1commit 9bcdde1ab9cdff6a4471f9a926dd488ab70c7247
2Author: Daiderd Jordan <daiderd@gmail.com>
3Date: Mon Apr 22 16:38:27 2019 +0200
4
5 Revert "gnutls_x509_trust_list_add_system_trust: Add macOS keychain support"
6
7 This reverts commit c0eb46d3463cd21b3f822ac377ff37f067f66b8d.
8
9diff --git a/configure.ac b/configure.ac
10index 8ad597bfd..8d14f26cd 100644
11--- a/configure.ac
12+++ b/configure.ac
13@@ -781,7 +781,7 @@ dnl auto detect https://lists.gnu.org/archive/html/help-gnutls/2012-05/msg00004.
14 AC_ARG_WITH([default-trust-store-file],
15 [AS_HELP_STRING([--with-default-trust-store-file=FILE],
16 [use the given file default trust store])], with_default_trust_store_file="$withval",
17- [if test "$build" = "$host" && test x$with_default_trust_store_pkcs11 = x && test x$with_default_trust_store_dir = x && test x$have_macosx = x;then
18+ [if test "$build" = "$host" && test x$with_default_trust_store_pkcs11 = x && test x$with_default_trust_store_dir = x;then
19 for i in \
20 /etc/ssl/ca-bundle.pem \
21 /etc/ssl/certs/ca-certificates.crt \
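Review bot: With `test x$have_macosx = x` dropped from the condition on the added line, a native macOS build goes back to probing the bundle paths that follow (`/etc/ssl/ca-bundle.pem`, `/etc/ssl/certs/ca-certificates.crt`, …), and nothing in the patch says what macOS should use instead of the keychain. Because the same commit removes the `__APPLE__` branch from lib/system/certs.c, the only fallback visible in this patch is `#define add_system_trust(x,y,z) GNUTLS_E_UNIMPLEMENTED_FEATURE`. If none of the probed files exists and no `--with-default-trust-store-*` option is passed, loading the system trust presumably fails on macOS, and a caller that ignores that return value would verify against an empty trust list. The revert message gives no reason, so I would add a comment above `AC_ARG_WITH` such as `dnl macOS: no keychain support; pass --with-default-trust-store-file=FILE or system trust is unimplemented`. The `for` loop over candidate paths continues outside the hunk.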
22diff --git a/lib/Makefile.am b/lib/Makefile.am
23index fe9cf63a2..745695f7e 100644
24--- a/lib/Makefile.am
25+++ b/lib/Makefile.am
26@@ -203,10 +203,6 @@ if WINDOWS
27 thirdparty_libadd += -lcrypt32
28 endif
29
30-if MACOSX
31-libgnutls_la_LDFLAGS += -framework Security -framework CoreFoundation
32-endif
33-
34 libgnutls_la_LIBADD += $(thirdparty_libadd)
35
36 # C++ library
37diff --git a/lib/system/certs.c b/lib/system/certs.c
38index 611c645e0..912b0aa5e 100644
39--- a/lib/system/certs.c
40+++ b/lib/system/certs.c
41@@ -44,12 +44,6 @@
42 # endif
43 #endif
44
45-#ifdef __APPLE__
46-# include <CoreFoundation/CoreFoundation.h>
47-# include <Security/Security.h>
48-# include <Availability.h>
49-#endif
50-
51 /* System specific function wrappers for certificate stores.
52 */
53
54@@ -276,72 +270,6 @@ int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags,
55
56 return r;
57 }
58-#elif defined(__APPLE__) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 1070
59-static
60-int osstatus_error(status)
61-{
62- CFStringRef err_str = SecCopyErrorMessageString(status, NULL);
63- _gnutls_debug_log("Error loading system root certificates: %s\n",
64- CFStringGetCStringPtr(err_str, kCFStringEncodingUTF8));
65- CFRelease(err_str);
66- return GNUTLS_E_FILE_ERROR;
67-}
68-
69-static
70-int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags,
71- unsigned int tl_vflags)
72-{
73- int r=0;
74-
75- SecTrustSettingsDomain domain[] = { kSecTrustSettingsDomainUser,
76- kSecTrustSettingsDomainAdmin,
77- kSecTrustSettingsDomainSystem };
78- for (size_t d=0; d<sizeof(domain)/sizeof(*domain); d++) {
79- CFArrayRef certs = NULL;
80- OSStatus status = SecTrustSettingsCopyCertificates(domain[d],
81- &certs);
82- if (status == errSecNoTrustSettings)
83- continue;
84- if (status != errSecSuccess)
85- return osstatus_error(status);
86-
87- int cert_count = CFArrayGetCount(certs);
88- for (int i=0; i<cert_count; i++) {
89- SecCertificateRef cert =
90- (void*)CFArrayGetValueAtIndex(certs, i);
91- CFDataRef der;
92- status = SecItemExport(cert, kSecFormatX509Cert, 0,
93- NULL, &der);
94- if (status != errSecSuccess) {
95- CFRelease(der);
96- CFRelease(certs);
97- return osstatus_error(status);
98- }
99-
100- if (gnutls_x509_trust_list_add_trust_mem(list,
101- &(gnutls_datum_t) {
102- .data = (void*)CFDataGetBytePtr(der),
103- .size = CFDataGetLength(der),
104- },
105- NULL,
106- GNUTLS_X509_FMT_DER,
107- tl_flags,
108- tl_vflags) > 0)
109- r++;
110- CFRelease(der);
111- }
112- CFRelease(certs);
113- }
114-
115-#ifdef DEFAULT_BLACKLIST_FILE
116- ret = gnutls_x509_trust_list_remove_trust_file(list, DEFAULT_BLACKLIST_FILE, GNUTLS_X509_FMT_PEM);
117- if (ret < 0) {
118- _gnutls_debug_log("Could not load blacklist file '%s'\n", DEFAULT_BLACKLIST_FILE);
119- }
120-#endif
121-
122- return r;
123-}
124 #else
125
126 #define add_system_trust(x,y,z) GNUTLS_E_UNIMPLEMENTED_FEATURE