tls: macos_load_system_certificates using security framework.

Load certificates from SecTrustSettingsCopyCertificates using the security framework to avoid relying on local certificates. Signed-off-by: Jorge Niedbalski <[email protected]>
fluent · Oct 25, 2024 · d385940 · d385940
1 parent ee5aa24
commit d385940
Show file tree

Hide file tree

Showing 2 changed files with 90 additions and 1 deletion.
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
@@ -284,6 +284,7 @@ if(FLB_SYSTEM_MACOS)
     ${FLB_DEPS}
     "-framework Foundation"
     "-framework IOKit"
+    "-framework Security"
     )
 endif()
 

diff --git a/src/tls/openssl.c b/src/tls/openssl.c
@@ -27,6 +27,12 @@
 #include <openssl/opensslv.h>
 #include <openssl/x509v3.h>
 
+#ifdef FLB_SYSTEM_MACOS
+#include <Security/Security.h>
+#include <CoreFoundation/CoreFoundation.h>
+#include <unistd.h>
+#endif
+
 #ifdef FLB_SYSTEM_WINDOWS
     #define strtok_r(str, delimiter, context) \
             strtok_s(str, delimiter, context)
@@ -308,7 +314,85 @@ static int windows_load_system_certificates(struct tls_context *ctx)
     flb_debug("[tls] successfully loaded certificates from windows system store.");
     return 0;
 }
+#endif
+
+#ifdef __APPLE__
+/* macOS-specific system certificate loading */
+static int macos_load_system_certificates(struct tls_context *ctx)
+{
+    CFArrayRef certs = NULL;
+    OSStatus status = SecTrustSettingsCopyCertificates(kSecTrustSettingsDomainSystem, &certs);
+
+    if (status != errSecSuccess || !certs) {
+        flb_error("[tls] failed to load system certificates from keychain, status: %d", status);
+        return -1;
+    }
+
+    flb_debug("[tls] attempting to load macos keychain system certificates");
+
+    int loaded_cert_count = 0;
+
+    /* Create a new X509_STORE to hold trusted CAs */
+    X509_STORE *store = SSL_CTX_get_cert_store(ctx->ctx);
+    if (!store) {
+        flb_error("[tls] failed to get certificate store from SSL context");
+        CFRelease(certs);
+        return -1;
+    }
+
+    /* Load certificates into the X509 store */
+    for (CFIndex i = 0; i < CFArrayGetCount(certs); i++) {
+        SecCertificateRef cert = (SecCertificateRef) CFArrayGetValueAtIndex(certs, i);
+        if (!cert) {
+            flb_trace("[tls] invalid certificate reference at index %ld, skipping", i);
+            continue;
+        }
+
+        CFDataRef certData = SecCertificateCopyData(cert);
+        if (!certData) {
+            flb_trace("[tls] failed to retrieve data for certificate %ld from keychain, skipping", i);
+            continue;
+        }
 
+        const unsigned char *data = CFDataGetBytePtr(certData);
+        X509 *x509 = d2i_X509(NULL, &data, CFDataGetLength(certData));
+        CFRelease(certData);
+
+        if (!x509) {
+            flb_trace("[tls] failed to parse certificate %ld from keychain, skipping", i);
+            ERR_print_errors_fp(stderr);
+            continue;
+        }
+
+        char *subject = X509_NAME_oneline(X509_get_subject_name(x509), NULL, 0);
+        char *issuer = X509_NAME_oneline(X509_get_issuer_name(x509), NULL, 0);
+        if (subject && issuer) {
+            flb_debug("[tls] certificate %ld details - subject: %s, issuer: %s", i, subject, issuer);
+        }
+
+        /* Add the certificate to the trusted store */
+        if (X509_STORE_add_cert(store, x509) == 1) {
+            loaded_cert_count++;
+            flb_debug("[tls] successfully loaded and added certificate %ld to trusted store", i);
+        } else {
+            unsigned long err = ERR_get_error();
+            if (ERR_GET_REASON(err) == X509_R_CERT_ALREADY_IN_HASH_TABLE) {
+                flb_debug("[tls] certificate %ld already exists in the trusted store (duplicate)", i);
+            } else {
+                flb_debug("[tls] failed to add certificate %ld to trusted store, error code: %lu", i, err);
+                ERR_print_errors_fp(stderr);
+            }
+        }
+
+        if (subject) OPENSSL_free(subject);
+        if (issuer) OPENSSL_free(issuer);
+        X509_free(x509);
+    }
+
+    CFRelease(certs);
+    flb_debug("[tls] finished loading keychain certificates, total loaded: %d", loaded_cert_count);
+    return 0;
+}
 #endif
 
 static int load_system_certificates(struct tls_context *ctx)
@@ -319,7 +403,9 @@ static int load_system_certificates(struct tls_context *ctx)
     /* For Windows use specific API to read the certs store */
 #ifdef _MSC_VER
     return windows_load_system_certificates(ctx);
-#endif
+#elif defined(__APPLE__)
+    return macos_load_system_certificates(ctx);
+#else
     if (access(ca_file, R_OK) != 0) {
         ca_file = NULL;
     }
@@ -330,8 +416,10 @@ static int load_system_certificates(struct tls_context *ctx)
         ERR_print_errors_fp(stderr);
     }
     return 0;
+#endif
 }
 
+
 static void *tls_context_create(int verify,
                                 int debug,
                                 int mode,