crypto/x509: load all trusted certs on darwin (nocgo)

The current implementation ignores certificates that exist in the login and System keychains. This change adds the missing System and login keychain files to the `/usr/bin/security` command in `execSecurityRoots`. If the current user cannot be obtained, the login keychain is ignored. Refs #16532 Change-Id: I8594a6b8940c58df8a8015b274fa45c39e18862c Reviewed-on: https://go-review.googlesource.com/36941 Run-TryBot: Emmanuel Odeke <emm.odeke@gmail.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

crypto/x509: load all trusted certs on darwin (nocgo)
The current implementation ignores certificates that exist in the login and System keychains. This change adds the missing System and login keychain files to the `/usr/bin/security` command in `execSecurityRoots`. If the current user cannot be obtained, the login keychain is ignored. Refs #16532 Change-Id: I8594a6b8940c58df8a8015b274fa45c39e18862c Reviewed-on: https://go-review.googlesource.com/36941 Run-TryBot: Emmanuel Odeke <emm.odeke@gmail.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
4dbcacda · Nathaniel Caza · Brad Fitzpatrick · a005a8d1 · 4dbcacda · 4dbcacda
Commit 4dbcacda authored Feb 13, 2017 by Nathaniel Caza Committed by Brad Fitzpatrick Jul 14, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 22 additions and 2 deletions

src/crypto/x509/root_darwin.go src/crypto/x509/root_darwin.go +21 -1

src/go/build/deps_test.go src/go/build/deps_test.go +1 -1

No files found.
--- a/src/crypto/x509/root_darwin.go
+++ b/src/crypto/x509/root_darwin.go
@@ -16,6 +16,7 @@ import (
 	"io/ioutil"
 	"os"
 	"os/exec"
+	"os/user"
 	"path/filepath"
 	"strings"
 	"sync"
@@ -61,7 +62,26 @@ func execSecurityRoots() (*CertPool, error) {
 		println(fmt.Sprintf("crypto/x509: %d certs have a trust policy", len(hasPolicy)))
 	}

-	cmd := exec.Command("/usr/bin/security", "find-certificate", "-a", "-p", "/System/Library/Keychains/SystemRootCertificates.keychain")
+	args := []string{"find-certificate", "-a", "-p",
+		"/System/Library/Keychains/SystemRootCertificates.keychain",
+		"/Library/Keychains/System.keychain",
+	}
+
+	u, err := user.Current()
+	if err != nil {
+		if debugExecDarwinRoots {
+			println(fmt.Sprintf("crypto/x509: get current user: %v", err))
+		}
+	} else {
+		args = append(args,
+			filepath.Join(u.HomeDir, "/Library/Keychains/login.keychain"),
+
+			// Fresh installs of Sierra use a slightly different path for the login keychain
+			filepath.Join(u.HomeDir, "/Library/Keychains/login.keychain-db"),
+		)
+	}
+
+	cmd := exec.Command("/usr/bin/security", args...)
 	data, err := cmd.Output()
 	if err != nil {
 		return nil, err

--- a/src/go/build/deps_test.go
+++ b/src/go/build/deps_test.go
@@ -377,7 +377,7 @@ var pkgDeps = map[string][]string{
 	},
 	"crypto/x509": {
 		"L4", "CRYPTO-MATH", "OS", "CGO",
-		"crypto/x509/pkix", "encoding/pem", "encoding/hex", "net", "syscall",
+		"crypto/x509/pkix", "encoding/pem", "encoding/hex", "net", "os/user", "syscall",
 	},
 	"crypto/x509/pkix": {"L4", "CRYPTO-MATH"},