macOS: Custom chains that include intermediate certificates do not work

[timja]

Hi

In our enterprise setup we have a MiTM setup on most URLs using ZScaler (although some are bypassed).

We have a setup:

Root -> Intermediate 1 -> Intermediate 2 -> Re-signed leaf.

This doesn't work in IntelliJ and JetBrains toolbox.

I tracked down a similar bug in the JDK and created a PR for it here: openjdk/jdk#22911

---

See the documentation for: SecTrustSettingsCopyTrustSettings(::_:)

Specifically:

However, an empty trust settings array isn’t the same as no trust settings, where the trustSettings parameter returns NULL. No trust-settings array means “this certificate must be verifiable using a known trusted certificate”.

This is incorrectly implemented at

jvm-native-trusted-roots/src/main/java/org/jetbrains/nativecerts/mac/SecurityFrameworkUtil.java

Line 122 in 02023e5

if (SecurityFramework.OSStatus.errSecItemNotFound.equals(rc) || trustedSettingsArray == null) {

by returning false when null.

---

I plan to provide a PR for this

[lj-replicate]

Related issue: https://youtrack.jetbrains.com/issue/IJPL-1027/Import-consider-intermediate-CAs-from-system-trust-store

[shalupov]

Merged to trunk, please check that it works for you in the end

[timja]

Thanks!

Above the tests passing, the end 2 end test would be to upgrade it in intellij, I can test it in our enterprise environment there.

Last time I tried building intellij I got a very broken IDE, would it be possible for you to update it to a new version / snapshot and then I can test it end 2 end please?

[timja]

Merged to trunk, please check that it works for you in the end

I've ran the repository manual tests on both Windows and macOS after your changes and those are fine for me.

[shalupov]

Yes, I'll prepare a new nightly build and share it with you