mirror of https://github.com/golang/go.git
3357daa96e
Piping into security verify-cert only worked on macOS Sierra, and was flaky for unknown reasons. Users reported that the number of trusted root certs stopped randomly jumping around once they switched to using verify-cert against files on disk instead of /dev/stdin. But even using "security verify-cert" on 150-200 certs took too long. It took 3.5 seconds on my machine. More than 4 goroutines hitting verify-cert didn't help much, and soon started to hurt instead. New strategy, from comments in the code: // 1. Run "security trust-settings-export" and "security // trust-settings-export -d" to discover the set of certs with some // user-tweaked trusy policy. We're too lazy to parse the XML (at // least at this stage of Go 1.8) to understand what the trust // policy actually is. We just learn that there is _some_ policy. // // 2. Run "security find-certificate" to dump the list of system root // CAs in PEM format. // // 3. For each dumped cert, conditionally verify it with "security // verify-cert" if that cert was in the set discovered in Step 1. // Without the Step 1 optimization, running "security verify-cert" // 150-200 times takes 3.5 seconds. With the optimization, the // whole process takes about 180 milliseconds with 1 untrusted root // CA. (Compared to 110ms in the cgo path) Fixes #18203 Change-Id: I4e9c11fa50d0273c615382e0d8f9fd03498d4cb4 Reviewed-on: https://go-review.googlesource.com/34389 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org> Reviewed-by: Quentin Smith <quentin@golang.org> |
||
|---|---|---|
| .. | ||
| archive | ||
| bufio | ||
| builtin | ||
| bytes | ||
| cmd | ||
| compress | ||
| container | ||
| context | ||
| crypto | ||
| database/sql | ||
| debug | ||
| encoding | ||
| errors | ||
| expvar | ||
| flag | ||
| fmt | ||
| go | ||
| hash | ||
| html | ||
| image | ||
| index/suffixarray | ||
| internal | ||
| io | ||
| log | ||
| math | ||
| mime | ||
| net | ||
| os | ||
| path | ||
| plugin | ||
| reflect | ||
| regexp | ||
| runtime | ||
| sort | ||
| strconv | ||
| strings | ||
| sync | ||
| syscall | ||
| testing | ||
| text | ||
| time | ||
| unicode | ||
| unsafe | ||
| vendor/golang_org/x | ||
| Make.dist | ||
| all.bash | ||
| all.bat | ||
| all.rc | ||
| androidtest.bash | ||
| bootstrap.bash | ||
| buildall.bash | ||
| clean.bash | ||
| clean.bat | ||
| clean.rc | ||
| cmp.bash | ||
| iostest.bash | ||
| make.bash | ||
| make.bat | ||
| make.rc | ||
| naclmake.bash | ||
| nacltest.bash | ||
| race.bash | ||
| race.bat | ||
| run.bash | ||
| run.bat | ||
| run.rc | ||