in src/main/java/org/jetbrains/nativecerts/mac/SecurityFrameworkUtil.java [73:158]
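/**
 * Enumerates the certificates of a macOS keychain domain and returns those that are trusted.
 *
 * <p>With {@code systemDomain == true} the search is restricted to the system root keychain
 * ({@code /System/Library/Keychains/SystemRootCertificates.keychain}); its certificates are
 * returned without a per-certificate trust evaluation. Otherwise the default keychain search
 * list is queried and every certificate must pass {@link #isTrustedRoot}: a certificate that
 * fails the evaluation, or whose evaluation throws, is excluded (fail closed) and logged.
 * A certificate that cannot be converted to {@link X509Certificate} is likewise skipped and logged.
 *
 * <p>All Core Foundation objects created here are released in the {@code finally} block.
 *
 * @param systemDomain {@code true} to read the system root keychain, {@code false} for the
 *                     default search list
 * @return the trusted certificates that could be parsed; an empty list when the query matched
 *         nothing
 * @throws IllegalStateException if the system keychain cannot be opened, the search list cannot
 *                               be created, or {@code SecItemCopyMatching} reports a failure
 */
public static List<X509Certificate> getTrustedCertificates(boolean systemDomain) {
    CFArrayRefByReference returnedCertArray = new CFArrayRefByReference();
    SecurityFramework.SecKeychainRefByReference keychain = new SecurityFramework.SecKeychainRefByReference();
    CoreFoundation.CFArrayRef searchDomainList = null;
    CoreFoundation.CFArrayRef certArray = null;
    CoreFoundation.CFDictionaryRef query = null;
    try {
        Map<CoreFoundation.CFTypeRef, CoreFoundation.CFTypeRef> map = new HashMap<>();
        map.put(SecurityFramework.kSecClass, SecurityFramework.kSecClassCertificate);
        map.put(SecurityFramework.kSecMatchLimit, SecurityFramework.kSecMatchLimitAll);
        map.put(SecurityFramework.kSecReturnRef, CoreFoundationExt.kCFBooleanTrue);
        if (systemDomain) {
            // `SecKeychainCopyDomainSearchList` doesn't return the keychain for the system domain,
            // so the system root keychain is opened explicitly and used as a one-element search list.
            SecurityFramework.OSStatus openRc = SecurityFramework.INSTANCE.SecKeychainOpen(
                    "/System/Library/Keychains/SystemRootCertificates.keychain", keychain);
            if (!SecurityFramework.OSStatus.errSecSuccess.equals(openRc)) {
                throw new IllegalStateException("Failed to read system keychain: " + openRc);
            }
            searchDomainList = CoreFoundation.INSTANCE.CFArrayCreate(
                    null, keychain.getPointer(), new CoreFoundation.CFIndex(1), null);
            // CFArrayCreate returns NULL on failure; a null value must not be handed to the query dictionary
            if (searchDomainList == null) {
                throw new IllegalStateException("Failed to create keychain search list for the system domain");
            }
            map.put(SecurityFramework.kSecMatchSearchList, searchDomainList);
        }
        query = CoreFoundationExtUtil.createDictionary(map);
        SecurityFramework.OSStatus rc = SecurityFramework.INSTANCE.SecItemCopyMatching(query, returnedCertArray);
        if (!SecurityFramework.OSStatus.errSecSuccess.equals(rc)) {
            // NOTE(review): Security.framework reports an empty match set as errSecItemNotFound rather
            // than errSecSuccess; if OSStatus models that value it should map to an empty list — confirm.
            throw new IllegalStateException("SecItemCopyMatching failed: " + rc);
        }
        certArray = returnedCertArray.getArray();
        if (certArray == null) {
            return Collections.emptyList();
        }
        // getCount() is a native call; the returned array does not change while we iterate it
        int count = certArray.getCount();
        List<X509Certificate> result = new ArrayList<>(count);
        for (int i = 0; i < count; i++) {
            SecurityFramework.SecCertificateRef secCertificateRef =
                    new SecurityFramework.SecCertificateRef(certArray.getValueAtIndex(i));
            // system domain certificates are implicitly trusted; everything else must pass the trust evaluation
            if (!systemDomain && !passesTrustEvaluation(secCertificateRef)) {
                continue;
            }
            try {
                result.add(getX509Certificate(secCertificateRef));
            } catch (Throwable parsingError) {
                // Throwable (not Exception) presumably so that errors raised by the native bridge
                // only drop this certificate instead of aborting the whole enumeration — confirm.
                String certificateDescription = CoreFoundationExtUtil.getDescription(secCertificateRef);
                LOGGER.warning(renderExceptionMessage("Unable to parse certificate '" + certificateDescription + "'", parsingError));
            }
        }
        return result;
    } finally {
        // release in reverse order of creation; each may be null if an earlier step failed
        if (query != null) {
            query.release();
        }
        if (certArray != null) {
            certArray.release();
        }
        if (searchDomainList != null) {
            searchDomainList.release();
        }
        SecurityFramework.SecKeychainRef secKeychainRef = keychain.getSecKeychainRef();
        if (secKeychainRef != null) {
            secKeychainRef.release();
        }
    }
}

/**
 * Evaluates one certificate against the trusted roots and logs the outcome.
 *
 * <p>An exception thrown by the evaluation is treated as "not trusted", so a broken or
 * unavailable trust check can never admit a certificate.
 *
 * @param secCertificateRef the certificate to evaluate; not released by this method
 * @return {@code true} only if {@link #isTrustedRoot} returned {@code true} without throwing
 */
private static boolean passesTrustEvaluation(SecurityFramework.SecCertificateRef secCertificateRef) {
    try {
        if (isTrustedRoot(secCertificateRef)) {
            return true;
        }
        String certificateDescription = CoreFoundationExtUtil.getDescription(secCertificateRef);
        LOGGER.fine("Certificate '" + certificateDescription + "' has failed to validate against trusted roots");
    } catch (Throwable validateException) {
        // Throwable (not Exception) presumably so that errors raised by the native bridge are
        // logged and the certificate skipped rather than aborting the enumeration — confirm.
        String certificateDescription = CoreFoundationExtUtil.getDescription(secCertificateRef);
        LOGGER.warning(renderExceptionMessage("Unable to check certificate '" + certificateDescription + "'", validateException));
    }
    return false;
}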