1 // Copyright 2011 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
8 #cgo CFLAGS: -mmacosx-version-min=10.6 -D__MAC_OS_X_VERSION_MAX_ALLOWED=1060
9 #cgo LDFLAGS: -framework CoreFoundation -framework Security
11 #include <CoreFoundation/CoreFoundation.h>
12 #include <Security/Security.h>
14 // FetchPEMRoots fetches the system's list of trusted X.509 root certificates.
16 // On success it returns 0 and fills pemRoots with a CFDataRef that contains the extracted root
17 // certificates of the system. On failure, the function returns -1.
19 // Note: The CFDataRef returned in pemRoots must be released (using CFRelease) after
20 // we've consumed its content.
21 int FetchPEMRoots(CFDataRef *pemRoots) {
22 if (pemRoots == NULL) {
26 CFArrayRef certs = NULL;
27 OSStatus err = SecTrustCopyAnchorCertificates(&certs);
32 CFMutableDataRef combinedData = CFDataCreateMutable(kCFAllocatorDefault, 0);
33 int i, ncerts = CFArrayGetCount(certs);
34 for (i = 0; i < ncerts; i++) {
35 CFDataRef data = NULL;
36 SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex(certs, i);
41 // Note: SecKeychainItemExport is deprecated as of 10.7 in favor of SecItemExport.
42 // Once we support weak imports via cgo we should prefer that, and fall back to this
44 err = SecKeychainItemExport(cert, kSecFormatX509Cert, kSecItemPemArmour, NULL, &data);
50 CFDataAppendBytes(combinedData, CFDataGetBytePtr(data), CFDataGetLength(data));
57 *pemRoots = combinedData;
64 func (c
*Certificate
) systemVerify(opts
*VerifyOptions
) (chains
[][]*Certificate
, err error
) {
68 func initSystemRoots() {
69 roots
:= NewCertPool()
71 var data C
.CFDataRef
= nil
72 err
:= C
.FetchPEMRoots(&data
)
77 defer C
.CFRelease(C
.CFTypeRef(data
))
78 buf
:= C
.GoBytes(unsafe
.Pointer(C
.CFDataGetBytePtr(data
)), C
.int(C
.CFDataGetLength(data
)))
79 roots
.AppendCertsFromPEM(buf
)