Possible bug keeping additional certs from being considered during validation on Mac

[FaustinCarter]

I think there might be a typo/bug here in this section of code, specifically on Line 428. It feels like instead of passing cert_chain to _der_certs_to_cf_cert_array, instead ctx_ca_certs_der should be passed. Once ctx_ca_certs_der is created by pulling from the context, nothing else is ever done with it. I think the intended behavior is to add those certs into the SecTrust object as Anchors, but instead what seems to be happening is that the certs that are being passed in for validation (that were previously added during the call to SecTrustCreateWithCertificates) are being explicitly set again as Anchors via SecTrustSetAnchorCertificates.

https://github.com/sethmlarson/truststore/blob/178fea29c3fb5b14a62deeb112ed3e3d81e95157/src/truststore/_macos.py#L419-L434

I'll admit that I'm pretty green with how SecTrust stuff works on Mac, so if I'm way off, please help me understand what's going on!

[FaustinCarter]

Additionally, I'm noticing that after SecTrustSetAnchorCertificates is called on line 429, there is not a followup call to SecTrustSetAnchorCertificatesOnly, which means that the built in system-provided anchors will not be used for validation. Maybe this is the desired behavior?