Opened 9 years ago

Last modified 6 years ago

#5446 enhancement new

cross-platform API for enumerating X509 certificates trusted by the platform for transport layer security

Reported by: Glyph
Owned by:
Priority: normal
Milestone:
Component: core
Keywords:
Cc: ivank, Tom Most, Hynek Schlawack
Branch:

Description (last modified by Glyph)

One component of #5445 (as originally discussed on #4023) would be an API for extracting the native trust roots from the platform. This is actually at least 3 tasks: one for Windows, one for Mac OS X, and at least one for Linux and BSD derivatives (although the only mechanism I'm familiar with there is the ca-certificates package in Debian, so perhaps there are other mechanisms we'd need to use as well).

I think that there's a way to discover the '/etc/ssl/certs' path (the one ca-certificates installs) via some API in OpenSSL, and if there is, we should use it, so that it will work with an arbitrary distro rather than being hard-coded to where Debian decided to stick it.

On Windows - and this is purely from a quick glance at the reference documentation, so take it with a grain of salt - I believe the right way to do this is to use CertOpenSystemStore with the string "CA", or possibly "ROOT", or maybe both, and then do CertEnumCertificatesInStore or maybe just PFXExportCertStoreEx to dump the certs into a format we can import into OpenSSL.

On OS X, and again, I haven't done this, I believe you just have to call SSLCopyTrustedRoots to get the default trusted SSL CA certificates and then SecCertificateCopyData on the retrieved roots to turn them into DER (which we can then load into any SSL implementation).
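The three platform paths sketched in the description, as an added example written for this ticket (it is not Twisted code and not part of the original report). It sticks to the Python standard library, which on Python 3.4+ already wraps two of the mechanisms named above: ssl.get_default_verify_paths() asks OpenSSL where its CA bundle and CA directory live (the distro-independent discovery of /etc/ssl/certs asked for in the description), and on Windows ssl.enum_certificates("ROOT") / ssl.enum_certificates("CA") sits on CertOpenSystemStore plus CertEnumCertificatesInStore and reports each certificate's trust purposes, so roots can be limited to the serverAuth EKU (OID 1.3.6.1.5.5.7.3.1). For OS X there is no stdlib binding to SSLCopyTrustedRoots, so the example assumes the `security` command-line tool and the system root keychain path shown in the code; that path and the PEM splitter's sample input are assumptions/constructed data, not something the ticket states.

```python
"""Enumerate X.509 roots the platform trusts for TLS, as DER byte strings.

Added example, not Twisted's code.  Standard library only.
"""
import base64
import os
import platform
import ssl
import subprocess

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"          # id-kp-serverAuth
# Assumption: Apple's system root keychain lives here and the `security`
# CLI is on PATH; neither is stated in the ticket.
SYSTEM_ROOTS_KEYCHAIN = "/System/Library/Keychains/SystemRootCertificates.keychain"


def pem_to_der_list(pem_text):
    """Split a PEM bundle into DER blobs.  Text outside BEGIN/END blocks
    (comments, 'Subject:' dumps) is ignored; an unterminated block raises."""
    ders, lines, i = [], pem_text.splitlines(), 0
    while i < len(lines):
        if lines[i].strip() == PEM_BEGIN:
            body = []
            i += 1
            while i < len(lines) and lines[i].strip() != PEM_END:
                body.append(lines[i].strip())
                i += 1
            if i == len(lines):
                raise ValueError("unterminated PEM certificate block")
            ders.append(base64.b64decode("".join(body)))
        i += 1
    return ders


def dedupe(ders):
    """Drop duplicate DER blobs (capath hash symlinks point at the same files
    the bundle already contains) while preserving first-seen order."""
    return list(dict.fromkeys(ders))


def openssl_roots():
    """Linux/BSD: let OpenSSL say where the CA file and CA directory are."""
    paths = ssl.get_default_verify_paths()
    ders = []
    if paths.cafile and os.path.isfile(paths.cafile):
        with open(paths.cafile, encoding="ascii", errors="ignore") as fh:
            ders.extend(pem_to_der_list(fh.read()))
    if paths.capath and os.path.isdir(paths.capath):
        for name in sorted(os.listdir(paths.capath)):
            full = os.path.join(paths.capath, name)
            if not os.path.isfile(full):
                continue
            with open(full, encoding="ascii", errors="ignore") as fh:
                try:
                    ders.extend(pem_to_der_list(fh.read()))
                except ValueError:      # not PEM (e.g. a stray DER or README)
                    continue
    return dedupe(ders)


def windows_roots():
    """Windows: ROOT and CA system stores, kept only if trusted for serverAuth."""
    ders = []
    for store in ("ROOT", "CA"):
        for cert, encoding, trust in ssl.enum_certificates(store):
            if encoding != "x509_asn":            # skip PKCS#7 blobs
                continue
            # trust is True (all purposes) or a set of EKU OIDs
            if trust is True or (isinstance(trust, set) and SERVER_AUTH_OID in trust):
                ders.append(cert)
    return dedupe(ders)


def macos_roots():
    """OS X: dump the system root keychain as PEM via the `security` tool."""
    out = subprocess.run(
        ["security", "find-certificate", "-a", "-p", SYSTEM_ROOTS_KEYCHAIN],
        check=True, capture_output=True, text=True).stdout
    return dedupe(pem_to_der_list(out))


def platform_trusted_roots():
    system = platform.system()
    if system == "Windows":
        return windows_roots()
    if system == "Darwin":
        return macos_roots()
    return openssl_roots()


# Constructed sample: the base64 bodies are NOT certificates, just two short
# byte strings, so the splitter can be exercised offline on any platform.
SAMPLE_BUNDLE = """\
# a comment line some bundles carry
-----BEGIN CERTIFICATE-----
Y2VydC1vbmU=
-----END CERTIFICATE-----
Subject: CN=second (text between blocks is ignored)
-----BEGIN CERTIFICATE-----
Y2VydC10d28=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    print("sample bundle ->", pem_to_der_list(SAMPLE_BUNDLE))
    print("platform roots:", len(platform_trusted_roots()))
```

Running the module prints the two constructed blobs and the number of distinct roots found on the current machine; a TLS client would feed each DER blob to its SSL implementation's load-certificate call.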

Change History (3)

comment:1 Changed 9 years ago by ivank

Cc: ivank added

comment:2 Changed 9 years ago by Jean-Paul Calderone

What does "inspect" mean in this context?

comment:3 Changed 7 years ago by Glyph

Description: modified (diff)
Summary: cross-platform API for inspecting configured trust root → cross-platform API for enumerating X509 certificates trusted by the platform for transport layer security