Embed root keystore in binary #156
Open
+175
−38
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jcarrete5
force-pushed
the
embed-root-keystore
branch
from
d779189 to
182645e
Compare
jcarrete5
commented
Nov 18, 2025
jcarrete5
force-pushed
the
embed-root-keystore
branch
from
182645e to
2feca1b
Compare
jcarrete5
force-pushed
the
embed-root-keystore
branch
from
2feca1b to
69ae5f8
Compare
riwoh
requested changes
Nov 20, 2025
Contributor
riwoh
left a comment
riwoh
left a comment
There was a problem hiding this comment.
Need to update copyright year if the file was touched.
mhabrat
previously approved these changes
Nov 21, 2025
riwoh
previously approved these changes
Jan 16, 2026
There was a problem hiding this comment.
Pull request overview
This PR embeds a root keystore directly into the binary to simplify testing and deployment. Previously, the root keystore was read from an external PKCS12 file; now it can fall back to an embedded version when the ROOT_KEYSTORE environment variable is not set.
Changes:
- Embedded default PKCS12 keystore data as a static array in a new header file
- Modified the keystore loading logic to use embedded data when no external file is specified
- Moved shared constants from common.h to the new root_keystore.h header
- Added tests for the embedded keystore functionality
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| reference/src/util/include/root_keystore.h | New header containing embedded PKCS12 keystore data and shared constants |
| reference/src/util/src/pkcs12.c | Updated to load from embedded keystore when ROOT_KEYSTORE env var is not set |
| reference/src/util/include/common.h | Removed DEFAULT_ROOT_KEYSTORE_PASSWORD and COMMON_ROOT_NAME (moved to root_keystore.h) |
| reference/src/util/include/pkcs12.h | Updated documentation to reflect new embedded keystore behavior |
| reference/src/util/test/pkcs12test.cpp | Added tests for embedded keystore loading functionality |
| reference/src/util/CMakeLists.txt | Added root_keystore.h to library sources |
| reference/src/taimpl/src/porting/otp.c | Added include for root_keystore.h |
| reference/src/taimpl/CMakeLists.txt | Added BYPRODUCTS directive for test file copy |
| reference/src/client/test/sa_key_common.cpp | Added include for root_keystore.h |
| reference/src/client/CMakeLists.txt | Added BYPRODUCTS directive for test file copy |
| reference/README.md | Updated documentation describing the new embedded keystore approach |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
jcarrete5
force-pushed
the
embed-root-keystore
branch
from
827bbd2 to
7a3bd8e
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| #include "root_keystore.h" | ||
| #include "gtest/gtest.h" | ||
| #include <cstdlib> | ||
| #include <stdlib.h> |
There was a problem hiding this comment.
Both cstdlib (line 23) and stdlib.h (line 24) are included. In C++ code, only cstdlib should be used. The stdlib.h include is redundant and should be removed.
Suggested change
| #include <stdlib.h> |
Comment on lines
+29
to
+89
| static const uint8_t default_root_keystore[] = { | ||
| 0x30, 0x82, 0x02, 0xb6, 0x02, 0x01, 0x03, 0x30, 0x82, 0x02, 0x60, 0x06, | ||
| 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x82, | ||
| 0x02, 0x51, 0x04, 0x82, 0x02, 0x4d, 0x30, 0x82, 0x02, 0x49, 0x30, 0x82, | ||
| 0x02, 0x45, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, | ||
| 0x01, 0xa0, 0x82, 0x02, 0x36, 0x04, 0x82, 0x02, 0x32, 0x30, 0x82, 0x02, | ||
| 0x2e, 0x30, 0x82, 0x01, 0x19, 0x06, 0x0b, 0x2a, 0x86, 0x48, 0x86, 0xf7, | ||
| 0x0d, 0x01, 0x0c, 0x0a, 0x01, 0x05, 0xa0, 0x81, 0xb3, 0x30, 0x81, 0xb0, | ||
| 0x06, 0x0b, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x0a, 0x01, | ||
| 0x02, 0xa0, 0x81, 0xa0, 0x04, 0x81, 0x9d, 0x30, 0x81, 0x9a, 0x30, 0x66, | ||
| 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x05, 0x0d, 0x30, | ||
| 0x59, 0x30, 0x38, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, | ||
| 0x05, 0x0c, 0x30, 0x2b, 0x04, 0x14, 0x2d, 0x53, 0x8e, 0x7a, 0xe6, 0x40, | ||
| 0x6b, 0x2c, 0x16, 0x91, 0x5c, 0x58, 0xfe, 0x63, 0x06, 0x86, 0x2d, 0xdf, | ||
| 0xad, 0x13, 0x02, 0x02, 0x27, 0x10, 0x02, 0x01, 0x20, 0x30, 0x0c, 0x06, | ||
| 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x09, 0x05, 0x00, 0x30, | ||
| 0x1d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x2a, | ||
| 0x04, 0x10, 0xf8, 0xf4, 0x48, 0xc5, 0x18, 0x05, 0x91, 0xb4, 0xc1, 0x4c, | ||
| 0xe9, 0x70, 0xc6, 0x7e, 0x93, 0x8d, 0x04, 0x30, 0xfc, 0x30, 0xf9, 0xea, | ||
| 0x39, 0x8e, 0xb7, 0xc6, 0xb3, 0x7d, 0xe6, 0xdf, 0xce, 0xf4, 0xdf, 0x91, | ||
| 0x81, 0x44, 0x1e, 0x42, 0x12, 0xc3, 0xc2, 0x59, 0xd8, 0xe1, 0xa5, 0x93, | ||
| 0x79, 0xfe, 0xa4, 0xbb, 0x9d, 0xc4, 0xf4, 0xe9, 0x14, 0xaa, 0x47, 0x87, | ||
| 0x82, 0x96, 0xaf, 0x65, 0x02, 0x1a, 0x3e, 0x48, 0x31, 0x54, 0x30, 0x2f, | ||
| 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x14, 0x31, | ||
| 0x22, 0x1e, 0x20, 0x00, 0x66, 0x00, 0x66, 0x00, 0x66, 0x00, 0x66, 0x00, | ||
| 0x66, 0x00, 0x66, 0x00, 0x66, 0x00, 0x66, 0x00, 0x66, 0x00, 0x66, 0x00, | ||
| 0x66, 0x00, 0x66, 0x00, 0x66, 0x00, 0x66, 0x00, 0x66, 0x00, 0x65, 0x30, | ||
| 0x21, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x15, | ||
| 0x31, 0x14, 0x04, 0x12, 0x54, 0x69, 0x6d, 0x65, 0x20, 0x31, 0x36, 0x35, | ||
| 0x35, 0x31, 0x36, 0x32, 0x33, 0x39, 0x30, 0x39, 0x37, 0x30, 0x30, 0x82, | ||
| 0x01, 0x0d, 0x06, 0x0b, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, | ||
| 0x0a, 0x01, 0x05, 0xa0, 0x81, 0xb3, 0x30, 0x81, 0xb0, 0x06, 0x0b, 0x2a, | ||
| 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x0a, 0x01, 0x02, 0xa0, 0x81, | ||
| 0xa0, 0x04, 0x81, 0x9d, 0x30, 0x81, 0x9a, 0x30, 0x66, 0x06, 0x09, 0x2a, | ||
| 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x05, 0x0d, 0x30, 0x59, 0x30, 0x38, | ||
| 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x05, 0x0c, 0x30, | ||
| 0x2b, 0x04, 0x14, 0x7b, 0xc8, 0x89, 0xce, 0x75, 0xcf, 0x2e, 0xca, 0x1a, | ||
| 0x5b, 0xf1, 0xa6, 0xac, 0xe6, 0x35, 0x56, 0x20, 0xfb, 0xaf, 0xe3, 0x02, | ||
| 0x02, 0x27, 0x10, 0x02, 0x01, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, | ||
| 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x09, 0x05, 0x00, 0x30, 0x1d, 0x06, 0x09, | ||
| 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x2a, 0x04, 0x10, 0x72, | ||
| 0x4b, 0x8d, 0x97, 0x79, 0xb0, 0x6c, 0xa9, 0x09, 0x0c, 0xff, 0xc1, 0x19, | ||
| 0xf2, 0x87, 0xf1, 0x04, 0x30, 0x55, 0xc0, 0x29, 0x40, 0x9a, 0x6d, 0x25, | ||
| 0x9f, 0xd6, 0x92, 0xf8, 0x7f, 0x8c, 0xc6, 0x11, 0x70, 0xf8, 0x7b, 0x98, | ||
| 0xd4, 0x81, 0xa8, 0x1a, 0x90, 0xeb, 0x17, 0x14, 0x80, 0x42, 0x68, 0xc0, | ||
| 0xc6, 0xe4, 0x27, 0x47, 0x96, 0x6d, 0x8a, 0xed, 0x6e, 0x37, 0x26, 0xf7, | ||
| 0x4a, 0xa9, 0x95, 0xfb, 0x04, 0x31, 0x48, 0x30, 0x23, 0x06, 0x09, 0x2a, | ||
| 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x14, 0x31, 0x16, 0x1e, 0x14, | ||
| 0x00, 0x63, 0x00, 0x6f, 0x00, 0x6d, 0x00, 0x6d, 0x00, 0x6f, 0x00, 0x6e, | ||
| 0x00, 0x72, 0x00, 0x6f, 0x00, 0x6f, 0x00, 0x74, 0x30, 0x21, 0x06, 0x09, | ||
| 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x15, 0x31, 0x14, 0x04, | ||
| 0x12, 0x54, 0x69, 0x6d, 0x65, 0x20, 0x31, 0x36, 0x38, 0x30, 0x33, 0x30, | ||
| 0x35, 0x32, 0x37, 0x33, 0x35, 0x38, 0x37, 0x30, 0x4d, 0x30, 0x31, 0x30, | ||
| 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, | ||
| 0x05, 0x00, 0x04, 0x20, 0xad, 0x5a, 0xfd, 0x11, 0xe8, 0x5c, 0x99, 0x7d, | ||
| 0xea, 0x31, 0x9c, 0x09, 0x35, 0xbc, 0xc8, 0x76, 0x98, 0xef, 0x3f, 0x19, | ||
| 0x82, 0x3e, 0x58, 0xd4, 0x94, 0x1c, 0x4d, 0x13, 0x95, 0x97, 0x5e, 0x43, | ||
| 0x04, 0x14, 0xfa, 0xaf, 0x44, 0xa6, 0x04, 0x8e, 0x3f, 0xc2, 0xb6, 0x0a, | ||
| 0x54, 0x8a, 0xde, 0x84, 0x5a, 0x96, 0xdc, 0xbd, 0x51, 0x76, 0x02, 0x02, | ||
| 0x27, 0x10, | ||
| }; |
There was a problem hiding this comment.
Defining a static array in a header file will create a separate copy of the array in every translation unit that includes this header. This can lead to code bloat. Consider using extern declaration in the header and defining the array in a .c file instead, or add the inline keyword if using C99 or later.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes #157