rdkcentral · riwoh · Feb 10, 2026 · Nov 17, 2025 · Nov 20, 2025 · Jan 16, 2026
diff --git a/reference/README.md b/reference/README.md
@@ -71,16 +71,16 @@ the OpenSSL cryptographic implementation with a SoC specific cryptographic imple
 ### 'util'
 
 This directory contains common functions that are used by both the REE client as well as the TA
-implementation. This directory contains code to read a secret symmetric root key from a PKCS 12
-key store. This code is only used by the reference implementation and allows the reference
-implementation to be used for testing purposes with a key that is delivered by a keying provider.
-The reference implementation provides a default test root key in the file root_keystore.p12 that is
-encrypted with a default password. This default password is embedded in the common.h file to
-facilitate ease of testing. If a test root key is provided by a keying provider, the keying provider
-should use a different password to the PKCS 12 key store. To change the default test PKCS 12 key 
-store and password for the reference implementation and for executing the tests, set the
-ROOT_KEYSTORE environment variable with the location of the PKCS 12 key store file and the 
-ROOT_KEYSTORE_PASSWORD environment variable with the password.
+implementation. This directory contains code to read a secret symmetric root key from a PKCS 12 key
+store. This code is only used by the reference implementation and allows the reference implementation to
+be used for testing purposes with a key that is delivered by a keying provider. The reference
+implementation provides a default test root key embedded in include/root_keystore.h that is encrypted
+with a default password. This default password is also embedded in include/root_keystore.h so the key can
+be easily decrypted in tests. If a test root key is provided by a keying provider, the keying provider
+should use a different password to the PKCS 12 key store. To change the default test PKCS 12 key store
+and password for the reference implementation and for executing the tests, set the ROOT_KEYSTORE
+environment variable with the location of the PKCS 12 key store file and the ROOT_KEYSTORE_PASSWORD
+environment variable with the password.
 
 NOTE - OpenSSL does not support PKCS 12 Secret Bags since there is no industry specification for the
 contents of a Secret Bag. This implementation reads a PKCS 12 key store that is created by Java's

diff --git a/reference/src/client/CMakeLists.txt b/reference/src/client/CMakeLists.txt
@@ -1,5 +1,5 @@
 #
-# Copyright 2020-2023 Comcast Cable Communications Management, LLC
+# Copyright 2020-2025 Comcast Cable Communications Management, LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -326,6 +326,7 @@ if (BUILD_TESTS)
 
     add_custom_command(
             TARGET saclienttest POST_BUILD
+            BYPRODUCTS root_keystore.p12
             COMMAND ${CMAKE_COMMAND} -E copy
             ${CMAKE_SOURCE_DIR}/test/root_keystore.p12
             ${CMAKE_CURRENT_BINARY_DIR}/root_keystore.p12)

diff --git a/reference/src/client/test/sa_key_common.cpp b/reference/src/client/test/sa_key_common.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2023 Comcast Cable Communications Management, LLC
+ * Copyright 2020-2025 Comcast Cable Communications Management, LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,6 +17,7 @@
  */
 
 #include "common.h"
+#include "root_keystore.h"
 #include <cstring>
 #include <openssl/cmac.h>
 #include <openssl/ec.h>

diff --git a/reference/src/taimpl/CMakeLists.txt b/reference/src/taimpl/CMakeLists.txt
@@ -1,5 +1,5 @@
 #
-# Copyright 2020-2023 Comcast Cable Communications Management, LLC
+# Copyright 2020-2025 Comcast Cable Communications Management, LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -248,6 +248,7 @@ if (BUILD_TESTS)
 
     add_custom_command(
             TARGET taimpltest POST_BUILD
+            BYPRODUCTS root_keystore.p12
             COMMAND ${CMAKE_COMMAND} -E copy
             ${CMAKE_SOURCE_DIR}/test/root_keystore.p12
             ${CMAKE_CURRENT_BINARY_DIR}/root_keystore.p12)

diff --git a/reference/src/taimpl/src/porting/otp.c b/reference/src/taimpl/src/porting/otp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2023 Comcast Cable Communications Management, LLC
+ * Copyright 2020-2025 Comcast Cable Communications Management, LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -23,6 +23,7 @@
 #include "pkcs12.h"
 #include "porting/memory.h"
 #include "porting/otp_internal.h"
+#include "root_keystore.h"
 #include "stored_key_internal.h"
 #include <ctype.h>
 #include <openssl/evp.h>

diff --git a/reference/src/util/CMakeLists.txt b/reference/src/util/CMakeLists.txt
@@ -1,5 +1,5 @@
 #
-# Copyright 2020-2023 Comcast Cable Communications Management, LLC
+# Copyright 2020-2025 Comcast Cable Communications Management, LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -45,6 +45,7 @@ add_library(util STATIC
         include/sa_rights.h
         include/test_helpers.h
         include/test_process_common_encryption.h
+        include/root_keystore.h
 
         src/digest_util.c
         src/log.c
@@ -98,9 +99,10 @@ if (BUILD_TESTS)
 
     add_custom_command(
             TARGET utiltest POST_BUILD
+            BYPRODUCTS root_keystore.p12
             COMMAND ${CMAKE_COMMAND} -E copy
             ${CMAKE_SOURCE_DIR}/test/root_keystore.p12
             ${CMAKE_CURRENT_BINARY_DIR}/root_keystore.p12)
 
     gtest_discover_tests(utiltest)
-endif ()
+endif ()
diff --git a/reference/src/util/include/common.h b/reference/src/util/include/common.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2023 Comcast Cable Communications Management, LLC
+ * Copyright 2019-2025 Comcast Cable Communications Management, LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -67,7 +67,4 @@
 #define RSA_PSS_SALTLEN_MAX (-3)
 #endif
 
-#define DEFAULT_ROOT_KEYSTORE_PASSWORD "password01234567"
-#define COMMON_ROOT_NAME "commonroot"
-
 #endif // COMMON_H
diff --git a/reference/src/util/include/pkcs12.h b/reference/src/util/include/pkcs12.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022-2023 Comcast Cable Communications Management, LLC
+ * Copyright 2022-2025 Comcast Cable Communications Management, LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -36,8 +36,8 @@ extern "C" {
 
 /**
  * Loads a secret key from a PKCS12 file identified at the ROOT_KEYSTORE environment variable. The password to the
- * keystore is in the ROOT_KEYSTORE_PASSWORD environment variable. If neither is defined, it looks for the file
- * root_keystore.p12 in the working directory with a default password.
+ * keystore is in the ROOT_KEYSTORE_PASSWORD environment variable. If neither is defined, a default
+ * keystore and password are used.
  *
  * @param[out] key the key to load.
  * @param[in,out] key_length the length of the loaded key.

diff --git a/reference/src/util/include/root_keystore.h b/reference/src/util/include/root_keystore.h
@@ -0,0 +1,91 @@
+/*
+ * Copyright 2025 Comcast Cable Communications Management, LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#ifndef ROOT_KEYSTORE_H
+#define ROOT_KEYSTORE_H
+
+#include <stdint.h>
+
+#define DEFAULT_ROOT_KEYSTORE_PASSWORD "password01234567"
+#define COMMON_ROOT_NAME "commonroot"
+
+/// A PKCS#12 container containing a secret key encrypted with the
+/// `DEFAULT_ROOT_KEYSTORE_PASSWORD`.
+static const uint8_t default_root_keystore[] = {
+    0x30, 0x82, 0x02, 0xb6, 0x02, 0x01, 0x03, 0x30, 0x82, 0x02, 0x60, 0x06,
+    0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x82,
+    0x02, 0x51, 0x04, 0x82, 0x02, 0x4d, 0x30, 0x82, 0x02, 0x49, 0x30, 0x82,
+    0x02, 0x45, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07,
+    0x01, 0xa0, 0x82, 0x02, 0x36, 0x04, 0x82, 0x02, 0x32, 0x30, 0x82, 0x02,
+    0x2e, 0x30, 0x82, 0x01, 0x19, 0x06, 0x0b, 0x2a, 0x86, 0x48, 0x86, 0xf7,
+    0x0d, 0x01, 0x0c, 0x0a, 0x01, 0x05, 0xa0, 0x81, 0xb3, 0x30, 0x81, 0xb0,
+    0x06, 0x0b, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x0a, 0x01,
+    0x02, 0xa0, 0x81, 0xa0, 0x04, 0x81, 0x9d, 0x30, 0x81, 0x9a, 0x30, 0x66,
+    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x05, 0x0d, 0x30,
+    0x59, 0x30, 0x38, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
+    0x05, 0x0c, 0x30, 0x2b, 0x04, 0x14, 0x2d, 0x53, 0x8e, 0x7a, 0xe6, 0x40,
+    0x6b, 0x2c, 0x16, 0x91, 0x5c, 0x58, 0xfe, 0x63, 0x06, 0x86, 0x2d, 0xdf,
+    0xad, 0x13, 0x02, 0x02, 0x27, 0x10, 0x02, 0x01, 0x20, 0x30, 0x0c, 0x06,
+    0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x09, 0x05, 0x00, 0x30,
+    0x1d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x2a,
+    0x04, 0x10, 0xf8, 0xf4, 0x48, 0xc5, 0x18, 0x05, 0x91, 0xb4, 0xc1, 0x4c,
+    0xe9, 0x70, 0xc6, 0x7e, 0x93, 0x8d, 0x04, 0x30, 0xfc, 0x30, 0xf9, 0xea,
+    0x39, 0x8e, 0xb7, 0xc6, 0xb3, 0x7d, 0xe6, 0xdf, 0xce, 0xf4, 0xdf, 0x91,
+    0x81, 0x44, 0x1e, 0x42, 0x12, 0xc3, 0xc2, 0x59, 0xd8, 0xe1, 0xa5, 0x93,
+    0x79, 0xfe, 0xa4, 0xbb, 0x9d, 0xc4, 0xf4, 0xe9, 0x14, 0xaa, 0x47, 0x87,
+    0x82, 0x96, 0xaf, 0x65, 0x02, 0x1a, 0x3e, 0x48, 0x31, 0x54, 0x30, 0x2f,
+    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x14, 0x31,
+    0x22, 0x1e, 0x20, 0x00, 0x66, 0x00, 0x66, 0x00, 0x66, 0x00, 0x66, 0x00,
+    0x66, 0x00, 0x66, 0x00, 0x66, 0x00, 0x66, 0x00, 0x66, 0x00, 0x66, 0x00,
+    0x66, 0x00, 0x66, 0x00, 0x66, 0x00, 0x66, 0x00, 0x66, 0x00, 0x65, 0x30,
+    0x21, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x15,
+    0x31, 0x14, 0x04, 0x12, 0x54, 0x69, 0x6d, 0x65, 0x20, 0x31, 0x36, 0x35,
+    0x35, 0x31, 0x36, 0x32, 0x33, 0x39, 0x30, 0x39, 0x37, 0x30, 0x30, 0x82,
+    0x01, 0x0d, 0x06, 0x0b, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c,
+    0x0a, 0x01, 0x05, 0xa0, 0x81, 0xb3, 0x30, 0x81, 0xb0, 0x06, 0x0b, 0x2a,
+    0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x0a, 0x01, 0x02, 0xa0, 0x81,
+    0xa0, 0x04, 0x81, 0x9d, 0x30, 0x81, 0x9a, 0x30, 0x66, 0x06, 0x09, 0x2a,
+    0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x05, 0x0d, 0x30, 0x59, 0x30, 0x38,
+    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x05, 0x0c, 0x30,
+    0x2b, 0x04, 0x14, 0x7b, 0xc8, 0x89, 0xce, 0x75, 0xcf, 0x2e, 0xca, 0x1a,
+    0x5b, 0xf1, 0xa6, 0xac, 0xe6, 0x35, 0x56, 0x20, 0xfb, 0xaf, 0xe3, 0x02,
+    0x02, 0x27, 0x10, 0x02, 0x01, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86,
+    0x48, 0x86, 0xf7, 0x0d, 0x02, 0x09, 0x05, 0x00, 0x30, 0x1d, 0x06, 0x09,
+    0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x2a, 0x04, 0x10, 0x72,
+    0x4b, 0x8d, 0x97, 0x79, 0xb0, 0x6c, 0xa9, 0x09, 0x0c, 0xff, 0xc1, 0x19,
+    0xf2, 0x87, 0xf1, 0x04, 0x30, 0x55, 0xc0, 0x29, 0x40, 0x9a, 0x6d, 0x25,
+    0x9f, 0xd6, 0x92, 0xf8, 0x7f, 0x8c, 0xc6, 0x11, 0x70, 0xf8, 0x7b, 0x98,
+    0xd4, 0x81, 0xa8, 0x1a, 0x90, 0xeb, 0x17, 0x14, 0x80, 0x42, 0x68, 0xc0,
+    0xc6, 0xe4, 0x27, 0x47, 0x96, 0x6d, 0x8a, 0xed, 0x6e, 0x37, 0x26, 0xf7,
+    0x4a, 0xa9, 0x95, 0xfb, 0x04, 0x31, 0x48, 0x30, 0x23, 0x06, 0x09, 0x2a,
+    0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x14, 0x31, 0x16, 0x1e, 0x14,
+    0x00, 0x63, 0x00, 0x6f, 0x00, 0x6d, 0x00, 0x6d, 0x00, 0x6f, 0x00, 0x6e,
+    0x00, 0x72, 0x00, 0x6f, 0x00, 0x6f, 0x00, 0x74, 0x30, 0x21, 0x06, 0x09,
+    0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x15, 0x31, 0x14, 0x04,
+    0x12, 0x54, 0x69, 0x6d, 0x65, 0x20, 0x31, 0x36, 0x38, 0x30, 0x33, 0x30,
+    0x35, 0x32, 0x37, 0x33, 0x35, 0x38, 0x37, 0x30, 0x4d, 0x30, 0x31, 0x30,
+    0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
+    0x05, 0x00, 0x04, 0x20, 0xad, 0x5a, 0xfd, 0x11, 0xe8, 0x5c, 0x99, 0x7d,
+    0xea, 0x31, 0x9c, 0x09, 0x35, 0xbc, 0xc8, 0x76, 0x98, 0xef, 0x3f, 0x19,
+    0x82, 0x3e, 0x58, 0xd4, 0x94, 0x1c, 0x4d, 0x13, 0x95, 0x97, 0x5e, 0x43,
+    0x04, 0x14, 0xfa, 0xaf, 0x44, 0xa6, 0x04, 0x8e, 0x3f, 0xc2, 0xb6, 0x0a,
+    0x54, 0x8a, 0xde, 0x84, 0x5a, 0x96, 0xdc, 0xbd, 0x51, 0x76, 0x02, 0x02,
+    0x27, 0x10,
+};
+
+#endif /* ROOT_KEYSTORE_H */
diff --git a/reference/src/util/src/pkcs12.c b/reference/src/util/src/pkcs12.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022-2023 Comcast Cable Communications Management, LLC
+ * Copyright 2022-2025 Comcast Cable Communications Management, LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,6 +18,7 @@
 
 #include "common.h"
 #include "log.h"
+#include "root_keystore.h"
 #include <openssl/pkcs12.h>
 #include <stdbool.h>
 #include <stdio.h>
@@ -186,10 +187,6 @@ bool load_pkcs12_secret_key(
         char* name,
         size_t* name_length) {
 
-    const char* filename = getenv("ROOT_KEYSTORE");
-    if (filename == NULL)
-        filename = "root_keystore.p12";
-
     const char* password = getenv("ROOT_KEYSTORE_PASSWORD");
     if (password == NULL)
         password = DEFAULT_ROOT_KEYSTORE_PASSWORD;
@@ -201,16 +198,26 @@ bool load_pkcs12_secret_key(
     PKCS12* pkcs12 = NULL;
     STACK_OF(PKCS7)* auth_safes = NULL;
     do {
-        file = fopen(filename, "re");
-        if (file == NULL) {
-            ERROR("NULL file");
-            break;
-        }
+        const char* filename = getenv("ROOT_KEYSTORE");
+        if (filename != NULL) {
+            file = fopen(filename, "re");
+            if (file == NULL) {
+                ERROR("NULL file");
+                break;
+            }
 
-        pkcs12 = d2i_PKCS12_fp(file, NULL);
-        if (pkcs12 == NULL) {
-            ERROR("NULL pkcs12");
-            break;
+            pkcs12 = d2i_PKCS12_fp(file, NULL);
+            if (pkcs12 == NULL) {
+                ERROR("NULL pkcs12");
+                break;
+            }
+        } else {
+            const uint8_t *keystore = default_root_keystore;
+            pkcs12 = d2i_PKCS12(NULL, &keystore, sizeof(default_root_keystore));
+            if (pkcs12 == NULL) {
+                ERROR("NULL pkcs12");
+                break;
+            }
         }
 
         if (PKCS12_verify_mac(pkcs12, password, -1) != 1) {

diff --git a/reference/src/util/test/pkcs12test.cpp b/reference/src/util/test/pkcs12test.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2023 Comcast Cable Communications Management, LLC
+ * Copyright 2020-2026 Comcast Cable Communications Management, LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,8 +18,10 @@
 
 #include "pkcs12.h" // NOLINT
 #include "common.h"
+#include "root_keystore.h"
 #include "gtest/gtest.h"
 #include <cstdlib>
+#include <stdlib.h>
 
 namespace {
     TEST(Pkcs12Test, parsePkcs12) {
@@ -37,6 +39,23 @@ namespace {
         ASSERT_EQ(memcmp(name, "fffffffffffffffe", 16), 0);
     }
 
+    TEST(Pkcs12Test, parseEmbeddedPkcs12) {
+        // This code tests whether the embedded keystore is loaded and therefore
+        // requires these environment variables to be unset.
+        unsetenv("ROOT_KEYSTORE_PASSWORD");
+        unsetenv("ROOT_KEYSTORE");
+
+        uint8_t key[SYM_256_KEY_SIZE];
+        size_t key_length = SYM_256_KEY_SIZE;
+        char name[MAX_NAME_SIZE];
+        size_t name_length = MAX_NAME_SIZE;
+        name[0] = '\0';
+        ASSERT_EQ(load_pkcs12_secret_key(key, &key_length, name, &name_length), true);
+        ASSERT_EQ(key_length, SYM_128_KEY_SIZE);
+        ASSERT_EQ(name_length, 16);
+        ASSERT_EQ(memcmp(name, "fffffffffffffffe", 16), 0);
+    }
+
     TEST(Pkcs12Test, parsePkcs12Common) {
         setenv("ROOT_KEYSTORE_PASSWORD", DEFAULT_ROOT_KEYSTORE_PASSWORD, 1);
         setenv("ROOT_KEYSTORE", "root_keystore.p12", 1);
@@ -51,4 +70,21 @@ namespace {
         ASSERT_EQ(name_length, 10);
         ASSERT_EQ(memcmp(name, "commonroot", 10), 0);
     }
+
+    TEST(Pkcs12Test, parseEmbeddedPkcs12Common) {
+        // This code tests whether the embedded keystore is loaded and therefore
+        // requires these environment variables to be unset.
+        unsetenv("ROOT_KEYSTORE_PASSWORD");
+        unsetenv("ROOT_KEYSTORE");
+
+        uint8_t key[SYM_256_KEY_SIZE];
+        size_t key_length = SYM_256_KEY_SIZE;
+        char name[MAX_NAME_SIZE];
+        size_t name_length = MAX_NAME_SIZE;
+        strcpy(name, COMMON_ROOT_NAME);
+        ASSERT_EQ(load_pkcs12_secret_key(key, &key_length, name, &name_length), true);
+        ASSERT_EQ(key_length, SYM_128_KEY_SIZE);
+        ASSERT_EQ(name_length, 10);
+        ASSERT_EQ(memcmp(name, "commonroot", 10), 0);
+    }
 } // namespace