leverage objective C APIs on macos to install the SSL certificate

Author: umbynos

certificates/certificates.go

@@ -30,8 +30,6 @@ import (
 	"math/big"
 	"net"
 	"os"
-	"os/exec"
-	"runtime"
 	"strings"
 	"text/template"
 	"time"
@@ -274,33 +272,6 @@ func GenerateCertificates(certsDir *paths.Path) {
 	}
 }
 
-// InstallCertificates will install the certificates in the system keychain
-func InstallCertificates(certsDir *paths.Path) {
-	switch runtime.GOOS {
-	case "darwin":
-		command := fmt.Sprintf(`tell application "Terminal"
-reopen
-activate
-delay 1
-do script "sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain %s/ca.cert.pem; echo '\\nYou can now close this window.\\n\\n' ; exit" in front window
-end tell`, certsDir.String())
-		log.Info("osascript", "-e", command)
-		stdoutStderr, err := exec.Command("osascript", "-e", command).CombinedOutput()
-		if err != nil {
-			log.Errorf("cannot install certificate in the system keychain: %s", err)
-		}
-		log.Infof("stdout: %s", stdoutStderr)
-	case "windows":
-		stdoutStderr, err := exec.Command("certmgr.exe", "-add", certsDir.String()+`/ca.cert.cer`, "-s", "-r", "currentUser", "root").CombinedOutput()
-		if err != nil {
-			log.Errorf("cannot install certificate in the system keychain: %s", err)
-		}
-		log.Infof("stdout: %s", stdoutStderr)
-	default:
-		log.Infof("cannot install certificate: OS not supported")
-	}
-}
-
 // CertHandler will expone the certificate (we do not know why this was required)
 func CertHandler(c *gin.Context) {
 	if strings.Contains(c.Request.UserAgent(), "Firefox") {

certificates/install_darwin.go

@@ -0,0 +1,69 @@
+// Copyright 2023 Arduino SA
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published
+// by the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package certificates
+
+//inspired by https://stackoverflow.com/questions/12798950/ios-install-ssl-certificate-programmatically
+
+/*
+#cgo CFLAGS: -x objective-c
+#cgo LDFLAGS: -framework Cocoa
+#import <Cocoa/Cocoa.h>
+
+void installCert(const char *path) {
+    NSURL *url = [NSURL fileURLWithPath:@(path) isDirectory:NO];
+    NSData *rootCertData = [NSData dataWithContentsOfURL:url];
+
+    OSStatus err = noErr;
+    SecCertificateRef rootCert = SecCertificateCreateWithData(kCFAllocatorDefault, (CFDataRef) rootCertData);
+
+    CFTypeRef result;
+
+    NSDictionary* dict = [NSDictionary dictionaryWithObjectsAndKeys:
+    (id)kSecClassCertificate, kSecClass,
+    rootCert, kSecValueRef,
+    nil];
+
+    err = SecItemAdd((CFDictionaryRef)dict, &result);
+
+    if( err == noErr) {
+        NSLog(@"Install root certificate success");
+    } else if( err == errSecDuplicateItem ) {
+        NSLog(@"duplicate root certificate entry");
+    } else {
+        NSLog(@"install root certificate failure");
+    }
+
+    NSDictionary *newTrustSettings = @{(id)kSecTrustSettingsResult: [NSNumber numberWithInt:kSecTrustSettingsResultTrustRoot]};
+    err = SecTrustSettingsSetTrustSettings(rootCert, kSecTrustSettingsDomainUser, (__bridge CFTypeRef)(newTrustSettings));
+    if (err != errSecSuccess) {
+        NSLog(@"Could not change the trust setting for a certificate. Error: %d", err);
+        exit(0);
+    }
+}
+
+*/
+import "C"
+import (
+	log "github.com/sirupsen/logrus"
+
+	"github.com/arduino/go-paths-helper"
+)
+
+// InstallCertificates will install the certificates in the system keychain on macos
+func InstallCertificate(cert *paths.Path) {
+	log.Infof("Installing certificate: %s", cert)
+	C.installCert(C.CString(cert.String()))
+}

certificates/install_default.go

@@ -0,0 +1,29 @@
+// Copyright 2023 Arduino SA
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published
+// by the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+//go:build !darwin
+
+package certificates
+
+import (
+	log "github.com/sirupsen/logrus"
+
+	"github.com/arduino/go-paths-helper"
+)
+
+// InstallCertificates won't do anything on unsupported Operative Systems
+func InstallCertificate(cert *paths.Path) {
+	log.Warn("platform not supported for the certificate install")
+}

systray/systray_real.go

@@ -90,7 +90,7 @@ func (s *Systray) start() {
 				s.updateMenuItem(mRmCrashes, config.LogsIsEmpty())
 			case <-mGenCerts.ClickedCh:
 				cert.GenerateCertificates(config.GetCertificatesDir())
-				cert.InstallCertificates(config.GetCertificatesDir())
+				cert.InstallCertificate(config.GetCertificatesDir().Join("ca.cert.cer"))
 				s.Restart()
 			case <-mPause.ClickedCh:
 				s.Pause()