> On Nov 3, 2015, at 6:14 AM, Daniel Stenberg <[email protected]> wrote:
> 
> I fell over this tweet just a while ago and it seems curl does something 
> unexpected here or at the very least undocumented:
> 
> "invoking curl --cert ./smthng.p12 on OSX stores cert and key(!) in your
>  Keychain for later use in i.e. Safari." [1]
> 
> Is this intended? If not, we should fix it. If it is, we should document it.

I checked this, and yes, as of OS X 10.11, importing a P12 identity using curl 
does cause it to get written to the Keychain. However...

1. We aren't doing this intentionally; the Security framework must be doing 
this when either importing the P12 file using SecPKCS12Import() or setting the 
identity in the context using SSLSetCertificate().

2. This isn't a security hole, since the user's Keychain is a protected area, 
and someone can't just come along and read the private key without 
authentication.

Want me to document it?

Nick Zitzmann
<http://www.chronosnet.com/>

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html