Ticket #5446 enhancement new
cross-platform API for enumerating X509 certificates trusted by the platform for transport layer security
|Reported by:||glyph||Owned by:||itamar|
Description (last modified by glyph) (diff)
One component of #5445 (as originally discussed on #4023) would be an API for extracting the native trust roots from the platform. This is actually at least 3 tasks: one for Windows, one for Mac OS X, and at least one for Linux and BSD derivatives (although the only mechanism I'm familiar with there is the ca-certificates package in Debian, so perhaps there are other mechanisms we'd need to use as well).
I think that there's a way to discover the '/etc/ssl/certs' path (the one ca-certificates installs) via some API in OpenSSL, and if there is, we should use it, so that it will work with an arbitrary distro rather than being hard-coded to where Debian decided to stick it.
On Windows - and this is purely from a quick glance at the reference documentation, so take it with a grain of salt - I believe the right way to do this is to use CertOpenSystemStore with the string "CA", or possibly "ROOT", or maybe both, and then do CertEnumCertificatesInStore or maybe just PFXExportCertStoreEx to dump the certs into a format we can import into OpenSSL.
On OS X, and again, I haven't done this, I believe you just have to call SSLCopyTrustedRoots to get the default trusted SSL CA certificates and then SecCertificateCopyData on the retrieved roots to turn them into DER (which we can then load into any SSL implementation).