[Spice-devel] [spice-gtk v5 2/2] Use system-wide trust certificate store

i iordanov iiordanov at gmail.com
Wed Nov 13 08:14:03 PST 2013


Hi David,

The KeyChain on Android is available only through Java. In some old
versions, apparently one was able to access it through native code,
but that's no longer the case.

I haven't looked into what it would take to make use of the KeyChain,
but it certainly won't be as easy as telling OpenSSL to verify a
certificate against its certificate authority store.

I'd have to basically rip out the current code and send the
certificate through a callback to Java.

In the interest of staying as close to libspice as possible and
keeping the modifications to a minimum, it would make better sense to
either feed libspice a CA bundle, or to tell OpenSSL where to find it.

Cheers,
iordan

On Wed, Nov 13, 2013 at 5:33 AM, David Jaša <djasa at redhat.com> wrote:
> Hi Iordan,
>
> I'm a mere Android user so this question of mine may be dumb:
>
> On Android, there is a system store for CAs and a user store for
> certificates (not just CAs but also personal and maybe self-signed). Is
> there some good way (API, fs location, ...) for apps to use these
> essentially system certs?
>
> David
>
>
> i iordanov writes on Tue 12. 11. 2013 at 10:55 -0500:
>> Hi Christophe,
>>
>> I know I may be opening a can of worms with this question, but it'll
>> help with supporting mobile devices, and maybe improve portability.
>>
>> Typically we cross-compile binaries for mobile devices, so detecting
>> the location of anything automatically will yield inappropriate
>> results. In addition, we cannot rely on the system-wide store being in
>> /etc/pki or /etc/ssl on a mobile device, or on it being accessible.
>>
>> Hence, would it be possible to provide an option along the lines of
>> what librest provides (--with-ca-certificates=[path]), which specifies
>> where to look for the system-wide CA bundle?
>>
>> This way, I can create a CA bundle file, add it to mobile applications
>> as a resource, and then specify its location to librest and spice-gtk
>> at compile time.
>>
>> If such an option cannot be provided, it would be nice if I could simply
>> change one location in the source of spice-gtk to tell it where to
>> look for the bundle. Where is that location?
>>
>> Thanks!
>> iordan
>>
>> On Tue, Nov 12, 2013 at 10:23 AM, Christophe Fergeau
>> <cfergeau at redhat.com> wrote:
>> > On Tue, Nov 12, 2013 at 04:20:03PM +0100, Christophe Fergeau wrote:
>> >> Currently, spice-gtk will look in $HOME/.spicec/spice_truststore.pem
>> >> by default for its trust certificate store (to verify the certificates
>> >> used during SPICE TLS connections). However, these days a system-wide
>> >> trust store can be found in /etc/pki or /etc/ssl.
>> >> This commit checks at compile time where the trust store is located,
>> >> and then loads it before loading the user-specified trust store.
>> >> This can be disabled at compile time using --without-ca-certificates.
>> >
>> > I forgot to amend this ;)
>> >
>> > Christophe
>> >
>> > _______________________________________________
>> > Spice-devel mailing list
>> > Spice-devel at lists.freedesktop.org
>> > http://lists.freedesktop.org/mailman/listinfo/spice-devel
>> >
>>
>>
>>
>
> --
>
> David Jaša, RHCE
>
> SPICE QE based in Brno
> GPG Key:     22C33E24
> Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
>
>



-- 
The conscious mind has only one thread of execution.
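Added illustration, not code from spice-gtk, librest or anyone in this thread: a POSIX shell function that resolves the CA bundle path the way the thread discusses, letting an explicit --with-ca-certificates=PATH win, honouring --without-ca-certificates, and refusing to autodetect host paths when cross-compiling (the three probed locations are common distro defaults and the third argument is a test-only root prefix, both assumptions of this example).

```shell
# Constructed configure-style helper (hypothetical, not spice-gtk's own).
# Prints the CA bundle path to use, an empty string when disabled, or
# returns non-zero with a message on stderr when no safe answer exists.
resolve_ca_bundle() {
    # $1: --with-ca-certificates value: absolute PATH, "yes"/"" (autodetect), "no" (disable)
    # $2: "yes" when cross-compiling, "no" otherwise
    # $3: optional root prefix to probe instead of / (used by tests)
    with_ca=$1; cross=$2; root=${3:-}
    case "$with_ca" in
        no)
            # --without-ca-certificates: rely on the user trust store only
            echo ""; return 0 ;;
        yes|'')
            # Autodetection only tells us about the build host; when the target
            # is a mobile device the host's /etc/pki or /etc/ssl is meaningless.
            if [ "$cross" = yes ]; then
                echo "error: cross-compiling; pass --with-ca-certificates=PATH or --without-ca-certificates" >&2
                return 1
            fi
            for candidate in \
                "$root/etc/pki/tls/certs/ca-bundle.crt" \
                "$root/etc/ssl/certs/ca-certificates.crt" \
                "$root/etc/ssl/cert.pem"; do
                if [ -f "$candidate" ]; then echo "$candidate"; return 0; fi
            done
            echo "error: no system CA bundle found; pass --with-ca-certificates=PATH" >&2
            return 1 ;;
        /*)
            # Explicit bundle (e.g. one shipped as an app resource): must exist at configure time
            [ -f "$with_ca" ] || { echo "error: $with_ca does not exist" >&2; return 1; }
            echo "$with_ca"; return 0 ;;
        *)
            echo "error: --with-ca-certificates expects an absolute path, yes or no" >&2
            return 1 ;;
    esac
}
```

The resolved path is what would then be baked into the build and handed to the TLS layer as the default trust store, with the user-specified store loaded afterwards as the patch describes.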

