[Spice-devel] [spice-gtk v5 2/2] Use system-wide trust certificate store
Christophe Fergeau
cfergeau at redhat.com
Tue Nov 12 07:20:03 PST 2013
Currently, spice-gtk will look in $HOME/.spicec/spice_truststore.pem
by default for its trust certificate store (to verify the certificates
used during SPICE TLS connections). However, these days a system-wide
trust store can be found in /etc/pki or /etc/ssl.
This commit checks at compile time where the trust store is located,
and then loads it before loading the user-specified trust store.
This can be disabled at compile time using --without-ca-certificates.
---
gtk/spice-channel.c | 18 +++++++++++++++---
spice-common | 2 +-
2 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/gtk/spice-channel.c b/gtk/spice-channel.c
index d122920..3bb14d0 100644
--- a/gtk/spice-channel.c
+++ b/gtk/spice-channel.c
@@ -2152,17 +2152,21 @@ static int spice_channel_load_ca(SpiceChannel *channel)
BIO *in;
int i, count = 0;
guint8 *ca;
+ gboolean use_system_ca;
guint size;
const gchar *ca_file;
+ int rc;
g_return_val_if_fail(c->ctx != NULL, 0);
lookup = X509_STORE_add_lookup(c->ctx->cert_store, &spice_x509_mem_lookup);
ca_file = spice_session_get_ca_file(c->session);
spice_session_get_ca(c->session, &ca, &size);
+ use_system_ca = spice_session_get_use_system_ca_file(c->session);
- CHANNEL_DEBUG(channel, "Load CA, file: %s, data: %p", ca_file, ca);
- g_warn_if_fail(ca_file || ca);
+ CHANNEL_DEBUG(channel, "Load CA, file: %s, data: %p use system CA: %d",
+ ca_file, ca, use_system_ca);
+ g_warn_if_fail(ca_file || ca || use_system_ca);
if (ca != NULL) {
in = BIO_new_mem_buf(ca, size);
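Review bot: When `use_system_ca` is set, the system store is trusted in addition to any `ca` or `ca_file` the caller supplied, and nothing near the new `spice_session_get_use_system_ca_file()` call says so. A session that points at a private CA to narrow trust would then also accept a server certificate chaining to any CA in the system store. Whether the getter already returns FALSE when an explicit CA is configured is not visible in this hunk. If the additive behaviour is intended, I would document it above the call, e.g. `/* system CAs are added to, not replaced by, the session's ca/ca_file; any system-trusted CA can then vouch for the server */`. The body of `spice_channel_load_ca` starts before and continues after this hunk.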
@@ -2185,13 +2189,21 @@ static int spice_channel_load_ca(SpiceChannel *channel)
}
if (ca_file != NULL) {
- int rc = SSL_CTX_load_verify_locations(c->ctx, ca_file, NULL);
+ rc = SSL_CTX_load_verify_locations(c->ctx, ca_file, NULL);
if (rc != 1)
g_warning("loading ca certs from %s failed", ca_file);
else
count++;
}
+ if (use_system_ca) {
+ rc = SSL_CTX_set_default_verify_paths(c->ctx);
+ if (rc != 1)
+ g_warning("loading ca certs from default location failed");
+ else
+ count++;
+ }
+
return count;
}
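Review bot: In the new `if (use_system_ca)` branch, `count++` after `SSL_CTX_set_default_verify_paths()` returns 1 does not prove that any certificate was loaded. As far as I know, OpenSSL ignores a missing default file or directory and still reports success. If the caller, which is outside this hunk, treats a non-zero `count` as "a CA is available", the failure would only surface later as a verification error with no warning here. I would at least add a comment such as `/* rc == 1 only means the default paths were registered, not that a CA was found there */`, or leave this branch out of `count`. The commit message also says the store location is detected at compile time and loaded before the user-specified store, whereas this code relies on OpenSSL's built-in defaults and runs after the `ca_file` load; the description or the code should be aligned.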
diff --git a/spice-common b/spice-common
index 1450bb4..eb4fbdb 160000
--- a/spice-common
+++ b/spice-common
@@ -1 +1 @@
-Subproject commit 1450bb4ddbd8ceab9192e4f84606aa5ae54c5ea6
+Subproject commit eb4fbdb0cee94c2205e8e76085fb20ef7e45859f
--
1.8.4.2