nabla-c0d3 / trust_stores_observatory Goto Github PK

From #4 it'd be handy to show diffs between yaml files. That way it's a bit more apparent which CA's were removed, added, etc between runs.

The file at /lib/security/blacklisted.certs contains the SHA-256 hash of blacklisted CA certificates. We should parse that to store it in the Java store's YAML file.

some certificates from https://support.apple.com/en-us/HT213464 are missing:

1be7abe30686b16348afd1c61b6866a0ea7f4821e67d5e8af937cf8011bc750d: HARICA Client RSA Root CA 2021
77b82cd8644c4305f7acc5cb156b45675004033d51c60c6202a8e0c33467d3a0: Certainly Root R1
6b328085625318aa50d173c98d8bda09d57e27413d114cf787a0f5d06c030cf6: Certum EC-384 CA
9a296a5182d1d451a2e37f439b74daafa267523329f90f9a0d2007c334e23c9a: GLOBALTRUST 2020
657cfe2fa73faa38462571f332a2363a46fce7020951710702cdfbb6eeda3305: certSIGN ROOT CA G2
8dd4b5373cb0de36769c12339280d82746b3aa6cd426e797a31babe4279cf00b: HARICA Client ECC Root CA 2021
88f438dcf8ffd1fa8f429115ffe5f82ae1e06e0c70c375faad717b34a49e7265: NAVER Global Root Certification Authority
69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470: ISRG Root X2
d95d0e8eda79525bf9beb11b14d2100d3294985f0c62d9fabd9cd999eccb7b1d: HARICA TLS RSA Root CA 2021
fe7696573855773e37a95e7ad4d9cc96c30157c15d31765ba9b15704e1ae78fd: Certum Trusted Root CA
b4585f22e4ac756a4e8612a1361c5d9d031a93fd84febb778fa3068b0fc42dc2: Certainly Root E1
3f99cc474acfce4dfed58794665e478d1547739f2e780f1bb4ca9b133097d401: HARICA TLS ECC Root CA 2021

most can be found here:
https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt

the rest can be found here:
https://repo.harica.gr/rep_dyn.php

Google Chrome used to use the OS's root store. Starting with Chrome 105, Chrome is using it's own root store maintained by google in the chromium project.

Certs can be found here: https://chromium.googlesource.com/chromium/src/+/main/net/data/ssl/chrome_root_store/

We should automatically add all certificates at https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT to this repo, before refreshing the stores, so that there are no missing certificates.

(JMRTD: An Open Source Java Implementation of Machine Readable Travel Documents)

https://jmrtd.org/certificates.shtml

It is probably a subset of #19

Hi!

I've been working on a related project cert-manage which works to trim down trusted CA's on a device. It can list installed CA certs and then apply a whitelist against them to remove trust.

I want to build some sort of observatory (ideally captured from opt-in running installs of cert-manage) and some clean room builds. It would be pretty easy to report what's installed in a format consumable for this project.

After installing (no releases yet) you can list see what's installed with the following:

$ cert-manage list # platform 
$ cert-manage list -app java [-format openssl, etc]

https://www.icao.int/Security/FAL/PKD

Data download with rather prohibitive terms: https://pkddownloadsg.icao.int/

https://helpx.adobe.com/acrobat/kb/approved-trust-list1.html

Not sure where the data can be fetched from.

It should include the EU trust list as well (#16) but is non-normative

This would require:

• Downloading the latest JRE at http://www.oracle.com/technetwork/java/javase/downloads/index.html
• Parsing the cacerts file in it

the trust store pushed has 137 certificates while the one in google has 138 (probably not really just a single difference).

What would you think about using cert-manage (I've released 0.1.0) to generate observatory yamls from installed CA store instances during the weekly cron?

This would be via dockerfiles like: openjdk:9-jre and ubuntu:latest. Ideally every stable and latest app/platform could be included. We could install apps (chrome, firefox) into dockerfiles too.

There should be good enough versions embedded in the observatory yaml now.

$ ./cert-manage list -app java -format observatory | head -n2
platform: Java
version: 1.8.0_152

$ ./cert-manage list -app chrome -format observatory | head -n2
platform: Chrome
version: 63.0.3239.132

$ ./cert-manage list -format observatory | head -n2
platform: Darwin (OSX)
version: 10.13.3

https://hub.docker.com/_/ubuntu/
https://hub.docker.com/_/openjdk/

https://ec.europa.eu/digital-single-market/en/eu-trusted-lists-trust-service-providers

The data is in signed XML:
https://ec.europa.eu/information_society/policy/esignature/trusted-list/tl-mp.xml
and it points to some national signed trust lists via TSLLocation XML elements, making it very hard to observe changes.

A public Analysis Tool is available at https://webgate.ec.europa.eu/tl-browser/ (official) and http://tlbrowser.tsl.website/tools/ (3rd party)

#12 mentioned this project uses Oracle's Java 8. Their newer releases require licensing for commercial use, but OpenJDK is free for projects to use.