mirror of
https://github.com/golang/go.git
synced 2025-12-08 06:10:04 +00:00
9b189686a5
On Linux distros at least, it's common for cert directories to have symlinks pointing to other certs or even other symlinks. An example from Debian stretch's /etc/ssl/certs directory: ... lrwxrwxrwx 1 root root 46 Aug 13 2018 106f3e4d.0 -> Entrust_Root_Certification_Authority_-_EC1.pem lrwxrwxrwx 1 root root 49 Aug 13 2018 116bf586.0 -> GeoTrust_Primary_Certification_Authority_-_G2.pem lrwxrwxrwx 1 root root 35 Aug 13 2018 128805a3.0 -> EE_Certification_Centre_Root_CA.pem lrwxrwxrwx 1 root root 26 Aug 13 2018 157753a5.0 -> AddTrust_External_Root.pem lrwxrwxrwx 1 root root 59 Aug 13 2018 1636090b.0 -> Hellenic_Academic_and_Research_Institutions_RootCA_2011.pem lrwxrwxrwx 1 root root 23 Aug 13 2018 18856ac4.0 -> SecureSign_RootCA11.pem lrwxrwxrwx 1 root root 31 Aug 13 2018 1d3472b9.0 -> GlobalSign_ECC_Root_CA_-_R5.pem lrwxrwxrwx 1 root root 37 Aug 13 2018 1e08bfd1.0 -> IdenTrust_Public_Sector_Root_CA_1.pem lrwxrwxrwx 1 root root 35 Nov 8 21:13 773e07ad.0 -> OISTE_WISeKey_Global_Root_GC_CA.pem -rw-r--r-- 1 root root 200061 Nov 8 21:24 ca-certificates.crt lrwxrwxrwx 1 root root 27 Nov 8 21:13 dc4d6a89.0 -> GlobalSign_Root_CA_-_R6.pem lrwxrwxrwx 1 root root 62 Nov 8 21:13 GlobalSign_Root_CA_-_R6.pem -> /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R6.crt drwxr-xr-x 2 root root 4096 Jan 26 2019 java lrwxrwxrwx 1 root root 70 Nov 8 21:13 OISTE_WISeKey_Global_Root_GC_CA.pem -> /usr/share/ca-certificates/mozilla/OISTE_WISeKey_Global_Root_GC_CA.crt ... The root_unix.go code read those certs with same-directory twice before. This drops the number of files read from 258 to 130. Saves about 20 ms. Change-Id: I36a1b1e8bb8d89ed3dac8b6255f9048cb7f08fe8 Reviewed-on: https://go-review.googlesource.com/c/go/+/229918 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org>
119 lines
3.1 KiB
Go
119 lines
3.1 KiB
Go
// Copyright 2011 The Go Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
// +build aix dragonfly freebsd js,wasm linux netbsd openbsd solaris
|
|
|
|
package x509
|
|
|
|
import (
|
|
"io/ioutil"
|
|
"os"
|
|
"path/filepath"
|
|
"strings"
|
|
)
|
|
|
|
// Possible directories with certificate files; stop after successfully
|
|
// reading at least one file from a directory.
|
|
var certDirectories = []string{
|
|
"/etc/ssl/certs", // SLES10/SLES11, https://golang.org/issue/12139
|
|
"/system/etc/security/cacerts", // Android
|
|
"/usr/local/share/certs", // FreeBSD
|
|
"/etc/pki/tls/certs", // Fedora/RHEL
|
|
"/etc/openssl/certs", // NetBSD
|
|
"/var/ssl/certs", // AIX
|
|
}
|
|
|
|
const (
|
|
// certFileEnv is the environment variable which identifies where to locate
|
|
// the SSL certificate file. If set this overrides the system default.
|
|
certFileEnv = "SSL_CERT_FILE"
|
|
|
|
// certDirEnv is the environment variable which identifies which directory
|
|
// to check for SSL certificate files. If set this overrides the system default.
|
|
// It is a colon separated list of directories.
|
|
// See https://www.openssl.org/docs/man1.0.2/man1/c_rehash.html.
|
|
certDirEnv = "SSL_CERT_DIR"
|
|
)
|
|
|
|
func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate, err error) {
|
|
return nil, nil
|
|
}
|
|
|
|
func loadSystemRoots() (*CertPool, error) {
|
|
roots := NewCertPool()
|
|
|
|
files := certFiles
|
|
if f := os.Getenv(certFileEnv); f != "" {
|
|
files = []string{f}
|
|
}
|
|
|
|
var firstErr error
|
|
for _, file := range files {
|
|
data, err := ioutil.ReadFile(file)
|
|
if err == nil {
|
|
roots.AppendCertsFromPEM(data)
|
|
break
|
|
}
|
|
if firstErr == nil && !os.IsNotExist(err) {
|
|
firstErr = err
|
|
}
|
|
}
|
|
|
|
dirs := certDirectories
|
|
if d := os.Getenv(certDirEnv); d != "" {
|
|
// OpenSSL and BoringSSL both use ":" as the SSL_CERT_DIR separator.
|
|
// See:
|
|
// * https://golang.org/issue/35325
|
|
// * https://www.openssl.org/docs/man1.0.2/man1/c_rehash.html
|
|
dirs = strings.Split(d, ":")
|
|
}
|
|
|
|
for _, directory := range dirs {
|
|
fis, err := readUniqueDirectoryEntries(directory)
|
|
if err != nil {
|
|
if firstErr == nil && !os.IsNotExist(err) {
|
|
firstErr = err
|
|
}
|
|
continue
|
|
}
|
|
for _, fi := range fis {
|
|
data, err := ioutil.ReadFile(directory + "/" + fi.Name())
|
|
if err == nil {
|
|
roots.AppendCertsFromPEM(data)
|
|
}
|
|
}
|
|
}
|
|
|
|
if len(roots.certs) > 0 || firstErr == nil {
|
|
return roots, nil
|
|
}
|
|
|
|
return nil, firstErr
|
|
}
|
|
|
|
// readUniqueDirectoryEntries is like ioutil.ReadDir but omits
|
|
// symlinks that point within the directory.
|
|
func readUniqueDirectoryEntries(dir string) ([]os.FileInfo, error) {
|
|
fis, err := ioutil.ReadDir(dir)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
uniq := fis[:0]
|
|
for _, fi := range fis {
|
|
if !isSameDirSymlink(fi, dir) {
|
|
uniq = append(uniq, fi)
|
|
}
|
|
}
|
|
return uniq, nil
|
|
}
|
|
|
|
// isSameDirSymlink reports whether fi in dir is a symlink with a
|
|
// target not containing a slash.
|
|
func isSameDirSymlink(fi os.FileInfo, dir string) bool {
|
|
if fi.Mode()&os.ModeSymlink == 0 {
|
|
return false
|
|
}
|
|
target, err := os.Readlink(filepath.Join(dir, fi.Name()))
|
|
return err == nil && !strings.Contains(target, "/")
|
|
}
|