// Copyright 2011 The Go Authors. All rights reserved. // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. //go:build aix || dragonfly || freebsd || (js && wasm) || linux || netbsd || openbsd || solaris package x509 import ( "io/fs" "os" "path/filepath" "strings" ) const ( // certFileEnv is the environment variable which identifies where to locate // the SSL certificate file. If set this overrides the system default. certFileEnv = "SSL_CERT_FILE" // certDirEnv is the environment variable which identifies which directory // to check for SSL certificate files. If set this overrides the system default. // It is a colon separated list of directories. // See https://www.openssl.org/docs/man1.0.2/man1/c_rehash.html. certDirEnv = "SSL_CERT_DIR" ) func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate, err error) { return nil, nil } func loadSystemRoots() (*CertPool, error) { roots := NewCertPool() files := certFiles if f := os.Getenv(certFileEnv); f != "" { files = []string{f} } var firstErr error for _, file := range files { data, err := os.ReadFile(file) if err == nil { roots.AppendCertsFromPEM(data) break } if firstErr == nil && !os.IsNotExist(err) { firstErr = err } } dirs := certDirectories if d := os.Getenv(certDirEnv); d != "" { // OpenSSL and BoringSSL both use ":" as the SSL_CERT_DIR separator. // See: // * https://golang.org/issue/35325 // * https://www.openssl.org/docs/man1.0.2/man1/c_rehash.html dirs = strings.Split(d, ":") } for _, directory := range dirs { fis, err := readUniqueDirectoryEntries(directory) if err != nil { if firstErr == nil && !os.IsNotExist(err) { firstErr = err } continue } for _, fi := range fis { data, err := os.ReadFile(directory + "/" + fi.Name()) if err == nil { roots.AppendCertsFromPEM(data) } } } if roots.len() > 0 || firstErr == nil { return roots, nil } return nil, firstErr } // readUniqueDirectoryEntries is like os.ReadDir but omits // symlinks that point within the directory. func readUniqueDirectoryEntries(dir string) ([]fs.DirEntry, error) { files, err := os.ReadDir(dir) if err != nil { return nil, err } uniq := files[:0] for _, f := range files { if !isSameDirSymlink(f, dir) { uniq = append(uniq, f) } } return uniq, nil } // isSameDirSymlink reports whether fi in dir is a symlink with a // target not containing a slash. func isSameDirSymlink(f fs.DirEntry, dir string) bool { if f.Type()&fs.ModeSymlink == 0 { return false } target, err := os.Readlink(filepath.Join(dir, f.Name())) return err == nil && !strings.Contains(target, "/") }