[Spice-devel] [spice-gtk v5 2/2] Use system-wide trust certificate store

David Jaša djasa at redhat.com
Wed Nov 13 02:33:33 PST 2013


Hi Iordan,

I'm a mere Android user so this question of mine may be dumb: 

On Android, there is a system store for CAs and a user store for
certificates (not just CAs but also personal and maybe self-signed). Is
there some good way (API, fs location, ...) for apps to use these
essentially system certs?

David


i iordanov wrote on Tue 12. 11. 2013 at 10:55 -0500:
> Hi Christophe,
> 
> I know I may be opening a can of worms with this question, but it'll
> help with supporting mobile devices, and maybe improve portability.
> 
> Typically we cross-compile binaries for mobile devices, so detecting
> the location of anything automatically will yield inappropriate
> results. In addition, we cannot rely on the system-wide store on a
> mobile device being in /etc/pki or /etc/ssl, or on it being accessible.
> 
> Hence, would it be possible to provide an option along the lines of
> what librest provides (--with-ca-certificates=[path]), which specifies
> where to look for the system-wide CA bundle?
> 
> This way, I can create a CA bundle file, add it to mobile applications
> as a resource, and then specify its location to librest and spice-gtk
> at compile time.
> 
> If such an option cannot be provided, it would be nice if I can simply
> change one location in the source of spice-gtk to tell it where to
> look for the bundle. Where is that location?
> 
> Thanks!
> iordan
> 
> On Tue, Nov 12, 2013 at 10:23 AM, Christophe Fergeau
> <cfergeau at redhat.com> wrote:
> > On Tue, Nov 12, 2013 at 04:20:03PM +0100, Christophe Fergeau wrote:
> >> Currently, spice-gtk will look in $HOME/.spicec/spice_truststore.pem
> >> by default for its trust certificate store (to verify the certificates
> >> used during SPICE TLS connections). However, these days a system-wide
> >> trust store can be found in /etc/pki or /etc/ssl.
> >> This commit checks at compile time where the trust store is located,
> >> and then loads it before loading the user-specified trust store.
> >> This can be disabled at compile time using --without-ca-certificates.
> >
> > I forgot to amend this ;)
> >
> > Christophe

-- 

David Jaša, RHCE

SPICE QE based in Brno
GPG Key:     22C33E24 
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
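
The compile-time lookup and the `--with-ca-certificates=[path]` override discussed in this thread, sketched as an added shell example (not spice-gtk's or librest's build code). The candidate file names and the `SYSROOT` argument are assumptions; the thread itself only names /etc/pki and /etc/ssl.

```shell
#!/bin/sh
# Constructed sketch of a configure-time CA bundle lookup; not spice-gtk's build code.
# Candidate paths are assumptions: common distro bundle files under /etc/pki and /etc/ssl.
CA_BUNDLE_CANDIDATES="/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/certs/ca-certificates.crt
/etc/ssl/ca-bundle.pem"

# resolve_ca_bundle WITH_VALUE [SYSROOT]
#   WITH_VALUE: "no"        -> disabled (--without-ca-certificates)
#               "" or "yes" -> probe the candidate list
#               /abs/path   -> explicit --with-ca-certificates=PATH, used verbatim
#   SYSROOT (hypothetical): prefix to probe under, so a cross build can inspect
#   a target root instead of the build host's /etc.
# Prints the path to compile in (nothing when disabled).
# Returns 1 if probing finds no bundle, 2 on a malformed explicit path.
resolve_ca_bundle() {
    with_value=$1
    sysroot=${2:-}
    case $with_value in
        no)
            return 0 ;;
        ""|yes)
            ;;  # fall through to probing
        /*)
            # No existence check: when cross-compiling, the path names a file
            # on the target device (e.g. an app resource), not on the build host.
            printf '%s\n' "$with_value"
            return 0 ;;
        *)
            echo "error: CA bundle path must be absolute: $with_value" >&2
            return 2 ;;
    esac
    for candidate in $CA_BUNDLE_CANDIDATES; do
        # Accept only readable files that actually contain a PEM certificate.
        if [ -r "$sysroot$candidate" ] &&
           grep -q -e '-----BEGIN CERTIFICATE-----' "$sysroot$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    echo "error: no CA bundle found; pass --with-ca-certificates=PATH" >&2
    return 1
}
```

Failing the build when probing finds nothing, instead of silently compiling in an empty path, keeps a cross-compiled client from shipping with no system trust anchors by accident.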

