1 // Copyright 2011 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
8 #cgo CFLAGS: -mmacosx-version-min=10.6 -D__MAC_OS_X_VERSION_MAX_ALLOWED=1060
9 #cgo LDFLAGS: -framework CoreFoundation -framework Security
11 #include <CoreFoundation/CoreFoundation.h>
12 #include <Security/Security.h>
14 // FetchPEMRoots fetches the system's list of trusted X.509 root certificates.
16 // On success it returns 0 and fills pemRoots with a CFDataRef that contains the extracted root
17 // certificates of the system. On failure, the function returns -1.
19 // Note: The CFDataRef returned in pemRoots must be released (using CFRelease) after
20 // we've consumed its content.
21 int FetchPEMRoots(CFDataRef *pemRoots) {
22 if (pemRoots == NULL) {
26 CFArrayRef certs = NULL;
27 OSStatus err = SecTrustCopyAnchorCertificates(&certs);
32 CFMutableDataRef combinedData = CFDataCreateMutable(kCFAllocatorDefault, 0);
33 int i, ncerts = CFArrayGetCount(certs);
34 for (i = 0; i < ncerts; i++) {
35 CFDataRef data = NULL;
36 SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex(certs, i);
41 // Note: SecKeychainItemExport is deprecated as of 10.7 in favor of SecItemExport.
42 // Once we support weak imports via cgo we should prefer that, and fall back to this
44 err = SecKeychainItemExport(cert, kSecFormatX509Cert, kSecItemPemArmour, NULL, &data);
50 CFDataAppendBytes(combinedData, CFDataGetBytePtr(data), CFDataGetLength(data));
57 *pemRoots = combinedData;
67 func initDefaultRoots() {
68 roots := x509.NewCertPool()
70 var data C.CFDataRef = nil
71 err := C.FetchPEMRoots(&data)
73 defer C.CFRelease(C.CFTypeRef(data))
74 buf := C.GoBytes(unsafe.Pointer(C.CFDataGetBytePtr(data)), C.int(C.CFDataGetLength(data)))
75 roots.AppendCertsFromPEM(buf)
78 varDefaultRoots = roots