att

Author: mateusmoutinho

.gitignore

@@ -1,3 +1,4 @@
 BearSSLTrustAnchors.c
 *.o
-*.so
+*.so
+certs/

README.md

@@ -1,6 +1,6 @@
 # BearSSLTrustedAnchors
 
-A trusted CA certificates generator for BearSSL applications, providing a ready-to-use C source file with trusted root certificates.
+A trusted CA certificates generator for BearSSL applications, providing a ready-to-use C source file with trusted root certificates compatible with virtually any website.
 
 ## Latest Release
 
@@ -10,14 +10,25 @@ A trusted CA certificates generator for BearSSL applications, providing a ready-
 
 ## Overview
 
-This project generates trusted anchor certificates for [BearSSL](https://bearssl.org/) from the official Mozilla CA certificate bundle. The generated C source file contains all trusted root certificates in a format that can be directly compiled into BearSSL applications.
+This project generates trusted anchor certificates for [BearSSL](https://bearssl.org/) from multiple CA sources, maximizing compatibility with public websites, government portals, and enterprise services. The generated C source file contains all trusted root certificates in a format that can be directly compiled into BearSSL applications.
 
-### Certificate Source
+### Certificate Sources
 
-The trusted anchors are generated from:
-- **Source**: [Mozilla CA Certificate Bundle](https://curl.se/docs/caextract.html)  
-- **URL**: [https://curl.se/ca/cacert.pem](https://curl.se/ca/cacert.pem)
-- **Tool**: `brssl` from [BearSSL](https://bearssl.org/)
+The trusted anchors are generated by combining:
+
+| # | Source | Description |
+|---|--------|-------------|
+| 1 | [Mozilla CA Bundle](https://curl.se/docs/caextract.html) (`curl.se/ca/cacert.pem`) | Primary bundle — covers the vast majority of public websites |
+| 2 | System CA bundle (auto-detected) | Adds national, governmental, and corporate CAs not present in Mozilla's bundle |
+
+**System bundle auto-detection order:**
+
+| Path | Distribution |
+|------|-------------|
+| `/etc/ssl/certs/ca-certificates.crt` | Debian / Ubuntu |
+| `/etc/pki/tls/certs/ca-bundle.crt` | RHEL / CentOS / Fedora |
+| `/etc/ssl/ca-bundle.pem` | openSUSE |
+| `/etc/ssl/cert.pem` | Alpine / macOS |
 
 ## Usage
 
@@ -31,11 +42,12 @@ sh generator.sh
 
 This script will:
 1. Download the latest CA certificate bundle from Mozilla
-2. Convert it to BearSSL format using the `brssl` tool
-3. Generate the `BearSSLTrustedAnchors.c` file
+2. Merge it with the system CA bundle (if available)
+3. Convert the combined bundle to BearSSL format using the `brssl` tool
+4. Generate the `BearSSLTrustedAnchors.c` file
 
 ### Requirements
 
 - [BearSSL](https://bearssl.org/) tools (`brssl`)
-- `curl` or `wget` for downloading certificates
+- `curl` for downloading certificates
 - `bash` shell

generator.sh

@@ -1,9 +1,34 @@
 #!/bin/bash
 
+CERT_DIR="certs"
+COMBINED_CERT="$CERT_DIR/cacert.pem"
 
+mkdir -p "$CERT_DIR"
 
-# Download CA certificates
-curl -L https://curl.se/ca/cacert.pem -o BearSSL/cacert.pem
+# Start with empty combined file
+> "$COMBINED_CERT"
+
+# Source 1: Mozilla CA Bundle (via curl.se) — primary, most comprehensive public bundle
+echo "Downloading Mozilla CA Bundle..."
+curl -L https://curl.se/ca/cacert.pem -o "$CERT_DIR/mozilla.pem"
+cat "$CERT_DIR/mozilla.pem" >> "$COMBINED_CERT"
+
+# Source 2: System CA certificates — adds national/corporate/enterprise CAs not in Mozilla
+if [ -f /etc/ssl/certs/ca-certificates.crt ]; then
+    echo "Adding system CA certificates (Debian/Ubuntu)..."
+    cat /etc/ssl/certs/ca-certificates.crt >> "$COMBINED_CERT"
+elif [ -f /etc/pki/tls/certs/ca-bundle.crt ]; then
+    echo "Adding system CA certificates (RHEL/CentOS/Fedora)..."
+    cat /etc/pki/tls/certs/ca-bundle.crt >> "$COMBINED_CERT"
+elif [ -f /etc/ssl/ca-bundle.pem ]; then
+    echo "Adding system CA certificates (openSUSE)..."
+    cat /etc/ssl/ca-bundle.pem >> "$COMBINED_CERT"
+elif [ -f /etc/ssl/cert.pem ]; then
+    echo "Adding system CA certificates (Alpine/macOS)..."
+    cat /etc/ssl/cert.pem >> "$COMBINED_CERT"
+else
+    echo "No system CA bundle found, using Mozilla bundle only."
+fi
 
 # Build BearSSL
 cd BearSSL && make
@@ -13,5 +38,6 @@ cd ..
 chmod +x BearSSL/build/brssl
 
 # Generate trust anchors file
-./BearSSL/build/brssl ta BearSSL/cacert.pem > BearSSLTrustAnchors.c
+./BearSSL/build/brssl ta "$COMBINED_CERT" > BearSSLTrustAnchors.c
 
+echo "Done! Generated BearSSLTrustAnchors.c"