crypto/x509: export systemRootsPool or equivilant #13335
Comments
phemmer
changed the title
|
I've been in the same position and wanted the system root store. /cc @agl for any thoughts |
|
@bradfitz @ianlancetaylor - I'm a little confused with the tags that were applied to the issue. On one hand it seems like we have no plans of solving the issue, on the other it seems like we want to solve it by Go1.7. Could you please clarify that? Thanks, |
|
We don't have meetings to coordinate these tags. I set the milestone to "unplanned", meaning that it was probably a good idea but nobody was actually working to implement it. @bradfitz set the milestone to "go1.7", meaning (I assume) that he thinks we should implement this for the 1.7 release. But somebody still has to do the work. If you want to work on this, you should do so regardless of the milestone. |
|
(I often change things from Unplanned to Go 1.7 if I want it myself and am willing to do the work if nobody else gets to it first) |
|
CL https://golang.org/cl/21293 mentions this issue. |
I frequently have the need to add a custom CA cert to a go app (both my own apps, along with third party apps I run across). Currently you can create your own
*x509.CertPooland add the CA cert to it, but now you can't verify using the system provided CAs.Since the code behind
systemRootsPoolhas a lot of os/distro-specific logic, it would be good to use this logic instead of having to copy/implement it within the app.If there is a concern about exposing this pool, and code being able to mutate it, then perhaps we could get something similar to
x509.initSystemRoots, but which would return a new copy every time it's called.Edit: After some thought, returning a new CertPool is better. As there is no way to copy a CertPool, it would otherwise be impossible to add a CA cert to the pool without the cert shared everywhere.
The text was updated successfully, but these errors were encountered: