I'm writing a cross-platform websocket client using mbedtls. Now I'm left with the burden of feeding a suitable pack of trusted root certificates to the mbedtls API, which looks like this:
```c
/* Structure to load trusted root certs into. */
mbedtls_x509_crt ca_certs;
mbedtls_x509_crt_init(&ca_certs);
/* Parse the file with root certificates. */
if (mbedtls_x509_crt_parse_file(&ca_certs, "trusted_certs.pem") != 0) {
    exit(EXIT_FAILURE);
}
/* Set the certificates as trusted for this session. */
mbedtls_ssl_conf_ca_chain(&conf, &ca_certs, NULL);
```
It's pretty straightforward, I just need to concatenate all found certificates and feed them into the function.
- I know that on my embedded system (esp32) which is also using mbedtls, there's already a library that provides me with the system-wide CA store, so that should be no problem. 
- On Linux systems I know that the certificate bundle will mostly reside under /etc/ssl/certs. Question: Is this true for every (major) distribution?
- On Windows I frankly have no idea. There seems to be something like a certificate store, but how do I get my certificates out of there? 
- On Apple I don't really care (yet) <3 
A reference codebase would also be very helpful!
 
                        
Look at GnuTLS for an example of how this can be achieved. Specifically, look at add_system_trust() in ~\gnutls\lib\system\certs.c
For Windows it boils down to calling CertOpenStore(), looping through the certificates using CertEnumCertificatesInStore() and CertEnumCRLsInStore(), then closing the store using CertCloseStore() - very simple.
https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certenumcertificatesinstore
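
The store enumeration described in the answer above, as an added example that is not part of the original post and is not GnuTLS or mbedtls code. The names `cert_sink`, `first_readable`, `load_windows_roots` and `BUNDLE_PATHS` are assumptions made for illustration, and the path list covers common Linux bundle locations without being exhaustive.

```c
#include <stddef.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h> /* link with crypt32 */
#endif

/* Hypothetical callback: gets one DER certificate, returns 0 on success. With
 * mbedtls it would wrap mbedtls_x509_crt_parse_der(&ca_certs, der, len). */
typedef int (*cert_sink)(void *ctx, const unsigned char *der, size_t len);

/* Assumed candidate list: common PEM bundle locations, not exhaustive. */
const char *const BUNDLE_PATHS[] = {
    "/etc/ssl/certs/ca-certificates.crt",                /* Debian, Ubuntu */
    "/etc/pki/tls/certs/ca-bundle.crt",                  /* Fedora, RHEL */
    "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", /* CentOS/RHEL 7+ */
    "/etc/ssl/ca-bundle.pem",                            /* openSUSE */
    "/etc/ssl/cert.pem",                                 /* Alpine */
};

/* First path that opens for reading, or NULL if none does. The result is
 * what mbedtls_x509_crt_parse_file() would be given. */
const char *first_readable(const char *const *paths, size_t n) {
    for (size_t i = 0; i < n; i++) {
        FILE *f = fopen(paths[i], "rb");
        if (f) { fclose(f); return paths[i]; }
    }
    return NULL;
}

/* Number of certificates from the Windows "ROOT" store accepted by sink;
 * -1 if the store cannot be opened or on a non-Windows build. */
int load_windows_roots(cert_sink sink, void *ctx) {
#ifdef _WIN32
    HCERTSTORE store = CertOpenStore(CERT_STORE_PROV_SYSTEM_A, 0, 0,
        CERT_SYSTEM_STORE_CURRENT_USER | CERT_STORE_READONLY_FLAG, "ROOT");
    if (!store) return -1;
    int accepted = 0;
    PCCERT_CONTEXT c = NULL; /* each call frees the previous context */
    while ((c = CertEnumCertificatesInStore(store, c)) != NULL)
        if (sink(ctx, c->pbCertEncoded, c->cbCertEncoded) == 0) accepted++;
    CertCloseStore(store, 0);
    return accepted;
#else
    (void)sink; (void)ctx;
    return -1;
#endif
}
```

A return of 0 from `load_windows_roots` or NULL from `first_readable` means no trust anchors were loaded, so the caller should fail the connection setup rather than continue with an empty chain.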