[GNUnet-SVN] [gnurl] 13/150: darwinssl: Don't import client certificates into Keychain on macOS
From: gnunet
Subject: [GNUnet-SVN] [gnurl] 13/150: darwinssl: Don't import client certificates into Keychain on macOS
Date: Fri, 30 Mar 2018 16:47:47 +0200
This is an automated email from the git hooks/post-receive script.
ng0 pushed a commit to branch master
in repository gnurl.
commit f8475c69410dc401974ffe54691c1f44b0577141
Author: Dair Grant <address@hidden>
AuthorDate: Wed Nov 15 21:30:58 2017 +0000
darwinssl: Don't import client certificates into Keychain on macOS
Closes #2085
---
lib/vtls/darwinssl.c | 73 +++++++++++++++++++++++++++++++++++++++++++---------
1 file changed, 61 insertions(+), 12 deletions(-)
diff --git a/lib/vtls/darwinssl.c b/lib/vtls/darwinssl.c
index 53a7ec37b..694ac572d 100644
--- a/lib/vtls/darwinssl.c
+++ b/lib/vtls/darwinssl.c
@@ -1135,28 +1135,77 @@ static OSStatus CopyIdentityFromPKCS12File(const char
*cPath,
raise linker errors when used on that cat for some reason. */
#if CURL_BUILD_MAC_10_7 || CURL_BUILD_IOS
if(CFURLCreateDataAndPropertiesFromResource(NULL, pkcs_url, &pkcs_data,
- NULL, NULL, &status)) {
+ NULL, NULL, &status)) {
+ CFArrayRef items = NULL;
+
+ /* On iOS SecPKCS12Import will never add the client certificate to the
+ * Keychain.
+ *
+ * It gives us back a SecIdentityRef that we can use directly. */
+#if CURL_BUILD_IOS
const void *cKeys[] = {kSecImportExportPassphrase};
const void *cValues[] = {password};
CFDictionaryRef options = CFDictionaryCreate(NULL, cKeys, cValues,
password ? 1L : 0L, NULL, NULL);
- CFArrayRef items = NULL;
- /* Here we go: */
- status = SecPKCS12Import(pkcs_data, options, &items);
- if(status == errSecSuccess && items && CFArrayGetCount(items)) {
- CFDictionaryRef identity_and_trust = CFArrayGetValueAtIndex(items, 0L);
- const void *temp_identity = CFDictionaryGetValue(identity_and_trust,
- kSecImportItemIdentity);
+ if(options != NULL) {
+ status = SecPKCS12Import(pkcs_data, options, &items);
+ CFRelease(options);
+ }
+
- /* Retain the identity; we don't care about any other data... */
- CFRetain(temp_identity);
- *out_cert_and_key = (SecIdentityRef)temp_identity;
+ /* On macOS SecPKCS12Import will always add the client certificate to
+ * the Keychain.
+ *
+ * As this doesn't match iOS, and apps may not want to see their client
+ * certificate saved in the the user's keychain, we use SecItemImport
+ * with a NULL keychain to avoid importing it.
+ *
+ * This returns a SecCertificateRef from which we can construct a
+ * SecIdentityRef.
+ */
+#elif CURL_BUILD_MAC_10_7
+ SecItemImportExportKeyParameters keyParams;
+ SecExternalFormat inputFormat = kSecFormatPKCS12;
+ SecExternalItemType inputType = kSecItemTypeCertificate;
+
+ memset(&keyParams, 0x00, sizeof(keyParams));
+ keyParams.version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION;
+ keyParams.passphrase = password;
+
+ status = SecItemImport(pkcs_data, NULL, &inputFormat, &inputType,
+ 0, &keyParams, NULL, &items);
+#endif
+
+
+ /* Extract the SecIdentityRef */
+ if(status == errSecSuccess && items && CFArrayGetCount(items)) {
+ CFIndex i, count;
+ count = CFArrayGetCount(items);
+
+ for(i = 0; i < count; i++) {
+ CFTypeRef item = (CFTypeRef) CFArrayGetValueAtIndex(items, i);
+ CFTypeID itemID = CFGetTypeID(item);
+
+ if(itemID == CFDictionaryGetTypeID()) {
+ CFTypeRef identity = (CFTypeRef) CFDictionaryGetValue(
+ (CFDictionaryRef) item,
+ kSecImportItemIdentity);
+ CFRetain(identity);
+ *out_cert_and_key = (SecIdentityRef) identity;
+ break;
+ }
+ else if(itemID == SecCertificateGetTypeID()) {
+ status = SecIdentityCreateWithCertificate(NULL,
+ (SecCertificateRef) item,
+ out_cert_and_key);
+ break;
+ }
+ }
}
if(items)
CFRelease(items);
- CFRelease(options);
CFRelease(pkcs_data);
}
#endif /* CURL_BUILD_MAC_10_7 || CURL_BUILD_IOS */
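Review bot: in the new macOS path the fallback `SecIdentityCreateWithCertificate(NULL, (SecCertificateRef) item, out_cert_and_key)` can only succeed if the certificate's private key can be found in a keychain, but `SecItemImport(pkcs_data, NULL, ...)` is called with a NULL import keychain precisely so that nothing from the PKCS#12 file is persisted; unless the key was already present in the default keychain search list, the identity lookup will fail and the client certificate will not be usable, which is the opposite of what "Closes #2085" intends. Please verify this case on macOS before merging and, if the key is not found, document the limitation in the comment block that explains why `SecItemImport` was chosen over `SecPKCS12Import`. Two smaller points in the same hunk: `CFRetain(identity)` in the dictionary branch runs without checking that `CFDictionaryGetValue(..., kSecImportItemIdentity)` returned non-NULL (`CFRetain(NULL)` aborts), so guard it with `if(identity)`; and the comment reads "saved in the the user's keychain" (double "the"), with two consecutive blank `+` lines after the `#endif`.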