
Add support for new Apple trust APIs with WOLFSSL_SYS_CA_CERTS#6869

Merged

dgarske merged 2 commits into wolfSSL:master from bigbrett:ios-ca-api, Oct 18, 2023

Conversation

@bigbrett
Contributor

@bigbrett bigbrett commented Oct 14, 2023

Overview

This PR adds support for the new Apple trust validation APIs when using the WOLFSSL_SYS_CA_CERTS option. It adds a new cert verification routine that uses Apple Security Framework APIs to verify peer certs against the system trust store. When this option is enabled, wolfSSL will first attempt to validate against loaded certificates (the current method), and if unsuccessful, invoke the new system validation routine to try and verify the peer.

Why?

Apple deprecated SecTrustSettingsCopyCertificates for all devices other than Macs, which prevents applications from obtaining certificates from the system trust store. Because we can't grab certs from the system anymore, we can't load them into wolfSSL, and therefore can't use wolfSSL's built-in certificate validation mechanisms.

How?

The new routine uses SecTrustEvaluateWithError() to evaluate the trust of peer certificates, based on the SSL trust policy.
See also:

API changes

This new feature is mostly backwards compatible with current API behavior: the user must enable the WOLFSSL_SYS_CA_CERTS option (--enable-sys-ca-certs) and call wolfSSL_CTX_load_system_CA_certs() for it to work.

The only external differences are:

  • An additional macro (WOLFSSL_APPLE_NATIVE_CERT_VALIDATION) was introduced to override the autoconf/CMake generated header file macros that gate this feature, making it easier for user_settings.h builds to utilize it (the user only needs to define one feature macro vs. defining three header detection macros)
  • Enabling the option when the required headers can't be found now results in a compile-time error, vs. the existing behavior, which silently disabled the feature without warning

Testing

  • Able to connect to websites using examples/client/client from mac laptop, when forcing new validation flow using WOLFSSL_APPLE_NATIVE_CERT_CHAIN_VALIDATION
  • Customer cURL app on iOS connects to major websites with this new feature, and can connect to a self-signed server only when the cert is added to the phone
  • make check tests all pass when this option is enabled, which includes cert validation for real TLS connections

Feedback Requested:

  • I would appreciate feedback on where/how I hooked into the cert validation flow in ProcessPeerCerts(). It works, but perhaps there is a better/cleaner way to do it. ProcessPeerCerts is 20k+ lines long, so it was tough to keep track of everything that is going on there. If how I've implemented it seems brittle or not robust, I'd like to change that before merging. Any feedback would be appreciated
  • Testing: If there are any additional tests I can add to increase confidence, I'd like to add before merging

Checklist

  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

@bigbrett
Contributor Author

Jenkins retest this please

@bigbrett bigbrett assigned bigbrett and wolfSSL-Bot and unassigned bigbrett Oct 16, 2023
@bigbrett bigbrett marked this pull request as ready for review October 17, 2023 14:40
@bigbrett bigbrett added the For This Release Release version 5.9.1 label Oct 17, 2023
Member

@dgarske dgarske left a comment

Approved and merging as-is. The only way to trigger the use case is the example/client --sys-ca-certs argument. Also my old macOS 11.7 supported the new method fine. We need to add WOLFSSL_APPLE_NATIVE_CERT_VALIDATION to the documentation. For testing I added two lines to suites.c and was able to see proper failure cases.

/* suites.c: append --sys-ca-certs to every test client's argument list */
static char sysCaCerts[] = "--sys-ca-certs";
cliArgs[cliArgsSz++] = sysCaCerts;

And built with: ./configure --enable-sys-ca-certs CFLAGS="-DWOLFSSL_APPLE_NATIVE_CERT_VALIDATION" && make

@dgarske dgarske merged commit 22ab217 into wolfSSL:master Oct 18, 2023