WIP: Fix for MacOS 10.13 and older to use SecTrustEvaluate #156

34 changes: 34 additions & 0 deletions src/truststore/_macos.py
Expand Up @@ -431,7 +431,41 @@ def _verify_peercerts_impl(
# We always want system certificates.
Security.SecTrustSetAnchorCertificatesOnly(trust, False)

# if _mac_version_info <= (10, 13):
if 1 or _mac_version_info <= (10, 13):
sec_trust_result = Security.SecTrustResultType()
Security.SecTrustEvaluate(trust, ctypes.byref(sec_trust_result))

try:
sec_trust_result = int(sec_trust_result)
except (TypeError, ValueError):
sec_trust_result = -1
Comment on lines +439 to +442
@ThomasWaldmann ThomasWaldmann Sep 30, 2024

I tried the code on macOS 10.12 where I was encountering the pip issues and it almost worked. Thanks for working on this!

440 needs to get changed to use sec_trust_result.value, otherwise it will be -1 (due to except block).

For c_uint types, .value is documented to be int, so maybe that int() is not even needed if the result type is always c_uint. Please check, I am not familiar with that stuff.

After that change, pip install ... worked!

It looks like that might be the reason for the github CI failing.

Ping @illume - can you try the fix I suggested?

Suggested change
try:
sec_trust_result = int(sec_trust_result)
except (TypeError, ValueError):
sec_trust_result = -1
try:
sec_trust_result = int(sec_trust_result.value)
except (TypeError, ValueError):
sec_trust_result = -1


# See https://developer.apple.com/documentation/security/sectrustevaluate(_:_:)?language=objc
if sec_trust_result not in [1, 4]:
result_mapping = {
0: "Invalid trust result.",
1: "Trust evaluation succeeded.",
2: "Trust was explicitly denied.",
3: "Fatal trust failure occurred.",
4: "Trust result is unspecified (but trusted).",
5: "Recoverable trust failure occurred.",
6: "An unknown error occurred.",
7: "User confirmation required.",
}

error_message = result_mapping.get(
sec_trust_result, "Unknown trust result."
)
err = ssl.SSLCertVerificationError(error_message)
err.verify_message = error_message
err.verify_code = sec_trust_result
raise err

return

cf_error = CoreFoundation.CFErrorRef()
# See https://developer.apple.com/documentation/security/sectrustevaluatewitherror(_:_:)?language=objc
sec_trust_eval_result = Security.SecTrustEvaluateWithError(
trust, ctypes.byref(cf_error)
)
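Review bot: the condition `if 1 or _mac_version_info <= (10, 13):` forces the legacy `SecTrustEvaluate` branch on every macOS version, so the `SecTrustEvaluateWithError` call at the end of this hunk is unreachable until the `1 or` debugging override is removed; the commented-out line directly above it shows the intended condition, `if _mac_version_info <= (10, 13):`, which should be restored before this leaves WIP. Inside that branch, `int(sec_trust_result)` is applied to the ctypes instance that was just passed through `ctypes.byref`, not to its `.value`, so the `TypeError` handler sets `sec_trust_result = -1` on every evaluation, `-1` is never in `[1, 4]`, and every certificate is rejected with "Unknown trust result." (the thread above reaches the same conclusion); use `sec_trust_result.value`, and once that is done consider dropping the broad `except (TypeError, ValueError)` so a future type mismatch surfaces as a bug rather than being silently reported as a verification failure. The fail-closed shape of the branch is otherwise right: only results 1 ("Trust evaluation succeeded.") and 4 ("Trust result is unspecified (but trusted).") pass, and every other value, including one not in `result_mapping`, raises `SSLCertVerificationError` with `verify_code` set to the raw result.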