[Spice-devel] [spice-gtk PATCHv4 2/2] Use system-wide trust certificate store
Christophe Fergeau
cfergeau at redhat.com
Tue Sep 24 01:03:49 PDT 2013
Currently, spice-gtk will look in $HOME/.spicec/spice_truststore.pem
by default for its trust certificate store (to verify the certificates
used during SPICE TLS connections). However, these days a system-wide
trust store can be found in /etc/pki or /etc/ssl.
This commit checks at compile time where the trust store is located,
and then loads it before loading the user-specified trust store.
This can be disabled at compile time using --without-ca-certificates.
---
configure.ac | 26 ++++++++++++++++++++++++++
gtk/spice-channel.c | 24 +++++++++++++++++++++---
2 files changed, 47 insertions(+), 3 deletions(-)
diff --git a/configure.ac b/configure.ac
index 74738a3..12a40bf 100644
--- a/configure.ac
+++ b/configure.ac
@@ -108,6 +108,31 @@ AC_SUBST(SSL_CFLAGS)
AC_SUBST(SSL_LIBS)
SPICE_GLIB_REQUIRES="${SPICE_GLIB_REQUIRES} openssl"
+dnl Stolen from glib-networking - those guys rock
+AC_MSG_CHECKING([location of system Certificate Authority list])
+AC_ARG_WITH(ca-certificates,
+ [AC_HELP_STRING([--with-ca-certificates=@<:@path@:>@],
+ [path to system Certificate Authority list])])
+if test "$with_ca_certificates" = "no"; then
+ AC_MSG_RESULT([disabled])
+else
+ if test -z "$with_ca_certificates"; then
+ for f in /etc/pki/tls/certs/ca-bundle.crt \
+ /etc/ssl/certs/ca-certificates.crt \
+ /etc/ssl/ca-bundle.pem; do
+ if test -f "$f"; then
+ with_ca_certificates="$f"
+ fi
+ done
+ if test -z "$with_ca_certificates"; then
+ AC_MSG_ERROR([could not find. Use --with-ca-certificates=path to set, or --without-ca-certificates to disable])
+ fi
+ fi
+
+ AC_MSG_RESULT($with_ca_certificates)
+ AC_DEFINE_UNQUOTED(SPICE_SYSTEM_CA_FILE, ["$with_ca_certificates"], [The system TLS CA list])
+fi
+
dnl Cyrus SASL
AC_ARG_WITH([sasl],
[AS_HELP_STRING([--with-sasl=@<:@yes/no/auto@:>@], [use cyrus SASL for authentication @<:@default=auto@:>@])],
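Review bot: The `for f in …` probe has no `break`, so when more than one candidate bundle exists on the build host the last one listed wins, not the first, and that path is then baked into the binary through `AC_DEFINE_UNQUOTED(SPICE_SYSTEM_CA_FILE, …)`. Since this choice decides the trust anchors for TLS verification, make the precedence explicit by adding `break` right after `with_ca_certificates="$f"`. The probe runs on the build machine, so a `dnl` comment telling packagers and cross-builders to pass `--with-ca-certificates=path` explicitly would help. A path supplied by the user is accepted without a `test -f` check, so a typo only shows up as a load failure at run time.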
@@ -701,6 +726,7 @@ AC_MSG_NOTICE([
Audio: ${with_audio}
Target: ${red_target}
SASL support: ${enable_sasl}
+ System CA store: ${with_ca_certificates}
Smartcard support: ${have_smartcard}
USB redirection support: ${have_usbredir} ${with_usbredir_hotplug}
Gtk: $GTK_API_VERSION
diff --git a/gtk/spice-channel.c b/gtk/spice-channel.c
index b01b820..d20a451 100644
--- a/gtk/spice-channel.c
+++ b/gtk/spice-channel.c
@@ -2157,17 +2157,25 @@ static int spice_channel_load_ca(SpiceChannel *channel)
BIO *in;
int i, count = 0;
guint8 *ca;
+ gboolean use_system_ca;
guint size;
const gchar *ca_file;
+ int rc;
g_return_val_if_fail(c->ctx != NULL, 0);
lookup = X509_STORE_add_lookup(c->ctx->cert_store, &spice_x509_mem_lookup);
ca_file = spice_session_get_ca_file(c->session);
spice_session_get_ca(c->session, &ca, &size);
+#ifdef SPICE_SYSTEM_CA_FILE
+ use_system_ca = spice_session_get_use_system_ca_file(c->session);
+#else
+ use_system_ca = FALSE;
+#endif
- CHANNEL_DEBUG(channel, "Load CA, file: %s, data: %p", ca_file, ca);
- g_warn_if_fail(ca_file || ca);
+ CHANNEL_DEBUG(channel, "Load CA, file: %s, data: %p use system CA: %d",
+ ca_file, ca, use_system_ca);
+ g_warn_if_fail(ca_file || ca || use_system_ca);
if (ca != NULL) {
in = BIO_new_mem_buf(ca, size);
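Review bot: The new `use_system_ca` flag makes the system bundle additive to `ca` and `ca_file`, which widens the trust anchors for a session that supplied its own CA to restrict which issuer may vouch for the server. The accessor `spice_session_get_use_system_ca_file()` and its default are not part of this patch, so whether this is on by default cannot be confirmed from here. Either skip the system store when `ca` or `ca_file` is set, or document the behaviour above the `#ifdef`, for example `/* system CAs are loaded in addition to ca/ca_file; a session pinning a private CA must turn the system store off */`. The body of `spice_channel_load_ca` starts before this hunk and continues after it.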
@@ -2189,8 +2197,18 @@ static int spice_channel_load_ca(SpiceChannel *channel)
sk_X509_INFO_pop_free(inf, X509_INFO_free);
}
+#ifdef SPICE_SYSTEM_CA_FILE
+ if (use_system_ca) {
+ rc = SSL_CTX_load_verify_locations(c->ctx, SPICE_SYSTEM_CA_FILE, NULL);
+ if (rc != 1)
+ g_warning("loading ca certs from %s failed", ca_file);
+ else
+ count++;
+ }
+#endif
+
if (ca_file != NULL) {
- int rc = SSL_CTX_load_verify_locations(c->ctx, ca_file, NULL);
+ rc = SSL_CTX_load_verify_locations(c->ctx, ca_file, NULL);
if (rc != 1)
g_warning("loading ca certs from %s failed", ca_file);
else
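Review bot: The failure warning in the new `use_system_ca` branch prints `ca_file` instead of the file that was actually loaded. `ca_file` may be NULL at that point, so the log names the wrong path or none at all. It should read `g_warning("loading ca certs from %s failed", SPICE_SYSTEM_CA_FILE);`. Because the failure is only a warning, a bundle that is missing at run time leaves the channel with whatever `ca`/`ca_file` provided. The function continues past this hunk, so how a zero `count` is handled is not visible here.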
--
1.8.3.1