• Mikkel Krautz's avatar
    crypto/x509: new home for root fetchers; build chains using Windows API · a324a5ac
    Mikkel Krautz authored
    This moves the various CA root fetchers from crypto/tls into crypto/x509.
    
    The move was brought about by issue 2997. Windows doesn't ship with all
    its root certificates, but will instead download them as-needed when using
    CryptoAPI for certificate verification.
    
    This CL changes crypto/x509 to verify a certificate using the system root
    CAs when VerifyOptions.RootCAs == nil. On Windows, this verification is
    now implemented using Windows's CryptoAPI. All other root fetchers are
    unchanged, and still use Go's own verification code.
    
    The CL also fixes the hostname matching logic in crypto/tls/tls.go, in
    order to be able to test whether hostname mismatches are honored by the
    Windows verification code.
    
    The move to crypto/x509 also allows other packages to use the OS-provided
    root certificates, instead of hiding them inside the crypto/tls package.
    
    Fixes #2997.
    
    R=agl, golang-dev, alex.brainman, rsc, mikkel
    CC=golang-dev
    https://golang.org/cl/5700087
    a324a5ac
verify_test.go 16.6 KB