
On Wed, Jan 26, 2011 at 11:20:50AM -0700, Eric Blake wrote:
On 01/26/2011 11:09 AM, Alon Levy wrote:
What does QEMU/NSS do with the certificate database? Is it a read-only database, or does QEMU/NSS also write to this? I'm wondering why we need to specify x509 certificates, as well as the certificate database?
The cert1/cert2/cert3 names are only internal references in that db; they don't have a global meaning (i.e. they aren't filenames or any other type of URI).
That changes things in my implementation. That means that cert1/cert2/cert3 do not need _any_ SELinux labeling, because they are not files in the file system (just names within a database); furthermore, since they are not files, my documentation efforts of calling them out as absolute files in the docs needs tweaking. Meanwhile, the database _does_ need SELinux labeling (and I'm assuming here that the database argument, if provided, must be an absolute path to the actual file containing the database of the three certificate names). What does the database default to if you omit it from the qemu command line?
Sorry for the double work. I wasn't reviewing the patches because I assumed it would be too much work, and didn't catch the point where you thought they were filenames. I'll fix that - I'll review the next set of patches ;)

Yes, the db is a directory name, treated as normal (can be absolute or relative to cwd, I don't check, just feed it to NSS). It defaults to /etc/pki/nssdb:

(certutil needs an argument, we have it #defined:
hw/ccid-card-emulated.c:#define CERTIFICATES_DEFAULT_DB "/etc/pki/nssdb"
)

$ certutil -L -d /etc/pki/nssdb

Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

Alon3                                         Cu,Cu,Cu
Alon2                                         Cu,Cu,Cu
Alon1                                         Cu,Cu,Cu

$ ls /etc/pki/nssdb
cert8.db  cert9.db  key3.db  key4.db  pkcs11.txt  secmod.db
-- Eric Blake eblake@redhat.com +1-801-349-2682 Libvirt virtualization library http://libvirt.org
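The point settled in the thread above is that the three certificate arguments are NSS nicknames inside the database, not paths, while the db argument is a directory that QEMU hands to NSS unchecked. The following is an added example, not code from the thread, libvirt or QEMU: it parses the `certutil -L -d <dbdir>` listing format quoted above and checks, before a guest is launched, that the db directory is absolute (so it can be labelled and found regardless of cwd) and that every requested name really is a nickname present in that db. The listing below is constructed to match the one in the thread; the function `check_ccid_cert_args` and its argument names are this example's own, not QEMU's.

```python
import os
import re
import subprocess

# Constructed sample of `certutil -L -d /etc/pki/nssdb` output, shaped like
# the listing quoted in the thread (three nicknames, each trusted Cu,Cu,Cu).
SAMPLE_LISTING = """\

Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

Alon3                                         Cu,Cu,Cu
Alon2                                         Cu,Cu,Cu
Alon1                                         Cu,Cu,Cu
"""

# CERTIFICATES_DEFAULT_DB as quoted from hw/ccid-card-emulated.c in the thread.
DEFAULT_DB = "/etc/pki/nssdb"

# A certutil -L data row: nickname, whitespace, then "SSL,S/MIME,JAR/XPI" trust
# flags (each field may be empty, e.g. ",,").
_ROW_RE = re.compile(r"^(?P<nick>\S.*?)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$")


def parse_certutil_listing(text):
    """Return {nickname: trust_flags} parsed from `certutil -L` output."""
    certs = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        # Skip blank lines, the header row and its continuation line.
        if not line or line.startswith("Certificate Nickname") or line[0].isspace():
            continue
        m = _ROW_RE.match(line)
        if m:
            certs[m.group("nick").strip()] = m.group("trust")
    return certs


def check_ccid_cert_args(cert_names, db_dir=DEFAULT_DB, listing=None):
    """Validate nicknames and db directory before passing them to QEMU.

    Returns a list of human-readable problems; an empty list means OK.
    `listing` may be supplied for offline use; otherwise certutil is run.
    """
    problems = []
    if not os.path.isabs(db_dir):
        problems.append(
            f"db {db_dir!r} is not an absolute path; QEMU feeds it to NSS as-is, "
            "so it resolves relative to QEMU's cwd and cannot be labelled reliably"
        )
    if listing is None:
        # Real invocation; requires NSS tools on the host.
        listing = subprocess.run(
            ["certutil", "-L", "-d", db_dir],
            capture_output=True, text=True, check=True,
        ).stdout
    known = parse_certutil_listing(listing)
    for name in cert_names:
        if "/" in name or os.sep in name:
            problems.append(
                f"{name!r} looks like a file path, but cert arguments are NSS "
                "nicknames inside the db, not files"
            )
        elif name not in known:
            problems.append(f"nickname {name!r} not found in db {db_dir}")
    return problems


if __name__ == "__main__":
    for msg in check_ccid_cert_args(["Alon1", "Alon2", "cert3"], "nssdb", SAMPLE_LISTING):
        print("warning:", msg)
```

Run against a live host by omitting the `listing` argument; the constructed sample lets the checks run offline. The path test is deliberately crude (any slash is rejected) because, as the thread notes, a nickname has no filesystem meaning at all, so a slash can only indicate a misunderstanding of the argument.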