[Spice-devel] [spice-gtk v5] Use system-wide trust certificate store

Christophe Fergeau cfergeau at redhat.com
Tue Nov 12 08:24:13 PST 2013


Currently, spice-gtk will look in $HOME/.spicec/spice_truststore.pem
by default for its trust certificate store (to verify the certificates
used during SPICE TLS connections).
However, work is now under way to provide a system-wide
certificate store [1].
In order to use it, we only need to call SSL_CTX_set_default_verify_paths(),
which will automatically use the shared system CA store if the distro
is properly set up.

[1] https://fedoraproject.org/wiki/Features/SharedSystemCertificates
---
 gtk/spice-channel.c | 18 +++++++++++++++---
 spice-common        |  2 +-
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/gtk/spice-channel.c b/gtk/spice-channel.c
index d122920..3bb14d0 100644
--- a/gtk/spice-channel.c
+++ b/gtk/spice-channel.c
@@ -2152,17 +2152,21 @@ static int spice_channel_load_ca(SpiceChannel *channel)
     BIO *in;
     int i, count = 0;
     guint8 *ca;
+    gboolean use_system_ca;
     guint size;
     const gchar *ca_file;
+    int rc;
 
     g_return_val_if_fail(c->ctx != NULL, 0);
 
     lookup = X509_STORE_add_lookup(c->ctx->cert_store, &spice_x509_mem_lookup);
     ca_file = spice_session_get_ca_file(c->session);
     spice_session_get_ca(c->session, &ca, &size);
+    use_system_ca = spice_session_get_use_system_ca_file(c->session);
 
-    CHANNEL_DEBUG(channel, "Load CA, file: %s, data: %p", ca_file, ca);
-    g_warn_if_fail(ca_file || ca);
+    CHANNEL_DEBUG(channel, "Load CA, file: %s, data: %p use system CA: %d",
+                  ca_file, ca, use_system_ca);
+    g_warn_if_fail(ca_file || ca || use_system_ca);
 
     if (ca != NULL) {
         in = BIO_new_mem_buf(ca, size);
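Review bot: `use_system_ca` is read independently of `ca_file` and `ca`, and nothing in this hunk states what happens when more than one of them is set. Going by the second hunk, the system store is added on top of any explicitly supplied CA, so a session configured with one private CA would also accept any certificate chaining to a system-trusted CA whenever the flag is on. Whether the flag can be on in that case depends on spice_session_get_use_system_ca_file(), which is not part of this patch. If fallback is the intent, the later guard could read `if (use_system_ca && ca == NULL && ca_file == NULL) {`; otherwise I would add a comment above the assignment such as `/* system store is loaded in addition to ca/ca_file, not as a fallback */`. The function starts before this hunk and the `if (ca != NULL)` block continues past it.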
@@ -2185,13 +2189,21 @@ static int spice_channel_load_ca(SpiceChannel *channel)
     }
 
     if (ca_file != NULL) {
-        int rc = SSL_CTX_load_verify_locations(c->ctx, ca_file, NULL);
+        rc = SSL_CTX_load_verify_locations(c->ctx, ca_file, NULL);
         if (rc != 1)
             g_warning("loading ca certs from %s failed", ca_file);
         else
             count++;
     }
 
+    if (use_system_ca) {
+        rc = SSL_CTX_set_default_verify_paths(c->ctx);
+        if (rc != 1)
+            g_warning("loading ca certs from default location failed");
+        else
+            count++;
+    }
+
     return count;
 }
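Review bot: `count++` after `SSL_CTX_set_default_verify_paths()` returns 1 does not show that any CA was loaded, because OpenSSL documents that a missing default location is still treated as success. The function can therefore return a non-zero count with an effectively empty trust store; if the caller (not in this patch) reads non-zero as "a CA is available", the problem only surfaces later as a verification failure during the handshake. I would keep the call but document it above the block, e.g. `/* returns 1 even when the default file/dir is absent; count here only means the lookup was registered */`. It is also worth noting there that OpenSSL lets the SSL_CERT_FILE and SSL_CERT_DIR environment variables override the default locations, so the effective trust set depends on the process environment.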
 
diff --git a/spice-common b/spice-common
index 1450bb4..eb4fbdb 160000
--- a/spice-common
+++ b/spice-common
@@ -1 +1 @@
-Subproject commit 1450bb4ddbd8ceab9192e4f84606aa5ae54c5ea6
+Subproject commit eb4fbdb0cee94c2205e8e76085fb20ef7e45859f
-- 
1.8.4.2


