summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDavid Caldwell <david@porkrind.org>2017-04-04 21:29:55 -0700
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-04-06 12:36:22 +0200
commitc0eb46d3463cd21b3f822ac377ff37f067f66b8d (patch)
treea38d08221ed692db5723a2831860b5ef8fd84a10
parent5659d09e3760c8d1986ba9852204c6942bc7d510 (diff)
downloadgnutls-c0eb46d3463cd21b3f822ac377ff37f067f66b8d.tar.gz
gnutls_x509_trust_list_add_system_trust: Add macOS keychain support
Also don't check for a default_trust_store_file in configure when building on macOS (unless explicitly asked to with --with-default-trust-store-file=xxx), because otherwise it finds /etc/ssl/cert.pem: This file is new (since 10.12.2?), which means libraries built on the newest OS version wouldn't work the same way on an older versions (and vice versa). "/etc/ssl/cert.pem" also doesn't seem to reflect additions and deletions from the user's or system's trusted roots keychain (in my limited testing). Signed-off-by: David Caldwell <david@porkrind.org>
-rw-r--r--configure.ac2
-rw-r--r--lib/Makefile.am4
-rw-r--r--lib/system/certs.c72
3 files changed, 77 insertions, 1 deletions
diff --git a/configure.ac b/configure.ac
index 2e94e1693e..84c9500eda 100644
--- a/configure.ac
+++ b/configure.ac
@@ -780,7 +780,7 @@ dnl auto detect http://lists.gnu.org/archive/html/help-gnutls/2012-05/msg00004.h
AC_ARG_WITH([default-trust-store-file],
[AS_HELP_STRING([--with-default-trust-store-file=FILE],
[use the given file default trust store])], with_default_trust_store_file="$withval",
- [if test "$build" = "$host" && test x$with_default_trust_store_pkcs11 = x && test x$with_default_trust_store_dir = x;then
+ [if test "$build" = "$host" && test x$with_default_trust_store_pkcs11 = x && test x$with_default_trust_store_dir = x && test x$have_macosx = x;then
for i in \
/etc/ssl/ca-bundle.pem \
/etc/ssl/certs/ca-certificates.crt \
diff --git a/lib/Makefile.am b/lib/Makefile.am
index bf07ecf6f5..98364cb5d2 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -204,6 +204,10 @@ if WINDOWS
thirdparty_libadd += -lcrypt32
endif
+if MACOSX
+libgnutls_la_LDFLAGS += -framework Security -framework CoreFoundation
+endif
+
libgnutls_la_LIBADD += $(thirdparty_libadd)
# C++ library
diff --git a/lib/system/certs.c b/lib/system/certs.c
index 5136275a62..53eb561d00 100644
--- a/lib/system/certs.c
+++ b/lib/system/certs.c
@@ -44,6 +44,12 @@
# endif
#endif
+#ifdef __APPLE__
+# include <CoreFoundation/CoreFoundation.h>
+# include <Security/Security.h>
+# include <Availability.h>
+#endif
+
/* System specific function wrappers for certificate stores.
*/
@@ -270,6 +276,72 @@ int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags,
return r;
}
+#elif defined(__APPLE__) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 1070
+static
+int osstatus_error(status)
+{
+ CFStringRef err_str = SecCopyErrorMessageString(status, NULL);
+ _gnutls_debug_log("Error loading system root certificates: %s\n",
+ CFStringGetCStringPtr(err_str, kCFStringEncodingUTF8));
+ CFRelease(err_str);
+ return GNUTLS_E_FILE_ERROR;
+}
+
+static
+int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags,
+ unsigned int tl_vflags)
+{
+ int r=0;
+
+ SecTrustSettingsDomain domain[] = { kSecTrustSettingsDomainUser,
+ kSecTrustSettingsDomainAdmin,
+ kSecTrustSettingsDomainSystem };
+ for (size_t d=0; d<sizeof(domain)/sizeof(*domain); d++) {
+ CFArrayRef certs = NULL;
+ OSStatus status = SecTrustSettingsCopyCertificates(domain[d],
+ &certs);
+ if (status == errSecNoTrustSettings)
+ continue;
+ if (status != errSecSuccess)
+ return osstatus_error(status);
+
+ int cert_count = CFArrayGetCount(certs);
+ for (int i=0; i<cert_count; i++) {
+ SecCertificateRef cert =
+ (void*)CFArrayGetValueAtIndex(certs, i);
+ CFDataRef der;
+ status = SecItemExport(cert, kSecFormatX509Cert, 0,
+ NULL, &der);
+ if (status != errSecSuccess) {
+ CFRelease(der);
+ CFRelease(certs);
+ return osstatus_error(status);
+ }
+
+ if (gnutls_x509_trust_list_add_trust_mem(list,
+ &(gnutls_datum_t) {
+ .data = (void*)CFDataGetBytePtr(der),
+ .size = CFDataGetLength(der),
+ },
+ NULL,
+ GNUTLS_X509_FMT_DER,
+ tl_flags,
+ tl_vflags) > 0)
+ r++;
+ CFRelease(der);
+ }
+ CFRelease(certs);
+ }
+
+#ifdef DEFAULT_BLACKLIST_FILE
+ ret = gnutls_x509_trust_list_remove_trust_file(list, DEFAULT_BLACKLIST_FILE, GNUTLS_X509_FMT_PEM);
+ if (ret < 0) {
+ _gnutls_debug_log("Could not load blacklist file '%s'\n", DEFAULT_BLACKLIST_FILE);
+ }
+#endif
+
+ return r;
+}
#else
#define add_system_trust(x,y,z) GNUTLS_E_UNIMPLEMENTED_FEATURE