curl-library

Re: curl importing certs into mac keystore?

From: Nick Zitzmann <nick_at_chronosnet.com>
Date: Sun, 8 Nov 2015 12:28:52 -0600

> On Nov 3, 2015, at 6:14 AM, Daniel Stenberg <daniel_at_haxx.se> wrote:
>
> I fell over this tweet just a while ago and it seems curl does something unexpected here or at the very least undocumented:
>
> "invoking curl --cert ./smthng.p12 on OSX stores cert and key(!) in your
> Keychain for later use in i.e. Safari." [1]
>
> Is this intended? If not, we should fix it. If it is, we should document it.

I checked this, and yes, as of OS X 10.11, importing a P12 identity using curl does cause it to get written to the Keychain. However...

1. We aren't doing this intentionally; the Security framework must be doing this when either importing the P12 file using SecPKCS12Import() or setting the identity in the context using SSLSetCertificate().

2. This isn't a security hole, since the user's Keychain is a protected area, and someone can't just come along and read the private key without authentication.

Want me to document it?

Nick Zitzmann
<http://www.chronosnet.com/>
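The reply above says the identity ends up in the Keychain as a side effect of the Security framework, and that the Keychain is the protection boundary. A practitioner reading this would want a way to confirm on their own machine whether a given `curl --cert file.p12` run added anything to the Keychain. The script below is an added example, not code from the thread or from the curl project: it snapshots `security find-identity -v` before and after one curl request and reports identities that appeared. It assumes the macOS `security` CLI's listing format (`  N) <40-hex SHA-1> "name"`); the parsing helper is plain POSIX sh and is exercised here with constructed sample listings, so that part runs on any system. The hashes and names in the samples are made up.

```shell
#!/bin/sh
# Added example (not from the curl-library thread): detect whether running
# `curl --cert file.p12` left a new identity in the Keychain by comparing
# `security find-identity -v` output taken before and after the request.
# Assumption: macOS `security` prints identity lines as
#   N) <40 hex chars> "Common Name"
# followed by a "... valid identities found" summary line.

# identity_hashes: read a find-identity listing on stdin, print the SHA-1
# hash of every identity line, one per line, sorted (comm needs sorted input).
identity_hashes() {
    sed -n 's/^ *[0-9][0-9]*) \([0-9A-Fa-f]\{40\}\) .*$/\1/p' | sort
}

# new_identities BEFORE_FILE AFTER_FILE: hashes present only in AFTER_FILE.
new_identities() {
    comm -13 "$1" "$2"
}

# Constructed sample listings for an offline dry run (not real output).
SAMPLE_BEFORE='  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Existing Identity"
     1 valid identities found'
SAMPLE_AFTER='  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Existing Identity"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "smthng client cert"
     2 valid identities found'

# check_sample: run the comparison on the constructed listings, print the
# hashes that appeared, and return 0 only if exactly one new identity is found.
check_sample() {
    before=$(mktemp); after=$(mktemp)
    printf '%s\n' "$SAMPLE_BEFORE" | identity_hashes > "$before"
    printf '%s\n' "$SAMPLE_AFTER"  | identity_hashes > "$after"
    new_identities "$before" "$after"
    n=$(new_identities "$before" "$after" | wc -l | tr -d ' ')
    rm -f "$before" "$after"
    [ "$n" -eq 1 ]
}

# live_check P12_FILE URL: real usage on macOS. Snapshot the Keychain, make
# one request with the P12 identity, then list anything newly imported.
live_check() {
    before=$(mktemp); after=$(mktemp)
    security find-identity -v | identity_hashes > "$before"
    curl --silent --output /dev/null --cert "$1" "$2"
    security find-identity -v | identity_hashes > "$after"
    echo "identities added to the Keychain by this curl run:"
    new_identities "$before" "$after"
    rm -f "$before" "$after"
}
```

On a Mac, `live_check ./smthng.p12 https://example.invalid/` (placeholder URL) prints the SHA-1 of any identity that was not in the Keychain before the request; an empty list means the import described in the thread did not happen on that curl build. Comparing hashes rather than names avoids false positives from two identities sharing a common name.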

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-11-08