sudo required for MacOS

[aaronriekenberg]

If I call rustls_native_certs::load_native_certs() when running on MacOS Catalina as normal non-root user I get the following error:

Custom { kind: InvalidData, error: BadDER }

If I use sudo to run my rust app as root it works.

Took a look at the integration tests in this project and they are using sudo on MacOS: https://github.com/ctz/rustls-native-certs/blob/master/admin/pipelines/macos-tests.yml#L2

Seems like it should be possible to run rust apps using rustls on MacOS as a non-root user. This is definitely possible in other languages/frameworks using tls on MacOS.

[ctz]

Can you help debug this? I don't have a mac, and wrote this all blind using azure devops.

The tests use sudo because they call security add-trusted-cert which is a privileged operation.

[DoumanAsh]

Interestingly enough on Windows it fails regardless of privilage(this crate is probably only working on linux properly)

[ctz]

Please can you file a separate issue for any Windows-specific problems you are having. Note that the tests pass on Windows CI, so it is likely some difference between your site and Azure's configuration.

[yoshihitoh]

First, thank you for your great work!
Rustls helps me a lot to run Rust programs on AWS Lambda function.

Same error happened on my MBP too.

• macOS: 10.14.6 (Mojave)
• Rust: 1.41.0 (stable)
• rustls-native-certs : 0.3.0

Repro code:

use rustls_native_certs::load_native_certs;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    load_native_certs()
        .map_err(|(_, e)| format!("Error: {:?}", e))
        .expect("");
    Ok(())
}

Run normally:

$ cargo run
    Finished dev [unoptimized + debuginfo] target(s) in 0.02s
     Running `target/debug/rustls-repro`
thread 'main' panicked at ': "Error: Custom { kind: InvalidData, error: BadDER }"', src/libcore/result.rs:1188:5
stack backtrace:
   0:        0x108010c05 - backtrace::backtrace::libunwind::trace::h911c6edb13c01562
                               at /Users/runner/.cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.40/src/backtrace/libunwind.rs:88
   1:        0x108010c05 - backtrace::backtrace::trace_unsynchronized::h2ce2c7e527380081
                               at /Users/runner/.cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.40/src/backtrace/mod.rs:66
   2:        0x108010c05 - std::sys_common::backtrace::_print_fmt::h8353c21ebc85f8ce
                               at src/libstd/sys_common/backtrace.rs:84
   3:        0x108010c05 - <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt::h109831b4e69a3cdc
                               at src/libstd/sys_common/backtrace.rs:61
   4:        0x1080282a0 - core::fmt::ArgumentV1::show_usize::h2b639519b89008df
   5:        0x10800f3cb - std::io::Write::write_fmt::h32eef7193f012831
                               at src/libstd/io/mod.rs:1426
   6:        0x1080127d3 - std::sys_common::backtrace::_print::h46561fd8cd69dba1
                               at src/libstd/sys_common/backtrace.rs:65
   7:        0x1080127d3 - std::sys_common::backtrace::print::h784fbdd0629557ec
                               at src/libstd/sys_common/backtrace.rs:50
   8:        0x1080127d3 - std::panicking::default_hook::{{closure}}::hd11104060d683e7f
                               at src/libstd/panicking.rs:193
   9:        0x1080124da - std::panicking::default_hook::h3ac89e0bbec67847
                               at src/libstd/panicking.rs:210
  10:        0x108012dbb - std::panicking::rust_panic_with_hook::h497844b5b7d1708e
                               at src/libstd/panicking.rs:471
  11:        0x108012959 - rust_begin_unwind
                               at src/libstd/panicking.rs:375
  12:        0x10802b4bc - core::panicking::panic_fmt::h2877d31f4cece04d
                               at src/libcore/panicking.rs:84
  13:        0x10802b599 - core::result::unwrap_failed::h41045cf6a251332f
                               at src/libcore/result.rs:1188
  14:        0x107fcdf57 - core::result::Result<T,E>::expect::hc667f96806b829bf
                               at /rustc/5e1a799842ba6ed4a57e91f7ab9435947482f7d8/src/libcore/result.rs:983
  15:        0x107fcdc39 - rustls_repro::main::h3ea1b39f58567061
                               at src/main.rs:4
  16:        0x107fcd4c2 - std::rt::lang_start::{{closure}}::he2edb35cb1819746
                               at /rustc/5e1a799842ba6ed4a57e91f7ab9435947482f7d8/src/libstd/rt.rs:67
  17:        0x108012898 - std::rt::lang_start_internal::{{closure}}::h04f5bc1b8502155f
                               at src/libstd/rt.rs:52
  18:        0x108012898 - std::panicking::try::do_call::h77eb563f55a56484
                               at src/libstd/panicking.rs:292
  19:        0x1080142af - __rust_maybe_catch_panic
                               at src/libpanic_unwind/lib.rs:78
  20:        0x10801314e - std::panicking::try::h989c79f60ffdf02a
                               at src/libstd/panicking.rs:270
  21:        0x10801314e - std::panic::catch_unwind::hd3f56528916c87b0
                               at src/libstd/panic.rs:394
  22:        0x10801314e - std::rt::lang_start_internal::h3d261fac4b6382f2
                               at src/libstd/rt.rs:51
  23:        0x107fcd4a2 - std::rt::lang_start::hf9a9e04bf47ae319
                               at /rustc/5e1a799842ba6ed4a57e91f7ab9435947482f7d8/src/libstd/rt.rs:67
  24:        0x107fcdc82 - rustls_repro::main::h3ea1b39f58567061
$ 

Run with sudo:

$  sudo cargo run
Password:
    Finished dev [unoptimized + debuginfo] target(s) in 0.14s
     Running `target/debug/rustls-repro`
$ 

I tried to debug and found that error happens here.

• https://github.com/ctz/rustls-native-certs/blob/master/src/macos.rs#L69

On my MBP, der has 879 bytes and it appears when iterating Domain::User 's certificates.

• https://github.com/ctz/rustls-native-certs/blob/master/src/macos.rs#L43-L58

If I understand correctly, the root error raised in the webpki crate.

• https://github.com/briansmith/webpki/blob/master/src/trust_anchor_util.rs#L39-L47
  • parse_cert_internal returns Error::BadDER (input detects EOF)
  • parse_cert_v1 returns Error::BadDER (tag unmatch)

When removing Domain::User from the slice, it worked well even though I'm not sure it is okay to remove it.

[ctz]

That's very interesting, and the fact there's a user-level item that is invalid explains why sudo fixes it. Could you look in "keychain access" and see what this certificate actually is? I've checked on a friend's mac (running Catalina) and cargo test worked OK there and there were no user-level keychain certs.

Thanks a lot for helping debug this!

[yoshihitoh]

@ctz It is a login certificate. I have 3 certs, and 1 of them raises an error on adding the cert into a
RootCertStore.

This certificate uses the RSA-SHA-1 for signature algorithm. Remaining 2 certificates uses the RSA-SHA-256, and they could be handled correctly.

I checked behavior with below.

use rustls::RootCertStore;
use rustls_native_certs::load_native_certs;
use security_framework::os::macos::certificate::SecCertificateExt;
use security_framework::trust_settings::{Domain, TrustSettings};

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let ts = TrustSettings::new(Domain::User);
    let certs = ts.iter()?.collect::<Vec<_>>();
    println!("certs.len():{}", certs.len());

    let mut results = Vec::new();
    let mut store = RootCertStore::empty();
    for cert in certs {
        let der = cert.to_der();
        results.push((cert, store.add(&rustls::Certificate(der))));
    }

    for r in results {
        println!("{:?}", r);
    }

    Ok(())
}

result is

$ cargo run
certs.len():3
(SecCertificate { subject: "CERT-USING-SHA-1" }, Err(BadDER))
(SecCertificate { subject: "CERT-USING-SHA-256(1)" }, Ok(()))
(SecCertificate { subject: "CERT-USING-SHA-256(2)" }, Ok(()))

That's very interesting, and the fact there's a user-level item that is invalid explains why sudo fixes it.

I found why sudo fixes this. When executing TrustSettings::new(Domain::User).iter() with sudo, this iterator returns nothing, so it doesn't contain the certificate which will raise an error.

$ sudo cargo run
Password:
certs.len():0

[ctz]

Do you know where this certificate came from? I'd like to get a similar one for testing; albeit without any of your sensitive information inside.

[yoshihitoh]

I think I get this certificate at an airport, or maybe at a hotel.
This certificate does not contain my sensitive information!

FibergateInc.cer.zip

[brigand]

Also running into this. Combined with the inability to specify target-specific features on stable, I now have a native tls set of features for a dep on MacOS, and use sed to swap in Rustls for my MuslC builds on Linux. I would ideally use Rustls on both.

[ctz]

I believe this is fixed now by the API changes introduced in 0.2.0. That means that individual users of this crate can opt-in to "best effort" behaviour where certificates we cannot parse are omitted. hyper-rustls does this.