New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add SecTrustSettings bindings #82
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Isn't fail-open behavior of tls_trust_settings_for_certificate
concerning? I see it's inherited from macOS, but maybe the function could return None
if there are no explicit settings and leave it to the caller to do .unwrap_or(trust)?
Also, assert there are numerous system certs.
As it happens this is documented to return errSecItemNotFound for unknown certificates.
This can be done by the caller and it only makes sense in some contexts.
Thanks for the time you spent reviewing this. I think I've addressed all your comments in some remedial commits; let me know if you prefer these to be squashed. |
Great. Thank you! |
This allows a consuming crate to enumerate macos trusted certificates via
SecTrustSettingsCopyCertificates
, and then learn whether they're suitable for use in TLS viaSecTrustSettingsCopyTrustSettings
.I've done some manual testing of this by twiddling keychain trust settings and observing the results.
Sample calling code is here if you're interested: https://github.com/ctz/rustls-native-certs/blob/master/src/macos.rs