| -rw-r--r-- | .github/workflows/ci.yaml | 1 | ||||
| -rw-r--r-- | lib/std/crypto/Certificate/Bundle.zig | 13 | ||||
| -rw-r--r-- | lib/std/crypto/Certificate/Bundle/macos.zig | 38 | ||||
| -rw-r--r-- | lib/std/os/darwin.zig | 2 | ||||
| -rw-r--r-- | lib/std/os/darwin/cssm.zig | 47 |
5 files changed, 60 insertions, 41 deletions
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 3b47c60dfd..a0ff406dec 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -10,6 +10,7 @@ concurrency:
 cancel-in-progress: true
 jobs:
 x86_64-linux-debug:
+ timeout-minutes: 420
 runs-on: [self-hosted, Linux, x86_64]
 steps:
 - name: Checkout
diff --git a/lib/std/crypto/Certificate/Bundle.zig b/lib/std/crypto/Certificate/Bundle.zig
index 94618c5ef8..1a5a45ae63 100644
--- a/lib/std/crypto/Certificate/Bundle.zig
+++ b/lib/std/crypto/Certificate/Bundle.zig
@@ -120,21 +120,14 @@ pub fn rescanWindows(cb: *Bundle, gpa: Allocator) !void {
 };
 defer _ = w.crypt32.CertCloseStore(store, 0);
+
+ const now_sec = std.time.timestamp();
+
 var ctx = w.crypt32.CertEnumCertificatesInStore(store, null);
 while (ctx) |context| : (ctx = w.crypt32.CertEnumCertificatesInStore(store, ctx)) {
 const decoded_start = @intCast(u32, cb.bytes.items.len);
 const encoded_cert = context.pbCertEncoded[0..context.cbCertEncoded];
 try cb.bytes.appendSlice(gpa, encoded_cert);
- const parsed_cert = try Certificate.parse(.{
- .buffer = cb.bytes.items,
- .index = decoded_start,
- });
- const gop = try cb.map.getOrPutContext(gpa, parsed_cert.subject_slice, .{ .cb = cb });
- if (gop.found_existing) {
- cb.bytes.items.len = decoded_start;
- } else {
- gop.value_ptr.* = decoded_start;
- }
+ try cb.parseCert(gpa, decoded_start, now_sec);
 }
 cb.bytes.shrinkAndFree(gpa, cb.bytes.items.len);
 }
diff --git a/lib/std/crypto/Certificate/Bundle/macos.zig b/lib/std/crypto/Certificate/Bundle/macos.zig
index 8268a67a48..5260aa61a6 100644
--- a/lib/std/crypto/Certificate/Bundle/macos.zig
+++ b/lib/std/crypto/Certificate/Bundle/macos.zig
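Review bot: An error from the new `try cb.parseCert(gpa, decoded_start, now_sec)` exits the loop while `context` is still live; CertEnumCertificatesInStore only releases the previous context on its next call, so an early exit should release the current one (Win32 has CertFreeCertificateContext for this — whether std.os.windows.crypt32 binds it is not visible here). The replaced `try Certificate.parse(...)` had the same gap, but the new single call is the natural spot for an `errdefer`. The macOS counterpart in this commit now begins with `cb.bytes.clearRetainingCapacity()` / `cb.map.clearRetainingCapacity()`; rescanWindows starts before this hunk, so confirm it resets the bundle the same way, otherwise a repeated rescan keeps bytes from the previous scan. What parseCert does with `now_sec` is not visible in this hunk either and would be worth a sentence on the parameter.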
@@ -1,11 +1,14 @@
 const std = @import("std");
 const assert = std.debug.assert;
-const mem = std.mem;
 const fs = std.fs;
+const mem = std.mem;
 const Allocator = std.mem.Allocator;
 const Bundle = @import("../Bundle.zig");
 pub fn rescanMac(cb: *Bundle, gpa: Allocator) !void {
+ cb.bytes.clearRetainingCapacity();
+ cb.map.clearRetainingCapacity();
+
 const file = try fs.openFileAbsolute("/System/Library/Keychains/SystemRootCertificates.keychain", .{});
 defer file.close();
@@ -37,7 +40,7 @@ pub fn rescanMac(cb: *Bundle, gpa: Allocator) !void {
 const table_header = try reader.readStructBig(TableHeader);
- if (@intToEnum(TableId, table_header.table_id) != TableId.CSSM_DL_DB_RECORD_X509_CERTIFICATE) {
+ if (@intToEnum(std.os.darwin.cssm.DB_RECORDTYPE, table_header.table_id) != .X509_CERTIFICATE) {
 continue;
 }
@@ -63,6 +66,8 @@ pub fn rescanMac(cb: *Bundle, gpa: Allocator) !void {
 try cb.parseCert(gpa, cert_start, now_sec);
 }
 }
+
+ cb.bytes.shrinkAndFree(gpa, cb.bytes.items.len);
 }
 const ApplDbHeader = extern struct {
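Review bot: The bundle is cleared before anything can fail: `cb.bytes.clearRetainingCapacity()` and `cb.map.clearRetainingCapacity()` run ahead of `try fs.openFileAbsolute(...)`, so a rescan that errors leaves the caller with an empty or partially filled root set instead of the previous one. Failing closed is the right default for a trust store, but it is a behaviour change that belongs on the function: `/// On error the bundle may be left empty or partially populated; do not use it until a rescan succeeds.` The same holds for the second and third hunks of this file, where `try reader.readStructBig(...)` and `try cb.parseCert(...)` can return mid-scan. As a style point on the second hunk, `std.os.darwin.cssm.DB_RECORDTYPE` spelled inline could be an alias beside the other imports, `const cssm = std.os.darwin.cssm;`, so the comparison reads `@intToEnum(cssm.DB_RECORDTYPE, ...)`.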
@@ -88,35 +93,6 @@ const TableHeader = extern struct {
 record_numbers_count: u32,
 };
-const TableId = enum(u32) {
- CSSM_DL_DB_SCHEMA_INFO = 0x00000000,
- CSSM_DL_DB_SCHEMA_INDEXES = 0x00000001,
- CSSM_DL_DB_SCHEMA_ATTRIBUTES = 0x00000002,
- CSSM_DL_DB_SCHEMA_PARSING_MODULE = 0x00000003,
-
- CSSM_DL_DB_RECORD_ANY = 0x0000000a,
- CSSM_DL_DB_RECORD_CERT = 0x0000000b,
- CSSM_DL_DB_RECORD_CRL = 0x0000000c,
- CSSM_DL_DB_RECORD_POLICY = 0x0000000d,
- CSSM_DL_DB_RECORD_GENERIC = 0x0000000e,
- CSSM_DL_DB_RECORD_PUBLIC_KEY = 0x0000000f,
- CSSM_DL_DB_RECORD_PRIVATE_KEY = 0x00000010,
- CSSM_DL_DB_RECORD_SYMMETRIC_KEY = 0x00000011,
- CSSM_DL_DB_RECORD_ALL_KEYS = 0x00000012,
-
- CSSM_DL_DB_RECORD_GENERIC_PASSWORD = 0x80000000,
- CSSM_DL_DB_RECORD_INTERNET_PASSWORD = 0x80000001,
- CSSM_DL_DB_RECORD_APPLESHARE_PASSWORD = 0x80000002,
- CSSM_DL_DB_RECORD_USER_TRUST = 0x80000003,
- CSSM_DL_DB_RECORD_X509_CRL = 0x80000004,
- CSSM_DL_DB_RECORD_UNLOCK_REFERRAL = 0x80000005,
- CSSM_DL_DB_RECORD_EXTENDED_ATTRIBUTE = 0x80000006,
- CSSM_DL_DB_RECORD_X509_CERTIFICATE = 0x80001000,
- CSSM_DL_DB_RECORD_METADATA = 0x80008000,
-
- _,
-};
-
 const X509CertHeader = extern struct {
 record_size: u32,
 record_number: u32,
diff --git a/lib/std/os/darwin.zig b/lib/std/os/darwin.zig
index b3fb681d5a..164a0e06c2 100644
--- a/lib/std/os/darwin.zig
+++ b/lib/std/os/darwin.zig
@@ -3,6 +3,8 @@ const builtin = @import("builtin");
 const log = std.log;
 const mem = std.mem;
+pub const cssm = @import("darwin/cssm.zig");
+
 pub usingnamespace std.c;
 pub usingnamespace mach_task;
diff --git a/lib/std/os/darwin/cssm.zig b/lib/std/os/darwin/cssm.zig
new file mode 100644
index 0000000000..2e11c5d1f4
--- /dev/null
+++ b/lib/std/os/darwin/cssm.zig
@@ -0,0 +1,47 @@
+// Common Security Services Manager
+// Security.framework/Headers/cssm*.h
+
+// Schema Management Name Space Range Definition
+pub const DB_RECORDTYPE_SCHEMA_START = 0x00000000;
+pub const DB_RECORDTYPE_SCHEMA_END = DB_RECORDTYPE_SCHEMA_START + 4;
+
+// Open Group Application Name Space Range Definition
+pub const DB_RECORDTYPE_OPEN_GROUP_START = 0x0000000A;
+pub const DB_RECORDTYPE_OPEN_GROUP_END = DB_RECORDTYPE_OPEN_GROUP_START + 8;
+
+// Industry At Large Application Name Space Range Definition
+pub const DB_RECORDTYPE_APP_DEFINED_START = 0x80000000;
+pub const DB_RECORDTYPE_APP_DEFINED_END = 0xffffffff;
+
+pub const DB_RECORDTYPE = enum(u32) {
+ // Record Types defined in the Schema Management Name Space
+ SCHEMA_INFO = DB_RECORDTYPE_SCHEMA_START + 0,
+ SCHEMA_INDEXES = DB_RECORDTYPE_SCHEMA_START + 1,
+ SCHEMA_ATTRIBUTES = DB_RECORDTYPE_SCHEMA_START + 2,
+ SCHEMA_PARSING_MODULE = DB_RECORDTYPE_SCHEMA_START + 3,
+
+ // Record Types defined in the Open Group Application Name Space
+ ANY = DB_RECORDTYPE_OPEN_GROUP_START + 0,
+ CERT = DB_RECORDTYPE_OPEN_GROUP_START + 1,
+ CRL = DB_RECORDTYPE_OPEN_GROUP_START + 2,
+ POLICY = DB_RECORDTYPE_OPEN_GROUP_START + 3,
+ GENERIC = DB_RECORDTYPE_OPEN_GROUP_START + 4,
+ PUBLIC_KEY = DB_RECORDTYPE_OPEN_GROUP_START + 5,
+ PRIVATE_KEY = DB_RECORDTYPE_OPEN_GROUP_START + 6,
+ SYMMETRIC_KEY = DB_RECORDTYPE_OPEN_GROUP_START + 7,
+ ALL_KEYS = DB_RECORDTYPE_OPEN_GROUP_START + 8,
+
+ // AppleFileDL record types
+ GENERIC_PASSWORD = DB_RECORDTYPE_APP_DEFINED_START + 0,
+ INTERNET_PASSWORD = DB_RECORDTYPE_APP_DEFINED_START + 1,
+ APPLESHARE_PASSWORD = DB_RECORDTYPE_APP_DEFINED_START + 2,
+
+ X509_CERTIFICATE = DB_RECORDTYPE_APP_DEFINED_START + 0x1000,
+ USER_TRUST,
+ X509_CRL,
+ UNLOCK_REFERRAL,
+ EXTENDED_ATTRIBUTE,
+ METADATA = DB_RECORDTYPE_APP_DEFINED_START + 0x8000,
+
+ _,
+};
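Review bot: `USER_TRUST`, `X509_CRL`, `UNLOCK_REFERRAL` and `EXTENDED_ATTRIBUTE` now take auto-incremented values after `X509_CERTIFICATE` (0x80001001–0x80001004), whereas the `TableId` enum this commit removes from Bundle/macos.zig gave them 0x80000003–0x80000006. The new layout follows the `DB_RECORDTYPE_APP_DEFINED_START + 0x1000` sequence of the cited cssm headers and is presumably the corrected one, but nothing in the file records that the values changed, and the scanner only compares `.X509_CERTIFICATE`, so a wrong tag for the others would go unnoticed. A one-line comment above `USER_TRUST` would stop someone restoring the old constants: `// 0x80001001.. by increment; the former TableId enum in Bundle/macos.zig used 0x80000003.. for these.` The `_,` member keeps the enum non-exhaustive, so `@intToEnum` on an unrecognised keychain table id cannot trap, which is worth stating in a `///` doc comment on `DB_RECORDTYPE`.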
