@henvic
Last active Apr 15, 2020
TestSystemRoots results in
$ GO111MODULE=on go get golang.org/dl/gotip@latest
$ gotip download 227037
$ GODEBUG=x509roots=1 gotip test crypto/x509 -v -run TestSystemRoots
=== RUN TestSystemRoots
crypto/x509: trust settings for CN=Blue Coat Public Services Intermediate CA,OU=Symantec Trust Network,O=Blue Coat Systems\, Inc.,C=US: SecTrustSettingsCopyTrustSettings error: -25262
crypto/x509: trust settings for CN=CINRADIUS2.windows.cin.ufpe.br: 4
crypto/x509: trust settings for CN=windows-CINRADIUS2-CA: 1
crypto/x509: trust settings for CN=CINRADIUS2.windows.cin.ufpe.br: 4
crypto/x509: trust settings for CN=Charles Proxy Custom Root Certificate (built on henvic-mp.local\, 19 Oct 2015),OU=http://charlesproxy.com/ssl,O=XK72 Ltd,L=Auckland,ST=Auckland,C=NZ: 1
crypto/x509: trust settings for CN=localhost.localdomain,OU=VMware ESX Server Default Certificate,O=VMware\, Inc,L=Palo Alto,ST=California,C=US: 4
crypto/x509: trust settings for CN=localhost.localdomain,OU=Touchstone,O=ARRIS Group Inc.,ST=Georgia,C=US: 4
crypto/x509: trust settings for CN=pfSense-5e95d26d276ac,O=pfSense webConfigurator Self-Signed Certificate: 4
crypto/x509: trust settings for CN=pfSense-5e95d52001397,O=pfSense webConfigurator Self-Signed Certificate: 4
crypto/x509: trust settings for CN=openvpnas2: 4
crypto/x509: trust settings for CN=Leap Motion Local Certificate,OU=WebServices,O=Leap Motion\, Inc.,L=San Francisco,ST=California,C=US: 1
crypto/x509: trust settings for O=Government Root Certification Authority,C=TW: SecTrustSettingsCopyTrustSettings error: -25262
crypto/x509: trust settings for CN=DoD CLASS 3 Root CA,OU=DoD+OU=PKI,O=U.S. Government,C=US: SecTrustSettingsCopyTrustSettings error: -25262
crypto/x509: trust settings for CN=DoD Root CA 2,OU=DoD+OU=PKI,O=U.S. Government,C=US: SecTrustSettingsCopyTrustSettings error: -25262
crypto/x509: trust settings for CN=China Internet Network Information Center EV Certificates Root,O=China Internet Network Information Center,C=CN: SecTrustSettingsCopyTrustSettings error: -25262
crypto/x509: trust settings for CN=Federal Common Policy CA,OU=FPKI,O=U.S. Government,C=US: SecTrustSettingsCopyTrustSettings error: -25262
crypto/x509: trust settings for CN=VRK Gov. Root CA,OU=Certification Authority Services+OU=Varmennepalvelut,O=Vaestorekisterikeskus CA,ST=Finland,C=FI: SecTrustSettingsCopyTrustSettings error: -25262
crypto/x509: trust settings for CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH: SecTrustSettingsCopyTrustSettings error: -25262
crypto/x509: trust settings for CN=SwissSign Platinum CA - G2,O=SwissSign AG,C=CH: SecTrustSettingsCopyTrustSettings error: -25262
crypto/x509: trust settings for CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH: SecTrustSettingsCopyTrustSettings error: -25262
crypto/x509: trust settings for CN=SwissSign CA (RSA IK May 6 1999 18:00:58),O=SwissSign,C=CH: SecTrustSettingsCopyTrustSettings error: -25262
crypto/x509: trust settings for CN=AC Raíz Certicámara S.A.,O=Sociedad Cameral de Certificación Digital - Certicámara S.A.,C=CO: SecTrustSettingsCopyTrustSettings error: -25262
crypto/x509: trust settings for CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK: SecTrustSettingsCopyTrustSettings error: -25262
crypto/x509: trust settings for CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL: SecTrustSettingsCopyTrustSettings error: -25262
crypto/x509: trust settings for CN=Staat der Nederlanden Root CA,O=Staat der Nederlanden,C=NL: SecTrustSettingsCopyTrustSettings error: -25262
crypto/x509: trust settings for CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL: SecTrustSettingsCopyTrustSettings error: -25262
crypto/x509: trust settings for CN=CNNIC ROOT,O=CNNIC,C=CN: SecTrustSettingsCopyTrustSettings error: -25262
crypto/x509: trust settings for CN=TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı,O=(c) 2005 TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş.,L=ANKARA,C=TR: SecTrustSettingsCopyTrustSettings error: -25262
crypto/x509: trust settings for CN=TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı,O=TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Kasım 2005,L=Ankara,C=TR: SecTrustSettingsCopyTrustSettings error: -25262
crypto/x509: trust settings for CN=TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı,O=TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Aralık 2007,L=Ankara,C=TR: SecTrustSettingsCopyTrustSettings error: -25262
crypto/x509: trust settings for CN=KISA RootCA 1,OU=Korea Certification Authority Central,O=KISA,C=KR: SecTrustSettingsCopyTrustSettings error: -25262
crypto/x509: trust settings for CN=Autoridad de Certificacion Raiz del Estado Venezolano,OU=Superintendencia de Servicios de Certificacion Electronica,O=Sistema Nacional de Certificacion Electronica,L=Caracas,ST=Distrito Capital,C=VE: SecTrustSettingsCopyTrustSettings error: -25262
crypto/x509: trust settings for CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES: SecTrustSettingsCopyTrustSettings error: -25262
crypto/x509: trust settings for CN=dlv-cert: 1
crypto/x509: trust settings for CN=mkcert henvic@henvic.local (Henrique Vicente de Oliveira Pinto),OU=henvic@henvic.local (Henrique Vicente de Oliveira Pinto),O=mkcert development CA: 1
TestSystemRoots: root_darwin_test.go:23: loadSystemRoots: 339.992727ms
crypto/x509: kSecTrustSettingsResultInvalid = 0
crypto/x509: kSecTrustSettingsResultTrustRoot = 1
crypto/x509: kSecTrustSettingsResultTrustAsRoot = 2
crypto/x509: kSecTrustSettingsResultDeny = 3
crypto/x509: kSecTrustSettingsResultUnspecified = 4
crypto/x509: Leap Motion Local Certificate returned 1
crypto/x509: Government Root Certification Authority returned 4
crypto/x509: DoD CLASS 3 Root CA returned 4
crypto/x509: DoD Root CA 2 returned 4
crypto/x509: China Internet Network Information Center EV Certificates Root returned 4
crypto/x509: Federal Common Policy CA returned 4
crypto/x509: VRK Gov. Root CA returned 4
crypto/x509: SwissSign Silver CA - G2 returned 4
crypto/x509: SwissSign Platinum CA - G2 returned 4
crypto/x509: SwissSign Gold CA - G2 returned 4
crypto/x509: SwissSign CA (RSA IK May 6 1999 18:00:58) returned 4
crypto/x509: AC Raíz Certicámara S.A. returned 4
crypto/x509: Hongkong Post Root CA 1 returned 4
crypto/x509: Staat der Nederlanden EV Root CA returned 4
crypto/x509: Staat der Nederlanden Root CA returned 4
crypto/x509: Staat der Nederlanden Root CA - G2 returned 4
crypto/x509: CNNIC ROOT returned 4
crypto/x509: TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı returned 4
crypto/x509: TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı returned 4
crypto/x509: TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı returned 4
crypto/x509: KISA RootCA 1 returned 4
crypto/x509: Autoridad de Certificacion Raiz del Estado Venezolano returned 4
crypto/x509: Autoridad de Certificacion Firmaprofesional CIF A62634068 returned 4
crypto/x509: dlv-cert returned 1
crypto/x509: mkcert henvic@henvic.local (Henrique Vicente de Oliveira Pinto) returned 1
crypto/x509: Blue Coat Public Services Intermediate CA returned 4
crypto/x509: CINRADIUS2.windows.cin.ufpe.br returned 4
crypto/x509: windows-CINRADIUS2-CA returned 1
crypto/x509: CINRADIUS2.windows.cin.ufpe.br returned 4
crypto/x509: Charles Proxy Custom Root Certificate (built on henvic-mp.local, 19 Oct 2015) returned 1
crypto/x509: localhost.localdomain returned 4
crypto/x509: localhost.localdomain returned 4
crypto/x509: pfSense-5e95d26d276ac returned 4
crypto/x509: pfSense-5e95d52001397 returned 4
crypto/x509: openvpnas2 returned 4
TestSystemRoots: root_darwin_test.go:43: loadSystemRootsWithCgo: 275.270337ms
--- PASS: TestSystemRoots (0.62s)
PASS
ok crypto/x509 0.897s
See https://twitter.com/FiloSottile/status/1250218833454997504 and https://golang.org/cl/227037.
The certificates 'not present in cgo' pool is because I distrust CAs that are state actors on my system.
$ sw_vers
ProductName: Mac OS X
ProductVersion: 10.15.4
BuildVersion: 19E266
$ uname -a
Darwin henvic.local 19.4.0 Darwin Kernel Version 19.4.0: Wed Mar 4 22:28:40 PST 2020; root:xnu-6153.101.6~15/RELEASE_X86_64 x86_64
$ git rev-parse HEAD
8f53fad035ccc580859f7b063ae8be30b009a6be
$ go version
go version go1.14.1 darwin/amd64
$ go test crypto/x509 -v -run TestSystemRoots
=== RUN TestSystemRoots
TestSystemRoots: root_darwin_test.go:35: cgo sys roots: 246.508159ms
TestSystemRoots: root_darwin_test.go:36: non-cgo sys roots: 1.074184179s
TestSystemRoots: root_darwin_test.go:79: signed certificate only present in non-cgo pool (acceptable): CN=Developer ID Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
TestSystemRoots: root_darwin_test.go:118: certificate only present in cgo pool: CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH
TestSystemRoots: root_darwin_test.go:99: off-EKU certificate only present in cgo pool (acceptable): CN=dlv-cert
TestSystemRoots: root_darwin_test.go:118: certificate only present in cgo pool: CN=SwissSign Platinum CA - G2,O=SwissSign AG,C=CH
TestSystemRoots: root_darwin_test.go:118: certificate only present in cgo pool: CN=KISA RootCA 1,OU=Korea Certification Authority Central,O=KISA,C=KR
TestSystemRoots: root_darwin_test.go:118: certificate only present in cgo pool: O=Government Root Certification Authority,C=TW
TestSystemRoots: root_darwin_test.go:118: certificate only present in cgo pool: CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK
TestSystemRoots: root_darwin_test.go:118: certificate only present in cgo pool: CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL
TestSystemRoots: root_darwin_test.go:118: certificate only present in cgo pool: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES
TestSystemRoots: root_darwin_test.go:106: expired certificate only present in cgo pool (acceptable): CN=Leap Motion Local Certificate,OU=WebServices,O=Leap Motion\, Inc.,L=San Francisco,ST=California,C=US
TestSystemRoots: root_darwin_test.go:118: certificate only present in cgo pool: CN=VRK Gov. Root CA,OU=Certification Authority Services+OU=Varmennepalvelut,O=Vaestorekisterikeskus CA,ST=Finland,C=FI
TestSystemRoots: root_darwin_test.go:118: certificate only present in cgo pool: CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH
TestSystemRoots: root_darwin_test.go:118: certificate only present in cgo pool: CN=Autoridad de Certificacion Raiz del Estado Venezolano,OU=Superintendencia de Servicios de Certificacion Electronica,O=Sistema Nacional de Certificacion Electronica,L=Caracas,ST=Distrito Capital,C=VE
TestSystemRoots: root_darwin_test.go:106: expired certificate only present in cgo pool (acceptable): CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL
--- FAIL: TestSystemRoots (1.36s)
FAIL
FAIL crypto/x509 1.464s
FAIL