Don't import client certificates into Keychain on macOS. #2085
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
It's very strange why there was no travis build for this PR! @refnum, would you mind for example rebasing this commit and force-push it to see if it can trigger a correct travis build then? The travis job builds and tests the PR with many different setups and helps making sure it is good! |
refnum
force-pushed
the
feral/darwin_immutable_keychain
branch
from
d7c0414
to
2296b23
Compare
|
Done; it seems to be doing an AppVeyor build (7.50.0.6191) rather than Travis? |
nickzman
approved these changes
Nov 25, 2017
|
Thanks! |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
SecPKCS12Import is used to import a PKCS12 certificate on Darwin, generating a SecIdentityRef that can pass the certificate into Secure Transport.
On iOS SecPKCS12Import never stores the imported certificate into the Keychain. However on macOS this API will always store the imported certificate into the user's Keychain.
As this does not match iOS, and applications may not want to see their client certificate saved into the user's Keychain, the SecItemImport API can be used to obtain a SecIdentityRef without changing the Keychain.
SecItemImport is only available from 10.7 onwards, however this code was already wrapped in a CURL_BUILD_MAC_10_7 test and on macOS the replacement API is available on the same systems that SecPKCS12Import was.