crypto/x509: Verify on macOS does not return typed errors #56891
Comments
|
On @FiloSottile's advise, I am pinging him and @rolandshoemaker |
|
This will also be an issue on Windows. Probably reasonable that we should try to convert to a Go style CertificateInvalidError if we can. I know macOS does provide relatively good insight into trust failures (i.e. https://developer.apple.com/documentation/security/certificate_key_and_trust_services/trust/discovering_why_a_trust_evaluation_failed), not entirely sure about Windows (I assume there is probably something, but 🤷). |
|
Oh hah, we actually already do this on Windows 🤦. |
rolandshoemaker
added
the
NeedsFix
rolandshoemaker
changed the title
|
Change https://go.dev/cl/452620 mentions this issue: |
|
@golang/release requesting a freeze exception for this. It's a relatively minor change which simply changes error return types and as such is not very high risk, but should fix a regression that was present in 1.19 that makes macOS behave differently from all other platforms. |
rolandshoemaker
changed the title
If approved for a freeze exception, should it also be backported to 1.19 (on the same grounds)? |
@rolandshoemaker Thanks for letting us know. A freeze exception shouldn't be needed here since this looks like an unintentional bug on macOS rather than new functionality. It's relatively early in the 1.20 freeze and it seems the fix should be safe to land at this stage, so please proceed if that works well for you, otherwise leaving this for 1.21 is fine. |
dmitshur
changed the title
|
@dmitshur 👍 sounds good. |
|
@bcmills yeah I think we should probably backport it to 1.19 as well. |
|
Dmitri pointed out in chat that this constitutes an API change and as such would have to be well-justified as a backport. |
|
@gopherbot please open backport issues. This issue makes macOS behave differently from every other platform, which otherwise return consistent types for verification errors. This was an inadvertent breaking API change introduced in 1.18, and is likely causing silent issues in code that expects consistent behavior across platforms when verifying certificates. Currently working around this requires adding macOS specific code in order to catch specific verification failures. |
|
Backport issue(s) opened: #57426 (for 1.18), #57427 (for 1.19; manually opened). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases. |
|
Did mentioning 1.18 in my comment trick gopherbot into only opening an issue for 1.18? |
|
Heh, whoops, manual it is. |
|
Change https://go.dev/cl/460895 mentions this issue: |
|
Change https://go.dev/cl/460896 mentions this issue: |
… on macOS On macOS return the error code from SecTrustEvaluateWithError, and use it to create typed errors that can be returned from Verify. Updates #56891 Fixes #57426 Change-Id: Ib597ce202abb60702f730e75da583894422e4c14 Reviewed-on: https://go-review.googlesource.com/c/go/+/452620 Run-TryBot: Roland Shoemaker <roland@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> (cherry picked from commit c9a10d4) Reviewed-on: https://go-review.googlesource.com/c/go/+/460896 Reviewed-by: Carlos Amedee <carlos@golang.org> Auto-Submit: Heschi Kreinick <heschi@google.com> Reviewed-by: Heschi Kreinick <heschi@google.com> Run-TryBot: Filippo Valsorda <filippo@golang.org>
… on macOS On macOS return the error code from SecTrustEvaluateWithError, and use it to create typed errors that can be returned from Verify. Updates #56891 Fixes #57427 Change-Id: Ib597ce202abb60702f730e75da583894422e4c14 Reviewed-on: https://go-review.googlesource.com/c/go/+/452620 Run-TryBot: Roland Shoemaker <roland@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> (cherry picked from commit c9a10d4) Reviewed-on: https://go-review.googlesource.com/c/go/+/460895 Run-TryBot: Filippo Valsorda <filippo@golang.org> Reviewed-by: Heschi Kreinick <heschi@google.com> Auto-Submit: Heschi Kreinick <heschi@google.com> Reviewed-by: Carlos Amedee <carlos@golang.org>
Only falls back to macOS-specific x509 error assertion if the initial typed assertion failed. Fixes test failure when running with Go 1.20, 1.19.5 or 1.18.10 due to golang/go#56891
Only falls back to macOS-specific x509 error assertion if the initial typed assertion failed. Fixes test failure when running with Go 1.20, 1.19.5 or 1.18.10 due to golang/go#56891
Only falls back to macOS-specific x509 error assertion if the initial typed assertion failed. Fixes test failure when running with Go 1.20, 1.19.5 or 1.18.10 due to golang/go#56891
* CBG-2608: update websocket implementation * CBG-1901: Update ISGR/Blip to nhooyr.io/websocket (#5421) * Update ISGR/Blip to nhooyr.io/websocket * Fix manifest path * Update manifest for couchbasedeps compress * Bump go-blip manifest * CBG-2242: fix errors.As in tests (#5739) * errors as fix * Assert on typed x509 error first before macOS-specific fallback (#6011) Only falls back to macOS-specific x509 error assertion if the initial typed assertion failed. Fixes test failure when running with Go 1.20, 1.19.5 or 1.18.10 due to golang/go#56891 * missed dependency upgrades to json iterator, and reflect to stop panics --------- Co-authored-by: Ben Brooks <ben.brooks@couchbase.com>
What version of Go are you using (
go version)?(But the issue apparently started in 1.18)
Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (
go env)?Darwin arm64
go envOutputWhat did you do?
What did you expect to see?
I expect to see the "Certificate is expired..." output
What did you see instead?
I received this: Unwrapped error is type: *errors.errorString
The text was updated successfully, but these errors were encountered: