[Spice-devel] [spice-gtk PATCHv3 2/2] Use system-wide trust certificate store

Christophe Fergeau cfergeau at redhat.com
Thu Sep 19 02:12:13 PDT 2013


Currently, spice-gtk will look in $HOME/.spicec/spice_truststore.pem
by default for its trust certificate store (to verify the certificates
used during SPICE TLS connections). However, these days a system-wide
trust store can be found in /etc/pki or /etc/ssl.
This commit checks at compile time where the trust store is located,
and then loads it before loading the user-specified trust store.
This can be disabled at compile time using --without-ca-certificates.
---
 configure.ac        | 25 +++++++++++++++++++++++++
 gtk/spice-channel.c | 22 +++++++++++++++++++---
 2 files changed, 44 insertions(+), 3 deletions(-)

diff --git a/configure.ac b/configure.ac
index 74738a3..bf08c42 100644
--- a/configure.ac
+++ b/configure.ac
@@ -108,6 +108,31 @@ AC_SUBST(SSL_CFLAGS)
 AC_SUBST(SSL_LIBS)
 SPICE_GLIB_REQUIRES="${SPICE_GLIB_REQUIRES} openssl"
 
+dnl Stolen from glib-networking - those guys rock
+AC_MSG_CHECKING([location of system Certificate Authority list])
+AC_ARG_WITH(ca-certificates,
+            [AC_HELP_STRING([--with-ca-certificates=@<:@path@:>@],
+                            [path to system Certificate Authority list])])
+if test "$with_ca_certificates" = "no"; then
+    AC_MSG_RESULT([disabled])
+else
+    if test -z "$with_ca_certificates"; then
+        for f in /etc/pki/tls/certs/ca-bundle.crt \
+                 /etc/ssl/certs/ca-certificates.crt \
+                 /etc/ssl/ca-bundle.pem; do
+            if test -f "$f"; then
+                with_ca_certificates="$f"
+            fi
+        done
+        if test -z "$with_ca_certificates"; then
+            AC_MSG_ERROR([could not find. Use --with-ca-certificates=path to set, or --without-ca-certificates to disable])
+        fi
+    fi
+
+    AC_MSG_RESULT($with_ca_certificates)
+    AC_DEFINE_UNQUOTED(SPICE_SYSTEM_CA_FILE, ["$with_ca_certificates"], [The system TLS CA list])
+fi
+
 dnl Cyrus SASL
 AC_ARG_WITH([sasl],
   [AS_HELP_STRING([--with-sasl=@<:@yes/no/auto@:>@], [use cyrus SASL for authentication @<:@default=auto@:>@])],
diff --git a/gtk/spice-channel.c b/gtk/spice-channel.c
index b01b820..17b2b52 100644
--- a/gtk/spice-channel.c
+++ b/gtk/spice-channel.c
@@ -2157,17 +2157,25 @@ static int spice_channel_load_ca(SpiceChannel *channel)
     BIO *in;
     int i, count = 0;
     guint8 *ca;
+    gboolean use_system_ca;
     guint size;
     const gchar *ca_file;
+    int rc;
 
     g_return_val_if_fail(c->ctx != NULL, 0);
 
     lookup = X509_STORE_add_lookup(c->ctx->cert_store, &spice_x509_mem_lookup);
     ca_file = spice_session_get_ca_file(c->session);
     spice_session_get_ca(c->session, &ca, &size);
+#ifdef SPICE_SYSTEM_CA_FILE
+    use_system_ca = spice_session_get_use_system_ca_file(c->session);
+#else
+    use_system_ca = FALSE;
+#endif
 
-    CHANNEL_DEBUG(channel, "Load CA, file: %s, data: %p", ca_file, ca);
-    g_warn_if_fail(ca_file || ca);
+    CHANNEL_DEBUG(channel, "Load CA, file: %s, data: %p use system CA: %d",
+                  ca_file, ca, use_system_ca);
+    g_warn_if_fail(ca_file || ca || use_system_ca);
 
     if (ca != NULL) {
         in = BIO_new_mem_buf(ca, size);
@@ -2189,8 +2197,16 @@ static int spice_channel_load_ca(SpiceChannel *channel)
         sk_X509_INFO_pop_free(inf, X509_INFO_free);
     }
 
+    if (use_system_ca) {
+        rc = SSL_CTX_load_verify_locations(c->ctx, SPICE_SYSTEM_CA_FILE, NULL);
+        if (rc != 1)
+            g_warning("loading ca certs from %s failed", ca_file);
+        else
+            count++;
+    }
+
     if (ca_file != NULL) {
-        int rc = SSL_CTX_load_verify_locations(c->ctx, ca_file, NULL);
+        rc = SSL_CTX_load_verify_locations(c->ctx, ca_file, NULL);
         if (rc != 1)
             g_warning("loading ca certs from %s failed", ca_file);
         else
-- 
1.8.3.1



More information about the Spice-devel mailing list