Support OS certificate store for TLS CA root #5760

Closed
max-au opened this issue Mar 1, 2022 · 3 comments
Labels: enhancement, team:PS (Assigned to OTP team PS)
Milestone: OTP-25.0

Comments

max-au (Contributor) commented Mar 1, 2022

At the moment, the ssl application has no default for the Root CA store. It is the user's responsibility to provide one, downloaded on the side.

Describe the solution you'd like
Most operating systems have root CA stores available. I'd like to add the OS store as the default for the {cacertfile, ...} option of the ssl application.

Additional context
I have been researching this topic in order to make a Pull Request when @KennethL mentioned that @dgud and @IngelaAndin are also exploring this space.
I'd like to share some findings and synchronise the development in order to avoid overlap.
My findings and ideas so far:

  • CentOS: root CA store is available as /etc/pki/tls/certs/ca-bundle.crt
  • Ubuntu: root CA store is at /etc/ssl/certs/ca-certificates.crt
  • FreeBSD: root CA store is at /usr/local/share/certs/ca-root-nss.crt, or /etc/ssl/cert.pem if the former does not exist
  • Windows: native code is required to read the Root CA store, see https://docs.microsoft.com/en-us/windows/win32/seccrypto/example-c-program-certificate-store-operations
  • macOS: technically the keychain is available at /System/Library/Keychains/SystemRootCertificates.keychain (plus the personal keychain), but the official API is Keychain Access (also requiring native code)
  • SunOS (Solaris): /etc/certs/CA

Several more links to take inspiration from:

I can come up with a draft PR covering Linux + FreeBSD. Tackling Windows and macOS requires agreement on where to put the native code. My hope would be to add it to the crypto application, to avoid introducing extra NIF build complexity for the ssl application. If this approach is acceptable, I would suggest that the crypto app have an API providing the required access to the certificate store. The alternative is to export this from the public_key app, but it also has no associated NIF.
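
The Linux/FreeBSD/Solaris part of the proposal above can be demonstrated with a small module that probes the listed paths and uses whichever exists as the trust anchor set for an ssl client connection. This is an added example, not code from the issue, the draft PR, or OTP itself (what OTP 25 eventually shipped from the merged PR is public_key:cacerts_get/0); it uses only ssl and public_key calls that already existed when the issue was opened. The module name, the treatment of /etc/certs/CA as a directory of PEM files, and the depth/timeout values are assumptions made for the example.

```erlang
%% os_cacerts_example.erl
%% Added example, not OTP code: probe the OS CA bundle locations listed in
%% the issue and use whichever exists as the trust anchors for ssl:connect/4.
-module(os_cacerts_example).
-export([candidate_paths/0, find_store/0, connect/2]).

%% Candidate locations, in the order the issue lists them. Assumption: a
%% path that turns out to be a directory holds individual PEM files.
candidate_paths() ->
    ["/etc/pki/tls/certs/ca-bundle.crt",        % CentOS / RHEL
     "/etc/ssl/certs/ca-certificates.crt",      % Debian / Ubuntu
     "/usr/local/share/certs/ca-root-nss.crt",  % FreeBSD, ca_root_nss port
     "/etc/ssl/cert.pem",                       % FreeBSD fallback
     "/etc/certs/CA"].                          % Solaris

%% Returns {ok, {file, Path}} | {ok, {dir, Path}} | {error, no_os_ca_store}.
find_store() ->
    find_store(candidate_paths()).

find_store([]) ->
    {error, no_os_ca_store};
find_store([Path | Rest]) ->
    case {filelib:is_regular(Path), filelib:is_dir(Path)} of
        {true, _} -> {ok, {file, Path}};
        {_, true} -> {ok, {dir, Path}};
        _         -> find_store(Rest)
    end.

%% Decode every *.pem file in a directory into DER certificates, which is
%% the form the ssl 'cacerts' option takes.
dir_cacerts(Dir) ->
    Files = filelib:wildcard(filename:join(Dir, "*.pem")),
    lists:append([pem_certs(File) || File <- Files]).

pem_certs(File) ->
    {ok, Pem} = file:read_file(File),
    [Der || {'Certificate', Der, not_encrypted} <- public_key:pem_decode(Pem)].

%% Open a verified TLS connection to Host:Port using the OS trust store.
%% 'verify' must be set explicitly: with cacertfile alone and the
%% pre-OTP-26 client default of verify_none, the chain is never checked.
connect(Host, Port) ->
    {ok, _} = application:ensure_all_started(ssl),
    case find_store() of
        {error, Reason} ->
            {error, Reason};
        {ok, Store} ->
            Trust = case Store of
                        {file, Path} -> [{cacertfile, Path}];
                        {dir, Dir}   -> [{cacerts, dir_cacerts(Dir)}]
                    end,
            Opts = Trust ++
                [{verify, verify_peer},
                 {depth, 3},                          % assumed chain depth limit
                 {server_name_indication, Host},
                 {customize_hostname_check,
                  [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}],
            ssl:connect(Host, Port, Opts, 5000)      % assumed 5 s timeout
    end.
```

Compile with `erlc os_cacerts_example.erl` and call `os_cacerts_example:connect("example.com", 443).` from an `erl` shell on a host that has one of the bundles; a host without any of them gets `{error, no_os_ca_store}` rather than a silently unverified connection. The point a practitioner should take from the `connect/2` options is that pointing the ssl application at a trust store does nothing on its own: before OTP 26 the client default is `verify_none`, so `{verify, verify_peer}` (and a hostname match function that understands wildcard certificates) must accompany any default `cacertfile` for the OS store to actually constrain which servers are trusted.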

@IngelaAndin IngelaAndin added the team:PS Assigned to OTP team PS label Mar 2, 2022
dgud (Contributor) commented Mar 2, 2022

You are way ahead of me; I have not even started investigating this.
After a short discussion we believe it is best to make it inside public_key; it belongs best there, or maybe in a new application, but start with a new API module in public_key.
In public_key you will need a new configure file, but that is easier than changing the current one in crypto anyway.

dgud (Contributor) commented Apr 1, 2022

Something like this?

WIP #5853

@dgud dgud added this to the OTP-25.0 milestone May 2, 2022
dgud (Contributor) commented May 2, 2022

Merged #5853 to master
