package certifi
import (
"crypto/x509"
"os"
)
// underYaMake is a build-flavor switch consulted by forceSystem: when it is
// false and no internal CAs are bundled, NewCertPool defaults to the system
// trust store instead of the bundled one. It is compiled in as true here;
// presumably another build of this package (outside ya make) sets it to
// false — TODO confirm against the build configuration.
var (
	underYaMake = true
)
// NewCertPool returns the trust store this package recommends: by default a
// fresh pool holding only the bundled CAs (common + internal); when
// forceSystem reports that the system store was requested, a copy of the
// system pool extended with those same bundled CAs.
//
// Default behavior can be modified with env variable, e.g. use system pool:
//
//	CERTIFI_USE_SYSTEM_CA=yes ./my-cool-program
//
// Because the selection is driven by the process environment, whoever
// controls the environment of the program can switch which set of roots is
// trusted.
func NewCertPool() (caCertPool *x509.CertPool, err error) {
	if !forceSystem() {
		return NewCertPoolBundled()
	}
	return NewCertPoolSystem()
}
// NewCertPoolSystem returns a copy of the system cert pool extended with the
// common CAs and the internal CAs bundled in this package.
//
// The returned error is always nil. If x509.SystemCertPool fails or yields a
// nil pool, the function silently degrades to an empty pool, so only the
// bundled CAs end up trusted — callers cannot tell through this API whether
// the OS trust store was actually loaded. The fallback exists because on Go
// releases before 1.18 the system pool was unavailable on Windows.
func NewCertPoolSystem() (caCertPool *x509.CertPool, err error) {
	pool, sysErr := x509.SystemCertPool()
	if sysErr != nil || pool == nil {
		// Best-effort: fall back to bundled CAs only rather than failing.
		pool = x509.NewCertPool()
	}
	for _, ca := range CommonCAs() {
		pool.AddCert(ca)
	}
	for _, ca := range InternalCAs() {
		pool.AddCert(ca)
	}
	return pool, nil
}
// NewCertPoolBundled returns a fresh cert pool holding only the CAs compiled
// into this package: the common CAs followed by the internal CAs. The OS
// trust store is deliberately not consulted, so the resulting root set is
// fully determined at build time. The returned error is always nil.
func NewCertPoolBundled() (caCertPool *x509.CertPool, err error) {
	pool := x509.NewCertPool()
	for _, ca := range CommonCAs() {
		pool.AddCert(ca)
	}
	for _, ca := range InternalCAs() {
		pool.AddCert(ca)
	}
	return pool, nil
}
// NewCertPoolInternal returns a fresh cert pool containing only the internal
// CAs bundled in this package — neither the common public CAs nor the OS
// trust store are included, which makes it suitable for verifying peers that
// must present an internally issued certificate. The returned error is always
// nil.
func NewCertPoolInternal() (caCertPool *x509.CertPool, err error) {
	pool := x509.NewCertPool()
	for _, ca := range InternalCAs() {
		pool.AddCert(ca)
	}
	return pool, nil
}
// forceSystem reports whether NewCertPool should prefer the system trust
// store. That is the case when the CERTIFI_USE_SYSTEM_CA environment variable
// is exactly "yes" (other spellings such as "1" or "true" are ignored), or
// when the package was not built under ya make and no internal CAs are
// bundled. Since it reads the process environment, the choice of trust roots
// can be influenced by whoever controls that environment.
func forceSystem() bool {
	switch {
	case os.Getenv("CERTIFI_USE_SYSTEM_CA") == "yes":
		return true
	case underYaMake:
		return false
	default:
		// Not under ya make: only the absence of bundled internal CAs
		// triggers the system store.
		return len(InternalCAs()) == 0
	}
}