crypto/x509: keep iOS certs compressed in memory, lazily uncompress as needed

This is the Go 1.15 re-do of:
51e4cb9
ed719f7
bb0583b

Author: bradfitz

src/crypto/x509/cert_pool.go

@@ -143,12 +143,9 @@ func (s *CertPool) AddCert(cert *Certificate) {
 	if cert == nil {
 		panic("adding nil Certificate to CertPool")
 	}
-	err := s.addCertFunc(sha256.Sum224(cert.Raw), string(cert.RawSubject), string(cert.SubjectKeyId), func() (*Certificate, error) {
+	s.addCertFunc(sha256.Sum224(cert.Raw), string(cert.RawSubject), string(cert.SubjectKeyId), func() (*Certificate, error) {
 		return cert, nil
 	})
-	if err != nil {
-		panic(err.Error())
-	}
 }
 
 // addCertFunc adds metadata about a certificate to a pool, along with
@@ -157,25 +154,31 @@ func (s *CertPool) AddCert(cert *Certificate) {
 // The rawSubject is Certificate.RawSubject and must be non-empty.
 // The subjectKeyID is Certificate.SubjectKeyId and may be empty.
 // The getCert func may be called 0 or more times.
-func (s *CertPool) addCertFunc(rawSum224 sum224, rawSubject, subjectKeyID string, getCert func() (*Certificate, error)) error {
+func (s *CertPool) addCertFunc(rawSum224 sum224, rawSubject, subjectKeyID string, getCert func() (*Certificate, error)) {
 	if getCert == nil {
 		panic("getCert can't be nil")
 	}
 
 	// Check that the certificate isn't being added twice.
 	if s.haveSum[rawSum224] {
-		return nil
+		return
 	}
-	n := len(s.getCert)
 	s.haveSum[rawSum224] = true
+	s.addCertFuncNotDup(rawSubject, subjectKeyID, getCert)
+}
+
+func (s *CertPool) addCertFuncNotDup(rawSubject, subjectKeyID string, getCert func() (*Certificate, error)) {
+	if getCert == nil {
+		panic("getCert can't be nil")
+	}
+	n := len(s.getCert)
 	s.getCert = append(s.getCert, getCert)
 
 	if subjectKeyID != "" {
 		s.bySubjectKeyId[subjectKeyID] = append(s.bySubjectKeyId[subjectKeyID], n)
 	}
 	s.byName[rawSubject] = append(s.byName[rawSubject], n)
 	s.rawSubjects = append(s.rawSubjects, []byte(rawSubject))
-	return nil
 }
 
 // AppendCertsFromPEM attempts to parse a series of PEM encoded certificates.

src/crypto/x509/root_darwin_arm64.go renamed to src/crypto/x509/certs.pem

@@ -1,25 +1,3 @@
-// Code generated by root_darwin_arm64_gen.go; DO NOT EDIT.
-
-//go:generate go run root_darwin_arm64_gen.go -output root_darwin_arm64.go
-
-// +build !x509omitbundledroots
-
-package x509
-
-func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate, err error) {
-	return nil, nil
-}
-
-// loadSystemRootsWithCgo is not available on iOS.
-var loadSystemRootsWithCgo func() (*CertPool, error)
-
-func loadSystemRoots() (*CertPool, error) {
-	p := NewCertPool()
-	p.AppendCertsFromPEM([]byte(systemRootsPEM))
-	return p, nil
-}
-
-const systemRootsPEM = `
 -----BEGIN CERTIFICATE-----
 MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEb
 MBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRow
@@ -4313,4 +4291,3 @@ IR9NmXmd4c8nnxCbHIgNsIpkQTG4DmyQJKSbXHGPurt+HBvbaoAPIbzp26a3QPSy
 i6mx5O+aGtA9aZnuqCij4Tyz8LIRnM98QObd50N9otg6tamN8jSZxNQQ4Qb9CYQQ
 O+7ETPTsJ3xCwnR8gooJybQDJbw=
 -----END CERTIFICATE-----
-`

src/crypto/x509/root_darwin_arm64_gen.go

@@ -48,8 +48,8 @@ func TestSystemRoots(t *testing.T) {
 		c := sysRoots.mustCert(i)
 		sysPool[string(c.Raw)] = c
 	}
-	for i := 0; i < execRoots.len(); i++ {
-		c := execRoots.mustCert(i)
+	for i := 0; i < cgoRoots.len(); i++ {
+		c := cgoRoots.mustCert(i)
 		if _, ok := sysPool[string(c.Raw)]; ok {
 			delete(sysPool, string(c.Raw))
 		} else {