Changes between and of Initial VersionVersion 3Ticket #5446


Ignore:
Timestamp:
02/26/2013 01:57:44 PM (19 months ago)
Author:
glyph
Comment:

Legend:

Unmodified
Added
Removed
Modified
  • Ticket #5446

    • Property Cc ivank-twisted-bugs@… added
    • Property Summary changed from cross-platform API for inspecting configured trust root to cross-platform API for enumerating X509 certificates trusted by the platform for transport layer security
  • Ticket #5446 – Description

    initial v3  
    11One component of  #5445 (as originally discussed on #4023) would be an API for extracting the native trust roots from the platform.  This is actually at least 3 tasks: one for Windows, one for Mac OS X, and at least one for Linux and BSD derivatives (although the only mechanism I'm familiar with there is the ca-certificates package in Debian, so perhaps there are other mechanisms we'd need to use as well). 
     2 
     3I ''think'' that there's a way to discover the '/etc/ssl/certs' path (the one ca-certificates installs) via some API in OpenSSL, and if there is, we should use it, so that it will work with an arbitrary distro rather than being hard-coded to where Debian decided to stick it. 
     4 
     5On Windows - and this is purely from a quick glance at the reference documentation, so take it with a grain of salt - I believe the right way to do this is to use [http://msdn.microsoft.com/en-us/library/windows/desktop/aa376560(v=vs.85).aspx CertOpenSystemStore] with the string "CA", or possibly "ROOT", or maybe both, and then do [http://msdn.microsoft.com/en-us/library/windows/desktop/aa376050(v=vs.85).aspx CertEnumCertificatesInStore] or maybe just [http://msdn.microsoft.com/en-us/library/windows/desktop/aa387313(v=vs.85).aspx PFXExportCertStoreEx] to dump the certs into a format we can import into OpenSSL. 
     6 
     7On OS X, and again, I haven't done this, I believe you just have to call [https://developer.apple.com/library/mac/#documentation/Security/Reference/secureTransportRef/Reference/reference.html SSLCopyTrustedRoots] to get the default trusted SSL CA certificates and then [https://developer.apple.com/library/mac/#documentation/security/Reference/certifkeytrustservices/Reference/reference.html SecCertificateCopyData] on the retrieved roots to turn them into DER (which we can then load into any SSL implementation).