[glib-networking/nacho/ca-macos] Use the keychain CA certificates on macos

From: Ignacio Casal Quinteiro <icq src gnome org>
To: commits-list gnome org
Cc:
Subject: [glib-networking/nacho/ca-macos] Use the keychain CA certificates on macos
Date: Wed, 12 May 2021 10:48:19 +0000 (UTC)


commit 9496833e9577dda21e38aedb2ee1351a8a2c5897
Author: Ignacio Casal Quinteiro <qignacio amazon com>
Date:   Wed May 12 12:43:36 2021 +0200

    Use the keychain CA certificates on macos
    
    On macOS the system CA certificates are stored in the keychain.
    Use the system api to retrieve them and to add them to the
    default database.

 meson.build                        |  4 ++++
 tls/openssl/gtlsdatabase-openssl.c | 42 ++++++++++++++++++++++++++++++++++++++
 tls/openssl/meson.build            |  6 ++++++
 3 files changed, 52 insertions(+)
---
diff --git a/meson.build b/meson.build
index 768cdf2..6d15970 100644
--- a/meson.build
+++ b/meson.build
@@ -190,6 +190,10 @@ if gnutls_dep.found()
 endif
 
 if backends.contains('openssl')
+  if ['darwin', 'ios'].contains(host_system)
+    security_dep = dependency('appleframeworks', modules : ['Security'])
+  endif
+
   subdir('tls/openssl')
 endif
 
diff --git a/tls/openssl/gtlsdatabase-openssl.c b/tls/openssl/gtlsdatabase-openssl.c
index 61d607d..6cf2f49 100644
--- a/tls/openssl/gtlsdatabase-openssl.c
+++ b/tls/openssl/gtlsdatabase-openssl.c
@@ -31,6 +31,10 @@
 #include <glib/gi18n-lib.h>
 #include "openssl-include.h"
 
+#ifdef __APPLE__
+#include <Security/Security.h>
+#endif
+
 typedef struct
 {
   /*
@@ -181,6 +185,44 @@ g_tls_database_openssl_populate_trust_list (GTlsDatabaseOpenssl  *self,
                                             X509_STORE           *store,
                                             GError              **error)
 {
+#ifdef __APPLE__
+  CFArrayRef anchors;
+  OSStatus ret;
+  CFIndex i;
+
+  ret = SecTrustCopyAnchorCertificates (&anchors);
+  if (ret != errSecSuccess)
+    {
+      g_set_error_literal (error, G_TLS_ERROR, G_TLS_ERROR_MISC,
+                           _("Could not get trusted anchors from Keychain"));
+      return FALSE;
+    }
+
+  for (i = 0; i < CFArrayGetCount (anchors); i++)
+    {
+      SecCertificateRef cert;
+      CFDataRef data;
+
+      cert = (SecCertificateRef)CFArrayGetValueAtIndex (anchors, i);
+      data = SecCertificateCopyData (cert);
+      if (data)
+        {
+          X509 *x;
+          const unsigned char *pdata;
+
+          pdata = (const unsigned char *)CFDataGetBytePtr (data);
+
+          x = d2i_X509 (NULL, &pdata, CFDataGetLength (data));
+          if (x)
+            X509_STORE_add_cert (store, x);
+
+          CFRelease (data);
+        }
+    }
+
+  CFRelease (anchors);
+#endif
+
   if (!X509_STORE_set_default_paths (store))
     {
       g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_MISC,
diff --git a/tls/openssl/meson.build b/tls/openssl/meson.build
index 0ac25c8..feb10b1 100644
--- a/tls/openssl/meson.build
+++ b/tls/openssl/meson.build
@@ -24,6 +24,12 @@ deps = [
   tlsbase_dep,
 ]
 
+if ['darwin', 'ios'].contains(host_system)
+  deps += [
+    security_dep,
+  ]
+endif
+
 module = shared_module(
   'gioopenssl',
   sources: sources,

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]