On Sun, 8 Nov 2015, Nick Zitzmann wrote:
> I checked this, and yes, as of OS X 10.11, importing a P12 identity using
> curl does cause it to get written to the Keychain. However...
>
> 1. We aren't doing this intentionally; the Security framework must be doing
> this when either importing the P12 file using SecPKCS12Import() or setting
> the identity in the context using SSLSetCertificate().
>
> 2. This isn't a security hole, since the user's Keychain is a protected
> area, and someone can't just come along and read the private key without
> authentication.
>
> Want me to document it?

I think ideally we should make it not do this, so that it will switch to
working like it works with the other backends.
If that is hard/inconvenient in some way we should document how it actually
behaves right now.
--
/ daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html