mirror of
https://github.com/golang/go.git
synced 2025-12-08 06:10:04 +00:00
7a03d79498
"SSL_CERT_DIR" is meant to hold more than one directory, when a colon is used as a delimiter. However, we assumed it'd be a single directory for all root certificates. OpenSSL and BoringSSL properly respected the colon separated "SSL_CERT_DIR", as per: * OpenSSL12a765a523/crypto/x509/by_dir.c (L153-L209)* BoringSSL3ba9586bc0/crypto/x509/by_dir.c (L194-L247)This change adds that parity to loadSystemRoots. RELNOTE=yes Fixes #35325 Change-Id: I0d554a00ccc34300a7f0529aa741ee7e2d5762f9 Reviewed-on: https://go-review.googlesource.com/c/go/+/205237 Run-TryBot: Emmanuel Odeke <emm.odeke@gmail.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
92 lines
2.4 KiB
Go
92 lines
2.4 KiB
Go
// Copyright 2011 The Go Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
// +build aix dragonfly freebsd js,wasm linux netbsd openbsd solaris
|
|
|
|
package x509
|
|
|
|
import (
|
|
"io/ioutil"
|
|
"os"
|
|
"strings"
|
|
)
|
|
|
|
// Possible directories with certificate files; stop after successfully
|
|
// reading at least one file from a directory.
|
|
var certDirectories = []string{
|
|
"/etc/ssl/certs", // SLES10/SLES11, https://golang.org/issue/12139
|
|
"/system/etc/security/cacerts", // Android
|
|
"/usr/local/share/certs", // FreeBSD
|
|
"/etc/pki/tls/certs", // Fedora/RHEL
|
|
"/etc/openssl/certs", // NetBSD
|
|
"/var/ssl/certs", // AIX
|
|
}
|
|
|
|
const (
|
|
// certFileEnv is the environment variable which identifies where to locate
|
|
// the SSL certificate file. If set this overrides the system default.
|
|
certFileEnv = "SSL_CERT_FILE"
|
|
|
|
// certDirEnv is the environment variable which identifies which directory
|
|
// to check for SSL certificate files. If set this overrides the system default.
|
|
// It is a colon separated list of directories.
|
|
// See https://www.openssl.org/docs/man1.0.2/man1/c_rehash.html.
|
|
certDirEnv = "SSL_CERT_DIR"
|
|
)
|
|
|
|
func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate, err error) {
|
|
return nil, nil
|
|
}
|
|
|
|
func loadSystemRoots() (*CertPool, error) {
|
|
roots := NewCertPool()
|
|
|
|
files := certFiles
|
|
if f := os.Getenv(certFileEnv); f != "" {
|
|
files = []string{f}
|
|
}
|
|
|
|
var firstErr error
|
|
for _, file := range files {
|
|
data, err := ioutil.ReadFile(file)
|
|
if err == nil {
|
|
roots.AppendCertsFromPEM(data)
|
|
break
|
|
}
|
|
if firstErr == nil && !os.IsNotExist(err) {
|
|
firstErr = err
|
|
}
|
|
}
|
|
|
|
dirs := certDirectories
|
|
if d := os.Getenv(certDirEnv); d != "" {
|
|
// OpenSSL and BoringSSL both use ":" as the SSL_CERT_DIR separator.
|
|
// See:
|
|
// * https://golang.org/issue/35325
|
|
// * https://www.openssl.org/docs/man1.0.2/man1/c_rehash.html
|
|
dirs = strings.Split(d, ":")
|
|
}
|
|
|
|
for _, directory := range dirs {
|
|
fis, err := ioutil.ReadDir(directory)
|
|
if err != nil {
|
|
if firstErr == nil && !os.IsNotExist(err) {
|
|
firstErr = err
|
|
}
|
|
continue
|
|
}
|
|
for _, fi := range fis {
|
|
data, err := ioutil.ReadFile(directory + "/" + fi.Name())
|
|
if err == nil {
|
|
roots.AppendCertsFromPEM(data)
|
|
}
|
|
}
|
|
}
|
|
|
|
if len(roots.certs) > 0 || firstErr == nil {
|
|
return roots, nil
|
|
}
|
|
|
|
return nil, firstErr
|
|
}
|