third_party/rust_crates/vendor/rustls-native-certs-0.5.0/src/macos.rs - fuchsia - Git at Google

 use security_framework::trust_settings::{
     Domain,
     TrustSettings,
     TrustSettingsForCertificate
 };
 use std::io::{Error, ErrorKind};
 use std::collections::HashMap;

 use crate::RootStoreBuilder;

 pub fn build_native_certs<B: RootStoreBuilder>(builder: &mut B) -> Result<(), Error> {
     // The various domains are designed to interact like this:
     //
     // "Per-user Trust Settings override locally administered
     //  Trust Settings, which in turn override the System Trust
     //  Settings."
     //
     // So we collect the certificates in this order; as a map of
     // their DER encoding to what we'll do with them.  We don't
     // overwrite existing elements, which mean User settings
     // trump Admin trump System, as desired.

     let mut all_certs = HashMap::new();

     for domain in &[Domain::User, Domain::Admin, Domain::System] {
         let ts = TrustSettings::new(*domain);
         let iter = ts.iter()
             .map_err(|err| Error::new(ErrorKind::Other, err))?;

         for cert in iter {
             let der = cert.to_der();

             // If there are no specific trust settings, the default
             // is to trust the certificate as a root cert.  Weird API but OK.
             // The docs say:
             //
             // "Note that an empty Trust Settings array means "always trust this cert,
             //  with a resulting kSecTrustSettingsResult of kSecTrustSettingsResultTrustRoot".
             let trusted = ts.tls_trust_settings_for_certificate(&cert)
                 .map_err(|err| Error::new(ErrorKind::Other, err))?
                 .unwrap_or(TrustSettingsForCertificate::TrustRoot);

             all_certs.entry(der)
                 .or_insert(trusted);
         }
     }

     let mut first_error = None;

     // Now we have all the certificates and an idea of whether
     // to use them.
     for (der, trusted) in all_certs.drain() {
         match trusted {
             TrustSettingsForCertificate::TrustRoot |
                 TrustSettingsForCertificate::TrustAsRoot => {
                 match builder.load_der(der) {
                     Err(err) => {
                         first_error = first_error
                             .or_else(|| Some(Error::new(ErrorKind::InvalidData, err)));
                     }
                     _ => {}
                 };
             },
             _ => {} // discard
         }
     }

     if let Some(err) = first_error {
         Err(err)
     } else {
         Ok(())
     }
 }
	use security_framework::trust_settings::{
	Domain,
	TrustSettings,
	TrustSettingsForCertificate
	};
	use std::io::{Error, ErrorKind};
	use std::collections::HashMap;

	use crate::RootStoreBuilder;

	pub fn build_native_certs<B: RootStoreBuilder>(builder: &mut B) -> Result<(), Error> {
	// The various domains are designed to interact like this:
	//
	// "Per-user Trust Settings override locally administered
	// Trust Settings, which in turn override the System Trust
	// Settings."
	//
	// So we collect the certificates in this order; as a map of
	// their DER encoding to what we'll do with them. We don't
	// overwrite existing elements, which mean User settings
	// trump Admin trump System, as desired.

	let mut all_certs = HashMap::new();

	for domain in &[Domain::User, Domain::Admin, Domain::System] {
	let ts = TrustSettings::new(*domain);
	let iter = ts.iter()
	.map_err(\|err\| Error::new(ErrorKind::Other, err))?;

	for cert in iter {
	let der = cert.to_der();

	// If there are no specific trust settings, the default
	// is to trust the certificate as a root cert. Weird API but OK.
	// The docs say:
	//
	// "Note that an empty Trust Settings array means "always trust this cert,
	// with a resulting kSecTrustSettingsResult of kSecTrustSettingsResultTrustRoot".
	let trusted = ts.tls_trust_settings_for_certificate(&cert)
	.map_err(\|err\| Error::new(ErrorKind::Other, err))?
	.unwrap_or(TrustSettingsForCertificate::TrustRoot);

	all_certs.entry(der)
	.or_insert(trusted);
	}
	}

	let mut first_error = None;

	// Now we have all the certificates and an idea of whether
	// to use them.
	for (der, trusted) in all_certs.drain() {
	match trusted {
	TrustSettingsForCertificate::TrustRoot \|
	TrustSettingsForCertificate::TrustAsRoot => {
	match builder.load_der(der) {
	Err(err) => {
	first_error = first_error
	.or_else(\|\| Some(Error::new(ErrorKind::InvalidData, err)));
	}
	_ => {}
	};
	},
	_ => {} // discard
	}
	}

	if let Some(err) = first_error {
	Err(err)
	} else {
	Ok(())
	}
	}