1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
|
// Copyright 2020 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
//go:build darwin
package macOS
import (
"errors"
"internal/abi"
"strconv"
"unsafe"
)
// Security.framework linker flags for the external linker. See Issue 42459.
//go:cgo_ldflag "-framework"
//go:cgo_ldflag "Security"
// Based on https://opensource.apple.com/source/Security/Security-59306.41.2/base/Security.h
type SecTrustSettingsResult int32
const (
SecTrustSettingsResultInvalid SecTrustSettingsResult = iota
SecTrustSettingsResultTrustRoot
SecTrustSettingsResultTrustAsRoot
SecTrustSettingsResultDeny
SecTrustSettingsResultUnspecified
)
type SecTrustResultType int32
const (
SecTrustResultInvalid SecTrustResultType = iota
SecTrustResultProceed
SecTrustResultConfirm // deprecated
SecTrustResultDeny
SecTrustResultUnspecified
SecTrustResultRecoverableTrustFailure
SecTrustResultFatalTrustFailure
SecTrustResultOtherError
)
type SecTrustSettingsDomain int32
const (
SecTrustSettingsDomainUser SecTrustSettingsDomain = iota
SecTrustSettingsDomainAdmin
SecTrustSettingsDomainSystem
)
const (
// various macOS error codes that can be returned from
// SecTrustEvaluateWithError that we can map to Go cert
// verification error types.
ErrSecCertificateExpired = -67818
ErrSecHostNameMismatch = -67602
ErrSecNotTrusted = -67843
)
type OSStatus struct {
call string
status int32
}
func (s OSStatus) Error() string {
return s.call + " error: " + strconv.Itoa(int(s.status))
}
// Dictionary keys are defined as build-time strings with CFSTR, but the Go
// linker's internal linking mode can't handle CFSTR relocations. Create our
// own dynamic strings instead and just never release them.
//
// Note that this might be the only thing that can break over time if
// these values change, as the ABI arguably requires using the strings
// pointed to by the symbols, not values that happen to be equal to them.
var SecTrustSettingsResultKey = StringToCFString("kSecTrustSettingsResult")
var SecTrustSettingsPolicy = StringToCFString("kSecTrustSettingsPolicy")
var SecTrustSettingsPolicyString = StringToCFString("kSecTrustSettingsPolicyString")
var SecPolicyOid = StringToCFString("SecPolicyOid")
var SecPolicyAppleSSL = StringToCFString("1.2.840.113635.100.1.3") // defined by POLICYMACRO
var ErrNoTrustSettings = errors.New("no trust settings found")
const errSecNoTrustSettings = -25263
//go:cgo_import_dynamic x509_SecTrustSettingsCopyCertificates SecTrustSettingsCopyCertificates "/System/Library/Frameworks/Security.framework/Versions/A/Security"
func SecTrustSettingsCopyCertificates(domain SecTrustSettingsDomain) (certArray CFRef, err error) {
ret := syscall(abi.FuncPCABI0(x509_SecTrustSettingsCopyCertificates_trampoline), uintptr(domain),
uintptr(unsafe.Pointer(&certArray)), 0, 0, 0, 0)
if int32(ret) == errSecNoTrustSettings {
return 0, ErrNoTrustSettings
} else if ret != 0 {
return 0, OSStatus{"SecTrustSettingsCopyCertificates", int32(ret)}
}
return certArray, nil
}
func x509_SecTrustSettingsCopyCertificates_trampoline()
const errSecItemNotFound = -25300
//go:cgo_import_dynamic x509_SecTrustSettingsCopyTrustSettings SecTrustSettingsCopyTrustSettings "/System/Library/Frameworks/Security.framework/Versions/A/Security"
func SecTrustSettingsCopyTrustSettings(cert CFRef, domain SecTrustSettingsDomain) (trustSettings CFRef, err error) {
ret := syscall(abi.FuncPCABI0(x509_SecTrustSettingsCopyTrustSettings_trampoline), uintptr(cert), uintptr(domain),
uintptr(unsafe.Pointer(&trustSettings)), 0, 0, 0)
if int32(ret) == errSecItemNotFound {
return 0, ErrNoTrustSettings
} else if ret != 0 {
return 0, OSStatus{"SecTrustSettingsCopyTrustSettings", int32(ret)}
}
return trustSettings, nil
}
func x509_SecTrustSettingsCopyTrustSettings_trampoline()
//go:cgo_import_dynamic x509_SecPolicyCopyProperties SecPolicyCopyProperties "/System/Library/Frameworks/Security.framework/Versions/A/Security"
func SecPolicyCopyProperties(policy CFRef) CFRef {
ret := syscall(abi.FuncPCABI0(x509_SecPolicyCopyProperties_trampoline), uintptr(policy), 0, 0, 0, 0, 0)
return CFRef(ret)
}
func x509_SecPolicyCopyProperties_trampoline()
//go:cgo_import_dynamic x509_SecTrustCreateWithCertificates SecTrustCreateWithCertificates "/System/Library/Frameworks/Security.framework/Versions/A/Security"
func SecTrustCreateWithCertificates(certs CFRef, policies CFRef) (CFRef, error) {
var trustObj CFRef
ret := syscall(abi.FuncPCABI0(x509_SecTrustCreateWithCertificates_trampoline), uintptr(certs), uintptr(policies),
uintptr(unsafe.Pointer(&trustObj)), 0, 0, 0)
if int32(ret) != 0 {
return 0, OSStatus{"SecTrustCreateWithCertificates", int32(ret)}
}
return trustObj, nil
}
func x509_SecTrustCreateWithCertificates_trampoline()
//go:cgo_import_dynamic x509_SecCertificateCreateWithData SecCertificateCreateWithData "/System/Library/Frameworks/Security.framework/Versions/A/Security"
func SecCertificateCreateWithData(b []byte) CFRef {
data := BytesToCFData(b)
ret := syscall(abi.FuncPCABI0(x509_SecCertificateCreateWithData_trampoline), kCFAllocatorDefault, uintptr(data), 0, 0, 0, 0)
CFRelease(data)
return CFRef(ret)
}
func x509_SecCertificateCreateWithData_trampoline()
//go:cgo_import_dynamic x509_SecPolicyCreateSSL SecPolicyCreateSSL "/System/Library/Frameworks/Security.framework/Versions/A/Security"
func SecPolicyCreateSSL(name string) CFRef {
var hostname CFString
if name != "" {
hostname = StringToCFString(name)
defer CFRelease(CFRef(hostname))
}
ret := syscall(abi.FuncPCABI0(x509_SecPolicyCreateSSL_trampoline), 1 /* true */, uintptr(hostname), 0, 0, 0, 0)
return CFRef(ret)
}
func x509_SecPolicyCreateSSL_trampoline()
//go:cgo_import_dynamic x509_SecTrustSetVerifyDate SecTrustSetVerifyDate "/System/Library/Frameworks/Security.framework/Versions/A/Security"
func SecTrustSetVerifyDate(trustObj CFRef, dateRef CFRef) error {
ret := syscall(abi.FuncPCABI0(x509_SecTrustSetVerifyDate_trampoline), uintptr(trustObj), uintptr(dateRef), 0, 0, 0, 0)
if int32(ret) != 0 {
return OSStatus{"SecTrustSetVerifyDate", int32(ret)}
}
return nil
}
func x509_SecTrustSetVerifyDate_trampoline()
//go:cgo_import_dynamic x509_SecTrustEvaluate SecTrustEvaluate "/System/Library/Frameworks/Security.framework/Versions/A/Security"
func SecTrustEvaluate(trustObj CFRef) (CFRef, error) {
var result CFRef
ret := syscall(abi.FuncPCABI0(x509_SecTrustEvaluate_trampoline), uintptr(trustObj), uintptr(unsafe.Pointer(&result)), 0, 0, 0, 0)
if int32(ret) != 0 {
return 0, OSStatus{"SecTrustEvaluate", int32(ret)}
}
return CFRef(result), nil
}
func x509_SecTrustEvaluate_trampoline()
//go:cgo_import_dynamic x509_SecTrustGetResult SecTrustGetResult "/System/Library/Frameworks/Security.framework/Versions/A/Security"
func SecTrustGetResult(trustObj CFRef, result CFRef) (CFRef, CFRef, error) {
var chain, info CFRef
ret := syscall(abi.FuncPCABI0(x509_SecTrustGetResult_trampoline), uintptr(trustObj), uintptr(unsafe.Pointer(&result)),
uintptr(unsafe.Pointer(&chain)), uintptr(unsafe.Pointer(&info)), 0, 0)
if int32(ret) != 0 {
return 0, 0, OSStatus{"SecTrustGetResult", int32(ret)}
}
return chain, info, nil
}
func x509_SecTrustGetResult_trampoline()
//go:cgo_import_dynamic x509_SecTrustEvaluateWithError SecTrustEvaluateWithError "/System/Library/Frameworks/Security.framework/Versions/A/Security"
func SecTrustEvaluateWithError(trustObj CFRef) (int, error) {
var errRef CFRef
ret := syscall(abi.FuncPCABI0(x509_SecTrustEvaluateWithError_trampoline), uintptr(trustObj), uintptr(unsafe.Pointer(&errRef)), 0, 0, 0, 0)
if int32(ret) != 1 {
errStr := CFErrorCopyDescription(errRef)
err := errors.New(CFStringToString(errStr))
errCode := CFErrorGetCode(errRef)
CFRelease(errRef)
CFRelease(errStr)
return errCode, err
}
return 0, nil
}
func x509_SecTrustEvaluateWithError_trampoline()
//go:cgo_import_dynamic x509_SecTrustGetCertificateCount SecTrustGetCertificateCount "/System/Library/Frameworks/Security.framework/Versions/A/Security"
func SecTrustGetCertificateCount(trustObj CFRef) int {
ret := syscall(abi.FuncPCABI0(x509_SecTrustGetCertificateCount_trampoline), uintptr(trustObj), 0, 0, 0, 0, 0)
return int(ret)
}
func x509_SecTrustGetCertificateCount_trampoline()
//go:cgo_import_dynamic x509_SecTrustGetCertificateAtIndex SecTrustGetCertificateAtIndex "/System/Library/Frameworks/Security.framework/Versions/A/Security"
func SecTrustGetCertificateAtIndex(trustObj CFRef, i int) CFRef {
ret := syscall(abi.FuncPCABI0(x509_SecTrustGetCertificateAtIndex_trampoline), uintptr(trustObj), uintptr(i), 0, 0, 0, 0)
return CFRef(ret)
}
func x509_SecTrustGetCertificateAtIndex_trampoline()
//go:cgo_import_dynamic x509_SecCertificateCopyData SecCertificateCopyData "/System/Library/Frameworks/Security.framework/Versions/A/Security"
func SecCertificateCopyData(cert CFRef) ([]byte, error) {
ret := syscall(abi.FuncPCABI0(x509_SecCertificateCopyData_trampoline), uintptr(cert), 0, 0, 0, 0, 0)
if ret == 0 {
return nil, errors.New("x509: invalid certificate object")
}
b := CFDataToSlice(CFRef(ret))
CFRelease(CFRef(ret))
return b, nil
}
func x509_SecCertificateCopyData_trampoline()
|