diff options
| author |  Anshul Gupta <ansg191@anshulg.com>
| 2023-11-04 12:42:25 -0700 |
|---|---|---|
| committer | Anshul Gupta <ansg191@anshulg.com>
| 2023-11-12 12:52:52 -0800 |
| commit | eb1354b33c383ea337bd3d182bd978223b9fccc0 (patch) | |
| tree | c2d86d0daff5bf2a830e0108a77d37c6b4b9e694 | |
| parent | af368e9287ea975d184f9f66df52dbf109adf0e4 (diff) | |
| download | quiche-ansg191/macos-root-certs.tar.gz quiche-ansg191/macos-root-certs.tar.zst quiche-ansg191/macos-root-certs.zip | |
Adds macOS root certs to SSL `Context`ansg191/macos-root-certs
| -rw-r--r-- | quiche/Cargo.toml | 3 | ||||
| -rw-r--r-- | quiche/src/tls.rs | 61 |
2 files changed, 56 insertions, 8 deletions
diff --git a/quiche/Cargo.toml b/quiche/Cargo.toml index f3c47e1a..714c4bfe 100644 --- a/quiche/Cargo.toml +++ b/quiche/Cargo.toml @@ -72,6 +72,9 @@ smallvec = { version = "1.10", features = ["serde", "union"] } [target."cfg(windows)".dependencies] winapi = { version = "0.3", features = ["wincrypt", "ws2def", "ws2ipdef", "ws2tcpip"] } +[target.'cfg(target_os = "macos")'.dependencies] +security-framework = "2.9" + [dev-dependencies] mio = { version = "0.8", features = ["net", "os-poll"] } url = "1" diff --git a/quiche/src/tls.rs b/quiche/src/tls.rs index 04bda715..864f443b 100644 --- a/quiche/src/tls.rs +++ b/quiche/src/tls.rs @@ -77,7 +77,7 @@ struct X509_VERIFY_PARAM(c_void); #[allow(non_camel_case_types)] #[repr(transparent)] -#[cfg(windows)] +#[cfg(any(windows, target_os = "macos"))] struct X509_STORE(c_void); #[allow(non_camel_case_types)] @@ -86,7 +86,7 @@ struct X509_STORE_CTX(c_void); #[allow(non_camel_case_types)] #[repr(transparent)] -#[cfg(windows)] +#[cfg(any(windows, target_os = "macos"))] struct X509(c_void); #[allow(non_camel_case_types)] @@ -272,11 +272,56 @@ impl Context { }) } - #[cfg(not(windows))] + #[cfg(all(not(windows), not(target_os = "macos")))] fn load_ca_certs(&mut self) -> Result<()> { unsafe { map_result(SSL_CTX_set_default_verify_paths(self.as_mut_ptr())) } } + #[cfg(target_os = "macos")] + fn load_ca_certs(&mut self) -> Result<()> { + use security_framework::trust_settings::{ + Domain, + TrustSettings, + TrustSettingsForCertificate::{TrustRoot, TrustAsRoot}, + }; + + let ctx_store = unsafe { SSL_CTX_get_cert_store(self.as_mut_ptr()) }; + if ctx_store.is_null() { + return Err(Error::TlsFail); + } + + for domain in &[Domain::User, Domain::Admin, Domain::System] { + let ts = TrustSettings::new(*domain); + let iter = ts.iter().map_err(|_| Error::TlsFail)?; + + for cert in iter { + let der = cert.to_der(); + + let trusted = ts + .tls_trust_settings_for_certificate(&cert) + .map_err(|_| Error::TlsFail)? + .unwrap_or(TrustRoot); + + if let TrustRoot | TrustAsRoot = trusted { + unsafe { + let cert = d2i_X509( + ptr::null_mut(), + &der.as_ptr(), + der.len() as i32, + ); + + if !cert.is_null() { + X509_STORE_add_cert(ctx_store, cert); + } + + X509_free(cert); + } + } + } + } + Ok(()) + } + #[cfg(windows)] fn load_ca_certs(&mut self) -> Result<()> { unsafe { @@ -1297,10 +1342,10 @@ extern { ctx: *mut SSL_CTX, file: *const c_char, path: *const c_char, ) -> c_int; - #[cfg(not(windows))] + #[cfg(all(not(windows), not(target_os = "macos")))] fn SSL_CTX_set_default_verify_paths(ctx: *mut SSL_CTX) -> c_int; - #[cfg(windows)] + #[cfg(any(windows, target_os = "macos"))] fn SSL_CTX_get_cert_store(ctx: *mut SSL_CTX) -> *mut X509_STORE; fn SSL_CTX_set_verify( @@ -1464,13 +1509,13 @@ extern { ) -> c_int; // X509_STORE - #[cfg(windows)] + #[cfg(any(windows, target_os = "macos"))] fn X509_STORE_add_cert(ctx: *mut X509_STORE, x: *mut X509) -> c_int; // X509 - #[cfg(windows)] + #[cfg(any(windows, target_os = "macos"))] fn X509_free(x: *mut X509); - #[cfg(windows)] + #[cfg(any(windows, target_os = "macos"))] fn d2i_X509(px: *mut X509, input: *const *const u8, len: c_int) -> *mut X509; // STACK_OF |