crypto/x509: load all trusted certs on darwin (nocgo)

The current implementation ignores certificates that exist
in the login and System keychains.

This change adds the missing System and login keychain
files to the `/usr/bin/security` command in
`execSecurityRoots`. If the current user cannot be
obtained, the login keychain is ignored.

Refs golang#16532

Change-Id: I8594a6b8940c58df8a8015b274fa45c39e18862c

Author: mastercactapus

src/crypto/x509/root_darwin.go

@@ -16,6 +16,7 @@ import (
 	"io/ioutil"
 	"os"
 	"os/exec"
+	"os/user"
 	"path/filepath"
 	"strings"
 	"sync"
@@ -61,7 +62,26 @@ func execSecurityRoots() (*CertPool, error) {
 		println(fmt.Sprintf("crypto/x509: %d certs have a trust policy", len(hasPolicy)))
 	}
 
-	cmd := exec.Command("/usr/bin/security", "find-certificate", "-a", "-p", "/System/Library/Keychains/SystemRootCertificates.keychain")
+	args := []string{"find-certificate", "-a", "-p",
+		"/System/Library/Keychains/SystemRootCertificates.keychain",
+		"/Library/Keychains/System.keychain",
+	}
+
+	u, err := user.Current()
+	if err != nil {
+		if debugExecDarwinRoots {
+			println(fmt.Sprintf("crypto/x509: get current user: %v", err))
+		}
+	} else {
+		args = append(args,
+			filepath.Join(u.HomeDir, "/Library/Keychains/login.keychain"),
+
+			// Fresh installs of Sierra use a slightly different path for the login keychain
+			filepath.Join(u.HomeDir, "/Library/Keychains/login.keychain-db"),
+		)
+	}
+
+	cmd := exec.Command("/usr/bin/security", args...)
 	data, err := cmd.Output()
 	if err != nil {
 		return nil, err