Cert 1: mkcert development CA
Number of trust settings : 0
CL 104735 is an incomplete fix, because if trustSettings are present but don't have a kSecTrustSettingsResult value, it defaults to trustRoot. So it will omit the following certificate.
Cert 1: mkcert development CA
Number of trust settings : 1
Trust Setting 0:
Policy OID : SSL
The nocgo path, on the other hand, asks security verify-cert to use the default verification policy, basic, so it will omit the following certificate.
Cert 1: mkcert development CA
Number of trust settings : 1
Trust Setting 0:
Policy OID : SSL
Result Type : kSecTrustSettingsResultTrustRoot
Finally, the cgo path is checking if any policy (ssl or any other explicitly set) has a kSecTrustSettingsResult value (ignoring the defaults, see above), with the last one in the array winning, omitting the following certificate (!!).
Cert 1: mkcert development CA
Number of trust settings : 2
Trust Setting 0:
Policy OID : SSL
Result Type : kSecTrustSettingsResultTrustRoot
Trust Setting 1:
Policy OID : Code Signing
Result Type : kSecTrustSettingsResultDeny
And I didn't even get into allowed errors.
It's fairly late in the freeze, but I'm inclined to fix these, and maybe even backport them, because ignoring the policy types can lead to inclusion of roots that are not supposed to be trusted for TLS, and although crypto/x509 is not TLS-specific, it is meant to serve the WebPKI. @agl agree?
@gopherbot please open the backport tracking issues.
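As an added example (not code from this issue, from crypto/x509 or from mkcert), the following Python evaluator parses a constructed `security dump-trust-settings` listing that reproduces the three certificates above and contrasts a policy-aware SSL trust check with the policy-blind "last setting in the array wins" logic described above; the empty-settings-means-trust-root rule comes from the Security framework documentation.

```python
# Constructed sample in the layout of `security dump-trust-settings -d`, not a real capture.
SAMPLE_DUMP = """\
Cert 1: mkcert development CA
Number of trust settings : 0
Cert 2: mkcert development CA
Number of trust settings : 1
Trust Setting 0:
Policy OID : SSL
Cert 3: mkcert development CA
Number of trust settings : 2
Trust Setting 0:
Policy OID : SSL
Result Type : kSecTrustSettingsResultTrustRoot
Trust Setting 1:
Policy OID : Code Signing
Result Type : kSecTrustSettingsResultDeny
"""
TRUST_ROOT = "kSecTrustSettingsResultTrustRoot"
TRUSTED = {TRUST_ROOT, "kSecTrustSettingsResultTrustAsRoot"}

def parse_dump(text):
    """Map 'Cert N' -> list of {policy, result} dicts; keys the dump omits stay absent."""
    certs, settings = {}, None
    for line in text.splitlines():
        key, _, value = (p.strip() for p in line.partition(":"))
        if key.startswith("Cert "):
            settings = certs[key] = []
        elif key == "Policy OID":          # each "Trust Setting N:" block opens with its policy
            settings.append({"policy": value})
        elif key == "Result Type":
            settings[-1]["result"] = value
    return certs

def trusted_for_ssl(settings):
    """Policy-aware check: only SSL-scoped (or policy-less) settings count for TLS."""
    if not settings:                       # empty array: trust root for every policy
        return True
    # A missing Result Type defaults to TrustRoot, as the issue describes.
    results = [s.get("result", TRUST_ROOT) for s in settings if s.get("policy", "SSL") == "SSL"]
    if "kSecTrustSettingsResultDeny" in results:   # an SSL-scoped deny overrides any trust
        return False
    return any(r in TRUSTED for r in results)

def last_setting_wins(settings):
    """The policy-blind logic the issue describes: no defaults, last explicit Result Type wins."""
    result = None
    for s in settings:                     # a Code Signing deny wrongly knocks out the SSL root
        result = s.get("result", result)
    return result in TRUSTED
```

Cert 3 is the case flagged with "(!!)": the policy-aware check keeps it for TLS, while the last-setting-wins logic drops it because of the Code Signing deny.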
@FiloSottile requested issue #24652 to be considered for backport to the next 1.9 minor release.