1 // Copyright 2011 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
10 #cgo CFLAGS: -mmacosx-version-min=10.6 -D__MAC_OS_X_VERSION_MAX_ALLOWED=1060
11 #cgo LDFLAGS: -framework CoreFoundation -framework Security
13 #include <CoreFoundation/CoreFoundation.h>
14 #include <Security/Security.h>
16 // FetchPEMRoots fetches the system's list of trusted X.509 root certificates.
18 // On success it returns 0 and fills pemRoots with a CFDataRef that contains the extracted root
19 // certificates of the system. On failure, the function returns -1.
21 // Note: The CFDataRef returned in pemRoots must be released (using CFRelease) after
22 // we've consumed its content.
23 int FetchPEMRoots(CFDataRef *pemRoots) {
24 if (pemRoots == NULL) {
28 CFArrayRef certs = NULL;
29 OSStatus err = SecTrustCopyAnchorCertificates(&certs);
34 CFMutableDataRef combinedData = CFDataCreateMutable(kCFAllocatorDefault, 0);
35 int i, ncerts = CFArrayGetCount(certs);
36 for (i = 0; i < ncerts; i++) {
37 CFDataRef data = NULL;
38 SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex(certs, i);
43 // Note: SecKeychainItemExport is deprecated as of 10.7 in favor of SecItemExport.
44 // Once we support weak imports via cgo we should prefer that, and fall back to this
46 err = SecKeychainItemExport(cert, kSecFormatX509Cert, kSecItemPemArmour, NULL, &data);
52 CFDataAppendBytes(combinedData, CFDataGetBytePtr(data), CFDataGetLength(data));
59 *pemRoots = combinedData;
66 func initSystemRoots() {
67 roots
:= NewCertPool()
69 var data C
.CFDataRef
= nil
70 err
:= C
.FetchPEMRoots(&data
)
75 defer C
.CFRelease(C
.CFTypeRef(data
))
76 buf
:= C
.GoBytes(unsafe
.Pointer(C
.CFDataGetBytePtr(data
)), C
.int(C
.CFDataGetLength(data
)))
77 roots
.AppendCertsFromPEM(buf
)