Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.Sign up
GitHub is where the world builds software
Millions of developers and companies build, ship, and maintain their software on GitHub — the largest and most advanced development platform in the world.
crypto/x509: root_cgo_darwin and root_nocgo_darwin omit some system certs [1.11 backport] #26039
…(cgo path) The cgo path was not taking policies into account, using the last security setting in the array whatever it was. Also, it was not aware of the defaults for empty security settings, and for security settings without a result type. Finally, certificates restricted to a hostname were considered roots. The API docs for this code are partial and not very clear, so this is a best effort, really. Updates #24652 Updates #26039 Change-Id: I8fa2fe4706f44f3d963b32e0615d149e997b537d Reviewed-on: https://go-review.googlesource.com/c/128056 Run-TryBot: Filippo Valsorda <firstname.lastname@example.org> TryBot-Result: Gobot Gobot <email@example.com> Reviewed-by: Adam Langley <firstname.lastname@example.org> Reviewed-by: Adam Langley <email@example.com> (cherry picked from commit f6be1cf) Reviewed-on: https://go-review.googlesource.com/c/162860 Reviewed-by: Andrew Bonventre <firstname.lastname@example.org>
…(no-cgo path) Certificates without any trust settings might still be in the keychain (for example if they used to have some, or if they are intermediates for offline verification), but they are not to be trusted. The only ones we can trust unconditionally are the ones in the system roots store. Moreover, the verify-cert invocation was not specifying the ssl policy, defaulting instead to the basic one. We have no way of communicating different usages in a CertPool, so stick to the WebPKI use-case as the primary one for crypto/x509. Updates #24652 Fixes #26039 Change-Id: Ife8b3d2f4026daa1223aa81fac44aeeb4f96528a Reviewed-on: https://go-review.googlesource.com/c/128116 Reviewed-by: Adam Langley <email@example.com> Reviewed-by: Adam Langley <firstname.lastname@example.org> (cherry picked from commit aa24158) Reviewed-on: https://go-review.googlesource.com/c/162861 Run-TryBot: Filippo Valsorda <email@example.com> TryBot-Result: Gobot Gobot <firstname.lastname@example.org> Reviewed-by: Andrew Bonventre <email@example.com>