Patchwork [1,of,2,v2] osx: install dummy web.cacerts to enable use of system keychain

login
register
mail settings
Submitter Mads Kiilerich
Date Aug. 31, 2014, 8:25 a.m.
Message ID <7ae1fe0a0751e3e59705.1409473520@localhost.localdomain>
Download mbox | patch
Permalink /patch/5652/
State Accepted
Headers show

Comments

Mads Kiilerich - Aug. 31, 2014, 8:25 a.m.
# HG changeset patch
# User Mads Kiilerich <madski@unity3d.com>
# Date 1409473464 -7200
#      Sun Aug 31 10:24:24 2014 +0200
# Node ID 7ae1fe0a0751e3e5970574e472d1361f9593f5f5
# Parent  ca6d28307d6fd64a0ff9d9504b91f07b1601dc36
osx: install dummy web.cacerts to enable use of system keychain

On Mac OS X 10.6 and higher, OpenSSL (which is what Python and therefore
Mercurial use to implement their SSL support) will look in the system keychain.
Unfortunately, the SSL code in the Python core doesn't allow for this
situation---it always expects you to specify a certificate bundle, and if one
is specified if must contain at least one certificate.

The ship a pem file with a certificate the expired before it began so it can't
contain any backdoor.

Patch

diff --git a/contrib/macosx/dummycert.pem b/contrib/macosx/dummycert.pem
new file mode 100644
--- /dev/null
+++ b/contrib/macosx/dummycert.pem
@@ -0,0 +1,54 @@ 
+On Mac OS X 10.6 and higher, OpenSSL (which is what Python and therefore
+Mercurial use to implement their SSL support) will look in the system keychain.
+Unfortunately, the SSL code in the Python core doesn't allow for this
+situation---it always expects you to specify a certificate bundle, and if one
+is specified if must contain at least one certificate.
+
+cat > cn.conf << EOT
+[req]
+distinguished_name = req_distinguished_name
+
+[req_distinguished_name]
+commonName = Common Name
+commonName_default = no.example.com
+EOT
+
+openssl req -nodes -new -x509 -keyout /dev/null -out dummycert.pem -days -1 -config cn.conf -subj '/CN=hg.example.com'
+
+-----BEGIN CERTIFICATE-----
+MIIBIzCBzgIJANjmj39sb3FmMA0GCSqGSIb3DQEBBQUAMBkxFzAVBgNVBAMTDmhn
+LmV4YW1wbGUuY29tMB4XDTE0MDgzMDA4NDU1OVoXDTE0MDgyOTA4NDU1OVowGTEX
+MBUGA1UEAxMOaGcuZXhhbXBsZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA
+mh/ZySGlcq0ALNLmA1gZqt61HruywPrRk6WyrLJRgt+X7OP9FFlEfl2tzHfzqvmK
+CtSQoPINWOdAJMekBYFgKQIDAQABMA0GCSqGSIb3DQEBBQUAA0EAF9h49LkSqJ6a
+IlpogZuUHtihXeKZBsiktVIDlDccYsNy0RSh9XxUfhk+XMLw8jBlYvcltSXdJ7We
+aKdQRekuMQ==
+-----END CERTIFICATE-----
+
+openssl x509 -in dummycert.pem -noout -text
+
+Certificate:
+    Data:
+        Version: 1 (0x0)
+        Serial Number: 15629337334278746470 (0xd8e68f7f6c6f7166)
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: CN=hg.example.com
+        Validity
+            Not Before: Aug 30 08:45:59 2014 GMT
+            Not After : Aug 29 08:45:59 2014 GMT
+        Subject: CN=hg.example.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (512 bit)
+                Modulus:
+                    00:9a:1f:d9:c9:21:a5:72:ad:00:2c:d2:e6:03:58:
+                    19:aa:de:b5:1e:bb:b2:c0:fa:d1:93:a5:b2:ac:b2:
+                    51:82:df:97:ec:e3:fd:14:59:44:7e:5d:ad:cc:77:
+                    f3:aa:f9:8a:0a:d4:90:a0:f2:0d:58:e7:40:24:c7:
+                    a4:05:81:60:29
+                Exponent: 65537 (0x10001)
+    Signature Algorithm: sha1WithRSAEncryption
+         17:d8:78:f4:b9:12:a8:9e:9a:22:5a:68:81:9b:94:1e:d8:a1:
+         5d:e2:99:06:c8:a4:b5:52:03:94:37:1c:62:c3:72:d1:14:a1:
+         f5:7c:54:7e:19:3e:5c:c2:f0:f2:30:65:62:f7:25:b5:25:dd:
+         27:b5:9e:68:a7:50:45:e9:2e:31
diff --git a/contrib/macosx/dummycert.rc b/contrib/macosx/dummycert.rc
new file mode 100644
--- /dev/null
+++ b/contrib/macosx/dummycert.rc
@@ -0,0 +1,2 @@ 
+[web]
+cacerts = /etc/mercurial/hgrc.d/dummycert.pem
diff --git a/setup.py b/setup.py
--- a/setup.py
+++ b/setup.py
@@ -495,6 +495,11 @@  for root in ('templates',):
             packagedata['mercurial'].append(f)
 
 datafiles = []
+if sys.platform == 'darwin':
+    datafiles.append(
+        ('/etc/mercurial/hgrc.d', ['contrib/macosx/dummycert.rc',
+                                   'contrib/macosx/dummycert.pem']))
+
 setupversion = version
 extra = {}