certs.patch
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt | |
index e24666484..82c958dde 100644 | |
--- a/src/CMakeLists.txt | |
+++ b/src/CMakeLists.txt | |
@@ -284,6 +284,7 @@ if(FLB_SYSTEM_MACOS) | |
${FLB_DEPS} | |
"-framework Foundation" | |
"-framework IOKit" | |
+ "-framework Security" | |
) | |
endif() | |
diff --git a/src/tls/openssl.c b/src/tls/openssl.c | |
index e4f0cdfa5..d498a65de 100644 | |
--- a/src/tls/openssl.c | |
+++ b/src/tls/openssl.c | |
@@ -27,6 +27,12 @@ | |
#include <openssl/opensslv.h> | |
#include <openssl/x509v3.h> | |
+#ifdef FLB_SYSTEM_MACOS | |
+#include <Security/Security.h> | |
+#include <CoreFoundation/CoreFoundation.h> | |
+#include <unistd.h> | |
+#endif | |
+ | |
#ifdef FLB_SYSTEM_WINDOWS | |
#define strtok_r(str, delimiter, context) \ | |
strtok_s(str, delimiter, context) | |
@@ -315,22 +321,63 @@ static int windows_load_system_certificates(struct tls_context *ctx) | |
/* macOS-specific system certificate loading */ | |
static int macos_load_system_certificates(struct tls_context *ctx) | |
{ | |
- const char *ca_file = "/etc/ssl/cert.pem"; /* Default location for macOS */ | |
+ const char *default_ca_file = "/etc/ssl/cert.pem"; // Default location | |
+ const char *homebrew_ca_file = "/usr/local/etc/openssl/cert.pem"; // Homebrew (Intel) | |
+ const char *homebrew_m1_ca_file = "/opt/homebrew/etc/openssl/cert.pem"; // Homebrew (Apple Silicon) | |
- if (access(ca_file, R_OK) == 0) { | |
+ /* Check default paths */ | |
+ const char *ca_file = NULL; | |
+ | |
+ if (access(default_ca_file, R_OK) == 0) { | |
+ ca_file = default_ca_file; | |
+ } | |
+ else if (access(homebrew_ca_file, R_OK) == 0) { | |
+ ca_file = homebrew_ca_file; | |
+ } | |
+ else if (access(homebrew_m1_ca_file, R_OK) == 0) { | |
+ ca_file = homebrew_m1_ca_file; | |
+ } | |
+ | |
+ if (ca_file) { | |
flb_debug("[tls] using macos ca bundle: %s", ca_file); | |
if (SSL_CTX_load_verify_locations(ctx->ctx, ca_file, NULL) != 1) { | |
flb_error("[tls] failed to load ca bundle from file: %s", ca_file); | |
ERR_print_errors_fp(stderr); | |
return -1; | |
} | |
+ return 0; | |
+ } | |
+ | |
+ /* Attempt to load certificates from macOS Keychain */ | |
+ CFArrayRef certs = NULL; | |
+ OSStatus status = SecTrustSettingsCopyCertificates(kSecTrustSettingsDomainSystem, &certs); | |
+ | |
+ if (status == errSecSuccess && certs) { | |
+ flb_debug("[tls] using macOS Keychain system certificates"); | |
+ | |
+ /* Load certificates into OpenSSL */ | |
+ for (CFIndex i = 0; i < CFArrayGetCount(certs); i++) { | |
+ SecCertificateRef cert = (SecCertificateRef) CFArrayGetValueAtIndex(certs, i); | |
+ if (cert) { | |
+ CFDataRef certData = SecCertificateCopyData(cert); | |
+ if (certData) { | |
+ const unsigned char *data = CFDataGetBytePtr(certData); | |
+ X509 *x509 = d2i_X509(NULL, &data, CFDataGetLength(certData)); | |
+ if (x509) { | |
+ SSL_CTX_add_client_CA(ctx->ctx, x509); | |
+ X509_free(x509); | |
+ } | |
+ CFRelease(certData); | |
+ } | |
+ } | |
+ } | |
+ CFRelease(certs); | |
+ return 0; | |
} | |
else { | |
- flb_error("[tls] ca bundle not found at %s", ca_file); | |
+ flb_error("[tls] failed to load system certificates from Keychain"); | |
return -1; | |
} | |
- | |
- return 0; | |
} | |
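Review bot: The Keychain branch does not actually install any trust anchor: `SSL_CTX_add_client_CA(ctx->ctx, x509)` only appends the certificate's subject name to the list of acceptable client-CA names advertised during client authentication, so after the loop the verify store is still empty while the function returns 0 and logs "using macOS Keychain system certificates". The certificates need to go into the verify store, `X509_STORE_add_cert(SSL_CTX_get_cert_store(ctx->ctx), x509)`, and its result should be checked (depending on the OpenSSL version a duplicate is reported via X509_R_CERT_ALREADY_IN_HASH_TABLE rather than as success, so that case may need to be tolerated). The loop also silently drops every `d2i_X509` failure and returns 0 even when nothing was added; counting successful adds and returning -1 on zero makes an empty trust store visible to the caller instead of surfacing later as an unexplained verification failure. Note as well that `SecTrustSettingsCopyCertificates` returns every certificate that has trust settings in the system domain; as far as I can tell from the hunk the per-certificate settings are not consulted, so a certificate whose system setting is an explicit deny would presumably be loaded as trusted too — worth confirming against the Security framework docs.
```c
    /* … unchanged: file-bundle lookup and SecTrustSettingsCopyCertificates call … */
    X509_STORE *store = SSL_CTX_get_cert_store(ctx->ctx);
    int loaded = 0;
    for (CFIndex i = 0; i < CFArrayGetCount(certs); i++) {
        /* … unchanged: SecCertificateCopyData / d2i_X509 … */
        if (x509) {
            /* add as a trust anchor, not to the client-CA name list */
            if (X509_STORE_add_cert(store, x509) == 1) {
                loaded++;
            }
            X509_free(x509);
        }
        /* … unchanged: CFRelease(certData) … */
    }
    CFRelease(certs);
    if (loaded == 0) {
        flb_error("[tls] no usable certificates found in macOS Keychain");
        return -1;
    }
    return 0;
```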
#endif | |