2016-04-22

2016-04-22 13:18:39 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Standards.X509 [MacOS X]: Try a few more keychain files.

It seems the files "X509Anchors" and "X509Certificates" are obsolete,
and have been replaced by "SystemRootCertificates.keychain" and
"SystemCACertificates.keychain".

Also makes sure to validate the certificates from Apple.Keychain.

1648:    if (found) continue;       // Then try the Apple KeyChain files. -  foreach(({ "X509Anchors", "X509Certificates" }), string fname) { +  foreach(({ +  // Mostly TLS Root CAs: +  "SystemRootCertificates.keychain", +  +  // Certificates for certifying identities and email, +  // many of which are expired. +  "SystemCACertificates.keychain", +  +  // Old name for SystemRootCertificates.keychain. +  "X509Anchors", +  +  // Old name for SystemCACertificates.keychain. +  "X509Certificates", +  }), string fname) {    string keychain = Stdio.read_bytes(combine_path(dir, fname));    if (keychain) {    Apple.Keychain chain = Apple.Keychain(keychain);    foreach(chain->certs, TBSCertificate tbs) { -  +  if (!verify_ca_certificate(tbs)) continue;    string subj = tbs->subject->get_der();    if( !res[subj] || !has_value(res[subj], tbs->public_key ) )    {    update_expire(tbs);    res[subj] += ({ tbs->public_key });    } -  } +     found = 1;    }    } -  +  }    if (found) continue;       // Fall back to trying every file.
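Review bot: adding "SystemCACertificates.keychain" to the file list puts certificates that the new comment itself describes as identity and email certifiers, "many of which are expired", into the same `res` mapping as the TLS roots, and the only gate is the new `if (!verify_ca_certificate(tbs)) continue;` line, whose body is not part of this hunk. Please confirm that check rejects expired certificates and non-CA certificates, or keep this file out of the list. Separately, the closing brace that used to precede `found = 1;` is removed and one is added after the file-name loop, so the assignment now runs inside the per-certificate loop and only for certificates that pass the new check. If the intent is that a keychain with no acceptable certificate falls through to the "try every file" fallback, a short comment next to `found = 1;` would make that explicit, since the commit message does not mention it.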