Merge pull request #816 from Rinzwind/squeakssl-macos-certname

Extend macOS implementation of SqueakSSL plugin to support setting a certificate on the SSL session context
pharo-project · Jun 28, 2024 · 273ac6a · 273ac6a
2 parents d417aeb + 28670bc
commit 273ac6a
Showing 1 changed file with 35 additions and 1 deletion.
diff --git a/extracted/plugins/SqueakSSL/src/osx/sqMacSSL.c b/extracted/plugins/SqueakSSL/src/osx/sqMacSSL.c
@@ -206,6 +206,40 @@ OSStatus sqSetupSSL(sqSSL* ssl, int isServer)
         }
     }
 
+    if (ssl->certName) {
+        CFStringRef certName = CFStringCreateWithCString(kCFAllocatorDefault, ssl->certName, kCFStringEncodingASCII);
+        if (certName == NULL)
+            return SQSSL_GENERIC_ERROR;
+        CFMutableDictionaryRef query = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+        if (query == NULL) {
+            CFRelease(certName);
+            return SQSSL_GENERIC_ERROR;
+        }
+        CFDictionarySetValue(query, kSecMatchLimit, kSecMatchLimitOne);
+        CFDictionarySetValue(query, kSecReturnRef, kCFBooleanTrue);
+        CFDictionarySetValue(query, kSecClass, kSecClassIdentity);
+        CFDictionarySetValue(query, kSecMatchSubjectWholeString, certName);
+        CFDictionarySetValue(query, kSecMatchValidOnDate, kCFNull);
+        CFRelease(certName);
+        SecIdentityRef identity;
+        status = SecItemCopyMatching(query, (CFTypeRef*) &identity);
+        CFRelease(query);
+        if (status != noErr) {
+            logStatus(status, status == errSecItemNotFound ? "SecItemCopyMatching had no results" : "SecItemCopyMatching failed");
+            return status;
+        }
+        CFArrayRef certs = CFArrayCreate(kCFAllocatorDefault, (const void **)&identity, 1, &kCFTypeArrayCallBacks);
+        CFRelease(identity);
+        if (certs == NULL)
+            return SQSSL_GENERIC_ERROR;
+        status = SSLSetCertificate(ssl->ctx, certs);
+        CFRelease(certs);
+        if (status != noErr) {
+            logStatus(status, "SSLSetCertificate failed");
+            return status;
+        }
+    }
+
     return status;
 }
 
@@ -626,7 +660,7 @@ sqInt sqAcceptSSL(sqInt handle, char* srcBuf, sqInt srcLen, char* dstBuf,
     }
     /* We are connected. Verify the cert. */
     ssl->state = SQSSL_CONNECTED;
-        return SQSSL_OK;
+    return ssl->outLen;
 }
 
 /* sqEncryptSSL: Encrypt data for SSL transmission.