macOS: Custom chains that include intermediate certificates do not work

[timja]

Hi

In our enterprise setup we have a MiTM setup on most URLs using ZScaler (although some are bypassed).

We have a setup:

Root -> Intermediate 1 -> Intermediate 2 -> Re-signed leaf.

This doesn't work in IntelliJ and JetBrains toolbox.

I tracked down a similar bug in the JDK and created a PR for it here: openjdk/jdk#22911

---

See the documentation for: SecTrustSettingsCopyTrustSettings(::_:)

Specifically:

However, an empty trust settings array isn’t the same as no trust settings, where the trustSettings parameter returns NULL. No trust-settings array means “this certificate must be verifiable using a known trusted certificate”.

This is incorrectly implemented at

jvm-native-trusted-roots/src/main/java/org/jetbrains/nativecerts/mac/SecurityFrameworkUtil.java

Line 122 in 02023e5

if (SecurityFramework.OSStatus.errSecItemNotFound.equals(rc) || trustedSettingsArray == null) {

by returning false when null.

---

I plan to provide a PR for this

[lj-replicate]

Related issue: https://youtrack.jetbrains.com/issue/IJPL-1027/Import-consider-intermediate-CAs-from-system-trust-store