crypto/x509: fix mac cert error handling

Ross Peoples · Ross Peoples · commit 319d415594e9 · 2022-07-21T12:07:47.000-05:00
diff --git a/src/crypto/x509/internal/macos/security.go b/src/crypto/x509/internal/macos/security.go
@@ -201,7 +201,7 @@ func SecTrustEvaluateWithError(trustObj CFRef) error {
 	ret := syscall(abi.FuncPCABI0(x509_SecTrustEvaluateWithError_trampoline), uintptr(trustObj), uintptr(unsafe.Pointer(&errRef)), 0, 0, 0, 0)
 	if int32(ret) != 1 {
 		errStr := CFErrorCopyDescription(errRef)
-		err := fmt.Errorf("x509: %s", CFStringToString(errStr))
+		err := fmt.Errorf("%s", CFStringToString(errStr))
 		CFRelease(errRef)
 		CFRelease(errStr)
 		return err
diff --git a/src/crypto/x509/root_darwin.go b/src/crypto/x509/root_darwin.go
@@ -55,7 +55,7 @@ func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate
 	// using TLS or OCSP for that.
 
 	if err := macOS.SecTrustEvaluateWithError(trustObj); err != nil {
-		return nil, err
+		return nil, CertificateInvalidError{Reason: NotTrusted, Detail: err.Error()}
 	}
 
 	chain := [][]*Certificate{{}}
diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go
@@ -56,6 +56,10 @@ const (
 	// CANotAuthorizedForExtKeyUsage results when an intermediate or root
 	// certificate does not permit a requested extended key usage.
 	CANotAuthorizedForExtKeyUsage
+	// NotTrusted results on Macs when a certificate is not trusted. This
+	// is needed to ensure we can properly catch this condition, otherwise
+	// it simply results in an `*error.ErrorString` type.
+	NotTrusted
 )
 
 // CertificateInvalidError results when an odd error occurs. Users of this
@@ -86,6 +90,8 @@ func (e CertificateInvalidError) Error() string {
 		return "x509: issuer has name constraints but leaf doesn't have a SAN extension"
 	case UnconstrainedName:
 		return "x509: issuer has name constraints but leaf contains unknown or unconstrained name: " + e.Detail
+	case NotTrusted:
+		return "x509: " + e.Detail
 	}
 	return "x509: unknown error"
 }

Original file line number	Diff line number	Diff line change
`@@ -55,7 +55,7 @@ func (c Certificate) systemVerify(opts VerifyOptions) (chains [][]*Certificate`
`55`	`55`	`// using TLS or OCSP for that.`
`56`	`56`
`57`	`57`	`if err := macOS.SecTrustEvaluateWithError(trustObj); err != nil {`
`58`		`- return nil, err`
	`58`	`+ return nil, CertificateInvalidError{Reason: NotTrusted, Detail: err.Error()}`
`59`	`59`	`}`
`60`	`60`
`61`	`61`	`chain := [][]*Certificate{{}}`
Original file line number	Diff line number	Diff line change
`@@ -56,6 +56,10 @@ const (`
`56`	`56`	`// CANotAuthorizedForExtKeyUsage results when an intermediate or root`
`57`	`57`	`// certificate does not permit a requested extended key usage.`
`58`	`58`	`CANotAuthorizedForExtKeyUsage`
	`59`	`+ // NotTrusted results on Macs when a certificate is not trusted. This`
	`60`	`+ // is needed to ensure we can properly catch this condition, otherwise`
	`61`	+ // it simply results in an `*error.ErrorString` type.
	`62`	`+ NotTrusted`
`59`	`63`	`)`
`60`	`64`
`61`	`65`	`// CertificateInvalidError results when an odd error occurs. Users of this`
`@@ -86,6 +90,8 @@ func (e CertificateInvalidError) Error() string {`
`86`	`90`	`return "x509: issuer has name constraints but leaf doesn't have a SAN extension"`
`87`	`91`	`case UnconstrainedName:`
`88`	`92`	`return "x509: issuer has name constraints but leaf contains unknown or unconstrained name: " + e.Detail`
	`93`	`+ case NotTrusted:`
	`94`	`+ return "x509: " + e.Detail`
`89`	`95`	`}`
`90`	`96`	`return "x509: unknown error"`
`91`	`97`	`}`