Skip to content

Commit

Permalink
tls: macos load system certificates using security framework.
Browse files Browse the repository at this point in the history
Load the system certicates using the security framework instead
of a depending on a local pem file.

Signed-off-by: Jorge Niedbalski <[email protected]>
  • Loading branch information
Jorge Niedbalski committed Oct 29, 2024
1 parent 6fccaa2 commit d82ebfd
Show file tree
Hide file tree
Showing 2 changed files with 106 additions and 1 deletion.
1 change: 1 addition & 0 deletions src/CMakeLists.txt
Original file line number Diff line number Diff line change
Expand Up @@ -284,6 +284,7 @@ if(FLB_SYSTEM_MACOS)
${FLB_DEPS}
"-framework Foundation"
"-framework IOKit"
"-framework Security"
)
endif()

Expand Down
106 changes: 105 additions & 1 deletion src/tls/openssl.c
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,12 @@
#include <openssl/opensslv.h>
#include <openssl/x509v3.h>

#ifdef FLB_SYSTEM_MACOS
#include <Security/Security.h>
#include <CoreFoundation/CoreFoundation.h>
#include <unistd.h>
#endif

#ifdef FLB_SYSTEM_WINDOWS
#define strtok_r(str, delimiter, context) \
strtok_s(str, delimiter, context)
Expand Down Expand Up @@ -312,6 +318,101 @@ static int windows_load_system_certificates(struct tls_context *ctx)
}
#endif

#ifdef __APPLE__
/* macOS-specific system certificate loading */
static int macos_load_system_certificates(struct tls_context *ctx)
{
X509_STORE *store = NULL;
X509 *x509 = NULL;
SecCertificateRef cert = NULL;
CFArrayRef certs = NULL;
CFDataRef certData = NULL;
const unsigned char *data = NULL;
char *subject = NULL;
char *issuer = NULL;
OSStatus status;
unsigned long err;
int ret = -1;
int loaded_cert_count = 0;

/* Retrieve system certificates from macOS Keychain */
status = SecTrustSettingsCopyCertificates(kSecTrustSettingsDomainSystem, &certs);
if (status != errSecSuccess || !certs) {
flb_debug("[tls] failed to load system certificates from keychain, status: %d", status);
return -1;
}

flb_debug("[tls] attempting to load macOS keychain system certificates");

/* Get the SSL context's certificate store */
store = SSL_CTX_get_cert_store(ctx->ctx);
if (!store) {
flb_debug("[tls] failed to get certificate store from SSL context");
CFRelease(certs);
return -1;
}

/* Load each certificate into the X509 store */
for (CFIndex i = 0; i < CFArrayGetCount(certs); i++) {
cert = (SecCertificateRef) CFArrayGetValueAtIndex(certs, i);
if (!cert) {
flb_debug("[tls] invalid certificate reference at index %ld, skipping", i);
continue;
}

certData = SecCertificateCopyData(cert);
if (!certData) {
flb_debug("[tls] failed to retrieve data for certificate %ld from keychain, skipping", i);
continue;
}

/* Convert certificate data to X509 */
data = CFDataGetBytePtr(certData);
x509 = d2i_X509(NULL, &data, CFDataGetLength(certData));
CFRelease(certData);

if (!x509) {
flb_debug("[tls] failed to parse certificate %ld from keychain, skipping", i);
continue;
}

subject = X509_NAME_oneline(X509_get_subject_name(x509), NULL, 0);
issuer = X509_NAME_oneline(X509_get_issuer_name(x509), NULL, 0);
if (subject && issuer) {
flb_debug("[tls] certificate %ld details - subject: %s, issuer: %s", i, subject, issuer);
}

/* Attempt to add certificate to trusted store */
ret = X509_STORE_add_cert(store, x509);
if (ret != 1) {
err = ERR_get_error();
if (ERR_GET_REASON(err) == X509_R_CERT_ALREADY_IN_HASH_TABLE) {
flb_debug("[tls] certificate %ld already exists in the trusted store (duplicate)", i);
} else {
flb_debug("[tls] failed to add certificate %ld to trusted store, error code: %lu", i, err);
}
X509_free(x509);
continue;
}

loaded_cert_count++;
flb_debug("[tls] successfully loaded and added certificate %ld to trusted store", i);

if (subject) {
OPENSSL_free(subject);
}
if (issuer) {
OPENSSL_free(issuer);
}
X509_free(x509);
}

CFRelease(certs);
flb_debug("[tls] finished loading keychain certificates, total loaded: %d", loaded_cert_count);
return 0;
}
#endif

static int load_system_certificates(struct tls_context *ctx)
{
int ret;
Expand All @@ -320,7 +421,9 @@ static int load_system_certificates(struct tls_context *ctx)
/* For Windows use specific API to read the certs store */
#ifdef _MSC_VER
return windows_load_system_certificates(ctx);
#endif
#elif defined(__APPLE__)
return macos_load_system_certificates(ctx);
#else
if (access(ca_file, R_OK) != 0) {
ca_file = NULL;
}
Expand All @@ -331,6 +434,7 @@ static int load_system_certificates(struct tls_context *ctx)
ERR_print_errors_fp(stderr);
}
return 0;
#endif
}

static void *tls_context_create(int verify,
Expand Down

0 comments on commit d82ebfd

Please sign in to comment.