[libvirt] [PATCHv3 1/5] smartcard: add XML support for <smartcard> device
Alon Levy
alevy at redhat.com
Wed Jan 26 18:29:12 UTC 2011
On Wed, Jan 26, 2011 at 11:20:50AM -0700, Eric Blake wrote:
> On 01/26/2011 11:09 AM, Alon Levy wrote:
> >> What does QEMU/NSS do with the certificate database ? Is it a readonly
> >> database, or does QEMU/NSS also write to this ? I'm wondering why we
> >> need to specify x509 certificates, as well as the certificate database ?
> >
> > The cert1/cert2/cert3 names are only internal references in that db, they
> > don't have a global meaning (i.e. it isn't filenames or any other type of uri).
>
> That changes things in my implementation. That means that
> cert1/cert2/cert3 do not need _any_ SELinux labeling, because they are
> not files in the file system (just names within a database);
> furthermore, since they are not files, my documentation efforts of
> calling them out as absolute files in the docs needs tweaking.
> Meanwhile, the database _does_ need SELinux labeling (and I'm assuming
> here that the database argument, if provided, must be an absolute path
> to the actual file containing the database of the three certificate
> names). What does the database default to if you omit it from the qemu
> command line?
>
Sorry for the double work. I wasn't reviewing the patches because I assumed
it would be too much work, and didn't catch the point where you thought they
were filenames. I'll fix that - I'll review the next set of patches ;)
Yes, the db is a directory name, treated as normal (can be absolute or relative
to cwd, I don't check, just feed it to NSS). It defaults to /etc/pki/nssdb:
(certutil needs an argument, we have it #defined:
hw/ccid-card-emulated.c:#define CERTIFICATES_DEFAULT_DB "/etc/pki/nssdb"
)
$ certutil -L -d /etc/pki/nssdb
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Alon3                                                        Cu,Cu,Cu
Alon2                                                        Cu,Cu,Cu
Alon1                                                        Cu,Cu,Cu
$ ls /etc/pki/nssdb
cert8.db  cert9.db  key3.db  key4.db  pkcs11.txt  secmod.db
> --
> Eric Blake eblake at redhat.com +1-801-349-2682
> Libvirt virtualization library http://libvirt.org
>
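The point settled above is that cert1/cert2/cert3 are nicknames inside the NSS database, while the db argument is a directory that is the only thing on disk needing an SELinux label. A practical consequence is that a nickname typo is not caught by any file check; it only surfaces when QEMU asks NSS for the cert. The script below is an added example, not code from the thread or from the libvirt patch series: it parses `certutil -L` style output (the listing is constructed from the one quoted above) and verifies that every nickname a guest config will hand to QEMU actually exists in the given db directory before the guest is started. The `ccid_device_arg` helper builds a QEMU `-device ccid-card-emulated,backend=certificates,cert1=...,cert2=...,cert3=...,db=...` string; that property syntax is an assumption taken from QEMU's ccid-card-emulated device, not from this thread.

```shell
#!/bin/sh
# Added example; not part of the libvirt patches or the thread.
# Verifies that the nicknames passed as cert1/cert2/cert3 exist in an NSS db
# directory, using "certutil -L -d <dir>" output. Nicknames are names inside
# the db (cert8.db/cert9.db etc.), not files, so this is the only check that
# catches a bad nickname before QEMU/NSS fails at guest start.

# Constructed sample: the listing quoted in the thread, in certutil's layout.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Alon3                                                        Cu,Cu,Cu
Alon2                                                        Cu,Cu,Cu
Alon1                                                        Cu,Cu,Cu
'

# Reads a certutil -L listing on stdin, prints one nickname per line.
# Data rows end in a trust string of three comma-separated flag groups
# (e.g. "Cu,Cu,Cu" or ",,"); the two header lines do not match that shape,
# so they are skipped without counting lines. Nicknames may contain spaces,
# so only the trailing trust column is dropped.
nicknames_from_listing() {
    awk '$NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ { $NF = ""; sub(/[ \t]+$/, ""); print }'
}

# Usage: check_nicknames <nssdb-dir | -> nickname...
# With a directory it runs certutil against it; with "-" the listing is read
# from stdin (used for the offline demo). Returns 0 if every nickname is
# present in the db, 1 otherwise, naming the missing ones on stderr.
check_nicknames() {
    db=$1; shift
    if [ "$db" = "-" ]; then
        listing=$(nicknames_from_listing)
    else
        listing=$(certutil -L -d "$db" | nicknames_from_listing) || return 1
    fi
    missing=0
    for want in "$@"; do
        # -x: whole-line match, -F: nickname is a literal, not a regex
        if printf '%s\n' "$listing" | grep -qxF -- "$want"; then
            echo "found in db: $want"
        else
            echo "missing from db: $want" >&2
            missing=1
        fi
    done
    return $missing
}

# Usage: ccid_device_arg <nssdb-dir> <cert1> <cert2> <cert3>
# Builds the QEMU -device argument the nicknames end up in. The property
# names (backend, cert1..cert3, db) are assumed from QEMU's ccid-card-emulated
# device; the thread itself only shows the CERTIFICATES_DEFAULT_DB define.
ccid_device_arg() {
    printf 'ccid-card-emulated,backend=certificates,cert1=%s,cert2=%s,cert3=%s,db=%s\n' \
        "$2" "$3" "$4" "$1"
}

# Offline demo on the constructed listing. With a real db directory you would
# call: check_nicknames /etc/pki/nssdb Alon1 Alon2 Alon3
printf '%s' "$SAMPLE_LISTING" | check_nicknames - Alon1 Alon2 Alon3
ccid_device_arg /etc/pki/nssdb Alon1 Alon2 Alon3
```

Run it against the real directory (`check_nicknames /etc/pki/nssdb cert1 cert2 cert3`) from the same user and SELinux context the emulator will run in: that exercises both the nickname lookup and the directory label in one step, which is exactly the pair of things the discussion above separates.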