[Spice-devel] [spice-gtk v6] Use system-wide trust certificate store

[Christophe Fergeau]

Currently, spice-gtk will look in $HOME/.spicec/spice_truststore.pem
by default for its trust certificate store (to verify the certificates
used during SPICE TLS connections).
However, these days, progress is under-way to have a system-wide
certificate store [1].
In order to use it, we only need to call SSL_CTX_set_default_verify_paths()
and it will automatically use the shared system CA store if the distro
is properly setup.
We only try to use that store if there was no user-provided CA file to use,
or if we failed to load it.

[1] https://fedoraproject.org/wiki/Features/SharedSystemCertificates
---
 gtk/spice-channel.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/gtk/spice-channel.c b/gtk/spice-channel.c
index d122920..035cb98 100644
--- a/gtk/spice-channel.c
+++ b/gtk/spice-channel.c
@@ -2154,6 +2154,7 @@ static int spice_channel_load_ca(SpiceChannel *channel)
     guint8 *ca;
     guint size;
     const gchar *ca_file;
+    int rc;
 
     g_return_val_if_fail(c->ctx != NULL, 0);
 
@@ -2185,13 +2186,21 @@ static int spice_channel_load_ca(SpiceChannel *channel)
     }
 
     if (ca_file != NULL) {
-        int rc = SSL_CTX_load_verify_locations(c->ctx, ca_file, NULL);
+        rc = SSL_CTX_load_verify_locations(c->ctx, ca_file, NULL);
         if (rc != 1)
             g_warning("loading ca certs from %s failed", ca_file);
         else
             count++;
     }
 
+    if (count == 0) {
+        rc = SSL_CTX_set_default_verify_paths(c->ctx);
+        if (rc != 1)
+            g_warning("loading ca certs from default location failed");
+        else
+            count++;
+    }
+
     return count;
 }
 
-- 
1.8.4.2