macos-tls.patch
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index e24666484..82c958dde 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -284,6 +284,7 @@ if(FLB_SYSTEM_MACOS)
${FLB_DEPS}
"-framework Foundation"
"-framework IOKit"
+ "-framework Security"
)
endif()
diff --git a/src/tls/openssl.c b/src/tls/openssl.c
index e4f0cdfa5..2f4c1f759 100644
--- a/src/tls/openssl.c
+++ b/src/tls/openssl.c
@@ -27,6 +27,12 @@
#include <openssl/opensslv.h>
#include <openssl/x509v3.h>
+#ifdef FLB_SYSTEM_MACOS
+#include <Security/Security.h>
+#include <CoreFoundation/CoreFoundation.h>
+#include <unistd.h>
+#endif
+
#ifdef FLB_SYSTEM_WINDOWS
#define strtok_r(str, delimiter, context) \
strtok_s(str, delimiter, context)
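Review bot: The new `#include <unistd.h>` inside the `FLB_SYSTEM_MACOS` guard appears to have no user in this patch: the only POSIX call in the macOS path, `access()`, is removed by the later hunk, and the Keychain code uses only Security/CoreFoundation and OpenSSL APIs. If nothing else in the file relies on it (I cannot see the rest of the file), drop the line or move it next to whatever does use it, so the include block does not mislead the next reader about what the macOS path depends on.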
@@ -315,22 +321,66 @@ static int windows_load_system_certificates(struct tls_context *ctx)
/* macOS-specific system certificate loading */
static int macos_load_system_certificates(struct tls_context *ctx)
{
- const char *ca_file = "/etc/ssl/cert.pem"; /* Default location for macOS */
+ CFArrayRef certs = NULL;
+ OSStatus status = SecTrustSettingsCopyCertificates(kSecTrustSettingsDomainSystem, &certs);
- if (access(ca_file, R_OK) == 0) {
- flb_debug("[tls] using macos ca bundle: %s", ca_file);
- if (SSL_CTX_load_verify_locations(ctx->ctx, ca_file, NULL) != 1) {
- flb_error("[tls] failed to load ca bundle from file: %s", ca_file);
- ERR_print_errors_fp(stderr);
- return -1;
- }
+ if (status != errSecSuccess || !certs) {
+ flb_error("[tls] failed to load system certificates from Keychain, OSStatus: %d", status);
+ return -1;
}
- else {
- flb_error("[tls] ca bundle not found at %s", ca_file);
+
+ flb_debug("[tls] attempting to load macos keychain system certificates");
+
+ int loaded_cert_count = 0;
+
+ /* Create a new X509_STORE to hold trusted CAs */
+ X509_STORE *store = SSL_CTX_get_cert_store(ctx->ctx);
+ if (!store) {
+ flb_error("[tls] failed to get certificate store from SSL context");
+ CFRelease(certs);
return -1;
}
- return 0;
+ /* Load certificates into the X509 store */
+ for (CFIndex i = 0; i < CFArrayGetCount(certs); i++) {
+ SecCertificateRef cert = (SecCertificateRef) CFArrayGetValueAtIndex(certs, i);
+ if (!cert) {
+ flb_error("[tls] invalid certificate reference at index %ld", i);
+ continue;
+ }
+
+ CFDataRef certData = SecCertificateCopyData(cert);
+ if (!certData) {
+ flb_error("[tls] failed to retrieve data for certificate %ld from Keychain", i);
+ continue;
+ }
+
+ const unsigned char *data = CFDataGetBytePtr(certData);
+ X509 *x509 = d2i_X509(NULL, &data, CFDataGetLength(certData));
+ CFRelease(certData);
+
+ if (!x509) {
+ flb_error("[tls] failed to parse certificate %ld from Keychain", i);
+ ERR_print_errors_fp(stderr);
+ continue;
+ }
+
+ /* Add the certificate to the trusted store */
+ if (X509_STORE_add_cert(store, x509) == 1) {
+ loaded_cert_count++;
+ flb_debug("[tls] successfully loaded and added certificate %ld to trusted store", i);
+ } else {
+ flb_error("[tls] failed to add certificate %ld to trusted store", i);
+ ERR_print_errors_fp(stderr);
+ }
+
+ X509_free(x509);
+ }
+
+ CFRelease(certs);
+ flb_debug("[tls] finished loading Keychain certificates: %d succeeded", loaded_cert_count);
+
+ return (loaded_cert_count > 0) ? 0 : -1;
}
#endif
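Review bot: Every certificate returned by `SecTrustSettingsCopyCertificates` is added to the OpenSSL store as a trust anchor without consulting its trust settings, so a certificate that is present in the system domain with a `kSecTrustSettingsResultDeny` entry (or one restricted to a specific policy) would still be accepted as a root; the loop at `for (CFIndex i = 0; ...)` should call `SecTrustSettingsCopyTrustSettings` for the same domain and skip certificates whose settings deny trust, as other Keychain-backed root loaders do. Separately, the removed `/etc/ssl/cert.pem` path also covered CAs an administrator installed, whereas the new code only reads `kSecTrustSettingsDomainSystem`; if enterprise CAs deployed to the admin domain are expected to keep working, the loader needs a second pass over `kSecTrustSettingsDomainAdmin` (with the same trust-settings check), and the change log should state the behaviour change either way. The sketch below adds a helper that rejects explicitly denied certificates and guards the `X509_STORE_add_cert` call with it; policy-restricted entries are treated conservatively as trusted here and may warrant stricter handling.

```c
/* Returns 1 unless a trust-settings entry for cert in the given domain
 * explicitly denies trust (kSecTrustSettingsResultDeny). Per Apple's docs,
 * an empty settings array or a missing result key means "trust as root". */
static int macos_cert_trust_allowed(SecCertificateRef cert, SecTrustSettingsDomain domain)
{
    CFArrayRef settings = NULL;
    OSStatus status = SecTrustSettingsCopyTrustSettings(cert, domain, &settings);
    if (status != errSecSuccess || !settings) {
        return 0;
    }

    int allowed = 1;
    for (CFIndex j = 0; j < CFArrayGetCount(settings); j++) {
        CFDictionaryRef entry = (CFDictionaryRef) CFArrayGetValueAtIndex(settings, j);
        CFNumberRef num = (CFNumberRef) CFDictionaryGetValue(entry, kSecTrustSettingsResult);
        SInt32 result = kSecTrustSettingsResultTrustRoot;
        if (num && CFNumberGetValue(num, kCFNumberSInt32Type, &result) &&
            result == kSecTrustSettingsResultDeny) {
            allowed = 0;
            break;
        }
    }
    CFRelease(settings);
    return allowed;
}

/* … unchanged: macos_load_system_certificates up to the per-certificate loop … */
        if (!cert) {
            flb_error("[tls] invalid certificate reference at index %ld", i);
            continue;
        }

        if (!macos_cert_trust_allowed(cert, kSecTrustSettingsDomainSystem)) {
            flb_debug("[tls] skipping certificate %ld: trust settings deny it", i);
            continue;
        }
/* … unchanged: SecCertificateCopyData, d2i_X509, X509_STORE_add_cert, cleanup … */
```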