Merge pull request #150 from thaJeztah/deprecate_SystemCertPool

thaJeztah · web-flow · commit 894d811275c2 · 2026-03-25T13:21:02.000+01:00
Deprecate tlsconfig.SystemCertPool
diff --git a/tlsconfig/certpool.go b/tlsconfig/certpool.go
@@ -1,16 +1,12 @@
 package tlsconfig
 
-import (
-	"crypto/x509"
-	"runtime"
-)
+import "crypto/x509"
 
-// SystemCertPool returns a copy of the system cert pool,
-// returns an error if failed to load or empty pool on windows.
+// SystemCertPool returns a copy of the system cert pool.
+//
+// Deprecated: use [x509.SystemCertPool] instead.
+//
+//go:fix inline
 func SystemCertPool() (*x509.CertPool, error) {
-	certpool, err := x509.SystemCertPool()
-	if err != nil && runtime.GOOS == "windows" {
-		return x509.NewCertPool(), nil
-	}
-	return certpool, err
+	return x509.SystemCertPool()
 }
diff --git a/tlsconfig/config.go b/tlsconfig/config.go
@@ -86,7 +86,7 @@ func certPool(caFile string, exclusivePool bool) (*x509.CertPool, error) {
 	if exclusivePool {
 		pool = x509.NewCertPool()
 	} else {
-		pool, err = SystemCertPool()
+		pool, err = x509.SystemCertPool()
 		if err != nil {
 			return nil, fmt.Errorf("failed to read system certificates: %v", err)
 		}
diff --git a/tlsconfig/config_test.go b/tlsconfig/config_test.go
@@ -183,9 +183,9 @@ func TestConfigServerTLSClientCASet(t *testing.T) {
 	if tlsConfig.ClientAuth != tls.VerifyClientCertIfGiven {
 		t.Fatal("ClientAuth was not set to what was in the options")
 	}
-	basePool, err := SystemCertPool()
+	basePool, err := x509.SystemCertPool()
 	if err != nil {
-		basePool = x509.NewCertPool()
+		t.Fatal("Failed to get SystemCertPool", err)
 	}
 	// because we are not enabling `ExclusiveRootPools`, any root pool will also contain the system roots
 	if tlsConfig.ClientCAs == nil || len(tlsConfig.ClientCAs.Subjects()) != len(basePool.Subjects())+2 { //nolint:staticcheck // Ignore SA1019: tlsConfig.ClientCAs.Subjects has been deprecated since Go 1.18: if s was returned by SystemCertPool, Subjects will not include the system roots.
@@ -441,9 +441,9 @@ func TestConfigClientTLSRootCAFileWithOneCert(t *testing.T) {
 	if err != nil || tlsConfig == nil {
 		t.Fatal("Unable to configure client TLS", err)
 	}
-	basePool, err := SystemCertPool()
+	basePool, err := x509.SystemCertPool()
 	if err != nil {
-		basePool = x509.NewCertPool()
+		t.Fatal("Failed to get SystemCertPool", err)
 	}
 	// because we are not enabling `ExclusiveRootPools`, any root pool will also contain the system roots
 	if tlsConfig.RootCAs == nil || len(tlsConfig.RootCAs.Subjects()) != len(basePool.Subjects())+2 { //nolint:staticcheck // Ignore SA1019: tlsConfig.ClientCAs.Subjects has been deprecated since Go 1.18: if s was returned by SystemCertPool, Subjects will not include the system roots.

Original file line number	Diff line number	Diff line change
`@@ -86,7 +86,7 @@ func certPool(caFile string, exclusivePool bool) (*x509.CertPool, error) {`
`86`	`86`	`if exclusivePool {`
`87`	`87`	`pool = x509.NewCertPool()`
`88`	`88`	`} else {`
`89`		`- pool, err = SystemCertPool()`
	`89`	`+ pool, err = x509.SystemCertPool()`
`90`	`90`	`if err != nil {`
`91`	`91`	`return nil, fmt.Errorf("failed to read system certificates: %v", err)`
`92`	`92`	`}`
Original file line number	Diff line number	Diff line change
`@@ -183,9 +183,9 @@ func TestConfigServerTLSClientCASet(t *testing.T) {`
`183`	`183`	`if tlsConfig.ClientAuth != tls.VerifyClientCertIfGiven {`
`184`	`184`	`t.Fatal("ClientAuth was not set to what was in the options")`
`185`	`185`	`}`
`186`		`- basePool, err := SystemCertPool()`
	`186`	`+ basePool, err := x509.SystemCertPool()`
`187`	`187`	`if err != nil {`
`188`		`- basePool = x509.NewCertPool()`
	`188`	`+ t.Fatal("Failed to get SystemCertPool", err)`
`189`	`189`	`}`
`190`	`190`	// because we are not enabling `ExclusiveRootPools`, any root pool will also contain the system roots
`191`	`191`	`if tlsConfig.ClientCAs == nil \|\| len(tlsConfig.ClientCAs.Subjects()) != len(basePool.Subjects())+2 { //nolint:staticcheck // Ignore SA1019: tlsConfig.ClientCAs.Subjects has been deprecated since Go 1.18: if s was returned by SystemCertPool, Subjects will not include the system roots.`
`@@ -441,9 +441,9 @@ func TestConfigClientTLSRootCAFileWithOneCert(t *testing.T) {`
`441`	`441`	`if err != nil \|\| tlsConfig == nil {`
`442`	`442`	`t.Fatal("Unable to configure client TLS", err)`
`443`	`443`	`}`
`444`		`- basePool, err := SystemCertPool()`
	`444`	`+ basePool, err := x509.SystemCertPool()`
`445`	`445`	`if err != nil {`
`446`		`- basePool = x509.NewCertPool()`
	`446`	`+ t.Fatal("Failed to get SystemCertPool", err)`
`447`	`447`	`}`
`448`	`448`	// because we are not enabling `ExclusiveRootPools`, any root pool will also contain the system roots
`449`	`449`	`if tlsConfig.RootCAs == nil \|\| len(tlsConfig.RootCAs.Subjects()) != len(basePool.Subjects())+2 { //nolint:staticcheck // Ignore SA1019: tlsConfig.ClientCAs.Subjects has been deprecated since Go 1.18: if s was returned by SystemCertPool, Subjects will not include the system roots.`