Hi David,

The KeyChain on Android is available only through Java. In some old
versions, apparently one was able to access it through native code,
but that's no longer the case.

I haven't looked into what it would take to make use of the KeyChain,
but it certainly won't be as easy as telling OpenSSL to verify a
certificate against its certificate authority store. I'd have to
basically rip out the current code and send the certificate through a
callback to Java.

In the interest of staying as close to libspice as possible and
keeping the modifications to a minimum, it would make better sense to
either feed libspice a CA bundle, or to tell OpenSSL where to find it.

Cheers,
iordan

On Wed, Nov 13, 2013 at 5:33 AM, David Jaša <djasa@xxxxxxxxxx> wrote:
> Hi Iordan,
>
> I'm a mere Android user so this question of mine may be dumb:
>
> On Android, there is a system store for CAs and a user store for
> certificates (not just CAs but also personal and maybe self-signed). Is
> there some good way (API, fs location, ...) how can apps use these
> essentially system certs?
>
> David
>
>
> i iordanov wrote on Tue 12. 11. 2013 at 10:55 -0500:
>> Hi Christophe,
>>
>> I know I may be opening a can of worms with this question, but it'll
>> help with supporting mobile devices, and maybe improve portability.
>>
>> Typically we cross-compile binaries for mobile devices, so detecting
>> the location of anything automatically will yield inappropriate
>> results. In addition, we cannot rely that on a mobile device the
>> system-wide store is in /etc/pki, /etc/ssl or that it's accessible.
>>
>> Hence, would it be possible to provide an option along the lines of
>> what librest provides (--with-ca-certificates=[path]), which specifies
>> where to look for the system-wide CA bundle?
>>
>> This way, I can create a CA bundle file, add it to mobile applications
>> as a resource, and then specify its location to librest and spice-gtk
>> at compile time.
>>
>> If such an option cannot be provided, it would be nice if I can simply
>> change one location in the source of spice-gtk to tell it where to
>> look for the bundle. Where is that location?
>>
>> Thanks!
>> iordan
>>
>> On Tue, Nov 12, 2013 at 10:23 AM, Christophe Fergeau
>> <cfergeau@xxxxxxxxxx> wrote:
>> > On Tue, Nov 12, 2013 at 04:20:03PM +0100, Christophe Fergeau wrote:
>> >> Currently, spice-gtk will look in $HOME/.spicec/spice_truststore.pem
>> >> by default for its trust certificate store (to verify the certificates
>> >> used during SPICE TLS connections). However, these days a system-wide
>> >> trust store can be found in /etc/pki or /etc/ssl.
>> >> This commit checks at compile time where the trust store is located,
>> >> and then loads it before loading the user-specified trust store.
>> >> This can be disabled at compile time using --without-ca-certificates.
>> >
>> > I forgot to amend this ;)
>> >
>> > Christophe
>> >
>> > _______________________________________________
>> > Spice-devel mailing list
>> > Spice-devel@xxxxxxxxxxxxxxxxxxxxx
>> > http://lists.freedesktop.org/mailman/listinfo/spice-devel
>> >
>>
>>
>>
>
> --
>
> David Jaša, RHCE
>
> SPICE QE based in Brno
> GPG Key: 22C33E24
> Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
>
>

--
The conscious mind has only one thread of execution.
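The load order discussed in this thread (a configured CA bundle first, then the user's trust store), with the cross-compilation case where a path fixed at build time is missing on the device, as an added example that is not code from spice-gtk or from anyone in the thread. The macro CA_CERTIFICATES_PATH, its placeholder value, and both function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: the build would set this from --with-ca-certificates=[path].
 * The macro name and the placeholder value are hypothetical. */
#ifndef CA_CERTIFICATES_PATH
#define CA_CERTIFICATES_PATH "/path/to/ca-bundle.pem"
#endif

/* Count PEM certificate blocks in a file; -1 if it cannot be opened. */
static int count_pem_certs(const char *path)
{
    static const char marker[] = "-----BEGIN CERTIFICATE-----";
    char line[256];
    int n = 0;
    FILE *f;

    if (path == NULL || (f = fopen(path, "r")) == NULL)
        return -1;
    while (fgets(line, sizeof line, f) != NULL)
        if (strncmp(line, marker, sizeof marker - 1) == 0)
            n++;
    fclose(f);
    return n;
}

/* Fill out[] with the usable stores in load order: configured bundle
 * first, then the user's trust store. Returns how many were accepted.
 * 0 means no trust anchors: refuse to connect, never skip verification. */
static int resolve_trust_stores(const char *bundle, const char *user_store,
                                const char *out[2])
{
    const char *candidates[2];
    int i, used = 0;

    candidates[0] = bundle;
    candidates[1] = user_store;
    for (i = 0; i < 2; i++) {
        if (count_pem_certs(candidates[i]) > 0)
            out[used++] = candidates[i];
        else if (candidates[i] != NULL)
            fprintf(stderr, "trust store not usable: %s\n", candidates[i]);
    }
    return used;
}

int main(int argc, char **argv)
{
    const char *stores[2];
    int i, n = resolve_trust_stores(CA_CERTIFICATES_PATH,
                                    argc > 1 ? argv[1] : NULL, stores);
    for (i = 0; i < n; i++)  /* each path would be handed to OpenSSL here */
        printf("load: %s\n", stores[i]);
    return n > 0 ? 0 : 1;
}
```

Each accepted path is what a client would pass as the CAfile argument of OpenSSL's SSL_CTX_load_verify_locations(), in the order returned.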