upstream: github.com/mirage/ca-certs


add: additional key path for macos (#28)

* add: additional key path for macos

On macOS it's normal[1] to add custom certificates to
`/Library/Keychains/System.keychain` in addition to
`/System/Library/Keychains/SystemRootCertificates.keychain`. This PR now
checks both locations and concatenates them.

[1] https://apple.stackexchange.com/questions/53579/how-is-the-system-keychain-secured-in-os-x

Authored by Austin Theriault and committed by GitHub.
37099bcc 8d2baf43

+40 -8
lib/ca_certs.ml
··· 46 46 let openbsd_location = "/etc/ssl/cert.pem" 47 47 let freebsd_location = "/usr/local/share/certs/ca-root-nss.crt" 48 48 49 - let macos_keychain_location = 50 - "/System/Library/Keychains/SystemRootCertificates.keychain" 49 + let macos_keychain_locations = 50 + [ 51 + "/System/Library/Keychains/SystemRootCertificates.keychain"; 52 + "/Library/Keychains/System.keychain"; 53 + ] 51 54 52 55 external iter_on_anchors : (string -> unit) -> unit = "ca_certs_iter_on_anchors" 53 56 ··· 99 102 | "OpenBSD" -> detect_one openbsd_location 100 103 | "Linux" -> detect_list linux_locations 101 104 | "Darwin" -> 102 - let cmd = 103 - Bos.Cmd.( 104 - v "security" % "find-certificate" % "-a" % "-p" 105 - % macos_keychain_location) 106 - in 107 - Bos.OS.Cmd.(run_out cmd |> out_string |> success) 105 + macos_keychain_locations 106 + |> List.map (fun path -> 107 + let cmd = 108 + Bos.Cmd.( 109 + v "security" % "find-certificate" % "-a" % "-p" % path) 110 + in 111 + Bos.OS.Cmd.(run_out cmd |> out_string |> success)) 112 + |> List.fold_left 113 + (fun acc cert -> 114 + match (cert, acc) with 115 + | Ok cert, Ok acc -> Ok (cert ^ "\n" ^ acc) 116 + | Ok cert, Error (`Msg msg) -> 117 + Log.warn (fun m -> 118 + m 119 + "ignoring error %s (got another set of \ 120 + certificates)" 121 + msg); 122 + Ok cert 123 + | Error e, Ok "" -> Error e 124 + | Error (`Msg msg), Ok x -> 125 + Log.warn (fun m -> 126 + m 127 + "ignoring error %s (already have another set of \ 128 + certificates)" 129 + msg); 130 + Ok x 131 + | Error e, Error (`Msg msg) -> 132 + Log.warn (fun m -> 133 + m "ignoring error %s (got another error)" msg); 134 + Error e) 135 + (Ok "") 136 + |> Result.map_error (function `Msg msg -> 137 + `Msg 138 + ("ca-certs: no trust anchor file found on macOS: " ^ msg 139 + ^ ".\n" ^ issue)) 108 140 | s -> Error (`Msg ("ca-certs: unknown system " ^ s ^ ".\n" ^ issue))) 109 141 110 142 let extra_trust_anchors () =
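Review bot: the fold's failure arm `Error e, Ok "" -> Error e` only fires while the accumulator is exactly `Ok ""`, but the success arm builds `Ok (cert ^ "\n" ^ acc)`, so a keychain whose `security find-certificate -a -p` run succeeds with empty output leaves the accumulator at `Ok "\n"`; an error on the other keychain is then swallowed by the `Error (`Msg msg), Ok x` arm and `Ok "\n"` is returned as a successful, empty trust set. Test emptiness after trimming rather than matching the literal `""`, and in the `Error e, Error (`Msg msg)` arm carry both messages into the returned error instead of logging one and dropping it, since the final `Result.map_error` only sees the last one. Two smaller points: `cert ^ "\n" ^ acc` prepends, so the `/Library/Keychains/System.keychain` certificates end up ahead of the system roots (harmless for a trust set, but a comment would help), and `find-certificate -a -p` exports every certificate in the keychain regardless of the trust settings recorded for it, so anything an administrator has placed in System.keychain now becomes a trust anchor where the removed code read only SystemRootCertificates.keychain; that widening should be stated in the docstring for the Darwin branch.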