apple sectrust: add to features

It should be visible in the feature list that libcurl is build with Apple SecTrust enabled. Closes #19057
2026-01-18 17:21:26 +01:00 · 2025-10-14 12:13:24 +02:00
parent 79553fb7c6
commit c37ed9a11e
8 changed files with 30 additions and 9 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -767,6 +767,9 @@ endif()
 if(APPLE)
  option(USE_APPLE_SECTRUST "Use Apple OS-native certificate verification" OFF)
  if(USE_APPLE_SECTRUST)
+    if(NOT CURL_USE_OPENSSL AND NOT CURL_USE_GNUTLS)
+      message(FATAL_ERROR "Apple SecTrust is only supported with Openssl/GnuTLS")
+    endif()
    find_library(COREFOUNDATION_FRAMEWORK NAMES "Security")
    mark_as_advanced(COREFOUNDATION_FRAMEWORK)
    if(NOT COREFOUNDATION_FRAMEWORK)
@@ -2173,6 +2176,7 @@ curl_add_if("HTTPSRR"       _ssl_enabled AND USE_HTTPSRR)
 curl_add_if("PSL"           USE_LIBPSL)
 curl_add_if("CAcert"        CURL_CA_EMBED_SET)
 curl_add_if("SSLS-EXPORT"   _ssl_enabled AND USE_SSLS_EXPORT)
+curl_add_if("AppleSecTrust" USE_APPLE_SECTRUST AND _ssl_enabled AND (USE_OPENSSL OR USE_GNUTLS))
 if(_items)
  if(CMAKE_VERSION VERSION_GREATER_EQUAL 3.13)
    list(SORT _items CASE INSENSITIVE)
--- a/configure.ac
+++ b/configure.ac
@@ -5304,6 +5304,10 @@ if test "x$OPENSSL_ENABLED" = "x1" -o -n "$SSL_ENABLED"; then
  fi
 fi

+if test "x$APPLE_SECTRUST_ENABLED" = "x1"; then
+  SUPPORT_FEATURES="$SUPPORT_FEATURES AppleSecTrust"
+fi
+
 if test "x$want_httpsrr" != "xno"; then
  SUPPORT_FEATURES="$SUPPORT_FEATURES HTTPSRR"
 fi
--- a/docs/libcurl/curl_version_info.md
+++ b/docs/libcurl/curl_version_info.md
@@ -159,6 +159,13 @@ entry.

 HTTP Alt-Svc parsing and the associated options (Added in 7.64.1)

+## `AppleSecTrust`
+
+*features* mask bit: non-existent
+
+libcurl was built with support for Apple's SecTrust service to verify
+server certificates (Added in 8.17.0).
+
 ## `AsynchDNS`

 *features* mask bit: CURL_VERSION_ASYNCHDNS
--- a/lib/version.c
+++ b/lib/version.c
@@ -523,6 +523,9 @@ static const struct feat features_table[] = {
 #ifdef USE_LIBPSL
  FEATURE("PSL",         NULL,                CURL_VERSION_PSL),
 #endif
+#ifdef USE_APPLE_SECTRUST
+  FEATURE("AppleSecTrust", NULL,              0),
+#endif
 #ifdef USE_SPNEGO
  FEATURE("SPNEGO",      NULL,                CURL_VERSION_SPNEGO),
 #endif
--- a/lib/vtls/apple.c
+++ b/lib/vtls/apple.c
@@ -46,16 +46,16 @@
 #include "vtls.h"
 #include "apple.h"

-#if defined(USE_SSL) && defined(USE_APPLE_SECTRUST)
+#ifdef USE_APPLE_SECTRUST
 #include <Security/Security.h>
-#endif /* USE_SSL && USE_APPLE_SECTRUST */
+#endif

 /* The last #include files should be: */
 #include "../curl_memory.h"
 #include "../memdebug.h"


-#if defined(USE_SSL) && defined(USE_APPLE_SECTRUST)
+#ifdef USE_APPLE_SECTRUST
 #define SSL_SYSTEM_VERIFIER

 #if (defined(MAC_OS_X_VERSION_MAX_ALLOWED)      \
@@ -294,4 +294,4 @@ out:
  return result;
 }

-#endif /* USE_SSL && USE_APPLE_SECTRUST */
+#endif /* USE_APPLE_SECTRUST */
--- a/lib/vtls/apple.h
+++ b/lib/vtls/apple.h
@@ -26,7 +26,7 @@

 #include "../curl_setup.h"

-#if defined(USE_SSL) && defined(USE_APPLE_SECTRUST)
+#ifdef USE_APPLE_SECTRUST
 struct Curl_cfilter;
 struct Curl_easy;
 struct ssl_peer;
@@ -50,6 +50,6 @@ CURLcode Curl_vtls_apple_verify(struct Curl_cfilter *cf,
                                void *cb_user_data,
                                const unsigned char *ocsp_buf,
                                size_t ocsp_len);
-#endif /* USE_SSL && USE_APPLE_SECTRUST */
+#endif /* USE_APPLE_SECTRUST */

 #endif /* HEADER_CURL_VTLS_APPLE_H */
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -80,7 +80,7 @@

 #ifdef USE_APPLE_SECTRUST
 #include <Security/Security.h>
-#endif /* USE_APPLE_SECTRUST */
+#endif

 /* The last #include files should be: */
 #include "../curl_memory.h"
--- a/m4/curl-apple-sectrust.m4
+++ b/m4/curl-apple-sectrust.m4
@@ -41,7 +41,10 @@ if test "x$OPT_APPLE_SECTRUST" = xyes; then
  ],[
    build_for_apple="no"
  ])
-  if test "x$build_for_apple" != "xno"; then
+  if test "x$build_for_apple" == "xno"; then
+    AC_MSG_ERROR([Apple SecTrust can only be enabled for Apple OS targets])
+  fi
+  if test "x$OPENSSL_ENABLED" == "x1" -o "x$GNUTLS_ENABLED" == "x1"; then
    AC_MSG_RESULT(yes)
    AC_DEFINE(USE_APPLE_SECTRUST, 1, [enable Apple OS certificate validation])
    APPLE_SECTRUST_ENABLED=1
@@ -49,7 +52,7 @@ if test "x$OPT_APPLE_SECTRUST" = xyes; then
    LDFLAGS="$LDFLAGS $APPLE_SECTRUST_LDFLAGS"
    LDFLAGSPC="$LDFLAGSPC $APPLE_SECTRUST_LDFLAGS"
  else
-    AC_MSG_RESULT(no)
+    AC_MSG_ERROR([Apple SecTrust is only supported for OpenSSL/GnuTLS builds])
  fi
 else
  AC_MSG_RESULT(no)