File 5241-Load-certificates-from-systems-keychain-on-darwin.patch of Package erlang

From dcc396abd3e24fc2b74c4216cee9038de1cd75b7 Mon Sep 17 00:00:00 2001
From: Bryan Paxton <bryan@starbelly.io>
Date: Sun, 22 Sep 2024 09:16:54 -0500
Subject: [PATCH 1/2] Load certificates from systems keychain on darwin

The system's root keychain contains well-known root certificates,
yet is non-modifiable. As such, internal CA certificates (both root
and intermediate) tend to get installed into the system's keychain
in the context of a private organization. Not loading certs
from this keychain results in differing behavior from other tools
(e.g., openssl, curl, etc.). This commit changes that so that
ssl in conjunction with public key just works in such environments.
---
 lib/public_key/src/pubkey_os_cacerts.erl | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/lib/public_key/src/pubkey_os_cacerts.erl b/lib/public_key/src/pubkey_os_cacerts.erl
index 6fa5fdb9a6..e21681e03f 100644
--- a/lib/public_key/src/pubkey_os_cacerts.erl
+++ b/lib/public_key/src/pubkey_os_cacerts.erl
@@ -171,11 +171,25 @@ load_win32() ->
     store(lists:foldl(Dec, [], os_cacerts())).
 
 load_darwin() ->
+    SystemRootsKeyChainFile = "/System/Library/Keychains/SystemRootCertificates.keychain",
+    case get_darwin_certs(SystemRootsKeyChainFile) of
+         {ok, Bin1} ->
+            SystemKeyChainFile = "/Library/Keychains/System.keychain",
+            case get_darwin_certs(SystemKeyChainFile) of
+                 {ok, Bin2} ->
+                    decode_result(<<Bin1/binary, Bin2/binary>>);
+                  Err ->
+                    Err
+             end;
+          Err ->
+            Err
+    end.
+
+get_darwin_certs(KeyChainFile) ->
     %% Could/should probably be re-written to use Keychain Access API
-    KeyChainFile = "/System/Library/Keychains/SystemRootCertificates.keychain",
     Args = ["export", "-t",  "certs", "-f", "pemseq", "-k", KeyChainFile],
     try run_cmd("/usr/bin/security", Args) of
-        {ok, Bin} -> decode_result(Bin);
+        {ok, _} = Res -> Res;
         Err -> Err
     catch error:Reason ->
             {error, {eopnotsupp, Reason}}
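Review bot: Everything exported from `/Library/Keychains/System.keychain` is concatenated with the system roots and passed to `decode_result/1` in `load_darwin/0`, so every certificate in that keychain ends up in the CA store. As far as I can tell `security export -t certs` does not evaluate the keychain's trust settings, so leaf or identity certificates, and entries an administrator never marked as trusted, would presumably be loaded alongside real CAs. At minimum this deserves a comment above the second lookup, e.g. `%% NOTE: all certs in System.keychain are loaded as trust anchors; per-certificate trust settings are not evaluated`. Filtering the decoded set to CA certificates would be the stricter follow-up. Separately, the inner `Err -> Err` throws away the system roots already read into `Bin1` when only the System.keychain export fails; `_ -> decode_result(Bin1)` would keep the previous behaviour in that case. The `try` in `get_darwin_certs/1` closes outside this hunk.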
-- 
2.43.0
