[libvirt] [PATCHv3 1/5] smartcard: add XML support for <smartcard> device

Alon Levy alevy at redhat.com
Wed Jan 26 18:29:12 UTC 2011 

On Wed, Jan 26, 2011 at 11:20:50AM -0700, Eric Blake wrote:
> On 01/26/2011 11:09 AM, Alon Levy wrote:
> >> What does QEMU/NSS do with the certificate database ? Is it a readonly
> >> database, or does QEMU/NSS also write to this ? I'm wondering why we
> >> need to specify x509 certificates, as well as the certificate database ?
> > 
> > The cert1/cert2/cert3 names are only internal references in that db, they
> > don't have a global meaning (i.e. it isn't filenames or any other type of uri).
> 
> That changes things in my implementation.  That means that
> cert1/cert2/cert3 do not need _any_ SELinux labeling, because they are
> not files in the file system (just names within a database);
> furthermore, since they are not files, my documentation efforts of
> calling them out as absolute files in the docs needs tweaking.
> Meanwhile, the database _does_ need SELinux labeling (and I'm assuming
> here that the database argument, if provided, must be an absolute path
> to the actual file containing the database of the three certificate
> names).  What does the database default to if you omit it from the qemu
> command line?
> 

Sorry for the double work. I wasn't revieing the patches because I assumed
it would be too much work, and didn't catch the point where you thought they
were filenames. I'll fix that - I'll review the next set of patches ;)


yes, the db is a directory name, treated as normal (can be absolute or relative
to cwd, I don't check, just feed it to NSS). It defaults to /etc/pki/nssdb:
(certutil needs an argument, we have it #defined:
hw/ccid-card-emulated.c:#define CERTIFICATES_DEFAULT_DB "/etc/pki/nssdb"
)

$ certutil -L -d /etc/pki/nssdb

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Alon3                                                        Cu,Cu,Cu
Alon2                                                        Cu,Cu,Cu
Alon1                                                        Cu,Cu,Cu

$ ls /etc/pki/nssdb
cert8.db  cert9.db  key3.db  key4.db  pkcs11.txt  secmod.db


> -- 
> Eric Blake   eblake at redhat.com    +1-801-349-2682
> Libvirt virtualization library http://libvirt.org
>

More information about the libvir-list mailing list