (which was tripping anyway when users had too many of a certain edge-case). As a last quirk, the verify-cert invocation will validate certificates that aren't roots, but are signed by valid roots. Ignore them. Fixes #24652 Change-Id: I6a8ff3c2282136d7122a4e7e387eb8014da0d28a Reviewed-on: https://go-review.googlesource.com/c/128117 TryBot-Result: Gobot Gobot <gobot@golang.org> Run-TryBot: Filippo Valsorda <filippo@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
2018-08-06 18:38:38 -04:00
"os"
"os/exec"
"path/filepath"
crypto/x509: skip tests not made for darwin/arm Change-Id: I8b18dc840425b72d7172a35cb0ba004bd156492d Reviewed-on: https://go-review.googlesource.com/6252 Reviewed-by: Hyang-Ah Hana Kim <hyangah@gmail.com>
2015-02-27 09:08:35 -05:00
"runtime"
"testing"
crypto/x509: speed up and deflake non-cgo Darwin root cert discovery Piping into security verify-cert only worked on macOS Sierra, and was flaky for unknown reasons. Users reported that the number of trusted root certs stopped randomly jumping around once they switched to using verify-cert against files on disk instead of /dev/stdin. But even using "security verify-cert" on 150-200 certs took too long. It took 3.5 seconds on my machine. More than 4 goroutines hitting verify-cert didn't help much, and soon started to hurt instead. New strategy, from comments in the code: // 1. Run "security trust-settings-export" and "security // trust-settings-export -d" to discover the set of certs with some // user-tweaked trusy policy. We're too lazy to parse the XML (at // least at this stage of Go 1.8) to understand what the trust // policy actually is. We just learn that there is _some_ policy. // // 2. Run "security find-certificate" to dump the list of system root // CAs in PEM format. // // 3. For each dumped cert, conditionally verify it with "security // verify-cert" if that cert was in the set discovered in Step 1. // Without the Step 1 optimization, running "security verify-cert" // 150-200 times takes 3.5 seconds. With the optimization, the // whole process takes about 180 milliseconds with 1 untrusted root // CA. (Compared to 110ms in the cgo path) Fixes #18203 Change-Id: I4e9c11fa50d0273c615382e0d8f9fd03498d4cb4 Reviewed-on: https://go-review.googlesource.com/34389 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org> Reviewed-by: Quentin Smith <quentin@golang.org>
2016-12-15 05:53:01 +00:00
"time"
crypto/x509: skip tests not made for darwin/arm Change-Id: I8b18dc840425b72d7172a35cb0ba004bd156492d Reviewed-on: https://go-review.googlesource.com/6252 Reviewed-by: Hyang-Ah Hana Kim <hyangah@gmail.com>
2015-02-27 09:08:35 -05:00
)
crypto/x509: add non-cgo darwin system anchor certs The set of certs fetched via exec'ing `security` is not quite identical to the certs fetched via the cgo call. The cgo fetch includes any trusted root certs that the user may have added; exec does not. The exec fetch includes an Apple-specific root cert; the cgo fetch does not. Other than that, they appear to be the same. Unfortunately, os/exec depends on crypto/x509, via net/http. Break the circular dependency by moving the exec tests to their own package. This will not work in iOS; we'll cross that bridge when we get to it. R=golang-dev, minux.ma, agl CC=golang-dev https://golang.org/cl/22020045
2013-12-18 10:57:07 -05:00
func TestSystemRoots(t *testing.T) {
crypto/x509: skip arm64 tests limited by iOS Just like darwin/arm. Change-Id: Ib0438021bfe9eb105222b93e5bb375c282cc7b8c Reviewed-on: https://go-review.googlesource.com/8822 Reviewed-by: Minux Ma <minux@golang.org>
2015-04-11 19:30:37 -04:00
switch runtime.GOARCH {
all: remove scattered remnants of darwin/arm This removes all conditions and conditional code (that I could find) that depended on darwin/arm. Fixes #35439 (since that only happened on darwin/arm) Fixes #37611. Change-Id: Ia4c32a5a4368ed75231075832b0b5bfb1ad11986 Reviewed-on: https://go-review.googlesource.com/c/go/+/227198 Run-TryBot: Austin Clements <austin@google.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Cherry Zhang <cherryyz@google.com>
2020-04-03 12:22:27 -04:00
case "arm64":
crypto/x509: skip arm64 tests limited by iOS Just like darwin/arm. Change-Id: Ib0438021bfe9eb105222b93e5bb375c282cc7b8c Reviewed-on: https://go-review.googlesource.com/8822 Reviewed-by: Minux Ma <minux@golang.org>
2015-04-11 19:30:37 -04:00
t.Skipf("skipping on %s/%s, no system root", runtime.GOOS, runtime.GOARCH)
crypto/x509: skip tests not made for darwin/arm Change-Id: I8b18dc840425b72d7172a35cb0ba004bd156492d Reviewed-on: https://go-review.googlesource.com/6252 Reviewed-by: Hyang-Ah Hana Kim <hyangah@gmail.com>
2015-02-27 09:08:35 -05:00
}
crypto/x509: speed up and deflake non-cgo Darwin root cert discovery Piping into security verify-cert only worked on macOS Sierra, and was flaky for unknown reasons. Users reported that the number of trusted root certs stopped randomly jumping around once they switched to using verify-cert against files on disk instead of /dev/stdin. But even using "security verify-cert" on 150-200 certs took too long. It took 3.5 seconds on my machine. More than 4 goroutines hitting verify-cert didn't help much, and soon started to hurt instead. New strategy, from comments in the code: // 1. Run "security trust-settings-export" and "security // trust-settings-export -d" to discover the set of certs with some // user-tweaked trusy policy. We're too lazy to parse the XML (at // least at this stage of Go 1.8) to understand what the trust // policy actually is. We just learn that there is _some_ policy. // // 2. Run "security find-certificate" to dump the list of system root // CAs in PEM format. // // 3. For each dumped cert, conditionally verify it with "security // verify-cert" if that cert was in the set discovered in Step 1. // Without the Step 1 optimization, running "security verify-cert" // 150-200 times takes 3.5 seconds. With the optimization, the // whole process takes about 180 milliseconds with 1 untrusted root // CA. (Compared to 110ms in the cgo path) Fixes #18203 Change-Id: I4e9c11fa50d0273c615382e0d8f9fd03498d4cb4 Reviewed-on: https://go-review.googlesource.com/34389 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org> Reviewed-by: Quentin Smith <quentin@golang.org>
2016-12-15 05:53:01 +00:00
t0 := time.Now()
sysRoots := systemRootsPool() // actual system roots
sysRootsDuration := time.Since(t0)
t1 := time.Now()
crypto/x509: add non-cgo darwin system anchor certs The set of certs fetched via exec'ing `security` is not quite identical to the certs fetched via the cgo call. The cgo fetch includes any trusted root certs that the user may have added; exec does not. The exec fetch includes an Apple-specific root cert; the cgo fetch does not. Other than that, they appear to be the same. Unfortunately, os/exec depends on crypto/x509, via net/http. Break the circular dependency by moving the exec tests to their own package. This will not work in iOS; we'll cross that bridge when we get to it. R=golang-dev, minux.ma, agl CC=golang-dev https://golang.org/cl/22020045
2013-12-18 10:57:07 -05:00
execRoots, err := execSecurityRoots() // non-cgo roots
crypto/x509: speed up and deflake non-cgo Darwin root cert discovery Piping into security verify-cert only worked on macOS Sierra, and was flaky for unknown reasons. Users reported that the number of trusted root certs stopped randomly jumping around once they switched to using verify-cert against files on disk instead of /dev/stdin. But even using "security verify-cert" on 150-200 certs took too long. It took 3.5 seconds on my machine. More than 4 goroutines hitting verify-cert didn't help much, and soon started to hurt instead. New strategy, from comments in the code: // 1. Run "security trust-settings-export" and "security // trust-settings-export -d" to discover the set of certs with some // user-tweaked trusy policy. We're too lazy to parse the XML (at // least at this stage of Go 1.8) to understand what the trust // policy actually is. We just learn that there is _some_ policy. // // 2. Run "security find-certificate" to dump the list of system root // CAs in PEM format. // // 3. For each dumped cert, conditionally verify it with "security // verify-cert" if that cert was in the set discovered in Step 1. // Without the Step 1 optimization, running "security verify-cert" // 150-200 times takes 3.5 seconds. With the optimization, the // whole process takes about 180 milliseconds with 1 untrusted root // CA. (Compared to 110ms in the cgo path) Fixes #18203 Change-Id: I4e9c11fa50d0273c615382e0d8f9fd03498d4cb4 Reviewed-on: https://go-review.googlesource.com/34389 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org> Reviewed-by: Quentin Smith <quentin@golang.org>
2016-12-15 05:53:01 +00:00
execSysRootsDuration := time.Since(t1)
crypto/x509: add non-cgo darwin system anchor certs The set of certs fetched via exec'ing `security` is not quite identical to the certs fetched via the cgo call. The cgo fetch includes any trusted root certs that the user may have added; exec does not. The exec fetch includes an Apple-specific root cert; the cgo fetch does not. Other than that, they appear to be the same. Unfortunately, os/exec depends on crypto/x509, via net/http. Break the circular dependency by moving the exec tests to their own package. This will not work in iOS; we'll cross that bridge when we get to it. R=golang-dev, minux.ma, agl CC=golang-dev https://golang.org/cl/22020045
2013-12-18 10:57:07 -05:00
if err != nil {
t.Fatalf("failed to read system roots: %v", err)
}
crypto/x509: speed up and deflake non-cgo Darwin root cert discovery Piping into security verify-cert only worked on macOS Sierra, and was flaky for unknown reasons. Users reported that the number of trusted root certs stopped randomly jumping around once they switched to using verify-cert against files on disk instead of /dev/stdin. But even using "security verify-cert" on 150-200 certs took too long. It took 3.5 seconds on my machine. More than 4 goroutines hitting verify-cert didn't help much, and soon started to hurt instead. New strategy, from comments in the code: // 1. Run "security trust-settings-export" and "security // trust-settings-export -d" to discover the set of certs with some // user-tweaked trusy policy. We're too lazy to parse the XML (at // least at this stage of Go 1.8) to understand what the trust // policy actually is. We just learn that there is _some_ policy. // // 2. Run "security find-certificate" to dump the list of system root // CAs in PEM format. // // 3. For each dumped cert, conditionally verify it with "security // verify-cert" if that cert was in the set discovered in Step 1. // Without the Step 1 optimization, running "security verify-cert" // 150-200 times takes 3.5 seconds. With the optimization, the // whole process takes about 180 milliseconds with 1 untrusted root // CA. (Compared to 110ms in the cgo path) Fixes #18203 Change-Id: I4e9c11fa50d0273c615382e0d8f9fd03498d4cb4 Reviewed-on: https://go-review.googlesource.com/34389 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org> Reviewed-by: Quentin Smith <quentin@golang.org>
2016-12-15 05:53:01 +00:00
t.Logf(" cgo sys roots: %v", sysRootsDuration)
t.Logf("non-cgo sys roots: %v", execSysRootsDuration)
crypto/x509: re-enable TestSystemRoots Now that the cgo and no-cgo paths should be correct and equivalent, re-enable the TestSystemRoots test without any margin of error (which was tripping anyway when users had too many of a certain edge-case). As a last quirk, the verify-cert invocation will validate certificates that aren't roots, but are signed by valid roots. Ignore them. Fixes #24652 Change-Id: I6a8ff3c2282136d7122a4e7e387eb8014da0d28a Reviewed-on: https://go-review.googlesource.com/c/128117 TryBot-Result: Gobot Gobot <gobot@golang.org> Run-TryBot: Filippo Valsorda <filippo@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
2018-08-06 18:38:38 -04:00
// On Mavericks, there are 212 bundled certs, at least there was at
// one point in time on one machine. (Maybe it was a corp laptop
// with extra certs?) Other OS X users report 135, 142, 145...
// Let's try requiring at least 100, since this is just a sanity
// check.
if want, have := 100, len(sysRoots.certs); have < want {
t.Errorf("want at least %d system roots, have %d", want, have)
crypto/x509: add non-cgo darwin system anchor certs The set of certs fetched via exec'ing `security` is not quite identical to the certs fetched via the cgo call. The cgo fetch includes any trusted root certs that the user may have added; exec does not. The exec fetch includes an Apple-specific root cert; the cgo fetch does not. Other than that, they appear to be the same. Unfortunately, os/exec depends on crypto/x509, via net/http. Break the circular dependency by moving the exec tests to their own package. This will not work in iOS; we'll cross that bridge when we get to it. R=golang-dev, minux.ma, agl CC=golang-dev https://golang.org/cl/22020045
2013-12-18 10:57:07 -05:00
}
crypto/x509: re-enable TestSystemRoots Now that the cgo and no-cgo paths should be correct and equivalent, re-enable the TestSystemRoots test without any margin of error (which was tripping anyway when users had too many of a certain edge-case). As a last quirk, the verify-cert invocation will validate certificates that aren't roots, but are signed by valid roots. Ignore them. Fixes #24652 Change-Id: I6a8ff3c2282136d7122a4e7e387eb8014da0d28a Reviewed-on: https://go-review.googlesource.com/c/128117 TryBot-Result: Gobot Gobot <gobot@golang.org> Run-TryBot: Filippo Valsorda <filippo@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
2018-08-06 18:38:38 -04:00
// Fetch any intermediate certificate that verify-cert might be aware of.
out, err := exec.Command("/usr/bin/security", "find-certificate", "-a", "-p",
"/Library/Keychains/System.keychain",
filepath.Join(os.Getenv("HOME"), "/Library/Keychains/login.keychain"),
filepath.Join(os.Getenv("HOME"), "/Library/Keychains/login.keychain-db")).Output()
if err != nil {
t.Fatal(err)
}
allCerts := NewCertPool()
allCerts.AppendCertsFromPEM(out)
crypto/x509: add non-cgo darwin system anchor certs The set of certs fetched via exec'ing `security` is not quite identical to the certs fetched via the cgo call. The cgo fetch includes any trusted root certs that the user may have added; exec does not. The exec fetch includes an Apple-specific root cert; the cgo fetch does not. Other than that, they appear to be the same. Unfortunately, os/exec depends on crypto/x509, via net/http. Break the circular dependency by moving the exec tests to their own package. This will not work in iOS; we'll cross that bridge when we get to it. R=golang-dev, minux.ma, agl CC=golang-dev https://golang.org/cl/22020045
2013-12-18 10:57:07 -05:00
crypto/x509: re-enable TestSystemRoots Now that the cgo and no-cgo paths should be correct and equivalent, re-enable the TestSystemRoots test without any margin of error (which was tripping anyway when users had too many of a certain edge-case). As a last quirk, the verify-cert invocation will validate certificates that aren't roots, but are signed by valid roots. Ignore them. Fixes #24652 Change-Id: I6a8ff3c2282136d7122a4e7e387eb8014da0d28a Reviewed-on: https://go-review.googlesource.com/c/128117 TryBot-Result: Gobot Gobot <gobot@golang.org> Run-TryBot: Filippo Valsorda <filippo@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
2018-08-06 18:38:38 -04:00
// Check that the two cert pools are the same.
sysPool := make(map[string]*Certificate, len(sysRoots.certs))
crypto/x509: add non-cgo darwin system anchor certs The set of certs fetched via exec'ing `security` is not quite identical to the certs fetched via the cgo call. The cgo fetch includes any trusted root certs that the user may have added; exec does not. The exec fetch includes an Apple-specific root cert; the cgo fetch does not. Other than that, they appear to be the same. Unfortunately, os/exec depends on crypto/x509, via net/http. Break the circular dependency by moving the exec tests to their own package. This will not work in iOS; we'll cross that bridge when we get to it. R=golang-dev, minux.ma, agl CC=golang-dev https://golang.org/cl/22020045
2013-12-18 10:57:07 -05:00
for _, c := range sysRoots.certs {
crypto/x509: re-enable TestSystemRoots Now that the cgo and no-cgo paths should be correct and equivalent, re-enable the TestSystemRoots test without any margin of error (which was tripping anyway when users had too many of a certain edge-case). As a last quirk, the verify-cert invocation will validate certificates that aren't roots, but are signed by valid roots. Ignore them. Fixes #24652 Change-Id: I6a8ff3c2282136d7122a4e7e387eb8014da0d28a Reviewed-on: https://go-review.googlesource.com/c/128117 TryBot-Result: Gobot Gobot <gobot@golang.org> Run-TryBot: Filippo Valsorda <filippo@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
2018-08-06 18:38:38 -04:00
sysPool[string(c.Raw)] = c
crypto/x509: add non-cgo darwin system anchor certs The set of certs fetched via exec'ing `security` is not quite identical to the certs fetched via the cgo call. The cgo fetch includes any trusted root certs that the user may have added; exec does not. The exec fetch includes an Apple-specific root cert; the cgo fetch does not. Other than that, they appear to be the same. Unfortunately, os/exec depends on crypto/x509, via net/http. Break the circular dependency by moving the exec tests to their own package. This will not work in iOS; we'll cross that bridge when we get to it. R=golang-dev, minux.ma, agl CC=golang-dev https://golang.org/cl/22020045
2013-12-18 10:57:07 -05:00
}
for _, c := range execRoots.certs {
crypto/x509: re-enable TestSystemRoots Now that the cgo and no-cgo paths should be correct and equivalent, re-enable the TestSystemRoots test without any margin of error (which was tripping anyway when users had too many of a certain edge-case). As a last quirk, the verify-cert invocation will validate certificates that aren't roots, but are signed by valid roots. Ignore them. Fixes #24652 Change-Id: I6a8ff3c2282136d7122a4e7e387eb8014da0d28a Reviewed-on: https://go-review.googlesource.com/c/128117 TryBot-Result: Gobot Gobot <gobot@golang.org> Run-TryBot: Filippo Valsorda <filippo@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
2018-08-06 18:38:38 -04:00
if _, ok := sysPool[string(c.Raw)]; ok {
delete(sysPool, string(c.Raw))
} else {
crypto/x509: ignore harmless edge case in TestSystemRoots The no-cgo validation hack lets in certificates from the root store that are not marked as roots themselves, but are signed by a root; the cgo path correctly excludes them. When TestSystemRoots compares cgo and no-cgo results it tries to ignore them by ignoring certificates which pass validation, but expired certificates were failing validation. Letting through expired certs is harmless anyway because we will refuse to build chains to them. Fixes #29497 Change-Id: I341e50c0f3426de2763468672f9ba1d13ad6cfba Reviewed-on: https://go-review.googlesource.com/c/156330 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2019-01-04 19:27:08 -05:00
// verify-cert lets in certificates that are not trusted roots, but
// are signed by trusted roots. This is not great, but unavoidable
// until we parse real policies without cgo, so confirm that's the
// case and skip them.
crypto/x509: re-enable TestSystemRoots Now that the cgo and no-cgo paths should be correct and equivalent, re-enable the TestSystemRoots test without any margin of error (which was tripping anyway when users had too many of a certain edge-case). As a last quirk, the verify-cert invocation will validate certificates that aren't roots, but are signed by valid roots. Ignore them. Fixes #24652 Change-Id: I6a8ff3c2282136d7122a4e7e387eb8014da0d28a Reviewed-on: https://go-review.googlesource.com/c/128117 TryBot-Result: Gobot Gobot <gobot@golang.org> Run-TryBot: Filippo Valsorda <filippo@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
2018-08-06 18:38:38 -04:00
if _, err := c.Verify(VerifyOptions{
Roots: sysRoots,
Intermediates: allCerts,
KeyUsages: []ExtKeyUsage{ExtKeyUsageAny},
crypto/x509: ignore harmless edge case in TestSystemRoots The no-cgo validation hack lets in certificates from the root store that are not marked as roots themselves, but are signed by a root; the cgo path correctly excludes them. When TestSystemRoots compares cgo and no-cgo results it tries to ignore them by ignoring certificates which pass validation, but expired certificates were failing validation. Letting through expired certs is harmless anyway because we will refuse to build chains to them. Fixes #29497 Change-Id: I341e50c0f3426de2763468672f9ba1d13ad6cfba Reviewed-on: https://go-review.googlesource.com/c/156330 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2019-01-04 19:27:08 -05:00
CurrentTime: c.NotBefore, // verify-cert does not check expiration
crypto/x509: re-enable TestSystemRoots Now that the cgo and no-cgo paths should be correct and equivalent, re-enable the TestSystemRoots test without any margin of error (which was tripping anyway when users had too many of a certain edge-case). As a last quirk, the verify-cert invocation will validate certificates that aren't roots, but are signed by valid roots. Ignore them. Fixes #24652 Change-Id: I6a8ff3c2282136d7122a4e7e387eb8014da0d28a Reviewed-on: https://go-review.googlesource.com/c/128117 TryBot-Result: Gobot Gobot <gobot@golang.org> Run-TryBot: Filippo Valsorda <filippo@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
2018-08-06 18:38:38 -04:00
}); err != nil {
t.Errorf("certificate only present in non-cgo pool: %v (verify error: %v)", c.Subject, err)
} else {
t.Logf("signed certificate only present in non-cgo pool (acceptable): %v", c.Subject)
}
crypto/x509: add non-cgo darwin system anchor certs The set of certs fetched via exec'ing `security` is not quite identical to the certs fetched via the cgo call. The cgo fetch includes any trusted root certs that the user may have added; exec does not. The exec fetch includes an Apple-specific root cert; the cgo fetch does not. Other than that, they appear to be the same. Unfortunately, os/exec depends on crypto/x509, via net/http. Break the circular dependency by moving the exec tests to their own package. This will not work in iOS; we'll cross that bridge when we get to it. R=golang-dev, minux.ma, agl CC=golang-dev https://golang.org/cl/22020045
2013-12-18 10:57:07 -05:00
}
}
crypto/x509: re-enable TestSystemRoots Now that the cgo and no-cgo paths should be correct and equivalent, re-enable the TestSystemRoots test without any margin of error (which was tripping anyway when users had too many of a certain edge-case). As a last quirk, the verify-cert invocation will validate certificates that aren't roots, but are signed by valid roots. Ignore them. Fixes #24652 Change-Id: I6a8ff3c2282136d7122a4e7e387eb8014da0d28a Reviewed-on: https://go-review.googlesource.com/c/128117 TryBot-Result: Gobot Gobot <gobot@golang.org> Run-TryBot: Filippo Valsorda <filippo@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
2018-08-06 18:38:38 -04:00
for _, c := range sysPool {
// The nocgo codepath uses verify-cert with the ssl policy, which also
// happens to check EKUs, so some certificates will appear only in the
// cgo pool. We can't easily make them consistent because the EKU check
// is only applied to the certificates passed to verify-cert.
var ekuOk bool
for _, eku := range c.ExtKeyUsage {
if eku == ExtKeyUsageServerAuth || eku == ExtKeyUsageNetscapeServerGatedCrypto ||
eku == ExtKeyUsageMicrosoftServerGatedCrypto || eku == ExtKeyUsageAny {
ekuOk = true
}
}
if len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
ekuOk = true
}
if !ekuOk {
t.Logf("off-EKU certificate only present in cgo pool (acceptable): %v", c.Subject)
continue
}
// Same for expired certificates. We don't chain to them anyway.
now := time.Now()
if now.Before(c.NotBefore) || now.After(c.NotAfter) {
t.Logf("expired certificate only present in cgo pool (acceptable): %v", c.Subject)
continue
}
crypto/x509: add non-cgo darwin system anchor certs The set of certs fetched via exec'ing `security` is not quite identical to the certs fetched via the cgo call. The cgo fetch includes any trusted root certs that the user may have added; exec does not. The exec fetch includes an Apple-specific root cert; the cgo fetch does not. Other than that, they appear to be the same. Unfortunately, os/exec depends on crypto/x509, via net/http. Break the circular dependency by moving the exec tests to their own package. This will not work in iOS; we'll cross that bridge when we get to it. R=golang-dev, minux.ma, agl CC=golang-dev https://golang.org/cl/22020045
2013-12-18 10:57:07 -05:00
crypto/x509: ignore 5 phantom 1024-bit roots in TestSystemRoots On macOS 10.11, but not 10.10 and 10.12, the C API returns 5 old root CAs which are not in SystemRootCertificates.keychain (but seem to be in X509Anchors and maybe SystemCACertificates.keychain, along with many others that the C API does not return). They all are moribund 1024-bit roots which are now gone from the Apple store. Since we can't seem to find a way to make the no-cgo code see them, ignore them rather than skipping the test. Fixes #21416 Change-Id: I24ff0461f71cec953b888a60b05b99bc37dad2ed Reviewed-on: https://go-review.googlesource.com/c/156329 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2019-01-04 19:09:01 -05:00
// On 10.11 there are five unexplained roots that only show up from the
// C API. They have in common the fact that they are old, 1024-bit
// certificates. It's arguably better to ignore them anyway.
if key, ok := c.PublicKey.(*rsa.PublicKey); ok && key.N.BitLen() == 1024 {
t.Logf("1024-bit certificate only present in cgo pool (acceptable): %v", c.Subject)
continue
}
crypto/x509: re-enable TestSystemRoots Now that the cgo and no-cgo paths should be correct and equivalent, re-enable the TestSystemRoots test without any margin of error (which was tripping anyway when users had too many of a certain edge-case). As a last quirk, the verify-cert invocation will validate certificates that aren't roots, but are signed by valid roots. Ignore them. Fixes #24652 Change-Id: I6a8ff3c2282136d7122a4e7e387eb8014da0d28a Reviewed-on: https://go-review.googlesource.com/c/128117 TryBot-Result: Gobot Gobot <gobot@golang.org> Run-TryBot: Filippo Valsorda <filippo@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
2018-08-06 18:38:38 -04:00
t.Errorf("certificate only present in cgo pool: %v", c.Subject)
crypto/x509: add non-cgo darwin system anchor certs The set of certs fetched via exec'ing `security` is not quite identical to the certs fetched via the cgo call. The cgo fetch includes any trusted root certs that the user may have added; exec does not. The exec fetch includes an Apple-specific root cert; the cgo fetch does not. Other than that, they appear to be the same. Unfortunately, os/exec depends on crypto/x509, via net/http. Break the circular dependency by moving the exec tests to their own package. This will not work in iOS; we'll cross that bridge when we get to it. R=golang-dev, minux.ma, agl CC=golang-dev https://golang.org/cl/22020045
2013-12-18 10:57:07 -05:00
}
crypto/x509: re-enable TestSystemRoots Now that the cgo and no-cgo paths should be correct and equivalent, re-enable the TestSystemRoots test without any margin of error (which was tripping anyway when users had too many of a certain edge-case). As a last quirk, the verify-cert invocation will validate certificates that aren't roots, but are signed by valid roots. Ignore them. Fixes #24652 Change-Id: I6a8ff3c2282136d7122a4e7e387eb8014da0d28a Reviewed-on: https://go-review.googlesource.com/c/128117 TryBot-Result: Gobot Gobot <gobot@golang.org> Run-TryBot: Filippo Valsorda <filippo@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
2018-08-06 18:38:38 -04:00
if t.Failed() && debugDarwinRoots {
cmd := exec.Command("security", "dump-trust-settings")
crypto/x509: fix and cleanup loadSystemRoots on macOS Note how untrustedData is never NULL, so loadSystemRoots was checking the wrong thing. Also, renamed the C function to CopyPEMRoots to follow the CoreFoundation naming convention on ownership. Finally, redirect all debug output to standard error. Change-Id: Ie80abefadf8974a75c0646aa02fcfcebcbe3bde8 Reviewed-on: https://go-review.googlesource.com/c/go/+/178538 Reviewed-by: Adam Langley <agl@golang.org>
2019-05-21 15:00:50 -04:00
cmd.Stdout, cmd.Stderr = os.Stderr, os.Stderr
crypto/x509: re-enable TestSystemRoots Now that the cgo and no-cgo paths should be correct and equivalent, re-enable the TestSystemRoots test without any margin of error (which was tripping anyway when users had too many of a certain edge-case). As a last quirk, the verify-cert invocation will validate certificates that aren't roots, but are signed by valid roots. Ignore them. Fixes #24652 Change-Id: I6a8ff3c2282136d7122a4e7e387eb8014da0d28a Reviewed-on: https://go-review.googlesource.com/c/128117 TryBot-Result: Gobot Gobot <gobot@golang.org> Run-TryBot: Filippo Valsorda <filippo@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
2018-08-06 18:38:38 -04:00
cmd.Run()
cmd = exec.Command("security", "dump-trust-settings", "-d")
crypto/x509: fix and cleanup loadSystemRoots on macOS Note how untrustedData is never NULL, so loadSystemRoots was checking the wrong thing. Also, renamed the C function to CopyPEMRoots to follow the CoreFoundation naming convention on ownership. Finally, redirect all debug output to standard error. Change-Id: Ie80abefadf8974a75c0646aa02fcfcebcbe3bde8 Reviewed-on: https://go-review.googlesource.com/c/go/+/178538 Reviewed-by: Adam Langley <agl@golang.org>
2019-05-21 15:00:50 -04:00
cmd.Stdout, cmd.Stderr = os.Stderr, os.Stderr
crypto/x509: re-enable TestSystemRoots Now that the cgo and no-cgo paths should be correct and equivalent, re-enable the TestSystemRoots test without any margin of error (which was tripping anyway when users had too many of a certain edge-case). As a last quirk, the verify-cert invocation will validate certificates that aren't roots, but are signed by valid roots. Ignore them. Fixes #24652 Change-Id: I6a8ff3c2282136d7122a4e7e387eb8014da0d28a Reviewed-on: https://go-review.googlesource.com/c/128117 TryBot-Result: Gobot Gobot <gobot@golang.org> Run-TryBot: Filippo Valsorda <filippo@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
2018-08-06 18:38:38 -04:00
cmd.Run()
crypto/x509: add non-cgo darwin system anchor certs The set of certs fetched via exec'ing `security` is not quite identical to the certs fetched via the cgo call. The cgo fetch includes any trusted root certs that the user may have added; exec does not. The exec fetch includes an Apple-specific root cert; the cgo fetch does not. Other than that, they appear to be the same. Unfortunately, os/exec depends on crypto/x509, via net/http. Break the circular dependency by moving the exec tests to their own package. This will not work in iOS; we'll cross that bridge when we get to it. R=golang-dev, minux.ma, agl CC=golang-dev https://golang.org/cl/22020045
2013-12-18 10:57:07 -05:00
}
}
Reference in a new issue Copy permalink