Commit ad641e5
cmd/docker-trust: use stdlib's x509.SystemCertPool on Windows
The `tlsconfig.SystemCertPool` utility in go-connections was added in
[docker/go-connections@55aadc3], at which time Go stdlib didn't support
system-pools ([x509.SystemCertPool]) on Windows, so an empty pool was
constructed.
Support for system pools on Windows was originally added in Go 1.8 (through
[golang/go@05471e9]), but reverted, and re-implemented in Go 1.18 (through
[golang/go@3544082]).
Go 1.18 and up now implement this, but, unlike Linux, which uses a pure-Go
implementation, certificate validation is handled by the system:
> On macOS and Windows, certificate verification is handled by system APIs,
> but the package aims to apply consistent validation rules across operating
> systems.
On macOS and Windows, x509.SystemCertPool returns an empty Pool, with the
`systemPool` set to `true` (see [loadSystemRoots]). This must be considered
an implementation detail; custom CAs can be appended to this pool, and handled
as usual.
This patch removes the special handling on Windows, removing the dependency
on go-connections for this part.
[docker/go-connections@55aadc3]: docker/go-connections@55aadc3
[golang/go@05471e9]: golang/go@05471e9
[golang/go@3544082]: golang/go@3544082
[x509.SystemCertPool]: https://pkg.go.dev/crypto/x509#SystemCertPool
[loadSystemRoots]: https://cs.opensource.google/go/go/+/refs/tags/go1.26.1:src/crypto/x509/root_windows.go;l=15-17
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
1 parent 950401c
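As an added example (not part of this commit or of the docker/cli code), the stdlib pattern the commit message describes, in Go: `rootPool` starts from `x509.SystemCertPool`, falls back to an empty pool, and appends a custom CA with `AppendCertsFromPEM`, failing when the PEM holds no certificate; `leafTrusted` then verifies a leaf against that pool, which on Windows and macOS means the OS verifier runs first and the Go verifier covers the appended roots. The `newCert` helper and the demo CA/leaf pair are constructed for this example; it assumes Go 1.20+ for `errors.Join`.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// rootPool is the stdlib pattern this commit switches to: system pool (empty but
// flagged "system" on Windows/macOS), empty-pool fallback, then the custom CA.
func rootPool(extraCAPEM []byte) (*x509.CertPool, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool()
	}
	if len(extraCAPEM) > 0 && !pool.AppendCertsFromPEM(extraCAPEM) {
		return nil, errors.New("no CA certificate found in PEM input")
	}
	return pool, nil
}

// newCert issues a throwaway in-memory cert (self-signed if parent is nil); constructed demo data, not a real CA.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, []byte, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, perr := x509.ParseCertificate(der) // also fails when der is nil
	return cert, priv, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), errors.Join(err, perr)
}

// leafTrusted reports whether leaf chains to pool; a system pool on Windows/macOS tries the OS verifier first.
func leafTrusted(leaf *x509.Certificate, pool *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}
```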
1 file changed
Lines changed: 2 additions & 2 deletions
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| 4 | 4 | |
| 5 | 5 | |
| 6 | 6 | |
| | 7 | + |
| 7 | 8 | |
| 8 | 9 | |
| 9 | 10 | |
| 10 | 11 | |
| 11 | 12 | |
| 12 | 13 | |
| 13 | | - |
| 14 | 14 | |
| 15 | 15 | |
| 16 | 16 | |
| 48 | 48 | |
| 49 | 49 | |
| 50 | 50 | |
| 51 | | - |
| | 51 | + |
| 52 | 52 | |
| 53 | 53 | |
| 54 | 54 | |
0 commit comments