(Apologies if you get this twice - I wasn't subscribed to wine-devel on this account, and apparently it didn't get moderated through.)
Folks, I'm hoping for feedback on how to get CA certificates into Wine's registry. We'll need them in order to verify signatures on things. A number of apps depend on this [1].
We have a few choices:
1. Include them in a .inf file and install them with wine. There are two problems with this that I see: Signatures are opaque (ASN.1 encoded) and thus hard to verify, and there's a potential maintenance hassle. It's by far the simplest though.
2. We search for certificates installed locally and import them into the registry. The trouble with this is that different distros, and even different versions of the same distro, install them in different locations. There are also usually several potential sources on the same machine, installed by different apps, and it's not clear which certs are meant to be trusted and which are not. (For example, there are several "example" certs installed on my system, and I can identify them as such, but a tool would not be able to tell the difference.) We could write a script that checks in several likely locations, but that seems dangerous: one of those locations might inadvertently be world-writable, so an attacker could possibly put untrustworthy certificates there.
2.a. We write a tool to import local certs, but make you specify the path. Ugly, but punts the problem to the user.
3. We do what the distros do: get the certificates from Mozilla's CVS, and munge them into the right format. (Google for mkcabundle.pl) This is similar to what we do for the unicode tables, but it does introduce a dependency on CVS (or perhaps wget from a web CVS front end.)
I suppose I should mention there's another option:
4. We don't load certs in Wine at all, and don't implement certificate chain verification, but dynamically load openssl or gnutls and ask them to do it for us. I don't think this is simpler than the alternatives, as I've already put a fair amount of work into crypt32, but if none of the other options is acceptable I can look into it.
I'd very much appreciate feedback on which option seems the best, or, most likely to get committed ;) Thanks, --Juan
[1] Here's a partial list - there are more:
Bug 5423, AOL AIM won't install, http://bugs.winehq.org/show_bug.cgi?id=5423
Bug 7892, iTunes startup, http://bugs.winehq.org/show_bug.cgi?id=7892
Bug 8870, Outlook can't open signed messages, http://bugs.winehq.org/show_bug.cgi?id=8870
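As an added example that is not part of the thread or of Wine's own code: this is the core of what a mkcabundle.pl-style script does with Mozilla's certdata.txt (option 3), parsing the objects and keeping only the roots the file's own trust objects mark as trusted delegators, which is also the file-level answer to the "which certs are meant to be trusted" problem from option 2. The input is a constructed snippet in certdata.txt syntax; its CKA_VALUE bytes are not a real certificate.

```python
# Added example (not from the thread or from Wine): read Mozilla's certdata.txt,
# the file mkcabundle.pl consumes, and keep only roots marked trusted delegators.
import re
from itertools import takewhile
# Constructed sample in certdata.txt syntax; CKA_VALUE bytes are not a real cert.
SAMPLE = """\
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Constructed Root A"
CKA_VALUE MULTILINE_OCTAL
\\060\\202\\001\\000
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Constructed Root A"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Constructed Root B"
CKA_VALUE MULTILINE_OCTAL
\\060\\202\\002\\000
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Constructed Root B"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
"""

def parse_certdata(text):
    """Yield one dict per blank-line-separated object of KEY TYPE VALUE lines;
    a MULTILINE_OCTAL value spans \\ooo lines up to a line reading END."""
    for block in re.split(r"\n\s*\n", text):
        cur = {}
        lines = iter(s for s in block.splitlines() if s.strip() and s[0] != "#")
        for line in lines:
            key, typ, value = (line.split(None, 2) + [""])[:3]
            if typ == "MULTILINE_OCTAL":  # takewhile also consumes the END line
                octal = "".join(takewhile(lambda s: s.strip() != "END", lines))
                value = bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", octal))
            cur[key] = value.strip('"') if typ == "UTF8" else value
        if cur:
            yield cur

def trusted_roots(text, usage="CKA_TRUST_SERVER_AUTH"):
    # label -> DER for certs whose trust object marks them TRUSTED_DELEGATOR for
    # `usage` (CKT_NSS_ or older CKT_NETSCAPE_ prefix); pairing by label as in mkcabundle.pl
    objs = list(parse_certdata(text))
    trust = {o["CKA_LABEL"]: o.get(usage, "") for o in objs
             if o.get("CKA_CLASS", "").endswith("_TRUST")}
    return {o["CKA_LABEL"]: o["CKA_VALUE"] for o in objs
            if o.get("CKA_CLASS") == "CKO_CERTIFICATE"
            and trust.get(o["CKA_LABEL"], "").endswith("TRUSTED_DELEGATOR")}
```

Run against SAMPLE, only "Constructed Root A" survives; Root B is dropped because its trust object says CKT_NSS_NOT_TRUSTED, and a root with no trust object at all is dropped too.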
On Wednesday 25 July 2007 18:20:36 Juan Lang wrote:
> 2.a. We write a tool to import local certs, but make you specify the path. Ugly, but punts the problem to the user.
> 3. We do what the distros do: get the certificates from Mozilla's CVS, and munge them into the right format. (Google for mkcabundle.pl) This is similar to what we do for the unicode tables, but it does introduce a dependency on CVS (or perhaps wget from a web CVS front end.)
Isn't that what the distro's add-on value should be?
Cheers, Kai
On Wednesday 25 July 2007 18:20:36 Juan Lang wrote:
> 4. We don't load certs in Wine at all, and don't implement certificate chain verification, but dynamically load openssl or gnutls and ask them to do it for us. I don't think this is simpler than the alternatives, as I've already put a fair amount of work into crypt32, but if none of the other options is acceptable I can look into it.
Is there perhaps an API to just retrieve the CA bundle from a local openssl or gnutls installation?
-Hans
> Is there perhaps an API to just retrieve the CA bundle from a local openssl or gnutls installation?
I'm not aware of one, but I could be mistaken. --Juan
On Wednesday 25 July 2007, you wrote:
> > Is there perhaps an API to just retrieve the CA bundle from a local openssl or gnutls installation?
> I'm not aware of one, but I could be mistaken.
Since you mentioned Mozilla CVS, perhaps another option is to package them together with gecko?
-Hans
> Since you mentioned Mozilla CVS, perhaps another option is to package them together with gecko?
That's an interesting idea. I'll work on getting them from CVS, then talk to Jacek about it.
Thanks, --Juan
Hi,
Is it possible to put it on sourceforge like the gecko engine? And download it whenever necessary. And also it should have versioning support and be updated frequently.
Thanks, VJ
On 7/26/07, Juan Lang <juan.lang@gmail.com> wrote:
> > Since you mentioned Mozilla CVS, perhaps another option is to package them together with gecko?
> That's an interesting idea. I'll work on getting them from CVS, then talk to Jacek about it.
> Thanks, --Juan
On Fri, Jul 27, 2007 at 02:12:13AM -0400, Vijay Kiran Kamuju wrote:
> Is it possible to put it on sourceforge like the gecko engine? And download it whenever necessary.
The problem with that is that what we want to download here are certificates. So for them to be of good use one needs to obtain them in a way so that the trust chain doesn't break too much.
The easiest way to get that is by distributing them with the normal source (and thus also with the distribution specific packages). Those are usually signed.
Or to not distribute them and get them from the system at runtime in some way.
Jan