
crypto/x509: properly handle errSecInvalidTrustSettings in macOS roots #38888

@FiloSottile

Description


Looks like when a trust setting is invalid, it drops trust in the certificate, overriding wider domains. All of this is documented nowhere but in the macOS sources, so it will be a pain to figure out.

This came up in a report by @henvic while testing CL 227037. The tests still passed because the cgo and the direct call implementations behave the same, but they used to disagree with the exec one, which for once looks like it might have been the correct one.

https://gist.github.com/henvic/ab28a19631d18135ade7f9507c67feda
https://gist.github.com/henvic/68d9d64bd0120cb74464c5df53c692c0

Not fixing it in CL 227037 and deferring to Go 1.16 because it's been like this forever, and I'd like to focus on getting the port from cgo right, without changing behaviors at the same time.

Labels: FrozenDueToAge, NeedsInvestigation, OS-Darwin