
proposal: x509.Certificate.Verify should provide an option for both using the host's root CA set and an additional set of user-provided root CAs #34937

Closed
@philipatl

Description

@philipatl

(A similar thing would apply to tls.Config's RootCAs option.)

Currently, you can attempt to do this by getting SystemCertPool(), adding additional certs to this pool, and then setting this as the Roots member. One problem with this is on Windows, where SystemCertPool() does not work. Even if you try to work around this by implementing your own SystemCertPool for Windows (via CertEnumCertificatesInStore etc.), it could be incomplete due to Windows' behavior of adding trusted roots to its store on demand.

The neat thing is that Go's systemVerify (called when no *CertPool is given) will use the Windows CryptoAPI, which during the verification process will pull trusted root CAs into the Windows store if they are not there already. With this in mind, changing the capabilities of tls.Config (and x509.VerifyOptions) to take not only a *CertPool but also a flag that indicates whether the system roots should be used as well would give more capabilities to Go programs built for Windows.

This would probably go a long way to ameliorating the issues most Windows people face with SystemCertPool. See issues #16736 and #18609.
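The workaround the issue describes (start from SystemCertPool(), append your own roots, hand the result to VerifyOptions.Roots or tls.Config.RootCAs), written out as an added, runnable example; this is not code from the issue or from the Go project. It generates a throwaway private CA and a leaf certificate inline so it runs offline, and it makes explicit the failure mode the proposal is about: on a platform where SystemCertPool() returns an error, the combined pool contains only the extra roots, and because a non-nil Roots disables the system verifier, anything the OS would have trusted is no longer trusted. The function names RootsWithExtras, GenerateChain and VerifyAgainst and the hostname example.internal are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// RootsWithExtras builds the "system roots + my roots" pool that
// x509.VerifyOptions.Roots or tls.Config.RootCAs expects today.
// The bool reports whether the host root set was actually included:
// if x509.SystemCertPool fails, the pool holds only the extra roots, and
// since a non-nil Roots bypasses the platform verifier, OS-trusted roots
// will NOT be trusted by a Verify that uses this pool. (Example code.)
func RootsWithExtras(extraPEM []byte) (*x509.CertPool, bool, error) {
	pool, err := x509.SystemCertPool()
	haveSystem := err == nil
	if !haveSystem {
		pool = x509.NewCertPool()
	}
	if len(extraPEM) > 0 && !pool.AppendCertsFromPEM(extraPEM) {
		return nil, haveSystem, errors.New("no certificates parsed from extra PEM")
	}
	return pool, haveSystem, nil
}

// GenerateChain creates a throwaway private root CA and a leaf certificate
// for example.internal signed by it. Constructed test data, not a real PKI.
func GenerateChain() (caPEM, leafPEM []byte, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Private Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "example.internal"},
		DNSNames:     []string{"example.internal"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	leafPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
	return caPEM, leafPEM, nil
}

// VerifyAgainst checks that the PEM leaf chains to roots for dnsName as a
// server certificate. Passing roots == nil means "system roots only", the
// behaviour the proposal wants to keep while also accepting extra roots.
func VerifyAgainst(leafPEM []byte, dnsName string, roots *x509.CertPool) error {
	block, _ := pem.Decode(leafPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("no CERTIFICATE block in leaf PEM")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{
		DNSName:   dnsName,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	caPEM, leafPEM, err := GenerateChain()
	if err != nil {
		panic(err)
	}
	pool, haveSystem, err := RootsWithExtras(caPEM)
	if err != nil {
		panic(err)
	}
	fmt.Println("system roots included:", haveSystem)
	fmt.Println("with extra root:", VerifyAgainst(leafPEM, "example.internal", pool))
	fmt.Println("with empty pool:", VerifyAgainst(leafPEM, "example.internal", x509.NewCertPool()))
}
```

The same pool can be assigned to tls.Config.RootCAs for a client. The check a practitioner wants is the bool: if RootsWithExtras reports that the system set was not included, the program is about to verify against its own roots alone, which is exactly the Windows situation the issue complains about, and it should either fail loudly or fall back to Roots == nil and give up on the extra roots rather than silently trusting less than the OS would.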
