Bug 1656992 - osclientcerts: disable AIA fetching when looking for issuer certificates (macOS) r=kjacobs

When the macOS osclientcerts backend looks for issuer certificates, it can
result in network I/O unless it is specifically disabled. The Windows backend
already handles this, so this only applies to macOS.

Differential Revision: https://phabricator.services.mozilla.com/D85799

security/manager/ssl/osclientcerts/src/backend_macos.rs

@@ -884,6 +884,12 @@ fn get_issuers(identity: &SecIdentity) -> Result<Vec<SecCertificate>, ()> {
         return Err(());
     }
     let trust = unsafe { SecTrust::wrap_under_create_rule(trust) };
+    // Disable AIA fetching so that SecTrustEvaluateWithError doesn't result in network I/O.
+    let status = unsafe { SecTrustSetNetworkFetchAllowed(trust.as_concrete_TypeRef(), 0) };
+    if status != errSecSuccess {
+        error!("SecTrustSetNetworkFetchAllowed failed: {}", status);
+        return Err(());
+    }
     // We ignore the return value here because we don't care if the certificate is trusted or not -
     // we're only doing this to build its issuer chain as much as possible.
     let _ = SECURITY_FRAMEWORK.sec_trust_evaluate_with_error(&trust)?;

security/manager/ssl/osclientcerts/src/bindings_macos.rs

@@ -52,4 +52,7 @@ extern "C" {
     pub fn SecTrustGetCertificateCount(trust: SecTrustRef) -> CFIndex;
     pub static kSecClassIdentity: CFStringRef;
     pub static kSecAttrKeyTypeRSA: CFStringRef;
+
+    // Available starting macOS 10.9
+    pub fn SecTrustSetNetworkFetchAllowed(trust: SecTrustRef, allowFetch: Boolean) -> OSStatus;
 }