crypto/x509: new home for root fetchers; build chains using Windows API

This moves the various CA root fetchers from crypto/tls into crypto/x509.

The move was brought about by issue 2997. Windows doesn't ship with all
its root certificates, but will instead download them as-needed when using
CryptoAPI for certificate verification.

This CL changes crypto/x509 to verify a certificate using the system root
CAs when VerifyOptions.RootCAs == nil. On Windows, this verification is
now implemented using Windows's CryptoAPI. All other root fetchers are
unchanged, and still use Go's own verification code.

The CL also fixes the hostname matching logic in crypto/tls/tls.go, in
order to be able to test whether hostname mismatches are honored by the
Windows verification code.

The move to crypto/x509 also allows other packages to use the OS-provided
root certificates, instead of hiding them inside the crypto/tls package.

Fixes #2997.

R=agl, golang-dev, alex.brainman, rsc, mikkel
CC=golang-dev
https://golang.org/cl/5700087

Author: mkrautz

src/pkg/crypto/tls/common.go

@@ -198,14 +198,6 @@ func (c *Config) time() time.Time {
 	return t()
 }
 
-func (c *Config) rootCAs() *x509.CertPool {
-	s := c.RootCAs
-	if s == nil {
-		s = defaultRoots()
-	}
-	return s
-}
-
 func (c *Config) cipherSuites() []uint16 {
 	s := c.CipherSuites
 	if s == nil {
@@ -311,28 +303,16 @@ func defaultConfig() *Config {
 	return &emptyConfig
 }
 
-var once sync.Once
-
-func defaultRoots() *x509.CertPool {
-	once.Do(initDefaults)
-	return varDefaultRoots
-}
+var (
+	once                   sync.Once
+	varDefaultCipherSuites []uint16
+)
 
 func defaultCipherSuites() []uint16 {
-	once.Do(initDefaults)
+	once.Do(initDefaultCipherSuites)
 	return varDefaultCipherSuites
 }
 
-func initDefaults() {
-	initDefaultRoots()
-	initDefaultCipherSuites()
-}
-
-var (
-	varDefaultRoots        *x509.CertPool
-	varDefaultCipherSuites []uint16
-)
-
 func initDefaultCipherSuites() {
 	varDefaultCipherSuites = make([]uint16, len(cipherSuites))
 	for i, suite := range cipherSuites {

src/pkg/crypto/tls/handshake_client.go

@@ -102,7 +102,7 @@ func (c *Conn) clientHandshake() error {
 
 	if !c.config.InsecureSkipVerify {
 		opts := x509.VerifyOptions{
-			Roots:         c.config.rootCAs(),
+			Roots:         c.config.RootCAs,
 			CurrentTime:   c.config.time(),
 			DNSName:       c.config.ServerName,
 			Intermediates: x509.NewCertPool(),

src/pkg/crypto/tls/root_test.go

@@ -5,25 +5,25 @@
 package tls
 
 import (
+	"crypto/x509"
+	"runtime"
 	"testing"
 )
 
 var tlsServers = []string{
-	"google.com:443",
-	"github.com:443",
-	"twitter.com:443",
+	"google.com",
+	"github.com",
+	"twitter.com",
 }
 
 func TestOSCertBundles(t *testing.T) {
-	defaultRoots()
-
 	if testing.Short() {
 		t.Logf("skipping certificate tests in short mode")
 		return
 	}
 
 	for _, addr := range tlsServers {
-		conn, err := Dial("tcp", addr, nil)
+		conn, err := Dial("tcp", addr+":443", &Config{ServerName: addr})
 		if err != nil {
 			t.Errorf("unable to verify %v: %v", addr, err)
 			continue
@@ -34,3 +34,28 @@ func TestOSCertBundles(t *testing.T) {
 		}
 	}
 }
+
+func TestCertHostnameVerifyWindows(t *testing.T) {
+	if runtime.GOOS != "windows" {
+		return
+	}
+
+	if testing.Short() {
+		t.Logf("skipping certificate tests in short mode")
+		return
+	}
+
+	for _, addr := range tlsServers {
+		cfg := &Config{ServerName: "example.com"}
+		conn, err := Dial("tcp", addr+":443", cfg)
+		if err == nil {
+			conn.Close()
+			t.Errorf("should fail to verify for example.com: %v", addr, err)
+			continue
+		}
+		_, ok := err.(x509.HostnameError)
+		if !ok {
+			t.Errorf("error type mismatch, got: %v", err)
+		}
+	}
+}

src/pkg/crypto/tls/root_windows.go

@@ -97,7 +97,9 @@ func Dial(network, addr string, config *Config) (*Conn, error) {
 	if config == nil {
 		config = defaultConfig()
 	}
-	if config.ServerName != "" {
+	// If no ServerName is set, infer the ServerName
+	// from the hostname we're connecting to.
+	if config.ServerName == "" {
 		// Make a copy to avoid polluting argument or default.
 		c := *config
 		c.ServerName = hostname

src/pkg/crypto/tls/tls.go

@@ -0,0 +1,17 @@
+// Copyright 2012 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package x509
+
+import "sync"
+
+var (
+	once        sync.Once
+	systemRoots *CertPool
+)
+
+func systemRootsPool() *CertPool {
+	once.Do(initSystemRoots)
+	return systemRoots
+}

src/pkg/crypto/x509/root.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-package tls
+package x509
 
 /*
 #cgo CFLAGS: -mmacosx-version-min=10.6 -D__MAC_OS_X_VERSION_MAX_ALLOWED=1060
@@ -59,13 +59,14 @@ int FetchPEMRoots(CFDataRef *pemRoots) {
 }
 */
 import "C"
-import (
-	"crypto/x509"
-	"unsafe"
-)
+import "unsafe"
 
-func initDefaultRoots() {
-	roots := x509.NewCertPool()
+func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate, err error) {
+	return nil, nil
+}
+
+func initSystemRoots() {
+	roots := NewCertPool()
 
 	var data C.CFDataRef = nil
 	err := C.FetchPEMRoots(&data)
@@ -75,5 +76,5 @@ func initDefaultRoots() {
 		roots.AppendCertsFromPEM(buf)
 	}
 
-	varDefaultRoots = roots
+	systemRoots = roots
 }

src/pkg/crypto/tls/root_darwin.go renamed to src/pkg/crypto/x509/root_darwin.go

@@ -4,7 +4,12 @@
 
 // +build plan9 darwin,!cgo
 
-package tls
+package x509
 
-func initDefaultRoots() {
+func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate, err error) {
+	return nil, nil
+}
+
+func initSystemRoots() {
+	systemRoots = NewCertPool()
 }

src/pkg/crypto/tls/root_stub.go renamed to src/pkg/crypto/x509/root_stub.go

@@ -4,12 +4,9 @@
 
 // +build freebsd linux openbsd netbsd
 
-package tls
+package x509
 
-import (
-	"crypto/x509"
-	"io/ioutil"
-)
+import "io/ioutil"
 
 // Possible certificate files; stop after finding one.
 var certFiles = []string{
@@ -20,14 +17,19 @@ var certFiles = []string{
 	"/usr/local/share/certs/ca-root-nss.crt", // FreeBSD
 }
 
-func initDefaultRoots() {
-	roots := x509.NewCertPool()
+func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate, err error) {
+	return nil, nil
+}
+
+func initSystemRoots() {
+	roots := NewCertPool()
 	for _, file := range certFiles {
 		data, err := ioutil.ReadFile(file)
 		if err == nil {
 			roots.AppendCertsFromPEM(data)
 			break
 		}
 	}
-	varDefaultRoots = roots
+
+	systemRoots = roots
 }