search

golang / go

The Go programming language
https://go.dev
BSD 3-Clause "New" or "Revised" License
123.69k stars 17.62k forks source link

crypto/x509: root_cgo_darwin omits intermediate CAs with an empty policy settings or an unspecified trust type setting #30672

Closed penglei closed 5 years ago

penglei commented 5 years ago

What version of Go are you using (go version)?

$ go version
go version go1.12 darwin/amd64

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/penglei/Library/Caches/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/penglei/go"
GOPROXY=""
GORACE=""
GOROOT="/usr/local/Cellar/go/1.12/libexec"
GOTMPDIR=""
GOTOOLDIR="/usr/local/Cellar/go/1.12/libexec/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/n1/b06cdpcn6y58vz_184h4rlbc0000gn/T/go-build500360568=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

  1. generate certs

    Use this script to generate a server certificate signed by an intermediate certificate

    https://gist.github.com/penglei/91530ced7174d4d96ecbe8a5f8420749

    this script will generate root.pem, root-key.pem, intermediate.pem, intermediate-key.pem, server.pem, server-key.pem. certs in following step can be found here.

  2. add ca cert to system by /usr/bin/security

    sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain   root.pem
sudo security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain  intermediate.pem

    NOTE: bug is produced when adding intermediate.pem by calling security add-trusted-cert with no any -p policy options.

  3. config a HTTPS server

    Copy server.pem and server-key.pem to nginx config directory

    add the following content to nginx.conf:

    server {
    listen       443 ssl;
    server_name  localhost;

    ssl_certificate server.pem;
    ssl_certificate_key server-key.pem;

    location / {
        root   html;
        index  index.html index.htm;
    }
}

  4. run the following go program

    func main() {
    _, err := http.DefaultClient.Get("https://127.0.0.1/")
    if err != nil {
        panic(err)
    } else {
        fmt.Println("OK")
    }
}

    please ensure CGO_ENABLED=1 (this is default)

What did you expect to see?

OK

What did you see instead?

panic: Get https://127.0.0.1/: x509: certificate signed by unknown authority
gopherbot commented 5 years ago

Change https://golang.org/cl/166219 mentions this issue: fix root_cgo_darwin omits some trusty intermediate ca certificate

FiloSottile commented 5 years ago

Probably a duplicate of #30471.

penglei commented 5 years ago

Probably a duplicate of #30471.

Yes, it is. I reproduced the problem of #30471. After applying the patch and recompiling go binary, it's fixed.

gopherbot commented 5 years ago

Change https://golang.org/cl/178539 mentions this issue: crypto/x509: include roots with empty or multiple policies on macOS

FiloSottile commented 5 years ago

This should be now fixed at tip. Please test it with https://golang.org/dl/gotip and report back.

$ go get golang.org/dl/gotip
$ gotip download
$ GODEBUG=x509roots=1 gotip test -v -run TestSystemRoots crypto/x509
$ gotip run [YOUR_PROGRAM]
gopherbot commented 4 years ago

Change https://golang.org/cl/227037 mentions this issue: crypto/x509: use Security.framework without cgo for roots on macOS