Find system-installed root SSL certificates on macOS

Author: FnControlOption

lib/std/crypto/Certificate/Bundle.zig

@@ -60,9 +60,7 @@ pub fn rescan(cb: *Bundle, gpa: Allocator) !void {
         .windows => {
             // TODO
         },
-        .macos => {
-            // TODO
-        },
+        .macos => return rescanMac(cb, gpa, .{}),
         else => {},
     }
 }
@@ -90,6 +88,51 @@ pub fn rescanLinux(cb: *Bundle, gpa: Allocator) !void {
     cb.bytes.shrinkAndFree(gpa, cb.bytes.items.len);
 }
 
+pub fn rescanMac(
+    cb: *Bundle,
+    gpa: Allocator,
+    options: struct { verbose: bool = false },
+) !void {
+    const argv = [_][]const u8{
+        "/usr/bin/security",
+        "find-certificate",
+        "-a",
+        "-p",
+        "/System/Library/Keychains/SystemRootCertificates.keychain",
+    };
+
+    const exec_result = std.ChildProcess.exec(.{
+        .allocator = gpa,
+        .argv = &argv,
+        .max_output_bytes = 1024 * 1024,
+    }) catch |err| switch (err) {
+        error.OutOfMemory => return error.OutOfMemory,
+        else => {
+            printVerboseInvocation(&argv, options.verbose, null);
+            return error.UnableToSpawnSecurity;
+        },
+    };
+    defer {
+        gpa.free(exec_result.stdout);
+        gpa.free(exec_result.stderr);
+    }
+    switch (exec_result.term) {
+        .Exited => |code| if (code != 0) {
+            printVerboseInvocation(&argv, options.verbose, exec_result.stderr);
+            return error.SecurityExitCode;
+        },
+        else => {
+            printVerboseInvocation(&argv, options.verbose, exec_result.stderr);
+            return error.SecurityCrashed;
+        },
+    }
+
+    const encoded_bytes = exec_result.stdout;
+    const decoded_size_upper_bound = encoded_bytes.len / 4 * 3;
+    try cb.bytes.ensureUnusedCapacity(gpa, decoded_size_upper_bound);
+    return addCertsFromBytes(cb, gpa, encoded_bytes);
+}
+
 pub fn addCertsFromFile(
     cb: *Bundle,
     gpa: Allocator,
@@ -112,7 +155,14 @@ pub fn addCertsFromFile(
     const buffer = cb.bytes.allocatedSlice()[end_reserved..];
     const end_index = try file.readAll(buffer);
     const encoded_bytes = buffer[0..end_index];
+    return addCertsFromBytes(cb, gpa, encoded_bytes);
+}
 
+pub fn addCertsFromBytes(
+    cb: *Bundle,
+    gpa: Allocator,
+    encoded_bytes: []const u8,
+) !void {
     const begin_marker = "-----BEGIN CERTIFICATE-----";
     const end_marker = "-----END CERTIFICATE-----";
 
@@ -132,10 +182,13 @@ pub fn addCertsFromFile(
         // the subject name, we pre-parse all of them to make sure and only
         // include in the bundle ones that we know will parse. This way we can
         // use `catch unreachable` later.
-        const parsed_cert = try Certificate.parse(.{
+        const parsed_cert = Certificate.parse(.{
             .buffer = cb.bytes.items,
             .index = decoded_start,
-        });
+        }) catch |err| switch (err) {
+            error.UnsupportedCertificateVersion => continue,
+            else => |e| return e,
+        };
         if (now_sec > parsed_cert.validity.not_after) {
             // Ignore expired cert.
             cb.bytes.items.len = decoded_start;
@@ -179,6 +232,24 @@ const MapContext = struct {
     }
 };
 
+fn printVerboseInvocation(
+    argv: []const []const u8,
+    verbose: bool,
+    stderr: ?[]const u8,
+) void {
+    if (!verbose) return;
+
+    std.debug.print("Zig attempted to find system-installed root SSL certificates by executing this command:\n", .{});
+    for (argv) |arg, i| {
+        if (i != 0) std.debug.print(" ", .{});
+        std.debug.print("{s}", .{arg});
+    }
+    std.debug.print("\n", .{});
+    if (stderr) |s| {
+        std.debug.print("Output:\n==========\n{s}\n==========\n", .{s});
+    }
+}
+
 test "scan for OS-provided certificates" {
     if (builtin.os.tag == .wasi) return error.SkipZigTest;