Changes between Initial Version and Version 3 of Ticket #5446

02/26/2013 01:57:44 PM


  • Ticket #5446

    • Property Cc ivank added
    • Property Summary changed from cross-platform API for inspecting configured trust root to cross-platform API for enumerating X509 certificates trusted by the platform for transport layer security
  • Ticket #5446 – Description

    One component of #5445 (as originally discussed on #4023) would be an API for extracting the native trust roots from the platform. This is actually at least 3 tasks: one for Windows, one for Mac OS X, and at least one for Linux and BSD derivatives (although the only mechanism I'm familiar with there is the ca-certificates package in Debian, so perhaps there are other mechanisms we'd need to use as well).

    I ''think'' that there's a way to discover the '/etc/ssl/certs' path (the one ca-certificates installs) via some API in OpenSSL, and if there is, we should use it, so that it will work with an arbitrary distro rather than being hard-coded to where Debian decided to stick it.

    On Windows - and this is purely from a quick glance at the reference documentation, so take it with a grain of salt - I believe the right way to do this is to use CertOpenSystemStore with the string "CA", or possibly "ROOT", or maybe both, and then do CertEnumCertificatesInStore or maybe just PFXExportCertStoreEx to dump the certs into a format we can import into OpenSSL.

    On OS X, and again, I haven't done this, I believe you just have to call SSLCopyTrustedRoots to get the default trusted SSL CA certificates and then SecCertificateCopyData on the retrieved roots to turn them into DER (which we can then load into any SSL implementation).
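The following is an added example, not code from the ticket or from Twisted, showing the two routes the description speculates about that the Python standard library already wraps: `ssl.get_default_verify_paths()` asks OpenSSL for its default CA file and directory (the "discover /etc/ssl/certs via an API" idea, honouring SSL_CERT_FILE/SSL_CERT_DIR), and on Windows `ssl.enum_certificates()` drives CertOpenSystemStore plus CertEnumCertificatesInStore and also reports what each root is trusted for, so roots not trusted for TLS server authentication can be dropped. The macOS Keychain route (SSLCopyTrustedRoots) has no stdlib wrapper, so the example assumes falling back to OpenSSL's default paths there. The PEM bundle embedded below is constructed test data (two tiny DER SEQUENCEs, not real certificates) so the parser can be exercised offline; everything else reads whatever the host actually has.

```python
import base64
import os
import ssl
import sys

# id-kp-serverAuth (RFC 5280): the extended-key-usage purpose that matters
# for a TLS client's trust store.
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"

# Constructed stand-in bundle: the two CERTIFICATE blocks decode to tiny DER
# SEQUENCEs, not real X.509 certificates, so the example has a fixed result.
SAMPLE_BUNDLE = """\
# comment lines and non-certificate PEM objects must be skipped
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
AAAA
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MAMCAQI=
-----END CERTIFICATE-----
"""


def pem_bundle_to_der(text):
    """Return the DER bytes of every plain CERTIFICATE block in a PEM bundle.

    Other labels (private keys, OpenSSL's 'TRUSTED CERTIFICATE', whose DER has
    trust settings appended) are skipped rather than mis-parsed as bare X.509.
    """
    ders, buf, collecting = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            collecting, buf = True, []
        elif line == "-----END CERTIFICATE-----" and collecting:
            ders.append(base64.b64decode("".join(buf)))
            collecting = False
        elif collecting:
            buf.append(line)
    return ders


def _read_text(path):
    with open(path, "rb") as f:
        return f.read().decode("ascii", "replace")


def openssl_default_roots():
    """Linux/BSD: let OpenSSL say where its CA file/dir live (the compiled-in
    X509_get_default_cert_file/_dir, overridable by SSL_CERT_FILE/SSL_CERT_DIR)
    instead of hard-coding Debian's /etc/ssl/certs, then load what is there."""
    paths = ssl.get_default_verify_paths()
    ders = []
    if paths.cafile and os.path.isfile(paths.cafile):
        ders.extend(pem_bundle_to_der(_read_text(paths.cafile)))
    if paths.capath and os.path.isdir(paths.capath):
        for name in sorted(os.listdir(paths.capath)):
            full = os.path.join(paths.capath, name)
            if name.endswith((".pem", ".crt")) and os.path.isfile(full):
                try:
                    ders.extend(pem_bundle_to_der(_read_text(full)))
                except OSError:
                    pass  # unreadable entry in the hash directory; skip it
    return ders


def windows_tls_roots(store_names=("ROOT", "CA")):
    """Windows: CertOpenSystemStore + CertEnumCertificatesInStore, via the
    stdlib wrapper. Each entry is (der, encoding, trust); trust is True (all
    purposes) or a set of EKU OIDs, so a root trusted only for e.g. code
    signing is not returned as a TLS root."""
    ders = []
    for store in store_names:
        for der, encoding, trust in ssl.enum_certificates(store):
            if encoding != "x509_asn":
                continue  # skip PKCS#7 blobs; we want single X.509 certs
            if trust is True or SERVER_AUTH_OID in trust:
                ders.append(der)
    return ders


def platform_tls_roots():
    """DER certificates trusted by the platform for TLS, de-duplicated.

    Assumption: on macOS we fall back to OpenSSL's default paths, because the
    Keychain API (SSLCopyTrustedRoots) is not wrapped by the standard library.
    """
    ders = windows_tls_roots() if sys.platform == "win32" else openssl_default_roots()
    # A root often appears both in the bundle file and in the hash directory;
    # also drop anything not even shaped like a DER SEQUENCE (tag 0x30).
    return sorted({d for d in ders if d[:1] == b"\x30"})


if __name__ == "__main__":
    print("%d TLS trust roots found" % len(platform_tls_roots()))
```

Running it on a Debian system with ca-certificates installed reports the roots under the directory OpenSSL names, not a hard-coded path; on a Windows host the count reflects only ROOT/CA entries trusted for server authentication.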