id	summary	reporter	owner	description	type	status	priority	milestone	component	resolution	keywords	cc	branch	branch_author	launchpad_bug
5446	cross-platform API for enumerating X509 certificates trusted by the platform for transport layer security	glyph	itamar	"One component of  #5445 (as originally discussed on #4023) would be an API for extracting the native trust roots from the platform.  This is actually at least 3 tasks: one for Windows, one for Mac OS X, and at least one for Linux and BSD derivatives (although the only mechanism I'm familiar with there is the ca-certificates package in Debian, so perhaps there are other mechanisms we'd need to use as well).

I ''think'' that there's a way to discover the '/etc/ssl/certs' path (the one ca-certificates installs) via some API in OpenSSL, and if there is, we should use it, so that it will work with an arbitrary distro rather than being hard-coded to where Debian decided to stick it.

On Windows - and this is purely from a quick glance at the reference documentation, so take it with a grain of salt - I believe the right way to do this is to use [http://msdn.microsoft.com/en-us/library/windows/desktop/aa376560(v=vs.85).aspx CertOpenSystemStore] with the string ""CA"", or possibly ""ROOT"", or maybe both, and then do [http://msdn.microsoft.com/en-us/library/windows/desktop/aa376050(v=vs.85).aspx CertEnumCertificatesInStore] or maybe just [http://msdn.microsoft.com/en-us/library/windows/desktop/aa387313(v=vs.85).aspx PFXExportCertStoreEx] to dump the certs into a format we can import into OpenSSL.

On OS X, and again, I haven't done this, I believe you just have to call [https://developer.apple.com/library/mac/#documentation/Security/Reference/secureTransportRef/Reference/reference.html SSLCopyTrustedRoots] to get the default trusted SSL CA certificates and then [https://developer.apple.com/library/mac/#documentation/security/Reference/certifkeytrustservices/Reference/reference.html SecCertificateCopyData] on the retrieved roots to turn them into DER (which we can then load into any SSL implementation)."	enhancement	new	normal		core			ivank-twisted-bugs@… tom.most@…	branches/trusted-ca-linux-5446	itamarst	
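Added example for this ticket (not Twisted's code and not the branches/trusted-ca-linux-5446 branch): a Python 3, stdlib-only sketch of two of the three tasks above. The OpenSSL API the description suspects exists is X509_get_default_cert_file()/X509_get_default_cert_dir(), exposed as ssl.get_default_verify_paths(), which also honours the SSL_CERT_FILE/SSL_CERT_DIR overrides, so nothing is hard-coded to Debian's /etc/ssl/certs. On Windows, ssl.enum_certificates() (Python 3.4+) wraps the CryptoAPI system-store enumeration the ticket names; note that only the "ROOT" store holds trust anchors, while "CA" is the intermediate store, and that each entry carries a trust value (True, or a set of EKU OIDs) that should be filtered for serverAuth. The Mac OS X half (SSLCopyTrustedRoots / SecCertificateCopyData) has no stdlib binding and is omitted. Two practical caveats the code handles: a Debian capath contains the same root as a hash-named symlink and inside the ca-certificates.crt bundle, so results are keyed by SHA-256 fingerprint; and bundles can contain non-certificate PEM blocks. The sample PEM input is constructed, and its DER blobs are minimal SEQUENCEs standing in for real certificates, not actual roots.

```python
"""Enumerate the platform's trusted X.509 roots with only the Python 3 stdlib.
Added example for #5446, not Twisted's code; the Mac OS X half is omitted."""
import base64, binascii, hashlib, os, ssl, sys
from typing import Dict, Iterable, List

PEM_BEGIN, PEM_END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth extended key usage

def pem_to_der_list(text: str) -> List[bytes]:
    """DER of every CERTIFICATE block in a PEM file or bundle; comments and other
    block types (TRUSTED CERTIFICATE, keys) are skipped, bad base64 drops that block only."""
    ders, body, in_block = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == PEM_BEGIN:
            in_block, body = True, []
        elif line == PEM_END and in_block:
            in_block = False
            try:
                ders.append(base64.b64decode("".join(body), validate=True))
            except binascii.Error:
                pass
        elif in_block:
            body.append(line)
    return ders

def looks_like_der_sequence(der: bytes) -> bool:
    """Cheap sanity check, not ASN.1 parsing: a Certificate is a DER SEQUENCE (0x30)
    whose encoded length must cover exactly the remaining bytes."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        header, length = 2, first
    else:                                 # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:    # 0x80 is the indefinite form, illegal in DER
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)

def sha256_fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def roots_from_pem_texts(texts: Iterable[str]) -> Dict[str, bytes]:
    """fingerprint -> DER; keyed by fingerprint because a Debian capath holds both
    hash-named symlinks and the ca-certificates.crt bundle, so each root repeats."""
    found: Dict[str, bytes] = {}
    for text in texts:
        for der in pem_to_der_list(text):
            if looks_like_der_sequence(der):
                found.setdefault(sha256_fingerprint(der), der)
    return found

def roots_from_openssl_paths(cafile=None, capath=None) -> Dict[str, bytes]:
    """Linux/BSD: ask OpenSSL where it looks instead of hard-coding /etc/ssl/certs.
    ssl.get_default_verify_paths() wraps X509_get_default_cert_file()/_dir() and honours
    SSL_CERT_FILE / SSL_CERT_DIR; cafile/capath are None when that location is absent."""
    if cafile is None and capath is None:
        defaults = ssl.get_default_verify_paths()
        cafile, capath = defaults.cafile, defaults.capath
    files = [cafile] if cafile and os.path.isfile(cafile) else []
    if capath and os.path.isdir(capath):
        files += [p for p in (os.path.join(capath, n) for n in sorted(os.listdir(capath)))
                  if os.path.isfile(p)]   # isfile follows the hash symlinks
    texts = []
    for path in files:
        try:
            with open(path, encoding="ascii", errors="replace") as fh:
                texts.append(fh.read())
        except OSError:                   # unreadable entry: skip it, don't abort
            continue
    return roots_from_pem_texts(texts)

def roots_from_windows_stores(stores: Iterable[str] = ("ROOT",)) -> Dict[str, bytes]:
    """Windows: ssl.enum_certificates() (3.4+) enumerates a system store. Only "ROOT"
    holds anchors ("CA" is intermediates); keep entries trusted for serverAuth or unrestricted."""
    found: Dict[str, bytes] = {}
    if not hasattr(ssl, "enum_certificates"):  # not on Windows
        return found
    for store in stores:
        for der, encoding, trust in ssl.enum_certificates(store):
            if encoding != "x509_asn":         # skip PKCS#7 entries
                continue
            if trust is not True and SERVER_AUTH_OID not in trust:
                continue
            if looks_like_der_sequence(der):
                found.setdefault(sha256_fingerprint(der), der)
    return found

# Constructed sample input: minimal DER SEQUENCEs stand in for real Certificate
# structures so the parse/dedup logic can be exercised offline.
CERT_A = b"\x30\x06\x02\x01\x01\x02\x01\x02"  # SEQUENCE { INTEGER 1, INTEGER 2 }
CERT_B = b"\x30\x03\x02\x01\x07"              # SEQUENCE { INTEGER 7 }
BAD_TAG = b"\x02\x01\x05"                     # INTEGER, not a SEQUENCE
BAD_LEN = b"\x30\x05\x02\x01\x01"             # claims 5 content bytes, has 3

def _pem(der: bytes, kind: str = "CERTIFICATE") -> str:
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (kind, base64.encodebytes(der).decode(), kind)

SAMPLE_BUNDLE = (_pem(CERT_A) + _pem(CERT_B, "TRUSTED CERTIFICATE") + _pem(CERT_B)
                 + _pem(BAD_TAG) + _pem(BAD_LEN))
SAMPLE_SINGLE = "# hash-named symlink duplicating a bundle entry\n" + _pem(CERT_A)

if __name__ == "__main__":
    live = roots_from_windows_stores() if sys.platform == "win32" else roots_from_openssl_paths()
    print(len(roots_from_pem_texts([SAMPLE_BUNDLE, SAMPLE_SINGLE])), "sample,", len(live), "platform roots")
```

The DER values in the returned dict can be handed to SSLContext.load_verify_locations(cadata=...) or to any other TLS stack; on the constructed sample the duplicate, the TRUSTED CERTIFICATE block and the two malformed blobs are all dropped, leaving two roots.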
