From 8fd8fc9c7d4adcc0126197b47fa8f55bf621c35c Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick <brad@danga.com>
Date: Sat, 25 Apr 2020 08:03:10 -0700
Subject: [PATCH] tempfork/x509: fix build on darwin and windows

These fixes were originally in the updates to CL 229917 after
Trybots failed there.
See https://go-review.googlesource.com/c/go/+/229917/1..3
---
 tempfork/x509/root_cgo_darwin.go  |  9 +++++++--
 tempfork/x509/root_darwin_test.go | 10 ++++++----
 tempfork/x509/root_windows.go     |  6 +++++-
 3 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/tempfork/x509/root_cgo_darwin.go b/tempfork/x509/root_cgo_darwin.go
index 784470bb3..887b602d1 100644
--- a/tempfork/x509/root_cgo_darwin.go
+++ b/tempfork/x509/root_cgo_darwin.go
@@ -305,8 +305,13 @@ func loadSystemRoots() (*CertPool, error) {
 	untrustedRoots.AppendCertsFromPEM(buf)
 
 	trustedRoots := NewCertPool()
-	for _, c := range roots.certs {
-		if !untrustedRoots.contains(c) {
+	for i := 0; i < roots.len(); i++ {
+		c := roots.mustCert(i)
+		contains, err := untrustedRoots.contains(c)
+		if err != nil {
+			return nil, err
+		}
+		if !contains {
 			trustedRoots.AddCert(c)
 		}
 	}
diff --git a/tempfork/x509/root_darwin_test.go b/tempfork/x509/root_darwin_test.go
index bd14d34b9..df5235755 100644
--- a/tempfork/x509/root_darwin_test.go
+++ b/tempfork/x509/root_darwin_test.go
@@ -40,7 +40,7 @@ func TestSystemRoots(t *testing.T) {
 	// with extra certs?) Other OS X users report 135, 142, 145...
 	// Let's try requiring at least 100, since this is just a sanity
 	// check.
-	if want, have := 100, len(sysRoots.certs); have < want {
+	if want, have := 100, sysRoots.len(); have < want {
 		t.Errorf("want at least %d system roots, have %d", want, have)
 	}
 
@@ -56,11 +56,13 @@ func TestSystemRoots(t *testing.T) {
 	allCerts.AppendCertsFromPEM(out)
 
 	// Check that the two cert pools are the same.
-	sysPool := make(map[string]*Certificate, len(sysRoots.certs))
-	for _, c := range sysRoots.certs {
+	sysPool := make(map[string]*Certificate, sysRoots.len())
+	for i := 0; i < sysRoots.len(); i++ {
+		c := sysRoots.mustCert(i)
 		sysPool[string(c.Raw)] = c
 	}
-	for _, c := range execRoots.certs {
+	for i := 0; i < execRoots.len(); i++ {
+		c := execRoots.mustCert(i)
 		if _, ok := sysPool[string(c.Raw)]; ok {
 			delete(sysPool, string(c.Raw))
 		} else {
diff --git a/tempfork/x509/root_windows.go b/tempfork/x509/root_windows.go
index 34d585318..f98728179 100644
--- a/tempfork/x509/root_windows.go
+++ b/tempfork/x509/root_windows.go
@@ -38,7 +38,11 @@ func createStoreContext(leaf *Certificate, opts *VerifyOptions) (*syscall.CertCo
 	}
 
 	if opts.Intermediates != nil {
-		for _, intermediate := range opts.Intermediates.certs {
+		for i := 0; i < opts.Intermediates.len(); i++ {
+			intermediate, err := opts.Intermediates.cert(i)
+			if err != nil {
+				return nil, err
+			}
 			ctx, err := syscall.CertCreateCertificateContext(syscall.X509_ASN_ENCODING|syscall.PKCS_7_ASN_ENCODING, &intermediate.Raw[0], uint32(len(intermediate.Raw)))
 			if err != nil {
 				return nil, err