The choice of this format was to allow for the following scenarios:
Prior to Android N (Nougat), the set of trust anchors included in Android were provided in the platform/libcore repository, under luni/src/main/files/cacerts
Beginning with Android N, the set of trust anchors included in Android is provided in the platform/system/ca-certifcates repository, under files
.
The set of root certificates for macOS is available at https://opensource.apple.com/.
Since macOS 10.4 (Tiger), the set of root certificates included is available within the security_certificates
package, which is independently versioned from other packages in macOS. Only revisions since 10.9 whose package contents had changed were included for consideration.
Additional restrictions upon trusted CAs are maintained both within the code of Security.framework and through additional plist expressions, such as for allowlisted certificates. However, these were not consulted, as they're not applicable to this use case.
Mozilla NSS independently versions the set of included root certificates from the NSS library version. The root package is known within the source as nssckbi
, maintained in lib/ckfw/builtins
. The version can be extracted from nssckbi.h
, while the trust store is maintained within certdata.txt
.
Additional restrictions upon trusted CAs are maintained both within the code of NSS and Mozilla Firefox; however, these were not consulted, as they're not applicable to this use case.
Microsoft Windows maintains its root certificates in two locations - within a resource of crypt32.dll
, shipped with the appropriate Windows release, and through the Automatic Root Update (AuthRoot) mechanism, served at http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authroot.cab
The contents of the cab file are a PKCS#7 trust store, with attribute OIDs that match to PROP_ID
documented in wincrypt.h
and, less exhaustively, on MSDN
Additional restrictions upon trusted CAs are maintained as properties within the STL; however, these were not consulted, as they're not applicable to this use case.