crypto/x509: Verify on macOS does not return typed errors

[wneessen]

What version of Go are you using (go version)?

$ go version
go version go1.19.3 darwin/arm64

(But the issue apparently started in 1.18)

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

Darwin arm64

go env Output

$ go env
GO111MODULE=""

GOARCH="arm64"

GOBIN=""

GOCACHE="/Users/wneessen/Library/Caches/go-build"

GOENV="/Users/wneessen/Library/Application Support/go/env"

GOEXE=""

GOEXPERIMENT=""

GOFLAGS=""

GOHOSTARCH="arm64"

GOHOSTOS="darwin"

GOINSECURE=""

GOMODCACHE="/Users/wneessen/go/pkg/mod"

GONOPROXY=""

GONOSUMDB=""

GOOS="darwin"

GOPATH="/Users/wneessen/go"

GOPRIVATE=""

GOPROXY="https://proxy.golang.org,direct"

GOROOT="/opt/homebrew/Cellar/go/1.19.3/libexec"

GOSUMDB="sum.golang.org"

GOTMPDIR=""

GOTOOLDIR="/opt/homebrew/Cellar/go/1.19.3/libexec/pkg/tool/darwin_arm64"

GOVCS=""

GOVERSION="go1.19.3"

GCCGO="gccgo"

AR="ar"

CC="clang"

CXX="clang++"

CGO_ENABLED="1"

GOMOD="/Users/wneessen/go/src/dev-to-example/go.mod"

GOWORK=""

CGO_CFLAGS="-g -O2"

CGO_CPPFLAGS=""

CGO_CXXFLAGS="-g -O2"

CGO_FFLAGS="-g -O2"

CGO_LDFLAGS="-g -O2"

PKG_CONFIG="pkg-config"

GOGCCFLAGS="-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/lw/f2psdp2s5fg4z_jw0q58rdgm0000gn/T/go-build119423787=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

package main

import (
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"reflect"
)

func main() {
	_, err := http.Get("https://expired.badssl.com/")
	if err != nil {
		switch {
		case errors.As(err, &x509.CertificateInvalidError{Reason: x509.Expired}):
			fmt.Printf("Certificate is expired...\n")
		default:
			if ue, ok := err.(*url.Error); ok {
				fmt.Printf("Unwrapped error is type: %s\n", reflect.TypeOf(ue.Err))
			}
		}
	}
}

What did you expect to see?

I expect to see the "Certificate is expired..." output

What did you see instead?

I received this: Unwrapped error is type: *errors.errorString

[wneessen]

On @FiloSottile's advise, I am pinging him and @rolandshoemaker

[rolandshoemaker]

This will also be an issue on Windows.

Probably reasonable that we should try to convert to a Go style CertificateInvalidError if we can. I know macOS does provide relatively good insight into trust failures (i.e. https://developer.apple.com/documentation/security/certificate_key_and_trust_services/trust/discovering_why_a_trust_evaluation_failed), not entirely sure about Windows (I assume there is probably something, but 🤷).

[rolandshoemaker]

Oh hah, we actually already do this on Windows 🤦.

[gopherbot]

Change https://go.dev/cl/452620 mentions this issue: crypto/x509: return typed verification errors on macOS

[rolandshoemaker]

@golang/release requesting a freeze exception for this. It's a relatively minor change which simply changes error return types and as such is not very high risk, but should fix a regression that was present in 1.19 that makes macOS behave differently from all other platforms.

[bcmills]

should fix a regression that was present in 1.19 that makes macOS behave differently from all other platforms.

If approved for a freeze exception, should it also be backported to 1.19 (on the same grounds)?

[dmitshur]

@golang/release requesting a freeze exception for this.

@rolandshoemaker Thanks for letting us know. A freeze exception shouldn't be needed here since this looks like an unintentional bug on macOS rather than new functionality. It's relatively early in the 1.20 freeze and it seems the fix should be safe to land at this stage, so please proceed if that works well for you, otherwise leaving this for 1.21 is fine.

[rolandshoemaker]

@dmitshur 👍 sounds good.

[rolandshoemaker]

@bcmills yeah I think we should probably backport it to 1.19 as well.

[heschi]

Dmitri pointed out in chat that this constitutes an API change and as such would have to be well-justified as a backport.

[rolandshoemaker]

@gopherbot please open backport issues. This issue makes macOS behave differently from every other platform, which otherwise return consistent types for verification errors. This was an inadvertent breaking API change introduced in 1.18, and is likely causing silent issues in code that expects consistent behavior across platforms when verifying certificates. Currently working around this requires adding macOS specific code in order to catch specific verification failures.

[gopherbot]

Backport issue(s) opened: #57426 (for 1.18), #57427 (for 1.19; manually opened).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[rolandshoemaker]

Did mentioning 1.18 in my comment trick gopherbot into only opening an issue for 1.18?

[dmitshur]

Yes, unfortunately (see #27489 and #25574). You'll need to make a 1.19 copy manually.

[rolandshoemaker]

Heh, whoops, manual it is.

[gopherbot]

Change https://go.dev/cl/460895 mentions this issue: [release-branch.go1.19] crypto/x509: return typed verification errors on macOS

[gopherbot]

Change https://go.dev/cl/460896 mentions this issue: [release-branch.go1.18] crypto/x509: return typed verification errors on macOS