nabla-c0d3 / trust_stores_observatory
Continuously monitor and record the content of the major platforms' root certificate stores.
License: MIT License
From #4 it'd be handy to show diffs between yaml files. That way it's a bit more apparent which CAs were removed, added, etc between runs.
The file at /lib/security/blacklisted.certs contains the SHA-256 hash of blacklisted CA certificates. We should parse that to store it in the Java store's YAML file.
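As an added example (not code from the trust_stores_observatory project), the following parses the blacklisted.certs layout into lowercase SHA-256 fingerprints and reports which CAs were added or removed between two store snapshots, the diff asked for in #4. The sample file text and the {fingerprint: subject name} snapshot shape are constructed assumptions, not the project's own data or YAML schema.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout of the JDK's lib/security/blacklisted.certs:
# an "Algorithm=" header line, then one hex fingerprint per line, '#' comments.
# The fingerprints are made up for this example and match no real certificate.
SAMPLE_BLACKLIST = """\
# constructed example, not a real JDK file
Algorithm=SHA-256
0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F9
1111111111111111111111111111111111111111111111111111111111111111
"""

HEX_SHA256 = re.compile(r"^[0-9a-f]{64}$")


def parse_blacklisted_certs(text: str) -> Tuple[str, List[str]]:
    """Return (algorithm, fingerprints) from blacklisted.certs content.

    Fingerprints are normalised to lowercase hex so they compare equal to the
    lowercase SHA-256 values used elsewhere in the observatory's YAML files.
    """
    algorithm = ""
    fingerprints: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Algorithm="):
            algorithm = line.split("=", 1)[1].strip()
            continue
        fp = line.lower()
        if not HEX_SHA256.match(fp):
            raise ValueError(f"not a SHA-256 fingerprint: {raw!r}")
        fingerprints.append(fp)
    if algorithm != "SHA-256":
        raise ValueError(f"unexpected algorithm: {algorithm!r}")
    return algorithm, fingerprints


def diff_store(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare two snapshots {fingerprint: subject name} and list what changed.

    Keyed on the fingerprint, so a renamed subject with the same certificate is
    not reported, while a re-issued root with a new fingerprint is.
    """
    added = sorted(f"{fp}: {new[fp]}" for fp in new.keys() - old.keys())
    removed = sorted(f"{fp}: {old[fp]}" for fp in old.keys() - new.keys())
    return {"added": added, "removed": removed}
```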
Some certificates from https://support.apple.com/en-us/HT213464 are missing:
1be7abe30686b16348afd1c61b6866a0ea7f4821e67d5e8af937cf8011bc750d: HARICA Client RSA Root CA 2021
77b82cd8644c4305f7acc5cb156b45675004033d51c60c6202a8e0c33467d3a0: Certainly Root R1
6b328085625318aa50d173c98d8bda09d57e27413d114cf787a0f5d06c030cf6: Certum EC-384 CA
9a296a5182d1d451a2e37f439b74daafa267523329f90f9a0d2007c334e23c9a: GLOBALTRUST 2020
657cfe2fa73faa38462571f332a2363a46fce7020951710702cdfbb6eeda3305: certSIGN ROOT CA G2
8dd4b5373cb0de36769c12339280d82746b3aa6cd426e797a31babe4279cf00b: HARICA Client ECC Root CA 2021
88f438dcf8ffd1fa8f429115ffe5f82ae1e06e0c70c375faad717b34a49e7265: NAVER Global Root Certification Authority
69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470: ISRG Root X2
d95d0e8eda79525bf9beb11b14d2100d3294985f0c62d9fabd9cd999eccb7b1d: HARICA TLS RSA Root CA 2021
fe7696573855773e37a95e7ad4d9cc96c30157c15d31765ba9b15704e1ae78fd: Certum Trusted Root CA
b4585f22e4ac756a4e8612a1361c5d9d031a93fd84febb778fa3068b0fc42dc2: Certainly Root E1
3f99cc474acfce4dfed58794665e478d1547739f2e780f1bb4ca9b133097d401: HARICA TLS ECC Root CA 2021
Most can be found here:
https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt
The rest can be found here:
https://repo.harica.gr/rep_dyn.php
Google Chrome used to use the OS's root store. Starting with Chrome 105, Chrome is using its own root store maintained by Google in the Chromium project.
Certs can be found here: https://chromium.googlesource.com/chromium/src/+/main/net/data/ssl/chrome_root_store/
We should automatically add all certificates at https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT to this repo, before refreshing the stores, so that there are no missing certificates.
(JMRTD: An Open Source Java Implementation of Machine Readable Travel Documents)
https://jmrtd.org/certificates.shtml
It is probably a subset of #19
Hi!
I've been working on a related project cert-manage which works to trim down trusted CAs on a device. It can list installed CA certs and then apply a whitelist against them to remove trust.
I want to build some sort of observatory (ideally captured from opt-in running installs of cert-manage) and some clean room builds. It would be pretty easy to report what's installed in a format consumable for this project.
After installing (no releases yet) you can see what's installed with the following:
$ cert-manage list # platform
$ cert-manage list -app java [-format openssl, etc]
https://www.icao.int/Security/FAL/PKD
Data download with rather prohibitive terms: https://pkddownloadsg.icao.int/
https://helpx.adobe.com/acrobat/kb/approved-trust-list1.html
Not sure where the data can be fetched from.
It should include the EU trust list as well (#16) but is non-normative
This would require:
The trust store pushed has 137 certificates while the one in Google has 138 (probably not really just a single difference).
What would you think about using cert-manage (I've released 0.1.0) to generate observatory yamls from installed CA store instances during the weekly cron?
This would be via dockerfiles like: openjdk:9-jre and ubuntu:latest. Ideally every stable and latest app/platform could be included. We could install apps (chrome, firefox) into dockerfiles too.
There should be good enough versions embedded in the observatory yaml now.
$ ./cert-manage list -app java -format observatory | head -n2
platform: Java
version: 1.8.0_152
$ ./cert-manage list -app chrome -format observatory | head -n2
platform: Chrome
version: 63.0.3239.132
$ ./cert-manage list -format observatory | head -n2
platform: Darwin (OSX)
version: 10.13.3
https://hub.docker.com/_/ubuntu/
https://hub.docker.com/_/openjdk/
https://ec.europa.eu/digital-single-market/en/eu-trusted-lists-trust-service-providers
The data is in signed XML:
https://ec.europa.eu/information_society/policy/esignature/trusted-list/tl-mp.xml
and it points to some national signed trust lists via TSLLocation XML elements, making it very hard to observe changes.
A public Analysis Tool is available at https://webgate.ec.europa.eu/tl-browser/ (official) and http://tlbrowser.tsl.website/tools/ (3rd party)
#12 mentioned this project uses Oracle's Java 8. Their newer releases require licensing for commercial use, but OpenJDK is free for projects to use.