Created
October 25, 2024 10:38
macos-certs.patch
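--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -284,6 +284,7 @@ if(FLB_SYSTEM_MACOS)
 ${FLB_DEPS}
 "-framework Foundation"
 "-framework IOKit"
+ "-framework Security"
 )
 endif()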
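--- a/src/tls/openssl.c
+++ b/src/tls/openssl.c
@@ -27,6 +27,12 @@
 #include <openssl/opensslv.h>
 #include <openssl/x509v3.h>
+#ifdef FLB_SYSTEM_MACOS
+#include <Security/Security.h>
+#include <CoreFoundation/CoreFoundation.h>
+#include <unistd.h>
+#endif
+
 #ifdef FLB_SYSTEM_WINDOWS
 #define strtok_r(str, delimiter, context) \
 strtok_s(str, delimiter, context)
@@ -315,22 +321,57 @@ static int windows_load_system_certificates(struct tls_context *ctx)
 /* macOS-specific system certificate loading */
 static int macos_load_system_certificates(struct tls_context *ctx)
 {
- const char *ca_file = "/etc/ssl/cert.pem"; /* Default location for macOS */
+ CFArrayRef certs = NULL;
+ OSStatus status = SecTrustSettingsCopyCertificates(kSecTrustSettingsDomainSystem, &certs);
- if (access(ca_file, R_OK) == 0) {
- flb_debug("[tls] using macos ca bundle: %s", ca_file);
- if (SSL_CTX_load_verify_locations(ctx->ctx, ca_file, NULL) != 1) {
- flb_error("[tls] failed to load ca bundle from file: %s", ca_file);
+ if (status != errSecSuccess || !certs) {
+ flb_error("[tls] failed to load system certificates from keychain, status: %d", status);
+ return -1;
+ }
+
+ flb_debug("[tls] attempting to load macos keychain system certificates");
+
+ int loaded_cert_count = 0;
+
+ /* Load certificates into OpenSSL */
+ for (CFIndex i = 0; i < CFArrayGetCount(certs); i++) {
+ SecCertificateRef cert = (SecCertificateRef) CFArrayGetValueAtIndex(certs, i);
+ if (!cert) {
+ flb_error("[tls] invalid certificate reference at index %ld", i);
+ continue;
+ }
+
+ CFDataRef certData = SecCertificateCopyData(cert);
+ if (!certData) {
+ flb_error("[tls] failed to retrieve data for certificate %ld from keychain", i);
+ continue;
+ }
+
+ const unsigned char *data = CFDataGetBytePtr(certData);
+ X509 *x509 = d2i_X509(NULL, &data, CFDataGetLength(certData));
+ CFRelease(certData);
+
+ if (!x509) {
+ flb_error("[tls] failed to parse certificate %ld from keychain", i);
 ERR_print_errors_fp(stderr);
- return -1;
+ continue;
 }
- }
- else {
- flb_error("[tls] ca bundle not found at %s", ca_file);
- return -1;
+
+ if (SSL_CTX_add_client_CA(ctx->ctx, x509) != 1) {
+ flb_error("[tls] failed to add certificate %ld to SSL context", i);
+ ERR_print_errors_fp(stderr);
+ } else {
+ loaded_cert_count++;
+ flb_debug("[tls] successfully loaded certificate %ld from keychain", i);
+ }
+
+ X509_free(x509);
 }
- return 0;
+ CFRelease(certs);
+ flb_debug("[tls] finished loading keychain certificates: %d succeeded", loaded_cert_count);
+
+ return (loaded_cert_count > 0) ? 0 : -1;
 }
 #endif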
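Review bot: `SSL_CTX_add_client_CA(ctx->ctx, x509)` in the second hunk of this file does not install the keychain certificate as a trust anchor; it only appends the CA's name to the list a TLS server advertises in its CertificateRequest, so peer-certificate verification on this context still has no system roots after the function reports success, and the per-certificate "successfully loaded" debug line overstates what happened. The certificates need to go into the context's verify store instead: `if (X509_STORE_add_cert(SSL_CTX_get_cert_store(ctx->ctx), x509) != 1) {`, with the rest of the branch unchanged; the `X509_free` afterwards stays correct because the store takes its own reference. Separately, `SecTrustSettingsCopyCertificates` returns every certificate that has trust settings in the requested domain, which presumably can include entries whose settings are not "trust", so checking each certificate's trust settings before adding it would avoid promoting a distrusted entry to a trusted root here — worth confirming against the Security framework documentation. The `#include <unistd.h>` added in the first hunk looks unused now that the `access()` call is removed, unless another part of the file relies on it.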