
net/bakedroots: add LetsEncrypt ISRG Root X2

Updates #14690

Change-Id: Ib85e318d48450fc6534f7b0c1d4cc4335de7c0ff
Signed-off-by: Brad Fitzpatrick <[email protected]>
Brad Fitzpatrick há 1 ano atrás
pai
commit
042ed6bf69
2 ficheiros alterados com 48 adições e 4 exclusões
  1. 28 1
      net/bakedroots/bakedroots.go
  2. 20 3
      net/bakedroots/bakedroots_test.go

+ 28 - 1
net/bakedroots/bakedroots.go

@@ -16,7 +16,12 @@ import (
 //
 // As of 2025-01-21, this includes only the LetsEncrypt ISRG Root X1 root.
 func Get() *x509.CertPool {
-	roots.once.Do(func() { roots.parsePEM([]byte(letsEncryptX1)) })
+	roots.once.Do(func() {
+		roots.parsePEM(append(
+			[]byte(letsEncryptX1),
+			letsEncryptX2...,
+		))
+	})
 	return roots.p
 }
 
@@ -120,3 +125,25 @@ mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
 emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
 -----END CERTIFICATE-----
 `
+
+// letsEncryptX2 is the ISRG Root X2.
+//
+// Subject: O = Internet Security Research Group, CN = ISRG Root X2
+// Key type: ECDSA P-384
+// Validity: until 2035-09-04 (generated 2020-09-04)
+const letsEncryptX2 = `
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+`
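Review bot: The doc comment on `Get` at L24 is now stale — it still says the pool "includes only the LetsEncrypt ISRG Root X1 root" while the new `once.Do` body feeds both `letsEncryptX1` and `letsEncryptX2` to `parsePEM`; it should read `// As of 2025-01-21, this includes the LetsEncrypt ISRG Root X1 and ISRG Root X2 roots.` (that comment starts before the hunk). Separately, the `Validity: until 2035-09-04` line on the new `letsEncryptX2` constant does not match the expiry Let's Encrypt publishes for the self-signed X2 root (2040-09-17, as I recall); the PEM body is not visible here, so confirm with `openssl x509 -noout -dates` against the embedded certificate and correct the comment, since a wrong expiry in a baked-roots file is exactly what someone will trust when planning the next rotation. The concatenation works only because `letsEncryptX1` ends in a newline and `letsEncryptX2` starts with one; a one-line note on the append, `// both constants are newline-delimited, so plain concatenation yields valid PEM`, would stop a future edit from breaking the parse silently.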

+ 20 - 3
net/bakedroots/bakedroots_test.go

@@ -3,13 +3,30 @@
 
 package bakedroots
 
-import "testing"
+import (
+	"slices"
+	"testing"
+)
 
 func TestBakedInRoots(t *testing.T) {
 	ResetForTest(t, nil)
 	p := Get()
 	got := p.Subjects()
-	if len(got) != 1 {
-		t.Errorf("subjects = %v; want 1", len(got))
+	if len(got) != 2 {
+		t.Errorf("subjects = %v; want 2", len(got))
+	}
+
+	// TODO(bradfitz): is there a way to easily make this test prettier without
+	// writing a DER decoder? I'm not seeing how.
+	var name []string
+	for _, der := range got {
+		name = append(name, string(der))
+	}
+	want := []string{
+		"0O1\v0\t\x06\x03U\x04\x06\x13\x02US1)0'\x06\x03U\x04\n\x13 Internet Security Research Group1\x150\x13\x06\x03U\x04\x03\x13\fISRG Root X1",
+		"0O1\v0\t\x06\x03U\x04\x06\x13\x02US1)0'\x06\x03U\x04\n\x13 Internet Security Research Group1\x150\x13\x06\x03U\x04\x03\x13\fISRG Root X2",
+	}
+	if !slices.Equal(name, want) {
+		t.Errorf("subjects = %q; want %q", name, want)
 	}
 }
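Review bot: The hard-coded DER subject strings at L80-L81 are opaque and brittle, and the TODO at L73 can be answered without a DER decoder: `encoding/asn1` can unmarshal each subject into a `pkix.RDNSequence`, and `pkix.Name.FillFromRDNSequence` plus `Name.String()` yields a readable RFC 2253 form, both stdlib. This keeps the test meaningful to a reader and still fails if a root is dropped, duplicated or swapped. Note also that `CertPool.Subjects` is marked deprecated in `crypto/x509`; it is fine for a pool built by hand as here, but a comment saying so would pre-empt the staticcheck warning. The `import` block would gain `crypto/x509/pkix` and `encoding/asn1`.
```go
	var name []string
	for _, der := range got {
		var seq pkix.RDNSequence
		if rest, err := asn1.Unmarshal(der, &seq); err != nil || len(rest) != 0 {
			t.Fatalf("parsing subject %x: %v", der, err)
		}
		var n pkix.Name
		n.FillFromRDNSequence(&seq)
		name = append(name, n.String())
	}
	want := []string{
		"CN=ISRG Root X1,O=Internet Security Research Group,C=US",
		"CN=ISRG Root X2,O=Internet Security Research Group,C=US",
	}
	// … unchanged: slices.Equal comparison and t.Errorf …
```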