gnutls_x509_trust_list_add_system_trust: Add macOS keychain support
This patch also stops checking for a default_trust_store_file in configure when building on macOS (unless explicitly asked to with --with-default-trust-store-file=xxx), because otherwise it finds /etc/ssl/cert.pem: this file is new (since 10.12.2?), which means libraries built on the newest OS version wouldn't work the same way on older versions (and vice versa). /etc/ssl/cert.pem also doesn't seem to reflect additions and deletions from the user's or system's trusted roots keychain (in my limited testing).
I'm not super happy with the top of system/cert.c where I hacked around a clash between uint64 in the macOS APIs and the array defined in gnutls_int.h. The only other way I could think of was to rename the gnutls one (as it doesn't seem to be exported) to something else (gnutls_uint64 maybe?). But I went with the #define hack because it seemed less invasive. I'm open to better alternatives.
The bulk of the patch is fairly straightforward, with the gnutls calls cribbed from the windows variant.
-David