]> Cypherpunks.ru repositories - gostls13.git/blobdiff - src/crypto/x509/verify.go
projects / gostls13.git / blobdiff
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
[dev.boringcrypto] all: merge master into dev.boringcrypto
[gostls13.git] / src / crypto / x509 / verify.go
diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go
index 25a526181ced3905a36629927ee2c7d1cf52fa84..98778fe4556c119ea56a5d94bd353e6017848a24 100644 (file)
--- a/src/crypto/x509/verify.go
+++ b/src/crypto/x509/verify.go
@@ -505,9 +505,9 @@ func (c *Certificate) checkNameConstraints(count *int,
        maxConstraintComparisons int,
        nameType string,
        name string,
-       parsedName interface{},
-       match func(parsedName, constraint interface{}) (match bool, err error),
-       permitted, excluded interface{}) error {
+       parsedName any,
+       match func(parsedName, constraint any) (match bool, err error),
+       permitted, excluded any) error {
 
        excludedValue := reflect.ValueOf(excluded)
 
@@ -614,7 +614,7 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V
                                }
 
                                if err := c.checkNameConstraints(&comparisonCount, maxConstraintComparisons, "email address", name, mailbox,
-                                       func(parsedName, constraint interface{}) (bool, error) {
+                                       func(parsedName, constraint any) (bool, error) {
                                                return matchEmailConstraint(parsedName.(rfc2821Mailbox), constraint.(string))
                                        }, c.PermittedEmailAddresses, c.ExcludedEmailAddresses); err != nil {
                                        return err
@@ -627,7 +627,7 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V
                                }
 
                                if err := c.checkNameConstraints(&comparisonCount, maxConstraintComparisons, "DNS name", name, name,
-                                       func(parsedName, constraint interface{}) (bool, error) {
+                                       func(parsedName, constraint any) (bool, error) {
                                                return matchDomainConstraint(parsedName.(string), constraint.(string))
                                        }, c.PermittedDNSDomains, c.ExcludedDNSDomains); err != nil {
                                        return err
@@ -641,7 +641,7 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V
                                }
 
                                if err := c.checkNameConstraints(&comparisonCount, maxConstraintComparisons, "URI", name, uri,
-                                       func(parsedName, constraint interface{}) (bool, error) {
+                                       func(parsedName, constraint any) (bool, error) {
                                                return matchURIConstraint(parsedName.(*url.URL), constraint.(string))
                                        }, c.PermittedURIDomains, c.ExcludedURIDomains); err != nil {
                                        return err
@@ -654,7 +654,7 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V
                                }
 
                                if err := c.checkNameConstraints(&comparisonCount, maxConstraintComparisons, "IP address", ip.String(), ip,
-                                       func(parsedName, constraint interface{}) (bool, error) {
+                                       func(parsedName, constraint any) (bool, error) {
                                                return matchIPConstraint(parsedName.(net.IP), constraint.(*net.IPNet))
                                        }, c.PermittedIPRanges, c.ExcludedIPRanges); err != nil {
                                        return err
@@ -753,9 +753,20 @@ func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*Certificate, err e
                }
        }
 
-       // Use Windows's own verification and chain building.
-       if opts.Roots == nil && runtime.GOOS == "windows" {
-               return c.systemVerify(&opts)
+       // Use platform verifiers, where available, if Roots is from SystemCertPool.
+       if runtime.GOOS == "windows" || runtime.GOOS == "darwin" || runtime.GOOS == "ios" {
+               if opts.Roots == nil {
+                       return c.systemVerify(&opts)
+               }
+               if opts.Roots != nil && opts.Roots.systemPool {
+                       platformChains, err := c.systemVerify(&opts)
+                       // If the platform verifier succeeded, or there are no additional
+                       // roots, return the platform verifier result. Otherwise, continue
+                       // with the Go verifier.
+                       if err == nil || opts.Roots.len() == 0 {
+                               return platformChains, err
+                       }
+               }
        }
 
        if opts.Roots == nil {
Go GOST TLS 1.3