    crypto/x509: load all trusted certs on darwin (cgo) · e7f95b3c
    Nathaniel Caza authored
    The current implementation ignores certs wherein the
    Subject does not match the Issuer. An example of where
    this causes issues is an enterprise environment with
    intermediate CAs. In this case, the issuer is separate
    (and may be loaded) but the intermediate is ignored.
    A TLS handshake that does not include the intermediate
    cert would then fail with an untrusted error in Go.
    
    On other platforms (darwin-nocgo included), all trusted
    certs are loaded and accepted regardless of
    Subject/Issuer names.
    
    This change removes the Subject/Issuer name-matching
    restriction of certificates when trustAsRoot is set,
    allowing all trusted certs to be loaded on darwin (cgo).
    
    Refs #16532
    
    Change-Id: I451e929588f8911892be6bdc2143d0799363c5f8
    Reviewed-on: https://go-review.googlesource.com/36942
    Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
    TryBot-Result: Gobot Gobot <gobot@golang.org>
    Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
root_cgo_darwin.go 8.32 KB