cross-platform API for enumerating X509 certificates trusted by the platform for transport layer security
Reported by: Glyph
Owned by: Glyph
Cc: ivank, Tom Most, Hynek Schlawack
Branch:
Author: itamarst, rwall, glyph
Description
One component of #5445 (as originally discussed on #4023) would be an API for extracting the native trust roots from the platform. This is actually at least 3 tasks: one for Windows, one for Mac OS X, and at least one for Linux and BSD derivatives (although the only mechanism I'm familiar with there is the ca-certificates package in Debian, so perhaps there are other mechanisms we'd need to use as well).
I think that there's a way to discover the '/etc/ssl/certs' path (the one ca-certificates installs) via some API in OpenSSL, and if there is, we should use it, so that it will work with an arbitrary distro rather than being hard-coded to where Debian decided to stick it.
On Windows - and this is purely from a quick glance at the reference documentation, so take it with a grain of salt - I believe the right way to do this is to use CertOpenSystemStore with the string "CA", or possibly "ROOT", or maybe both, and then do CertEnumCertificatesInStore or maybe just PFXExportCertStoreEx to dump the certs into a format we can import into OpenSSL.
On OS X, and again, I haven't done this, I believe you just have to call SSLCopyTrustedRoots to get the default trusted SSL CA certificates and then SecCertificateCopyData on the retrieved roots to turn them into DER (which we can then load into any SSL implementation).
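The following is an added example, not code from Twisted or from this ticket, showing how the description's Windows and Linux/BSD branches look when driven from Python's standard ``ssl`` module. It assumes two stdlib facts: ``ssl.enum_certificates`` on Windows wraps the ``CertOpenSystemStore`` / ``CertEnumCertificatesInStore`` calls named above (the ``"ROOT"`` store is the Trusted Root Certification Authorities store; ``"CA"`` holds intermediates, which are not trust anchors, so only ``"ROOT"`` is read), and ``ssl.get_default_verify_paths`` on POSIX exposes OpenSSL's compiled-in default cafile and capath, which is the "discover ``/etc/ssl/certs`` via OpenSSL rather than hard-coding Debian's location" approach the description asks for. The macOS ``SSLCopyTrustedRoots`` / ``SecCertificateCopyData`` route needs a Security.framework binding the stdlib does not provide, so on Darwin the code falls back to the OpenSSL defaults and says so. The PEM parser is written out rather than using ``ssl.PEM_cert_to_DER_cert`` because ca-certificates style bundles concatenate many blocks with comments between them, and a loader of trust anchors should skip a corrupt block rather than fail or trust garbage; the sample bundle in the test is constructed and contains no real certificates.

```python
"""Enumerate the X509 certificates the platform trusts for TLS server authentication.

Added example (not Twisted's code). Assumes only the standard ``ssl`` module:
ssl.enum_certificates (Windows, CryptoAPI system stores) and
ssl.get_default_verify_paths (OpenSSL default cafile/capath elsewhere).
"""
from __future__ import annotations

import base64
import hashlib
import re
import ssl
import sys
from pathlib import Path
from typing import Optional

# id-kp-serverAuth: the extended key usage Windows records in a root's trust set.
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"

# One PEM CERTIFICATE block; keys, CRLs and other block types never match.
_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)


def der_certs_from_pem(pem_text: str) -> list[bytes]:
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle, in order.

    Blocks whose base64 body is malformed are skipped: a trust store loader must
    never turn unparseable input into a trust anchor.
    """
    ders: list[bytes] = []
    for body in _PEM_CERT.findall(pem_text):
        compact = "".join(body.split())
        try:
            ders.append(base64.b64decode(compact, validate=True))
        except ValueError:  # binascii.Error is a ValueError
            continue
    return ders


def _pem_files(capath: Optional[str]) -> list[Path]:
    """Certificate files in an OpenSSL capath directory.

    Accepts foo.pem, foo.crt and OpenSSL hash links such as 2e5ac55d.0.
    is_file() is False for dangling symlinks, which hash-linked directories
    like /etc/ssl/certs can contain after a package is removed.
    """
    if not capath or not Path(capath).is_dir():
        return []
    return sorted(
        p for p in Path(capath).iterdir()
        if (p.suffix in (".pem", ".crt") or p.suffix[1:].isdigit()) and p.is_file()
    )


def openssl_default_trust_roots() -> list[bytes]:
    """Roots from OpenSSL's own default cafile and capath (SSL_CERT_FILE/DIR honoured).

    Duplicates are collapsed: capath hash links usually point at the same
    certificates that the bundle file already contains.
    """
    paths = ssl.get_default_verify_paths()  # cafile/capath are None when absent
    sources: list[Path] = [Path(paths.cafile)] if paths.cafile else []
    sources.extend(_pem_files(paths.capath))
    unique: dict[bytes, None] = {}
    for source in sources:
        if not source.is_file():
            continue
        text = source.read_text(encoding="ascii", errors="replace")
        for der in der_certs_from_pem(text):
            unique.setdefault(der, None)
    return list(unique)


def windows_trust_roots() -> list[bytes]:
    """Roots from the "ROOT" system store that are trusted for server authentication."""
    roots: list[bytes] = []
    for cert, encoding, trust in ssl.enum_certificates("ROOT"):
        if encoding != "x509_asn":
            continue  # PKCS#7 blobs are not single certificates
        # trust is True (all purposes) or the set of EKU OIDs the root is trusted for
        if trust is True or (isinstance(trust, (set, frozenset)) and SERVER_AUTH_OID in trust):
            roots.append(cert)
    return roots


def platform_trust_roots() -> list[bytes]:
    """Dispatch on platform; every element is a DER-encoded certificate."""
    if sys.platform == "win32":
        return windows_trust_roots()
    # Linux/BSD: OpenSSL defaults. On macOS this only sees an OpenSSL bundle, not
    # the system keychain roots, which would need Security.framework.
    return openssl_default_trust_roots()


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, the usual way to pin or audit a root."""
    return hashlib.sha256(der).hexdigest()


if __name__ == "__main__":
    roots = platform_trust_roots()
    print(f"{len(roots)} trust roots on {sys.platform}")
    for der in roots:
        print(fingerprint(der))
```

Run it as a script to list the SHA-256 fingerprints of the roots the local platform trusts; the count is a quick way to notice an unexpected root being added to or removed from a host's trust store.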
Change History (92)
comment:3 (changed 4 years ago)
Summary: cross-platform API for inspecting configured trust root → cross-platform API for enumerating X509 certificates trusted by the platform for transport layer security

comment:21 (follow-up: 25; changed 4 years ago)
Owner: changed from Jean-Paul Calderone to Itamar Turner-Trauring
Status: assigned → new

comment:26 (changed 3 years ago)
Author: itamarst → itamarst, rwall
Branch: branches/trusted-ca-linux-5446 → branches/trusted-ca-linux-5446-2

comment:50 (changed 3 years ago)
Author: itamarst, rwall → itamarst, glyph, rwall
Branch: branches/trusted-ca-linux-5446-2 → branches/trusted-ca-openssl-defaults-5446

comment:55 (changed 3 years ago)
Owner: changed from Hynek Schlawack to Glyph

comment:87 (follow-up: 89; changed 3 years ago)
Status: assigned → new

comment:90 (changed 3 years ago)
Author: itamarst, glyph, rwall → itamarst, rwall, glyph
Branch: branches/trusted-ca-openssl-defaults-5446 → branches/trusted-ca-openssl-defaults-5446-2