| blob | 9d7b3a6ffb6cc6977373d1f3d055e11353d8de5f |
1 // Copyright 2013 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
5 //go:generate go run root_darwin_arm_gen.go -output root_darwin_armx.go
7 package x509
10 "bufio"
11 "bytes"
12 "crypto/sha1"
13 "encoding/pem"
14 "fmt"
15 "io"
16 "io/ioutil"
17 "os"
18 "os/exec"
19 "os/user"
20 "path/filepath"
21 "strings"
22 "sync"
23 )
29 }
31 // This code is only used when compiling without cgo.
32 // It is here, instead of root_nocgo_darwin.go, so that tests can check it
33 // even if the tests are run with cgo enabled.
34 // The linker will not include these unused functions in binaries built with cgo enabled.
36 // execSecurityRoots finds the macOS list of trusted root certificates
37 // using only command-line tools. This is our fallback path when cgo isn't available.
38 //
39 // The strategy is as follows:
40 //
41 // 1. Run "security trust-settings-export" and "security
42 // trust-settings-export -d" to discover the set of certs with some
43 // user-tweaked trust policy. We're too lazy to parse the XML (at
44 // least at this stage of Go 1.8) to understand what the trust
45 // policy actually is. We just learn that there is _some_ policy.
46 //
47 // 2. Run "security find-certificate" to dump the list of system root
48 // CAs in PEM format.
49 //
50 // 3. For each dumped cert, conditionally verify it with "security
51 // verify-cert" if that cert was in the set discovered in Step 1.
52 // Without the Step 1 optimization, running "security verify-cert"
53 // 150-200 times takes 3.5 seconds. With the optimization, the
54 // whole process takes about 180 milliseconds with 1 untrusted root
55 // CA. (Compared to 110ms in the cgo path)
60 }
63 }
68 }
74 }
79 // Fresh installs of Sierra use a slightly different path for the login keychain
81 )
82 }
88 }
91 mu sync.Mutex
94 )
99 // Using 4 goroutines to pipe into verify-cert seems to be
100 // about the best we can do. The verify-cert binary seems to
101 // just RPC to another server with coarse locking anyway, so
102 // running 16 at a time for instance doesn't help at all. Due
103 // to the "if hasPolicy" check below, though, we will rarely
104 // (or never) call verify-cert on stock macOS systems, though.
105 // The hope is that we only call verify-cert when the user has
106 // tweaked their trust policy. These 4 goroutines are only
107 // defensive in the pathological case of many trust edits.
115 continue
116 }
122 verifyChecks++
125 }
126 }
129 numVerified += verifyChecks
132 }
134 }
135 }()
136 }
141 break
142 }
144 continue
145 }
146 blockCh <- block
147 }
155 }
158 }
167 }
172 }
176 }
181 }
184 println(fmt.Sprintf("crypto/x509: verify-cert rejected %s: %q", cert.Subject, bytes.TrimSpace(stderr.Bytes())))
185 }
187 }
190 }
192 }
194 // getCertsWithTrustPolicy returns the set of certs that have a
195 // possibly-altered trust policy. The keys of the map are capitalized
196 // sha1 hex of the raw cert.
197 // They are the certs that should be checked against `security
198 // verify-cert` to see whether the user altered the default trust
199 // settings. This code is only used for cgo-disabled builds.
205 }
214 // If there are no trust settings, the
215 // `security trust-settings-export` command
216 // fails with:
217 // exit status 1, SecTrustSettingsCreateExternalRepresentation: No Trust Settings were found.
218 // Rather than match on English substrings that are probably
219 // localized on macOS, just interpret any failure to mean that
220 // there are no trust settings.
223 }
225 }
229 return err
230 }
233 // Gather all the runs of 40 capitalized hex characters.
244 }
246 }
248 break
249 }
251 return err
252 }
253 }
256 }
259 }
262 }
264 }