Hello Sid, currently there is no "standard certificate store" available on Linux. Almost every application (cryptographic library) uses its own solution but there is an ongoing effort to solve this sad situation in p11-glue project [0] that promotes PKCS#11 as a glue between crypto libraries and security applications. I think you should take a look at its two suprojects P11-Kit [1] and TrustModule [2]. PKCS#11 interface is nowadays supported by almost every smartcard/HSM middleware and there are also pure software modules available such as SoftHSM [3] or NSS Internal PKCS#11 module (used by Mozilla products). Unmanaged PKCS#11 modules can be easily interfaced in C# via managed wrappers such as Pkcs11Interop [4]. Full disclosure: I am the author of Pkcs11Interop :)
However if you are looking for a quickest, easy to understand, easy to implement and "truly" cross-platform solution (Android and iOS included) you will probably end up with something very similar to Jeff's solution with PKCS#12 file. [0] http://p11-glue.freedesktop.org/ [1] http://p11-glue.freedesktop.org/p11-kit.html [2] http://p11-glue.freedesktop.org/trust-module.html [3] http://www.opendnssec.org/softhsm/ [4] http://pkcs11interop.net/ -- Kind Regards / S pozdravom Jaroslav Imrich http://www.jimrich.sk On Tue, Nov 12, 2013 at 8:35 PM, Sid Shetye <sid...@outlook.com> wrote: > Thanks Jeff. > > > > Taking a step back before jumping into library details, did you find any > other alternatives before deciding to have your own cert store > implementation? I ask because it seems odd (to me) that you and I would be > the first ones to face the “cross platform certificate store” problem – > surely someone else might have solved this before. Especially in the Bouncy > Castle community? That’s my (perhaps naïve) thinking. So would appreciate > if you could share your learnings on this topic (and great job on the > GitHub repo!) > > > > Regards, > > Sid > > > > *From:* Jeff Stedfast [mailto:j...@xamarin.com] > *Sent:* Tuesday, November 12, 2013 11:05 AM > *To:* Sid Shetye > *Cc:* Bouncy Castle Developer List > *Subject:* Re: [dev-crypto-csharp] Certificate store for cross platform > designs > > > > Hi Sid, > > > > I asked this question just last week ;-) > > > > What I ended up doing is to use a pkcs12 file to store private certs/keys > and a file containing unencrypted certs for everything else (like CAs and > such). > > > > If you come up with a better way, I'd appreciate if you let me know. I'm > working on a cross-platform (Windows, Mac, Linux, iOS, and Android) MIME > library with support for S/MIME and PGP, so am really interested in a > cross-platform way of managing certificates. > > > > You can find my current cross-platform certificate management logic here: > https://github.com/jstedfast/MimeKit/blob/master/MimeKit/Cryptography/DefaultSecureMimeContext.cs#L104 > > > > and here: > https://github.com/jstedfast/MimeKit/blob/master/MimeKit/Cryptography/X509CertificateStore.cs > > > > The first link creates 2 X509CertificateStores, one for root certificates > and one for user certs (equivalent, I suppose, of StoreName.Root and > StoreName.My). I should probably also have something equivalent to > StoreName.AddressBook, but right now they are stored in the pkcs12 file > along with the user's other personal certificates. > > > > Hope that helps, > > > > Jeff > > > > On Tue, Nov 12, 2013 at 1:42 PM, Sid Shetye <sid...@outlook.com> wrote: > > Hi folks, > > > > Although we do use BC for some crypto stuff, we haven’t explored anything > beyond the standard Windows cert store for certificate storage. So at > present we use the Windows certificate store as: > > > > var store = new X509Store(StoreName.My, StoreLocation.LocalMachine); > > store.Open(OpenFlags.OpenExistingOnly | OpenFlags.ReadOnly); > > var certs = store.Certificates.Find(X509FindType.FindBySubjectName, > subjectName, true); > > > > We’d like to switch to something that’s more cross platform (esp Linux > compatible). What are some good design patterns for a secure, cross > platform certificate storage? We need to store RSA and EC certificates as > well as their respective private keys (if they exist in the password > protected PFX). > > > > Regards > > Sid > > > > >
