net/bakedroots: add LetsEncrypt ISRG Root X2

Updates #14690 Change-Id: Ib85e318d48450fc6534f7b0c1d4cc4335de7c0ff Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-02-22 12:58:37 +00:00 · 2025-01-21 17:19:42 -08:00 · 2025-01-21 17:19:42 -08:00 · 042ed6bf69
commit 042ed6bf69
parent 150cd30b1d
2 changed files with 48 additions and 4 deletions
--- a/net/bakedroots/bakedroots.go
+++ b/net/bakedroots/bakedroots.go
@ -16,7 +16,12 @@ import (
 //
 // As of 2025-01-21, this includes only the LetsEncrypt ISRG Root X1 root.
 func Get() *x509.CertPool {
-	roots.once.Do(func() { roots.parsePEM([]byte(letsEncryptX1)) })
+	roots.once.Do(func() {
 		roots.parsePEM(append(
 			[]byte(letsEncryptX1),
 			letsEncryptX2...,
 		))
 	})
 	return roots.p
 }
@ -120,3 +125,25 @@ mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
 emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
 -----END CERTIFICATE-----
 `
 // letsEncryptX2 is the ISRG Root X2.
 //
 // Subject: O = Internet Security Research Group, CN = ISRG Root X2
 // Key type: ECDSA P-384
 // Validity: until 2035-09-04 (generated 2020-09-04)
 const letsEncryptX2 = `
 -----BEGIN CERTIFICATE-----
 MIICGzCCAaGgAwIBAgIQQdKd0XLq7qeAwSxs6S+HUjAKBggqhkjOPQQDAzBPMQsw
 CQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2gg
 R3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMjAeFw0yMDA5MDQwMDAwMDBaFw00
 MDA5MTcxNjAwMDBaME8xCzAJBgNVBAYTAlVTMSkwJwYDVQQKEyBJbnRlcm5ldCBT
 ZWN1cml0eSBSZXNlYXJjaCBHcm91cDEVMBMGA1UEAxMMSVNSRyBSb290IFgyMHYw
 EAYHKoZIzj0CAQYFK4EEACIDYgAEzZvVn4CDCuwJSvMWSj5cz3es3mcFDR0HttwW
 +1qLFNvicWDEukWVEYmO6gbf9yoWHKS5xcUy4APgHoIYOIvXRdgKam7mAHf7AlF9
 ItgKbppbd9/w+kHsOdx1ymgHDB/qo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0T
 AQH/BAUwAwEB/zAdBgNVHQ4EFgQUfEKWrt5LSDv6kviejM9ti6lyN5UwCgYIKoZI
 zj0EAwMDaAAwZQIwe3lORlCEwkSHRhtFcP9Ymd70/aTSVaYgLXTWNLxBo1BfASdW
 tL4ndQavEi51mI38AjEAi/V3bNTIZargCyzuFJ0nN6T5U6VR5CmD1/iQMVtCnwr1
 /q4AaOeMSQ+2b1tbFfLn
 -----END CERTIFICATE-----
 `
--- a/net/bakedroots/bakedroots_test.go
+++ b/net/bakedroots/bakedroots_test.go
@ -3,13 +3,30 @@
 package bakedroots
-import "testing"
+import (
 	"slices"
 	"testing"
 )
 func TestBakedInRoots(t *testing.T) {
 	ResetForTest(t, nil)
 	p := Get()
 	got := p.Subjects()
-	if len(got) != 1 {
+	if len(got) != 2 {
-		t.Errorf("subjects = %v; want 1", len(got))
+		t.Errorf("subjects = %v; want 2", len(got))
 	}
 	// TODO(bradfitz): is there a way to easily make this test prettier without
 	// writing a DER decoder? I'm not seeing how.
 	var name []string
 	for _, der := range got {
 		name = append(name, string(der))
 	}
 	want := []string{
 		"0O1\v0\t\x06\x03U\x04\x06\x13\x02US1)0'\x06\x03U\x04\n\x13 Internet Security Research Group1\x150\x13\x06\x03U\x04\x03\x13\fISRG Root X1",
 		"0O1\v0\t\x06\x03U\x04\x06\x13\x02US1)0'\x06\x03U\x04\n\x13 Internet Security Research Group1\x150\x13\x06\x03U\x04\x03\x13\fISRG Root X2",
 	}
 	if !slices.Equal(name, want) {
 		t.Errorf("subjects = %q; want %q", name, want)
 	}
 }