[Spice-devel] [spice-gtk] Use system-wide trust certificate store

Christophe Fergeau cfergeau at redhat.com
Wed Sep 18 05:40:52 PDT 2013


Currently, spice-gtk will look in $HOME/.spicec/spice_truststore.pem
by default for its trust certificate store (to verify the certificates
used during SPICE TLS connections). However, these days a system-wide
trust store can be found in /etc/pki or /etc/ssl.
This commit checks at compile time where the trust store is located,
and then loads it before loading the user-specified trust store.
This can be disabled at compile time using --without-ca-certificates.
---
 configure.ac        | 25 +++++++++++++++++++++++++
 gtk/spice-channel.c | 21 ++++++++++++++-------
 2 files changed, 39 insertions(+), 7 deletions(-)

diff --git a/configure.ac b/configure.ac
index 74738a3..bf08c42 100644
--- a/configure.ac
+++ b/configure.ac
@@ -108,6 +108,31 @@ AC_SUBST(SSL_CFLAGS)
 AC_SUBST(SSL_LIBS)
 SPICE_GLIB_REQUIRES="${SPICE_GLIB_REQUIRES} openssl"
 
+dnl Stolen from glib-networking - those guys rock
+AC_MSG_CHECKING([location of system Certificate Authority list])
+AC_ARG_WITH(ca-certificates,
+            [AC_HELP_STRING([--with-ca-certificates=@<:@path@:>@],
+                            [path to system Certificate Authority list])])
+if test "$with_ca_certificates" = "no"; then
+    AC_MSG_RESULT([disabled])
+else
+    if test -z "$with_ca_certificates"; then
+        for f in /etc/pki/tls/certs/ca-bundle.crt \
+                 /etc/ssl/certs/ca-certificates.crt \
+                 /etc/ssl/ca-bundle.pem; do
+            if test -f "$f"; then
+                with_ca_certificates="$f"
+            fi
+        done
+        if test -z "$with_ca_certificates"; then
+            AC_MSG_ERROR([could not find. Use --with-ca-certificates=path to set, or --without-ca-certificates to disable])
+        fi
+    fi
+
+    AC_MSG_RESULT($with_ca_certificates)
+    AC_DEFINE_UNQUOTED(SPICE_SYSTEM_CA_FILE, ["$with_ca_certificates"], [The system TLS CA list])
+fi
+
 dnl Cyrus SASL
 AC_ARG_WITH([sasl],
   [AS_HELP_STRING([--with-sasl=@<:@yes/no/auto@:>@], [use cyrus SASL for authentication @<:@default=auto@:>@])],
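Review bot: The value given to `--with-ca-certificates` is used without any check that it names a file, so a bare `--with-ca-certificates` (which autoconf sets to `yes`) would end up as `SPICE_SYSTEM_CA_FILE "yes"`. The build then succeeds and the system store fails to load at run time with only a warning. Resetting that case before the `test -z` probe, e.g. `if test "$with_ca_certificates" = "yes"; then with_ca_certificates=; fi`, would send it through the normal search. The probe loop also has no `break`, so when several of the candidate bundles exist the last one listed wins; a `dnl` comment saying whether that order is intended would help packagers.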
diff --git a/gtk/spice-channel.c b/gtk/spice-channel.c
index b01b820..ab07453 100644
--- a/gtk/spice-channel.c
+++ b/gtk/spice-channel.c
@@ -2159,6 +2159,7 @@ static int spice_channel_load_ca(SpiceChannel *channel)
     guint8 *ca;
     guint size;
     const gchar *ca_file;
+    int rc;
 
     g_return_val_if_fail(c->ctx != NULL, 0);
 
@@ -2189,13 +2190,19 @@ static int spice_channel_load_ca(SpiceChannel *channel)
         sk_X509_INFO_pop_free(inf, X509_INFO_free);
     }
 
-    if (ca_file != NULL) {
-        int rc = SSL_CTX_load_verify_locations(c->ctx, ca_file, NULL);
-        if (rc != 1)
-            g_warning("loading ca certs from %s failed", ca_file);
-        else
-            count++;
-    }
+#ifdef SPICE_SYSTEM_CA_FILE
+    rc = SSL_CTX_load_verify_locations(c->ctx, SPICE_SYSTEM_CA_FILE, NULL);
+    if (rc != 1)
+        g_warning("loading ca certs from %s failed", ca_file);
+    else
+        count++;
+#endif
+
+    rc = SSL_CTX_load_verify_locations(c->ctx, ca_file, NULL);
+    if (rc != 1)
+        g_warning("loading ca certs from %s failed", ca_file);
+    else
+        count++;
 
     return count;
 }
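Review bot: The new `#ifdef SPICE_SYSTEM_CA_FILE` branch logs `ca_file` when loading the system bundle fails, so the warning names the wrong path; it should be `g_warning("loading ca certs from %s failed", SPICE_SYSTEM_CA_FILE);`. The second load also drops the old `if (ca_file != NULL)` guard, which suggests `ca_file` can be NULL here. In that case the call is made with no path, it is reported as a failure, and NULL is passed to `%s` in both warnings; keeping `if (ca_file != NULL) {` around the user-store block avoids this. Separately, loading the system bundle unconditionally means a client pointed at a private CA file would now also accept any server certificate chaining to a system root, so this widening of trust should be stated explicitly or made conditional on no user store being set. The body of `spice_channel_load_ca` starts outside this hunk, so how `ca_file` is assigned is not visible here.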
-- 
1.8.3.1


