• Filippo Valsorda's avatar
    crypto/x509: fix root CA extraction on macOS (no-cgo path) · aa241580
    Filippo Valsorda authored
    Certificates without any trust settings might still be in the keychain
    (for example if they used to have some, or if they are intermediates for
    offline verification), but they are not to be trusted. The only ones we
    can trust unconditionally are the ones in the system roots store.
    
    Moreover, the verify-cert invocation was not specifying the ssl policy,
    defaulting instead to the basic one. We have no way of communicating
    different usages in a CertPool, so stick to the WebPKI use-case as the
    primary one for crypto/x509.
    
    Updates #24652
    
    Change-Id: Ife8b3d2f4026daa1223aa81fac44aeeb4f96528a
    Reviewed-on: https://go-review.googlesource.com/c/128116Reviewed-by: 's avatarAdam Langley <agl@google.com>
    Reviewed-by: 's avatarAdam Langley <agl@golang.org>
    aa241580
Name
Last commit
Last update
.github Loading commit data...
api Loading commit data...
doc Loading commit data...
lib/time Loading commit data...
misc Loading commit data...
src Loading commit data...
test Loading commit data...
.gitattributes Loading commit data...
.gitignore Loading commit data...
AUTHORS Loading commit data...
CONTRIBUTING.md Loading commit data...
CONTRIBUTORS Loading commit data...
LICENSE Loading commit data...
PATENTS Loading commit data...
README.md Loading commit data...
favicon.ico Loading commit data...
robots.txt Loading commit data...