[Spice-devel] [spice-gtk v5 1/2] Add SpiceSession:use-system-ca-file property

Christophe Fergeau cfergeau at redhat.com
Tue Nov 12 07:20:02 PST 2013


This property indicates whether to look into the system
CA database when validating certificates in a TLS connection.
This property defaults to TRUE, but is automatically set to
FALSE when SpiceSession:ca-file is set.
---
 gtk/spice-option.c       |  8 ++++++++
 gtk/spice-session-priv.h |  3 +++
 gtk/spice-session.c      | 46 +++++++++++++++++++++++++++++++++++++++++++++-
 3 files changed, 56 insertions(+), 1 deletion(-)

diff --git a/gtk/spice-option.c b/gtk/spice-option.c
index 5f7c803..f07e9be 100644
--- a/gtk/spice-option.c
+++ b/gtk/spice-option.c
@@ -216,6 +216,7 @@ GOptionGroup* spice_get_option_group(void)
  **/
 void spice_set_session_option(SpiceSession *session)
 {
+    gboolean use_system_ca_file = FALSE;
     g_return_if_fail(SPICE_IS_SESSION(session));
 
     if (ca_file == NULL) {
@@ -223,6 +224,9 @@ void spice_set_session_option(SpiceSession *session)
         if (!homedir)
             homedir = g_get_home_dir();
         ca_file = g_strdup_printf("%s/.spicec/spice_truststore.pem", homedir);
+        /* If --spice-ca-file was not used, we want to keep using the
+         * system CA database if needed */
+        use_system_ca_file = TRUE;
     }
 
     if (disable_effects) {
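Review bot: `ca_file` is assigned in this branch without a local declaration, so it is presumably file-scope option state that keeps the generated default path after the first call. If so, a second call to spice_set_session_option() skips the `ca_file == NULL` branch and leaves `use_system_ca_file` at FALSE. That later session would then validate only against `~/.spicec/spice_truststore.pem`, although --spice-ca-file was never given. Recording "the user supplied a CA file" in its own flag before the default path is filled in, and deriving `use_system_ca_file` from that flag, would keep the two cases apart. The function body starts and ends outside this hunk.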
@@ -241,6 +245,10 @@ void spice_set_session_option(SpiceSession *session)
         g_object_set(session, "color-depth", color_depth, NULL);
     if (ca_file)
         g_object_set(session, "ca-file", ca_file, NULL);
+    /* Setting SpiceSession:ca-file may change the value of
+     * SpiceSession:use_system_ca_file, so these 2 properties should not
+     * be set in a single call */
+    g_object_set(session, "use-system-ca-file", use_system_ca_file, NULL);
     if (host_subject)
         g_object_set(session, "cert-subject", host_subject, NULL);
     if (smartcard) {
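Review bot: The added `g_object_set(session, "use-system-ca-file", use_system_ca_file, NULL);` runs unconditionally, so it overwrites whatever the application set on the session before calling this function. An application that turned the system database off to restrict its trust anchors gets it turned back on whenever --spice-ca-file is absent. That widening should be stated in the function's doc comment, for example `Note: resets SpiceSession:use-system-ca-file according to whether --spice-ca-file was given.` The new comment also spells the property `SpiceSession:use_system_ca_file`, while the installed name is `use-system-ca-file`.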
diff --git a/gtk/spice-session-priv.h b/gtk/spice-session-priv.h
index 55fee47..b13e1ee 100644
--- a/gtk/spice-session-priv.h
+++ b/gtk/spice-session-priv.h
@@ -39,6 +39,8 @@ struct _SpiceSessionPrivate {
     char              *tls_port;
     char              *password;
     char              *ca_file;
+    /* Whether to use SPICE_SYSTEM_CA_FILE as a trust store or not  */
+    gboolean          use_system_ca_file;
     char              *ciphers;
     GByteArray        *pubkey;
     GByteArray        *ca;
@@ -140,6 +142,7 @@ const gchar* spice_session_get_host(SpiceSession *session);
 const gchar* spice_session_get_cert_subject(SpiceSession *session);
 const gchar* spice_session_get_ciphers(SpiceSession *session);
 const gchar* spice_session_get_ca_file(SpiceSession *session);
+gboolean spice_session_get_use_system_ca_file(SpiceSession *session);
 void spice_session_get_ca(SpiceSession *session, guint8 **ca, guint *size);
 
 void spice_session_set_caches_hints(SpiceSession *session,
diff --git a/gtk/spice-session.c b/gtk/spice-session.c
index 79a13de..60526fe 100644
--- a/gtk/spice-session.c
+++ b/gtk/spice-session.c
@@ -108,7 +108,8 @@ enum {
     PROP_NAME,
     PROP_CA,
     PROP_PROXY,
-    PROP_SECURE_CHANNELS
+    PROP_SECURE_CHANNELS,
+    PROP_USE_SYSTEM_CA_FILE
 };
 
 /* signals */
@@ -501,6 +502,9 @@ static void spice_session_get_property(GObject    *gobject,
     case PROP_PROXY:
         g_value_take_string(value, spice_proxy_to_string(s->proxy));
 	break;
+    case PROP_USE_SYSTEM_CA_FILE:
+        g_value_set_boolean(value, s->use_system_ca_file);
+        break;
     default:
 	G_OBJECT_WARN_INVALID_PROPERTY_ID(gobject, prop_id, pspec);
 	break;
@@ -536,6 +540,9 @@ static void spice_session_set_property(GObject      *gobject,
     case PROP_CA_FILE:
         g_free(s->ca_file);
         s->ca_file = g_value_dup_string(value);
+        if (s->use_system_ca_file) {
+            g_object_set(gobject, "use-system-ca-file", FALSE, NULL);
+        }
         break;
     case PROP_CIPHERS:
         g_free(s->ciphers);
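Review bot: The reset to FALSE in the PROP_CA_FILE case fires on every write to ca-file, including a write of NULL that clears the path. Clearing the custom CA therefore leaves the system database disabled and, as far as this hunk shows, no trust anchor configured. If that is meant as a fail-closed default it deserves a one-line comment saying so; otherwise guard it with `if (s->ca_file != NULL && s->use_system_ca_file) {`. The PROP_CA case in the next hunk has the same shape and would take `s->ca != NULL`. spice_session_set_property starts and ends outside this hunk.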
@@ -619,10 +626,16 @@ static void spice_session_set_property(GObject      *gobject,
     case PROP_CA:
         g_clear_pointer(&s->ca, g_byte_array_unref);
         s->ca = g_value_dup_boxed(value);
+        if (s->use_system_ca_file) {
+            g_object_set(gobject, "use-system-ca-file", FALSE, NULL);
+        }
         break;
     case PROP_PROXY:
         update_proxy(session, g_value_get_string(value));
         break;
+    case PROP_USE_SYSTEM_CA_FILE:
+        s->use_system_ca_file = g_value_get_boolean(value);
+        break;
     default:
         G_OBJECT_WARN_INVALID_PROPERTY_ID(gobject, prop_id, pspec);
         break;
@@ -720,6 +733,27 @@ static void spice_session_class_init(SpiceSessionClass *klass)
                              G_PARAM_STATIC_STRINGS));
 
     /**
+     * SpiceSession:use-system-ca-file:
+     *
+     * When this property is set to %TRUE, the system certificate database
+     * will be used when verifying the certificate used by the remote host
+     * in a TLS connection.
+     *
+     * If this is set to %FALSE, only the file specified in
+     * #SpiceSession:ca-file will be used to check the remote certificate.
+     *
+     **/
+    g_object_class_install_property
+        (gobject_class, PROP_USE_SYSTEM_CA_FILE,
+         g_param_spec_boolean("use-system-ca-file",
+                             "Use system CA file",
+                             "Use the system certificate database",
+                             TRUE,
+                             G_PARAM_READWRITE |
+                             G_PARAM_CONSTRUCT |
+                             G_PARAM_STATIC_STRINGS));
+
+    /**
      * SpiceSession:ciphers:
      *
      **/
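Review bot: The doc comment for SpiceSession:use-system-ca-file omits the behaviour callers most need to know: writing #SpiceSession:ca-file or #SpiceSession:ca silently resets this property to %FALSE. A caller who wants both a custom CA and the system database must therefore set this property after the CA properties. I would add a paragraph such as `Setting #SpiceSession:ca-file or #SpiceSession:ca resets this property to %FALSE; set it again afterwards to trust both.` The %FALSE paragraph also names only ca-file, although the setter treats the in-memory #SpiceSession:ca the same way. It would help to state what is trusted when the property is %FALSE and neither CA property is set, which this patch does not show.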
@@ -2082,6 +2116,16 @@ const gchar* spice_session_get_ca_file(SpiceSession *session)
 }
 
 G_GNUC_INTERNAL
+gboolean spice_session_get_use_system_ca_file(SpiceSession *session)
+{
+    SpiceSessionPrivate *s = SPICE_SESSION_GET_PRIVATE(session);
+
+    g_return_val_if_fail(s != NULL, FALSE);
+    return s->use_system_ca_file;
+
+}
+
+G_GNUC_INTERNAL
 void spice_session_get_caches(SpiceSession *session,
                               display_cache **images,
                               SpiceGlzDecoderWindow **glz_window)
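Review bot: spice_session_get_use_system_ca_file() validates its argument only after `SPICE_SESSION_GET_PRIVATE(session)` has already been applied to it, and the check is on the derived pointer rather than on `session`. Declaring `SpiceSessionPrivate *s;` first, then `g_return_val_if_fail(SPICE_IS_SESSION(session), FALSE);`, then assigning `s`, would reject a wrong-typed or NULL object before it is touched. This may simply mirror the neighbouring getters, which are outside the hunk. Returning FALSE on failure is the restrictive choice and is worth keeping. The blank line between `return` and the closing brace can be dropped.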
-- 
1.8.4.2


