crypto/x509: change how we retrieve chains on darwin

Instead of using the deprecated SecTrustGetCertificateAtIndex and
SecTrustGetCertificateCount method, use the SecTrustCopyCertificateChain
method.

This method require macOS 12+, which will be the minimum supported
version in 1.25.

Change-Id: I9a5ef75431cdb84f1cbe4eee47e6e9e2da4dea03
Reviewed-on: https://go-review.googlesource.com/c/go/+/654376
Reviewed-by: David Chase <drchase@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>

src/crypto/x509/internal/macos/security.go

@@ -122,25 +122,6 @@ func SecTrustEvaluateWithError(trustObj CFRef) (int, error) {
 }
 func x509_SecTrustEvaluateWithError_trampoline()
 
-//go:cgo_import_dynamic x509_SecTrustGetCertificateCount SecTrustGetCertificateCount "/System/Library/Frameworks/Security.framework/Versions/A/Security"
-
-func SecTrustGetCertificateCount(trustObj CFRef) int {
-	ret := syscall(abi.FuncPCABI0(x509_SecTrustGetCertificateCount_trampoline), uintptr(trustObj), 0, 0, 0, 0, 0)
-	return int(ret)
-}
-func x509_SecTrustGetCertificateCount_trampoline()
-
-//go:cgo_import_dynamic x509_SecTrustGetCertificateAtIndex SecTrustGetCertificateAtIndex "/System/Library/Frameworks/Security.framework/Versions/A/Security"
-
-func SecTrustGetCertificateAtIndex(trustObj CFRef, i int) (CFRef, error) {
-	ret := syscall(abi.FuncPCABI0(x509_SecTrustGetCertificateAtIndex_trampoline), uintptr(trustObj), uintptr(i), 0, 0, 0, 0)
-	if ret == 0 {
-		return 0, OSStatus{"SecTrustGetCertificateAtIndex", int32(ret)}
-	}
-	return CFRef(ret), nil
-}
-func x509_SecTrustGetCertificateAtIndex_trampoline()
-
 //go:cgo_import_dynamic x509_SecCertificateCopyData SecCertificateCopyData "/System/Library/Frameworks/Security.framework/Versions/A/Security"
 
 func SecCertificateCopyData(cert CFRef) ([]byte, error) {
@@ -153,3 +134,14 @@ func SecCertificateCopyData(cert CFRef) ([]byte, error) {
 	return b, nil
 }
 func x509_SecCertificateCopyData_trampoline()
+
+//go:cgo_import_dynamic x509_SecTrustCopyCertificateChain SecTrustCopyCertificateChain "/System/Library/Frameworks/Security.framework/Versions/A/Security"
+
+func SecTrustCopyCertificateChain(trustObj CFRef) (CFRef, error) {
+	ret := syscall(abi.FuncPCABI0(x509_SecTrustCopyCertificateChain_trampoline), uintptr(trustObj), 0, 0, 0, 0, 0)
+	if ret == 0 {
+		return 0, OSStatus{"SecTrustCopyCertificateChain", int32(ret)}
+	}
+	return CFRef(ret), nil
+}
+func x509_SecTrustCopyCertificateChain_trampoline()

src/crypto/x509/internal/macos/security.s

@@ -21,9 +21,7 @@ TEXT ·x509_SecTrustEvaluate_trampoline(SB),NOSPLIT,$0-0
 	JMP x509_SecTrustEvaluate(SB)
 TEXT ·x509_SecTrustEvaluateWithError_trampoline(SB),NOSPLIT,$0-0
 	JMP x509_SecTrustEvaluateWithError(SB)
-TEXT ·x509_SecTrustGetCertificateCount_trampoline(SB),NOSPLIT,$0-0
-	JMP x509_SecTrustGetCertificateCount(SB)
-TEXT ·x509_SecTrustGetCertificateAtIndex_trampoline(SB),NOSPLIT,$0-0
-	JMP x509_SecTrustGetCertificateAtIndex(SB)
 TEXT ·x509_SecCertificateCopyData_trampoline(SB),NOSPLIT,$0-0
 	JMP x509_SecCertificateCopyData(SB)
+TEXT ·x509_SecTrustCopyCertificateChain_trampoline(SB),NOSPLIT,$0-0
+	JMP x509_SecTrustCopyCertificateChain(SB)

src/crypto/x509/root_darwin.go

@@ -73,12 +73,13 @@ func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate
 	}
 
 	chain := [][]*Certificate{{}}
-	numCerts := macOS.SecTrustGetCertificateCount(trustObj)
-	for i := 0; i < numCerts; i++ {
-		certRef, err := macOS.SecTrustGetCertificateAtIndex(trustObj, i)
-		if err != nil {
-			return nil, err
-		}
+	chainRef, err := macOS.SecTrustCopyCertificateChain(trustObj)
+	if err != nil {
+		return nil, err
+	}
+	defer macOS.CFRelease(chainRef)
+	for i := 0; i < macOS.CFArrayGetCount(chainRef); i++ {
+		certRef := macOS.CFArrayGetValueAtIndex(chainRef, i)
 		cert, err := exportCertificate(certRef)
 		if err != nil {
 			return nil, err