Changed 02/26/2013 01:57:44 PM: Summary changed from ''cross-platform API for inspecting configured trust root'' to ''cross-platform API for enumerating X509 certificates trusted by the platform for transport layer security''
Ticket #5446 – Description
One component of #5445 (as originally discussed on #4023) would be an API for extracting the native trust roots from the platform. This is actually at least 3 tasks: one for Windows, one for Mac OS X, and at least one for Linux and BSD derivatives (although the only mechanism I'm familiar with there is the ca-certificates package in Debian, so perhaps there are other mechanisms we'd need to use as well).
I ''think'' that there's a way to discover the '/etc/ssl/certs' path (the one ca-certificates installs) via some API in OpenSSL, and if there is, we should use it, so that it will work with an arbitrary distro rather than being hard-coded to where Debian decided to stick it.
On Windows - and this is purely from a quick glance at the reference documentation, so take it with a grain of salt - I believe the right way to do this is to use [http://msdn.microsoft.com/en-us/library/windows/desktop/aa376560(v=vs.85).aspx CertOpenSystemStore] with the string "CA", or possibly "ROOT", or maybe both, and then do [http://msdn.microsoft.com/en-us/library/windows/desktop/aa376050(v=vs.85).aspx CertEnumCertificatesInStore] or maybe just [http://msdn.microsoft.com/en-us/library/windows/desktop/aa387313(v=vs.85).aspx PFXExportCertStoreEx] to dump the certs into a format we can import into OpenSSL.
On OS X, and again, I haven't done this, I believe you just have to call [https://developer.apple.com/library/mac/#documentation/Security/Reference/secureTransportRef/Reference/reference.html SSLCopyTrustedRoots] to get the default trusted SSL CA certificates and then [https://developer.apple.com/library/mac/#documentation/security/Reference/certifkeytrustservices/Reference/reference.html SecCertificateCopyData] on the retrieved roots to turn them into DER (which we can then load into any SSL implementation).
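As an added example (not code from the ticket or from Twisted), the Python standard library's `ssl` module already exposes the two mechanisms the description asks about: `ssl.enum_certificates()` wraps CertOpenSystemStore/CertEnumCertificatesInStore for a named Windows store, and `ssl.get_default_verify_paths()` asks OpenSSL where its CA file and CA directory live rather than hard-coding /etc/ssl/certs. The OS X Security framework calls are not exposed by the stdlib, so that platform falls back to the OpenSSL paths here; the sample PEM bundle is constructed and contains no real certificates.

```python
import base64
import os
import re
import ssl

_PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

# Constructed sample: NOT real certs, just base64 of b"cert-one"/b"cert-two"; cert-one is repeated to exercise dedupe.
SAMPLE_BUNDLE = b"""# bundles often carry comments between blocks
-----BEGIN CERTIFICATE-----
Y2VydC1vbmU=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Y2VydC10d28=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Y2VydC1vbmU=
-----END CERTIFICATE-----
"""

def pem_bundle_to_der(data):
    """Split a PEM bundle into DER-encoded certificates, preserving order."""
    return [base64.b64decode(b"".join(m.split())) for m in _PEM_RE.findall(data)]

def dedupe(ders):
    """Drop repeats: a capath dir holds hash symlinks plus a bundle of the same certs."""
    return list(dict.fromkeys(ders))

def openssl_default_roots():
    """Roots from the CA file and CA directory OpenSSL reports as its compiled-in defaults."""
    paths = ssl.get_default_verify_paths()
    files = [paths.cafile] if paths.cafile else []
    if paths.capath and os.path.isdir(paths.capath):
        files += sorted(os.path.join(paths.capath, n) for n in os.listdir(paths.capath))
    ders = []
    for path in filter(os.path.isfile, files):  # skips subdirectories and broken symlinks
        with open(path, "rb") as f:
            ders.extend(pem_bundle_to_der(f.read()))
    return dedupe(ders)

def windows_system_roots(stores=("ROOT", "CA")):
    """CryptoAPI system stores; each entry is (der_bytes, encoding, trust)."""
    return dedupe(cert for store in stores
                  for cert, encoding, trust in ssl.enum_certificates(store)
                  if encoding == "x509_asn")  # skip PKCS#7 blobs

def platform_trust_roots():
    """CryptoAPI stores on Windows; OpenSSL's default paths everywhere else (incl. OS X)."""
    return windows_system_roots() if os.name == "nt" else openssl_default_roots()
```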