1 // Copyright 2011 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
10 #cgo CFLAGS: -mmacosx-version-min=10.6 -D__MAC_OS_X_VERSION_MAX_ALLOWED=1060
11 #cgo LDFLAGS: -framework CoreFoundation -framework Security
13 #include <CoreFoundation/CoreFoundation.h>
14 #include <Security/Security.h>
16 // FetchPEMRootsCTX509 fetches the system's list of trusted X.509 root certificates.
18 // On success it returns 0 and fills pemRoots with a CFDataRef that contains the extracted root
19 // certificates of the system. On failure, the function returns -1.
21 // Note: The CFDataRef returned in pemRoots must be released (using CFRelease) after
22 // we've consumed its content.
23 int FetchPEMRootsCTX509(CFDataRef *pemRoots) {
24 if (pemRoots == NULL) {
28 CFArrayRef certs = NULL;
29 OSStatus err = SecTrustCopyAnchorCertificates(&certs);
34 CFMutableDataRef combinedData = CFDataCreateMutable(kCFAllocatorDefault, 0);
35 int i, ncerts = CFArrayGetCount(certs);
36 for (i = 0; i < ncerts; i++) {
37 CFDataRef data = NULL;
38 SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex(certs, i);
43 // Note: SecKeychainItemExport is deprecated as of 10.7 in favor of SecItemExport.
44 // Once we support weak imports via cgo we should prefer that, and fall back to this
46 err = SecKeychainItemExport(cert, kSecFormatX509Cert, kSecItemPemArmour, NULL, &data);
52 CFDataAppendBytes(combinedData, CFDataGetBytePtr(data), CFDataGetLength(data));
59 *pemRoots = combinedData;
66 func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate, err error) {
70 func initSystemRoots() {
71 roots := NewCertPool()
73 var data C.CFDataRef = nil
74 err := C.FetchPEMRootsCTX509(&data)
79 defer C.CFRelease(C.CFTypeRef(data))
80 buf := C.GoBytes(unsafe.Pointer(C.CFDataGetBytePtr(data)), C.int(C.CFDataGetLength(data)))
81 roots.AppendCertsFromPEM(buf)