Stowage/go
2
0
Fork 0
mirror of https://github.com/golang/go.git synced 2025-12-08 06:10:04 +00:00
Code Issues Projects Releases Packages Wiki Activity

crypto/x509: load roots from colon separated SSL_CERT_DIR in loadSystemRoots

Browse source 
"SSL_CERT_DIR" is meant to hold more than one directory, when a colon
is used as a delimiter. However, we assumed it'd be a single directory
for all root certificates.
OpenSSL and BoringSSL properly respected the colon separated
"SSL_CERT_DIR", as per:
* OpenSSL 12a765a523/crypto/x509/by_dir.c (L153-L209)
* BoringSSL 3ba9586bc0/crypto/x509/by_dir.c (L194-L247)

This change adds that parity to loadSystemRoots.

RELNOTE=yes

Fixes #35325

Change-Id: I0d554a00ccc34300a7f0529aa741ee7e2d5762f9
Reviewed-on: https://go-review.googlesource.com/c/go/+/205237
Run-TryBot: Emmanuel Odeke <emm.odeke@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
This commit is contained in:
Emmanuel T Odeke 2019-11-04 09:19:59 -08:00 committed by Emmanuel Odeke
parent 6052838bc3
commit 7a03d79498
2 changed files with 91 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

17
src/crypto/x509/root_unix.go
View file

@ -9,6 +9,7 @@ package x509
import (
"io/ioutil"
"os"
"strings"
)
// Possible directories with certificate files; stop after successfully
@ -29,6 +30,8 @@ const (
// certDirEnv is the environment variable which identifies which directory
// to check for SSL certificate files. If set this overrides the system default.
// It is a colon separated list of directories.
// See https://www.openssl.org/docs/man1.0.2/man1/c_rehash.html.
certDirEnv = "SSL_CERT_DIR"
)
@ -58,7 +61,11 @@ func loadSystemRoots() (*CertPool, error) {
dirs := certDirectories
if d := os.Getenv(certDirEnv); d != "" {
dirs = []string{d}
// OpenSSL and BoringSSL both use ":" as the SSL_CERT_DIR separator.
// See:
// * https://golang.org/issue/35325
// * https://www.openssl.org/docs/man1.0.2/man1/c_rehash.html
dirs = strings.Split(d, ":")
}
for _, directory := range dirs {
@ -69,16 +76,12 @@ func loadSystemRoots() (*CertPool, error) {
}
continue
}
rootsAdded := false
for _, fi := range fis {
data, err := ioutil.ReadFile(directory + "/" + fi.Name())
if err == nil && roots.AppendCertsFromPEM(data) {
rootsAdded = true
if err == nil {
roots.AppendCertsFromPEM(data)
}
}
if rootsAdded {
return roots, nil
}
}
if len(roots.certs) > 0 || firstErr == nil {