
[etc] Chromium root store #2601

Open
janbrasna opened this issue Nov 20, 2024 · 4 comments

Comments

@janbrasna
Contributor

Neither Android nor Chrome trust store is included in etc exports, noting:

Google Chromium uses basically the trust stores above, see https://www.chromium.org/Home/chromium-security/root-ca-policy.

However, Chromium no longer relies on the underlying OS, as quoted from the link:

"In Chrome 105, Chrome began a platform-by-platform transition from relying on the host operating system’s Root Store to its own on Windows, macOS, ChromeOS, Linux, and Android. […] Apple policies prevent the Chrome Root Store and corresponding Chrome Certificate Verifier from being used on Chrome for iOS. Learn more about the Chrome Root Store and Chrome Certificate Verifier here."

So taking the table from chromium/src/[~]/ssl/chrome_root_store/faq.md it maps to:

| Chrome on...* | Rollout Began** | Enabled by Default |
|---|---|---|
| Android | Chrome 114 | Chrome 115 |
| Chrome OS | Chrome 114 | Chrome 114 |
| iOS*** | N/A | N/A |
| Linux | Chrome 114 | Chrome 114 |
| macOS | Chrome 105 | Chrome 108 |
| Windows | Chrome 105 | Chrome 108 |

There are two sources, one we used for years to map as "Android" roots: https://pki.goog/roots.pem and also now the chromium reference to its src: https://chromium.googlesource.com/chromium/src/+/main/net/data/ssl/chrome_root_store/root_store.md

(Not sure how these map to Mozilla/NSS or Microsoft/SChannel exports as compared to just CCADB that all of these are a member of anyways…)


@drwetter
Owner

Ah, cool. That makes matters easier than I thought. How does one retrieve the raw file?

The Android root CAs you mentioned above contain only 36 certificates.

@janbrasna
Contributor Author

janbrasna commented Nov 28, 2024

In theory the txt format link in the footer should work: root_store.certs?format=TEXT

(ah yea it'd probably need base64 decoding tho: google/gitiles#106 ;D)
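As an added example (not code from this thread or from the project), this is how one would unwrap the base64 that gitiles applies to a `?format=TEXT` response and fingerprint the roots in the resulting certs file, which is the value you would use to compare the Chrome store against the Android `roots.pem` export. The sample response, the file layout and the certificate bodies are constructed placeholders, not real root certificates.

```python
import base64
import hashlib
import re

# Constructed sample of a root_store.certs file (layout assumed: optional
# comment lines plus PEM blocks). The cert bodies are placeholder bytes,
# NOT real DER certificates.
SAMPLE_CERTS_FILE = b"""\
# placeholder header line
-----BEGIN CERTIFICATE-----
AAECAwQFBgcICQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CgsMDQ4P
-----END CERTIFICATE-----
"""

# gitiles serves ?format=TEXT as the raw file, base64-encoded (google/gitiles#106),
# so the constructed "HTTP body" is the base64 of the file above.
SAMPLE_GITILES_RESPONSE = base64.b64encode(SAMPLE_CERTS_FILE)

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def decode_gitiles_text(payload: bytes) -> bytes:
    """Undo the base64 wrapping of a gitiles ?format=TEXT response.
    Whitespace is tolerated; validate=True makes a non-base64 body such as
    an HTML error page raise instead of silently decoding to garbage."""
    return base64.b64decode(b"".join(payload.split()), validate=True)


def pem_fingerprints(certs_file: bytes) -> list[str]:
    """SHA-256 hex fingerprint of each PEM block's DER bytes, in file order."""
    fingerprints = []
    for body in PEM_RE.findall(certs_file):
        der = base64.b64decode(b"".join(body.split()))
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints


def roots_from_gitiles(payload: bytes) -> list[str]:
    """Decode a gitiles TEXT response and return the fingerprints it contains."""
    return pem_fingerprints(decode_gitiles_text(payload))


if __name__ == "__main__":
    for fp in roots_from_gitiles(SAMPLE_GITILES_RESPONSE):
        print(fp)
```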

@janbrasna
Contributor Author

janbrasna commented Nov 28, 2024

Truth is I got a bit lost in the Android roots, as the current repo seems rather complicated (and the individual certs stored as separate files at main…):

E.g. some refs/releases include the roots.pem:
